What the Biden Cybersecurity Executive Order means for technology vendors and service providers in the federal ecosystem
On May 12, 2021, the Biden Administration issued Executive Order 14028, "Improving the Nation's Cybersecurity," which aims to make the federal government and its supply chain resilient to cyber risk. Some of the Order's requirements carry deadlines as short as 30 days from issuance; other changes required under the Order will be implemented over the following year. This article provides guidance and a framework for technology vendors and service providers that act as federal government contractors, as part of their go-to-market strategy.
Which technology vendors must comply with the Executive Order
Many companies provide services, directly or indirectly, to government agencies that involve hosting or processing data, and those companies are already accustomed to cybersecurity reporting obligations. Under the Executive Order, however, software vendors that sell commercial or commercial-off-the-shelf (COTS) products to the government will have reporting obligations even if they do not host or process any data on behalf of the government. The amendments to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) called for by the Order will require that, when a cyber incident involves a software product or service provided to a federal agency, the technology vendor promptly report the incident to the relevant agency and to the Cybersecurity and Infrastructure Security Agency (CISA).
What steps should technology vendors take to prepare?
- Establish an internal framework to meet reporting requirements: The new FAR and DFARS requirements will address collecting and preserving data related to cyber incidents, reporting and sharing that data, and collaborating with federal agencies in the investigation of incidents. These obligations will be familiar to Department of Defense contractors already subject to the cybersecurity requirements of DFARS 252.204-7012. Technology vendors new to them, however, will need an internal reporting process coordinated among the IT, security, compliance, legal and project teams so that an incident is recognized, preserved and escalated quickly enough to meet the reporting deadlines. While the Executive Order discourages agency-specific requirements, it does not prohibit them; instead, it instructs agencies to amend their agency-specific requirements so that they are consistent with the new FAR requirements. A technology vendor or service provider that contracts with multiple agencies must therefore be prepared to respond to requirements that may still vary from agency to agency.
- Follow rule development: Companies within the scope of the Executive Order should follow the evolution of the proposed FAR rules and, where possible, provide comment. It will be important for the government to understand the implications of any rule for commercial businesses before enactment. While a priority of the Executive Order is a framework that minimizes the risk of cyber attacks on federal agencies, that framework should not ignore the practical impacts on commerce, nor should the new requirements stifle technology evolution and innovation. From a technical perspective, the Executive Order emphasizes zero-trust architecture and the government's use of secure cloud services. In certain respects, these requirements may diverge from the current Cybersecurity Maturity Model Certification (CMMC) framework that applies to the DoD supply chain. Software vendors that serve the DoD and the Defense Industrial Base should review DoD guidance in light of the Executive Order and incorporate that guidance into their CMMC implementation plans.
- Heightened security requirements for "critical software": Contractors and suppliers providing "critical software," currently defined in the Order as "software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)," must ensure that the software complies with the National Institute of Standards and Technology (NIST) guidelines on security measures for critical software. Among other matters, the NIST guidelines will address network segmentation and proper configuration. It is not yet clear whether the guidelines will be used as evaluation criteria in software solicitations, but developers and suppliers should closely monitor their development to ensure that their critical software will satisfy them, because failing to meet the guidelines may prevent a vendor's software from passing evaluation. Moreover, critical software procured prior to May 12, 2021 will also need to comply with the updated security requirements, subject to certain exceptions. After the FAR requirements are implemented, agencies must remove software products that do not meet the security requirements from indefinite-delivery/indefinite-quantity contracts, schedule contracts, government-wide contracts, blanket purchase agreements and multiple award contracts.
- Review software development processes: Software development typically combines in-house development, the services of third-party developers, and software licensed in from third-party sources, including open source software. To mitigate the risk of cyber incidents, a vendor's software development processes must be updated to meet the security guidelines. Use of open source software should be reviewed and approved not only from an open source license-compliance perspective but also from a security perspective, including the component's known vulnerabilities, its provenance and how actively it is maintained. Software vendors that use third-party developers must vet the developer's ability to build the contracted software in a manner consistent with the security guidelines, so that the vendor can satisfy the guidelines for the end product. Vendors must also ensure that the engineering and development teams, as well as the procurement and contracting teams, understand the procedures and requirements for engaging third-party developers and using third-party software.
We will continue to monitor developments associated with this Executive Order. If you have any questions regarding this publication, please contact the authors or your DLA Piper relationship attorney.