Cybersecurity Executive Order Establishes Framework to Strengthen Cybersecurity Elements of Federal Government Contracts
The Situation: On May 12, 2021, President Biden issued an "Executive Order on Improving the Nation's Cybersecurity," which calls for "bold" and extensive action designed to update and standardize requirements and procedures relating to cybersecurity and Federal Government contracts.
The Result: The Executive Order establishes an aggressive and detailed plan for rapidly strengthening the ability of the Federal Government and its contractors to detect and respond to cyber incidents.
Looking Ahead: Federal Government contractors should anticipate a swift rollout of proposed changes and updates to cybersecurity requirements and be prepared to meet these new requirements as they are released.
In the wake of persistent and increasingly sophisticated malicious cyber attacks, President Biden issued an "Executive Order on Improving the Nation's Cybersecurity" (the "Executive Order") aimed at strengthening cybersecurity in the public and private sectors. As part of this effort, the Executive Order sets forth a framework and specific guidelines for updating and standardizing cybersecurity requirements and procedures relevant to Federal Government contractors. This summary focuses on those directives.
The Executive Order establishes three parallel tracks designed to strengthen and standardize cybersecurity requirements in connection with Federal Government contracts.
Sharing Cyber Threat Information and Collaborating with Response Agencies
The first track relates to contracts involving systems that process data (information technology or "IT") and systems that run the "vital machinery that ensures our safety" (operational technology or "OT"). The Executive Order requires designated government agencies to recommend updates to the Federal Acquisition Regulation ("FAR") and Defense Federal Acquisition Regulation Supplement ("DFARS") regarding IT and OT contracts. These updates should be designed to ensure that IT and OT contractors collect and preserve data relevant to cybersecurity event prevention, detection, response, and investigation, share this data with their government customers and other agencies involved in cybersecurity, and collaborate with Federal cybersecurity or investigative agencies. The timeline established in the Executive Order requires the Federal Acquisition Regulatory Council ("FAR Council") to publish proposed FAR updates related to these areas by October 2021. It further establishes that the government must, by September 2021, establish procedures that require IT and OT contractors to share data with cybersecurity investigation and response agencies, such as the Cybersecurity and Infrastructure Security Agency ("CISA") and the Federal Bureau of Investigation ("FBI").
Mandatory Cyber Incident Reporting for Information Communications Technology Contractors
The second track requires the establishment of a new mandatory reporting obligation for information communications technology ("ICT") contractors. Pursuant to this new requirement, ICT contractors must "promptly report" to their customer agencies "when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies." Depending on the relevant customer agency, the ICT contractor will also need to file a report with CISA (for civilian agencies) or to a yet-to-be determined recipient for "National Security Systems" (mostly relevant to classified work and to work for Defense or Intelligence Community agencies). While the details regarding this new reporting requirement are yet to be established, the Executive Order notes that the time period for reporting "the most severe cyber incidents" cannot "exceed 3 days after initial detection." Under the timeline established by the Executive Order, the FAR Council must propose updates by October 2021.
Standardization of Cybersecurity Contract Language
The third track relates to Federal Government contracts concerning "unclassified system contracts." The Executive Order calls for designated agencies to develop recommendations regarding cybersecurity requirements for these contracts that are designed to standardize common requirements to "streamline and improve compliance for vendors and the Federal Government." The Executive Order calls for the FAR Council to propose updates to the FAR on this topic by September 2021.
Additional Cybersecurity Initiatives
The Executive Order describes additional cybersecurity reforms, including:
- Setting out a plan to enhance the security and integrity of the software supply chain;
- Directing government agencies to adopt security best practices, advance toward Zero Trust Architecture, accelerate movement to secure cloud services, and invest in both technology and personnel to match these modernization goals;
- Instructing the Department of Homeland Security to establish a Cyber Safety Review Board; and
- Calling for improving the detection of cybersecurity vulnerabilities and incidents on federal government networks, and standardizing and improving the federal government's response to those.
Jones Day will continue to monitor the changing landscape and provide updates.
Three Key Takeaways
- As early as September 2021, information technology and operational technology contractors should expect to see new government procedures for sharing cybersecurity event data and collaborating with cybersecurity response agencies, with proposed updates to the FAR regarding collection, preservation, and information sharing requirements related to cybersecurity events following soon after.
- Under a proposed rule update with an anticipated release date of October 2021, information communications technology contractors will be required to "promptly" report cyber incidents to their government customer agencies.
- Over the next year, government contractors should anticipate a government-wide effort to standardize cybersecurity contract requirements.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.