White House Calls for Federal Reforms in Long-Anticipated Cybersecurity Executive Order
President Biden's Executive Order calls for an extensive reassessment and revamping of the federal government's cybersecurity defenses and incident response capabilities, establishing benchmarks that may inform standards among private entities.
Following the 2020 cyberattack on numerous United States government agencies, President Biden issued an "Executive Order on Improving the Nation's Cybersecurity" ("EO") that seeks to strengthen public and private sector cybersecurity defenses and incident response capabilities. The federal government reforms in the EO center around three key themes: modernization, accountability, and resilience.
First, the EO directs agencies to modernize their information technology ("IT") systems by prioritizing the use of cloud services, utilizing multifactor authentication, and adopting encryption technologies for data at rest and in transit. As part of this effort, the Cybersecurity and Infrastructure Security Agency ("CISA") within the Department of Homeland Security will update standards governing the agencies' use of cloud services, which could impact the offerings provided by cloud service providers and other IT government contractors. The EO also directs agencies to utilize guidance from the National Institute of Standards and Technology to migrate toward "Zero Trust Architecture," a framework that limits employees' data and network access to the bare minimum needed to perform their jobs.
Second, the EO increases accountability among federal civilian agencies by giving CISA access to agency network data to conduct vulnerability testing, and creating a "Cyber Safety Review Board," which is tasked with considering mitigation activities and agency responses for any significant cyber incident involving either the government or private sector entities. The Board will include representatives from private sector cybersecurity entities and software suppliers and will provide recommendations for improving incident response.
Third, the EO directs the federal government to develop a standardized incident response "playbook" in order to quickly identify, mitigate, and remediate threats. Federal agencies are also required to keep event logs, in order to increase their ability to detect and mitigate incidents.
While it will take some time for the government to implement these requirements, once they do, these benchmarks may inform evolving expectations for private cybersecurity protections. Accordingly, private entities should review the updated CISA standards and the new incident response playbook when issued and consider whether and to what extent to incorporate them into their Information Security Programs.
This Alert is the third in a series on the contents of President Biden's Executive Order on Improving the Nation's Cybersecurity. Prior Alerts address the EO's new cybersecurity contract language for civilian government contractors and the EO's provisions regarding a cybersecurity labeling regime for consumer products.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.