Executive Order Enhances Cybersecurity Requirements for Government Contractors

In response to increasing cybersecurity threats, including the SolarWinds and Colonial Pipeline attacks, President Biden issued an Executive Order on May 12, 2021, that enhances cybersecurity requirements for federal contractors. The Executive Order applies to contractors that provide government-procured software and those that operate the “vital machinery that ensures our safety.” Sections 2 and 4 of the Executive Order will have the greatest impact on contractors due to the new requirements discussed below.

Sharing Threat Information Between the Public and Private Sectors

Section 2 aims to remove barriers to sharing information about cyber threats between the public and private sectors. The Executive Order calls for revisions within 60 days to the contract requirements for government service providers. These new contract provisions must ensure that:

• Service providers collect and preserve data relevant to cybersecurity prevention
• Service providers share data regarding cyberattacks with federal agencies
• Service providers collaborate with federal agencies while investigating and responding to incidents, including by implementing technical procedures, such as monitoring networks for threats in collaboration with the agencies they support
• Service providers share cyber threat information in industry-recognized formats

All new federal contracts involving software products will require service providers to promptly report any cyber incidents directly to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements are expected to be published within the next five months.

Securing the Software Supply Chain

Section 4 of the Executive Order enhances the security of the software supply chain and requires the Secretary of Commerce to issue related guidance within one year. The Office of Management and Budget (OMB) will then require agencies to comply with the guidelines for all software procured after the date of the Executive Order.

Supply chain security will include standards regarding:

• Securing software development environments, including:
  • Using administratively separate build environments
  • Auditing trust relationships
  • Establishing multifactor, risk-based authentication
  • Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop software
  • Employing encryption for data
  • Monitoring alerts and responding to attempted or actual cyber incidents
    
    
• Generating and providing artifacts that demonstrate conformance to the updated guidance
  
  
• Employing automated tools to maintain trusted source code supply chains and to check for known and potential vulnerabilities and remediate them
  
  
• Providing artifacts of the execution of the automated tools and making summary information publicly available on completion of these actions
  
  
• Maintaining accurate origin of software code with recurring audits
  
  
• Providing a Software Bill of Materials (SBOM) for each product published on a public website; SBOM means a formal record containing the details and supply chain relationships of various components used in building software
  
  
• Participating in a vulnerability disclosure program that includes a reporting process

Federal agencies will remove software products from federal deployment that do not contain the new contract language or meet the supply chain guidance issued under Section 4. The OMB will also require federal agencies that employ software developed prior to the Executive Order to either comply with Section 4 or provide a plan for how to comply. All renewed software contracts will need to comply with Section 4 going forward.

Special Requirements for “Critical Software”

Section 4 also creates a new category of “critical software,” or software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources). The Secretary of Commerce will publish special security requirements for handling all critical software, including applying practices of least privilege, network segmentation, and proper systems configuration. Within the next 90 days, the OMB will require agencies to comply with the new guidance for critical software.

Guidelines for Testing Code and Securing the Internet of Things

Finally, Section 4 calls for guidelines within 60 days that recommend minimum standards for vendors to test their government-procured software, including identifying recommended types of manual or automated testing (e.g., code review tools). The Secretary of Commerce will also initiate pilot programs to educate the public on the security capabilities of Internet of Things (IoT) devices, and related IoT software development practices, and will consider means to incentivize IoT developers to participate in these programs. These pilot programs will lead to IoT cybersecurity criteria, to be issued within nine months of the Executive Order, that will incorporate a consumer-labeling program that reflects the testing and assessment criteria that an IoT device has undergone.

Conclusion

The Executive Order requires government service providers to strengthen their cybersecurity procedures and affirm compliance through new contract language. These requirements for government contracts may well be followed and expanded upon in the private sector. Companies that provide software to federal agencies, or operate critical infrastructure, should monitor the resulting regulations in the coming months.