President Biden Issues Executive Order to Strengthen U.S. Cybersecurity Practices

13 May 2021 | Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Aaron K. Tantleff, Jennifer L. Urban, Steven M. Millendorf, Avi B. Ginsberg, Paige M. Papandrea

On May 12, 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity following a series of highly publicized cybersecurity incidents during the first four months of his presidency, including the Colonial Pipeline attack, which revealed vulnerabilities within the nation’s infrastructure and information systems. While this is not the first executive order issued to enhance the nation’s cyber defenses, it is the executive order most likely to have an impact and result in a change in light of the White House’s statement that “[r]ecent cybersecurity incidents . . . are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals . . . [as well as] insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”

This should serve as a wake-up call to everyone to review their security protocols and test their systems to ensure they are appropriately secured. This Executive Order establishes standards and requirements for information systems used or operated by federal agencies, their contractors, and other organizations working on behalf of a federal agency, including upgrading cyber defenses; enhancements to logging critical information related to an incident; establishing a straightforward, consistent, and universal methodology for responding to incidents; and establishing and requiring affected entities to share information safely and securely following an incident. The Executive Order aims to strengthen the United States’ cybersecurity defenses by:

  • Removing Barriers to Threat Information Sharing Between the Federal Government and the Private Sector: The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language will be updated to remove contractual impediments to information sharing about cybersecurity incidents. These updated contractual provisions will establish periods where contractors must report cyber incidents to the appropriate federal agencies, with a three-day deadline for the most severe incidents.

  • Modernizing and Implementing Stronger Cybersecurity Standards in the Federal Government: Federal agencies must update their existing agency plans to prioritize a move to secure cloud services and a zero-trust architecture. Zero-trust is a security concept wherein organizations do not automatically trust anything, whether inside or outside the organization. Instead, they must verify every device trying to connect to their environment before granting access. The Executive Order also mandates the implementation and deployment of multifactor authentication and encryption at rest and in transit within 180 days of the Executive Order’s issuance.

  • Improving Software Supply Chain Security: The National Institute of Standards and Technology (NIST) will develop and issue guidance establishing strict baseline security standards for software sold to the government, including a requirement to make software security data publicly available. Failure to comply with these standards could result in the supplier being blacklisted. The Executive Order also creates a pilot program and seeks to develop an “energy star” type of label that will allow buyers to quickly and easily determine whether the software was developed in compliance with the requirements.

  • Establishing a Cybersecurity Safety Review Board: The Executive Order establishes a Cybersecurity Safety Review Board, composed of representatives from the Department of Defense, Department of Justice, Cybersecurity & Infrastructure Security Agency, National Security Agency, and Federal Bureau of Investigation, as well as selected private-sector cybersecurity or software suppliers. Modeled after the National Transportation Safety Board, the Cybersecurity Safety Review Board will convene after a “significant cyber incident” and provide the Secretary of Homeland Security with recommendations for improving cybersecurity and incident response practices. The Board will also be charged with the development of a standardized approach or “playbook” for incident response by governmental agencies. This Board will be first deployed to investigate the SolarWinds attack.

  • Creating a Standard Playbook for Responding to Cyber Incidents: The Executive Order recognizes the need to standardize cybersecurity incident and vulnerability response efforts across federal departments and agencies. By creating a playbook that establishes a set of definitions and uniform steps for identifying and mitigating a threat, the Executive Order ensures all federal agencies meet a certain preparedness threshold. The playbook will also serve as a guide for the private sector when responding to cyber incidents.

  • Improving Detection of Cybersecurity Incidents on Federal Government Networks: A government-wide endpoint detection and response (EDR) system will be deployed across federal networks. This will be coupled with improved intra-governmental information sharing capabilities to vastly improve the ability to detect malicious cyber activity on federal networks.

  • Improving Investigative and Remediation Capabilities: Federal agencies will be required to generate and retain robust and consistent cybersecurity event logs according to detailed requirements, to be published within 90 days of this Executive Order. The requirements will also establish policies for log management to ensure centralized access and to permit sharing of log information with other federal agencies when needed and appropriate. This will help with intrusion attempt detection, mitigation of in-progress intrusions, post-event forensic analysis, and minimization of potential cyber risks.

While this Executive Order does not introduce anything new that has not been discussed or known for years, implementing the steps outlined in the Executive Order will be critical in light of the recent increase in cybersecurity attacks. While additional regulations will still need to be drafted, the Executive Order establishes a baseline of cybersecurity best practices that all companies should consider.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.