Published on May 20th, 2021
Cybersecurity Executive Order Will Impact Government Contractors | Pillsbury Winthrop Shaw Pittman LLP
Removing Barriers to Sharing Threat Information
The EO (Executive Order 14028, "Improving the Nation's Cybersecurity," signed May 12, 2021) asserts that IT and OT service providers "have unique access to and insight into cyber threat and incident information on Federal Information Systems"; however, requirements in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) "may limit the sharing of such threat or incident information." Accordingly, the EO directs the Office of Management and Budget (OMB) to, within 60 days, review the FAR and the DFARS and provide recommendations to the FAR Council on "removing these contractual barriers and increasing the sharing of information about such threats." The OMB's recommendations must identify the types of contractors covered by the proposed contract language, which must be designed to ensure, among other things, that service providers collect and preserve data related to cyber incidents, share that data with the government, and collaborate with the government in its investigation of such incidents. That collaboration may include implementing technical capabilities, such as monitoring networks for threats. The FAR Council must issue proposed rules within 90 days of receipt of the OMB's recommendations.
Information and communications technology (ICT) service providers will also find themselves with new cybersecurity obligations. The EO requires ICT service providers to promptly report to the contracting agency any cyber incident involving a software product or service provided to the government. The Department of Homeland Security (DHS) is tasked with recommending contract language to the FAR Council, within 45 days, that identifies the nature of the cyber incidents that require reporting, the type of information to report, the reporting time periods, and the types of contractors covered by the recommendations. The EO gives the FAR Council 90 days from receipt of DHS's recommendations to issue proposed rules.
The EO also calls for streamlining cybersecurity requirements across all federal agencies. DHS is tasked with reviewing agency-specific cybersecurity requirements and recommending standardized contract language to the FAR Council. Once the FAR Council issues rules implementing the DHS recommendations (following the public comment period on the proposed rules), agencies must eliminate any agency-specific cybersecurity requirements that duplicate them.
Enhancing Software Supply Chain Security
The EO states that the government "must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software." The EO requires federal agencies to develop guidance and standards related to "critical software." The term "critical software" is undefined in the EO; however, a definition must be developed within 45 days. Further, within 30 days, the Director of the National Institute of Standards and Technology (NIST) must solicit input from agencies, the private sector, academia, and other sources regarding standards, procedures, and criteria designed to ensure software supply chain security. Based on that input, the NIST Director must develop and issue guidance to enhance the security of the software supply chain. Within one year (i.e., by May 2022), DHS must recommend contract language to the FAR Council requiring software suppliers to comply with, and attest to compliance with, the NIST-developed guidance.
While most of the EO's requirements are forthcoming and depend on agencies' recommendations and the FAR Council's implementation, the EO brings sweeping changes to cybersecurity requirements for federal contractors, especially IT, OT, and ICT service providers. The EO's release coincides with one of the most consequential cybersecurity attacks in U.S. history, the Colonial Pipeline ransomware attack, and comes roughly five months after the disclosure of the SolarWinds supply chain compromise, which reached at least nine federal agencies and about 100 private companies. While the EO's requirements target federal agencies and government contractors, the Biden administration "encourage[s] private sector companies to follow the federal government's lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents."