The Executive Order on Improving the Nation’s Cybersecurity, released on May 12, is primarily an engine for the White House to direct Executive Branch action on shoring up critical government security dependencies. For the private sector, it is perhaps most interesting for what it may portend about emergent standards for sound software development and secure supply chain management. It also potentially represents a watershed moment for raising IoT security standards. In this post, we will focus solely on those elements that are relevant to private firms, whether they are federal contractors or companies whose future practices may be affected by some of the Order’s requirements.
Setting aside the elaborate action requirements levied on federal entities, the Order could affect the private sector by: (i) setting certain federal requirements that will potentially influence expectations about what constitutes reasonable practices in the private sector; (ii) creating rigorous expectations for supply chain security; (iii) calling for new NIST standards on critical IoT and software development practices; (iv) requiring revisions to standard federal contracts and the creation of related reporting obligations for contractors; and (v) requiring the establishment of a Cyber Safety Review Board. We address each below.
This Order will particularly impact private entities that develop software in the government supply chain, who contribute to the development of IoT capabilities, and who provide services to the federal government that are implicated by cyber events. But as is detailed further below, the Order calls for updating standards on a number of fronts, and such updates may influence the public discussion and legal landscape around certain baseline security measures taken not only by those directly implicated by the Order, but private industry more generally.
- Forthcoming Influential Federal Standards. The Order mandates several technology and procedural requirements for the U.S. federal government, some of which are already common practices in some sectors. While these do not apply to private industry, the formal articulation of specific requirements can be expected to influence judgments about the steps that are reasonable to take for private entities.
- Cloud. The Order requires the Cybersecurity and Infrastructure Security Agency (CISA), in consultation with the Federal Risk and Authorization Management Program (FedRAMP), to “modernize” its cybersecurity programs to fully function with cloud-environments and develop security principles governing Cloud Service Providers for incorporation into these modernization efforts. Moreover, it requires CISA to issue a “cloud-service governance framework.” This will influence not only aspects of cloud contracting done by federal entities, but presumably FedRAMP compliance and (at least informal) expectations about baseline cloud governance requirements in private companies not already meeting or exceeding the standards.
- Zero Trust. The Order links cloud modernization to the adoption of a Zero Trust architectural approach. Zero Trust is, generally, a security framework and set of design principles that assumes threats already exist within (and, obviously, outside) a given network. Assuming “Zero Trust” leads to a range of technical implementations that the Order directs CISA (in consultation with others) to further incorporate into the modernization efforts.
- Additional Technical Requirements. The EO mandates several other security mechanisms for government entities. To the degree that private entities have not already adopted such practices, they will want to evaluate those or analogous mechanisms. These requirements are also likely to be imposed on contractors as part of the “appropriate cybersecurity requirements” in contracts detailed further below.
- Incident Response Collaboration Framework. The Order also requires certain named federal agencies, including CISA, the FBI and FedRAMP, to establish a framework to collaborate on cybersecurity and incident response activities relating to federal cloud technologies. This framework will involve information sharing requirements for service providers to affected federal agencies.
- FedRAMP Modernization. The Order requires the General Services Administration, in consultation with others, to begin a modernization of FedRAMP by, among other things, improving communications with service providers through “automation and standardization of messages at each stage of authorization”; automation of various aspects of the FedRAMP lifecycle, including continuous monitoring and compliance; identifying relevant compliance frameworks and mapping them into FedRAMP requirements, and more.
- Incident Response Playbook. While solely a government matter, the Order requires CISA, in consultation with others, to establish a set of operational procedures (referred to as a “playbook”) to be used in planning and conducting cybersecurity vulnerability and incident response activities. Companies will want to pay close attention to the ultimate product as such a playbook will, again, be influential in subsequent discussions about the reasonability of preparation and related measures taken by private entities in similar response activities.
- Supply Chain Security. Some of the most significant changes to which the Order will give rise are new requirements impacting private companies whose software development is within the federal “software supply chain.” The Order requires that a range of steps be taken to better secure the supply chain that will be specifically directed at private contributors.
- Guidelines on Software Development Security Evaluation and Best Practices. Of greatest immediacy, the National Institute of Standards and Technology (NIST) will solicit input from a range of actors, including the private sector, on guidelines that will be used to evaluate software security, including the practices of developers and suppliers. This will be one of the only opportunities for interested parties to inform government thinking about a set of requirements that will shape industry behavior for years to come. A solicitation of input is supposed to occur by June 12, 2021, with preliminary guidelines published around November 8, 2021. By early February 2022, NIST is to publish guidance identifying practices that enhance the security of the software supply chain. The anticipated publications will therefore set criteria for evaluating security practices and offer guidance for establishing best practices. Such guidance is likely to have foundational implications for future judgments about acceptable software development security practices writ large.
