What does the cybersecurity executive order mean for federal government contractors and their supply chains?

Government Contracts Alert

On May 12, 2021, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity.  The Executive Order places ambitious requirements and deadlines upon federal agencies and, once implemented, will directly affect government contractors and their supply chains.

The key sections of the Order that are likely to impact federal contractors, and the practical effects of those requirements, are:

  • There will be a number of new Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) provisions and contract clauses.  The new FAR and DFARS provisions will relate to collecting and preserving data, reporting and sharing data related to cyber incidents, and collaborating with federal agencies when investigating cyber incidents.
    • It is unlikely that Department of Defense contractors already subject to the cybersecurity requirements of DFARS 252.204-7012 will see a significant change in their reporting and data preservation obligations.  Indeed, for many contractors, a uniform reporting obligation will be a welcome change to the wide-ranging agency- and contract-specific obligations that currently exist.  However, for those contractors that are not already subject to such reporting and preservation obligations, implementation will require close coordination between many parts of the business, including legal, compliance, project teams, and IT.
  • The FAR will require that information and technology service contractors “promptly” report cyber incidents involving a software product or service being provided to an agency.  Reports must be provided to the relevant agency and to the Cybersecurity and Infrastructure Security Agency.
    • Many software providers sell commercial or commercial-off-the-shelf (COTS) products to the government and do not host government data.  Until now, such contractors had little to no contractually mandated cybersecurity reporting obligations.  Such companies will want to closely scrutinize any proposed FAR rules and comment accordingly, so that the government understands the implications of any rule on commercial businesses before enactment.
  • The government will strive for a “streamlined” approach to protect contractors' unclassified systems with common cybersecurity contract requirements across agencies.  The FAR Council will implement the common cybersecurity contract requirements for unclassified system contracts through the FAR.
    • As with reporting obligations, contractors that are already subject to requirements from a variety of agencies will likely appreciate a uniform approach to cybersecurity requirements.  However, it is worth noting that while the Executive Order discourages agency-specific requirements, it does not prohibit them.  Instead, the Executive Order instructs agencies to amend their agency-specific requirements to ensure that they are consistent with any new FAR requirements.  Thus, agencies may still consider requirements in addition to the new FAR requirements, and it is yet to be seen whether the Executive Order will actually streamline the requirements.
  • The National Institute of Standards and Technology (NIST) will publish guidelines identifying criteria that can be used to evaluate software security and to evaluate the security practices of the developers and suppliers.  Contractors and suppliers providing “critical software,” which is currently defined as “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources),” will need to ensure that the critical software complies with applicable NIST guidelines.  NIST will also publish guidelines outlining security measures for critical software.  The NIST guidelines will address applying practices of least privilege, network segmentation, and proper configuration.
    • It is not clear from the Executive Order whether, and to what extent, these guidelines are expected to become evaluation criteria in solicitations for software.  Thus, software developers and suppliers will want to closely monitor the development of the NIST guidelines and pay careful attention to the extent to which the requirements are included in solicitations.
  • The FAR ultimately will include contract language requiring “suppliers of software” to comply with the security requirements for critical software outlined above.  After the FAR requirements are implemented, agencies will remove software products that do not meet the security requirements from indefinite-delivery/indefinite-quantity contracts, schedule contracts, government-wide contracts, blanket purchase agreements, and multiple award contracts.  Software procured prior to May 12, 2021, will need to comply with the updated security requirements, subject to certain exceptions.
    • The retroactive application of these requirements makes them particularly critical to software developers and suppliers.  Companies should closely monitor the development of the requirements and, to the extent possible, make any necessary adjustments over time.  This will enable companies to avoid having to make large-scale changes on an extremely ambitious schedule, potentially impacting the integrity of the product or jeopardizing the company’s ability to sell its products to the government.
  • From a technical perspective, the Executive Order emphasizes zero-trust architecture and the government’s use of secure cloud systems.
    • In certain respects, these requirements may conflict with the current CMMC framework.  Thus, it will be important for IT professionals to review any guidance issued by DoD in the coming months that addresses the implementation of the CMMC framework in light of the Executive Order, and to incorporate such guidance into CMMC-implementation plans.

The changes required under the Order will occur over time.  The Order establishes deadlines for government action that range between 30 days and one year.  We will continue to monitor developments associated with this Order.  If you have any questions regarding this publication, please contact the authors or your DLA Piper relationship attorney.