September 9, 2021
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

How the Cybersecurity Executive Order Affects Federal Contractors
A May 12 executive order (EO), issued by President Joe Biden, will have a significant impact on the nation’s cybersecurity. It calls for standardizing the federal government’s incident response and oversight while mandating better incident tracking and information sharing.
The EO elevates cybercrime as a national security issue. It aims to strengthen federal defenses and align them with those of the private sector. The federal government will use the power of the purse to bring federal contractors into compliance with new cybersecurity regulations. Contractors should expect to see specific timelines and new Federal Acquisition Regulation (FAR) clauses by the end of the year.
Modernizing Federal Cybersecurity Standards
The new federal standards build on the key functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: identify, protect, detect, respond and recover. Driving standardization will make federal incident response more effective. It will also help implement cybersecurity best practices sooner and improve supply chain security.
In response, federal contractors should plan to implement various new standards and policies.
Zero Trust — Because Trust Leaves Organizations Vulnerable
These standards start with zero trust — a cybersecurity model focused on users, assets and resources instead of network-based perimeters. Zero trust always requires authentication and authorization to move laterally inside a network and access data or other assets. It doesn’t trust users because of their physical or network location. This is essential with remote users, bring your own device (BYOD) policies and cloud-based assets.
Multifactor Authentication — Layered Defense Against Unauthorized Access
The EO calls for multifactor authentication (MFA), combining different types of credentials to verify identity and grant access. These include passwords, ID cards with mag stripes and biometric identification. Each factor represents a layer of defense and another obstacle for unauthorized users. Best practices call for MFA as a key part of identity and access management — now the federal government calls for it too.
Encryption — Protection After Unauthorized Access
Encryption protects data by transforming it into a form that is illegible to unauthorized users. An encryption algorithm, driven by a secret key, translates plaintext data into ciphertext. Without that key, the data is useless, even if attackers manage to access it. Websites using transport layer security (TLS), a data encryption mechanism, feature a padlock symbol with their URL and an “https” address (instead of the old “http”). Moving forward, federal agencies and contractors must ensure that data is encrypted, whether at rest or in transit.
Consistency — Eliminating Variables that Cause Vulnerability
Companies should plan to implement uniform security standards for all network-connected devices and assets. This includes hardware, firmware, software, printers, routers, ethernet switches and WiFi units. Companies should also plan to audit their source code. If your IT department manages BYOD policies, you will need to apply these new security standards to employee-owned laptops, tablets and mobile phones.
Secure Cloud Services — a Tectonic Shift from Traditional Data Centers
The executive order moves federal agencies to the cloud and couples this move with zero trust security architecture. Agencies are working on accelerated timelines with a clear mission: develop a federal cloud security strategy. They must also provide recommendations for migration and data protection. Federal contractors should expect to follow suit.
The Need to Share Threat Information
Recent large-scale cyberattacks revealed the urgency of sharing threat information between federal agencies and contractors. The EO calls for the removal of contractual barriers, requiring IT providers to share breach data that could involve federal agencies. The Cybersecurity and Infrastructure Security Agency (CISA) has taken the lead to improve interagency collaboration. Their new Joint Cyber Defense Collaborative, or JCDC, signals support for increased public-private sharing of cyber threats and incident information.
CISA has been charged with developing cloud security principles and overseeing their implementation within federal agencies. Agencies must maximize adoption of these principles and move to standardized language in their contracts. The executive order imposes a 180-day deadline, affecting how agencies identify and report cybersecurity incidents.
The EO applies to IT contractors that process data and operational technology (OT) contractors that run mission-critical machinery. Moving forward, agencies and software contractors must notify CISA about cyber incidents. New FAR rulemaking should provide specific details late this year, but serious incidents must be reported within 72 hours.
Improving Software Supply Chain Security
The executive order targets the need for better-controlled access to software. This covers all functions that allow access to data, functionality and networks. The federal government is examining the need for a software bill of materials (SBOM) to identify affected software and its risks. The bill of materials will list all components in software products, including open-source components, to support agency vulnerability assessments. NIST will drive this effort, following the approach it used to develop Department of Defense cybersecurity standards.
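To show how a component list supports the vulnerability assessments described above, here is an added example (not from the article or any federal guidance) that parses a constructed SBOM in a CycloneDX-style JSON shape and matches each component against a constructed advisory list; the SBOM format, component names and advisory identifiers are all assumptions made for illustration.

```python
import json
from typing import Dict, List

# Constructed SBOM in a CycloneDX-style shape (assumed format; the EO does not
# prescribe one). Only the name and version fields are used below.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "log-utils",  "version": "2.14.1", "purl": "pkg:maven/example/log-utils@2.14.1"},
    {"name": "log-utils",  "version": "2.17.0", "purl": "pkg:maven/example/log-utils@2.17.0"},
    {"name": "web-server", "version": "1.4.2",  "purl": "pkg:npm/web-server@1.4.2"}
  ]
}
"""

# Constructed advisory feed (hypothetical identifiers): component name -> advisories.
# A version v is affected when introduced <= v < fixed.
ADVISORIES: Dict[str, List[dict]] = {
    "log-utils": [{"id": "ADV-EXAMPLE-1", "introduced": "2.0.0", "fixed": "2.15.0"}],
    "web-server": [{"id": "ADV-EXAMPLE-2", "introduced": "1.4.0", "fixed": "1.4.2"}],
}


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; tuples compare component-wise, so
    # 2.14.1 sorts before 2.15.0 (a plain string compare would not).
    return tuple(int(part) for part in v.split("."))


def affected_components(sbom_json: str, advisories: Dict[str, List[dict]]) -> List[dict]:
    """Return every SBOM component whose version falls in an advisory's affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        ver = parse_version(comp["version"])
        for adv in advisories.get(comp["name"], []):
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in affected_components(SBOM_JSON, ADVISORIES):
        print(finding)
```

Only the older log-utils build is flagged; the patched 2.17.0 copy and web-server at its fixed version pass, which is exactly the per-component answer an agency assessment needs from an SBOM.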
Federal agencies will take a hard line on non-compliant software, removing it from ongoing contracts, supply schedules and purchase agreements. Expect new certification requirements for software supply chain security after May 2022.
New Baseline Transparency Requirements
Federal contractors will need to increase the transparency of their security updates. They must also demonstrate the ability to identify vulnerabilities in their products, instead of waiting for customers to point them out.
This will be a new federal cybersecurity requirement, but global markets are moving toward demanding this information. A 2021 Ponemon Institute study, sponsored by Intel, demonstrated this conclusively. It found 73 percent of respondents preferred technology and service providers that proactively find, mitigate and communicate security vulnerabilities.
Developing the Software Equivalent of an “Energy Star” Label
The executive order calls for a pilot program to label software. According to The White House, this is so “the government — and the public at large — can quickly determine whether software was developed securely.”
The Department of Commerce, working with NIST, “shall initiate” pilot programs similar to current consumer product labeling programs. These programs will educate the public on the security capabilities of software and Internet-of-Things (IoT) devices. The agencies are also charged with developing incentives for manufacturer and developer participation.
A Standardized Incident Response Playbook
Federal agencies will have to follow a standardized playbook for cyber incident response, using processes and definitions currently in development. The intent is to ensure that federal agencies take uniform steps to deal with cyber threats. This playbook will also serve as a template for federal contractors to use in the development of their incident response protocols.
Federal contractors without the necessary internal resources may need to engage a managed detection and response (MDR) company. MDR vendors provide more experienced and capable personnel to help organizations respond to evolving cyber threats. They can also address compliance requirements for stakeholder reporting and log retention.
In addition, the EO authorizes a government-wide endpoint detection and response (EDR) system to identify malicious cyber activity. The EDR system will leverage the improved information sharing capabilities inside the federal government. It also expects federal contractors to support this system and commit to effective participation.
New Event Logging Requirements Ahead
In August, the Office of Management and Budget (OMB) gave federal agencies 60 days to assess their ability to log cybersecurity incident data. Agencies will use a new cybersecurity maturity model to assess their progress, how to move forward and projected costs.
OMB has defined four maturity levels within this model. They range from the lowest level (EL0) to EL3, which meets logging requirements at all levels of criticality. After their 60-day review, agencies will have 18 months to reach EL2 and 24 months to reach EL3.
The executive order also directs agencies to improve their investigative and remediation capabilities, focusing on logging, log retention and log management. Standardizing these capabilities will help CISA and agencies detect intrusions, mitigate damage and assess that damage after the intrusion.
OMB has told agencies to store log data for 12 months in active storage and 18 months in cold storage. Federal contractors will need to comply with these documentation and storage requirements.
A Clarion Call for Collective Action
Recent cyberattacks have reinforced the need for the government and the private sector to close ranks. The rationale for united collective action is simple: Companies that don’t implement these new standards leave themselves and everyone they deal with vulnerable. Ultimately, every company that does business or communicates online has a national security responsibility.
Regulatory and market pressure will eventually force all companies into compliance. They may be slower to adopt new standards and best practices, but the demand to improve cyber hygiene will be substantial. Federal contractors don’t have the luxury of time. They must be ready to operate using these new federal standards as their baseline or lose their government business.
To discuss your current cybersecurity standards and what needs to change, contact Dean Flores, or your Windham Brannon advisor.