- Critical Software. The Order requires the Office of Management and Budget and the Director of National Intelligence to publish a definition for “critical software.” That definition will, in turn, serve as the basis for NIST to create a list of categories of software products that meet the definition. NIST, in consultation with several federal agencies, will publish “guidance outlining security measures for critical software” by early-to-mid July 2021. It steps through some categories of known measures, such as least privilege rules, network segmentation and proper configuration. The guidance will be obligatory and will impact products falling within the ambit of the to-be-defined concept of “critical software.” In particular, the Order mandates that federal contracting language be established by May 2022 requiring suppliers of software available for purchase by agencies to comply with the requirements articulated for critical software. It directs that software products not meeting those requirements be removed from a variety of federal contracting categories.
- Source Code Testing Guidelines. Also of great significance for the private sector, the Order requires NIST, by July 2021, in coordination with others, to publish “guidelines recommending minimum standards for vendors’ testing of their software source code.” Again, this requirement will establish a floor for such testing, and will likely influence practices of, and perceptions of reasonability for activities by, private firms not already implementing standards above such a floor.
- Additional Forthcoming Formal NIST Standards Amongst the most momentous changes nestled within the Order are forthcoming standards relating to Internet-of-Things (IoT) software development and general software development “best practices.” Though not styled as leading to actionable regulatory requirements, these efforts will likely set a floor for IoT and software developers, and as with other elements of the Order, establish minimum baseline expectations for reasonable development practices. One need only look to the manner in which the NIST Cybersecurity Framework became a regulatory expectation of the Federal Trade Commission for an example of how such requirements solidify in the market.
- Internet of Things Pilot Program. NIST will initiate a pilot program to educate the public about the security capabilities of IoT devices and software development practices. This program will eventually lead to labelling standards, addressed below, but will shape the incentive structure in the development of IoT software, which to date is a largely normless space.
- Secure Software Development Practices. The Order also requires NIST to identify “secure software development practices or criteria” for a consumer software labeling program. NIST is to consider whether such a program can be operated or modeled after similar existing government programs. Presumably derivative of lessons also learned in the IoT pilot program, the labeling program is intended by the Order to reflect increasingly comprehensive levels of testing and assessment. This will establish a “tiered software security rating system” that, by definition, will lead entities to need to progressively invest to climb the tiering chain. The Order expects this program to be in place around early February 2022.
- New Requirements for Contractors. The Order establishes new requirements for updating federal contracting provisions and related mandatory reporting.
- Revisions to Federal Contract Requirements. The Order requires revision to federal contracting requirements to enable:
- Maintenance by service providers of data that is critical to understanding cyber incidents;
- Broader information sharing and collaboration by service providers to breached federal organizations with other federal entities; and,
- Updates to “appropriate cybersecurity requirements” for federal contracts.
- Revisions to Federal Contract Requirements. The Order requires revision to federal contracting requirements to enable:
Services providers will want to monitor for such revisions to federal contracts in the coming term and ensure they have procedures and guidance in place to properly implement the specific monitoring, maintenance, sharing, collaboration, and technical requirements.
- Mandatory Vulnerability Reporting. The Order also requires the ultimate revision of contracting requirements to include mandatory vulnerability reporting to federal entities whenever a service provider to such entities discovers a cyber incident involving software, services, or support systems they provide. Public comment on the draft requirements are supposed to be solicited by the Federal Acquisition Regulation Council around August 2021.
- The Board: The Order also directs the Secretary of Homeland Security, in consultation with the Attorney General, to establish a Cyber Safety Review Board. With respect to “significant cyber incidents” (defined in Presidential Policy Directive 41) affecting certain categories of federal systems, and non-Federal systems, the Board will review and assess threat activity, vulnerabilities, mitigation activities, and agency responses. The Board can include representatives of the private sector selected by the DHS Secretary, and will inevitably become a vehicle for channeling focused public-private cooperation on responses to such significant cyber events. The eligibility criteria for private sector representatives will be part of recommendations made to the President.
As is evident, there is significant work to be done to implement a variety of requirements within the Order. In most pertinent part, that implementation will set standards for reasonable cybersecurity measures affecting both federal and private conduct, create new requirements for entities contributing to the federal software supply chain and developing IoT devices, and impose new obligations on federal contractors.
This Order will particularly impact private entities that develop software in the government supply chain, who contribute to the development of IoT capabilities, and who provide services to the federal government that are implicated by cyber events. But as is detailed further below, the Order calls for updating standards on a number of fronts, and such updates may influence the public discussion and legal landscape around certain baseline security measures taken not only be those directly implicated by the Order, but private industry more generally.