Nearly a decade after then-Secretary of Defense Leon Panetta predicted the United States would face a “cyber-Pearl Harbor,” the Federal Government (“USG”) has finally taken dramatic action. On May 12, President Biden signed an Executive Order (“EO”) that radically overhauls the nation’s approach to cybersecurity. After multiple high-profile attacks on both public and private systems, including the SolarWinds debacle and the recent Colonial Pipeline attack, the new administration has prioritized cybersecurity as a critical issue moving forward.
This EO immediately impacts every federal contractor who provides any kind of data management service. These contractors now have new due diligence mandates, certification processes and mandatory disclosure obligations, taking effect as early as August 2021. The EO will affect the rest of the federal contracting sector when the Federal Acquisition Regulation (“FAR”) Council promulgates new contract clauses related to cybersecurity. In addition, the changes announced in the EO will filter down into the private marketplace through a new security rating system and cybersecurity review board. The goal of these efforts is to strengthen cybersecurity infrastructure across the entire United States.
Impact on Federal Contractors
Federal contractors will face a litany of new hurdles to meet the updated security requirements on an aggressive timeline. Every software program utilized by the USG will have six months to meet the new standards. The only exception to this policy is the Department of Defense, which has altered timelines and regulations due to the national security nature of its sub-agencies. Multifactor authentication will be mandatory — akin to a more secure version of the two-step authentication many users are familiar with when they sign into products like Gmail or Microsoft 365. Similarly, contractors must move all data to a secure cloud-based service. This measure ensures the data is accessible from any location with a stable Internet connection while being secure enough that only authorized users can gain access. Finally, all software bought and utilized by the USG must make the transition to zero-trust architecture. Zero-trust architecture relies on the mantra “never trust, always verify.” Zero-trust assumes that every connection must be independently verified every time it requests access to another part of the network. Because these first three requirements have already been widely adopted in the private sector to some degree, they will likely not be too challenging.
However, the fourth requirement may be much more difficult. The EO demands that all software vendors serving federal agencies must encrypt data at rest, as well as in transit. Many technology companies have successfully implemented end-to-end encryption for small amounts of data, like text messages or compressed images sent through Signal or iMessage. However, encrypting data at the scale of the USG is an entirely different task, and it is likely to present logistical hurdles to meet the demanding timeframe. This is especially true considering that in 2015, when China stole 21.5 million files from the Office of Personnel Management, not a single file was encrypted.
Should a contractor fail to meet the requirements outlined in the EO, the relevant agency must notify the contractor that it could be dropped from the list of authorized federal contractors. In addition, contractors will need to furnish the agency with the relevant details when each standard is met and monitor each agency’s reports to ensure their accuracy.
In addition to these significant changes, the EO overhauls information sharing. For example, many current IT providers do not share information on potential threats or breaches with the agency they serve. In some cases, this is to avoid the possibility of public coverage of a damaging breach. In other cases, the contract between the contractor and the USG may include a clause that allows the contractor to avoid telling the government that a breach has occurred. The EO eliminates any contractual barriers and requires providers to share breach information with agencies. By June 11, 2021, the Secretary of Homeland Security will recommend to the FAR Council new contract language concerning information sharing. The FAR Council will then solicit public comments. After that, agencies will update their requirements.
Service providers must begin sharing data with agencies, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) by September 9, 2021. The information must include any cyber incidents upon discovery, any concrete cyber threats and any potential threats to National Security Systems.
Impact on Non-Government Contractors
Many of the security measures discussed above will trickle down into the private market. As a practical matter, it will be easier for software vendors to maintain one version of a product instead of bifurcating the product line into two: a private market product and a federal government product. The EO mentions a public-private partnership initiative — to be fully fleshed out in the near future — to incentivize change in the commercial market as well. The current provisions with the most significant impact will be the new consumer labeling standard and the new Cyber Safety Review Board.
The EO creates a new consumer labeling standard, similar to the popular Energy Star program, under which consumer appliances can display an exclusive sticker on the retail packaging if the product meets rigorous energy consumption standards set by the government. In this case, the government will set strict consumer cyber safety standards similar to the level of security required for federal contractors. If a product meets these requirements, it can display an exclusive certification on the packaging. This marking will enable consumers to tell quickly whether a product meets the new standard for cybersecurity best practices. The Energy Star program on which this is modeled has been wildly successful, and if this new program is even half as effective, the new certification will be a must-have for any software vendor.
The EO also creates a new Cyber Safety Review Board ("CSRB"), similar to the National Transportation Safety Board ("NTSB"). Like the NTSB, the CSRB can compel private companies to participate in an investigation following any cybersecurity breach. The CSRB will be co-led by the Secretary of Homeland Security and a private-sector executive. The private sector executive will be different for each investigation and will be chosen with the input and consent of the entity being investigated. Although the CSRB will not have the sweeping authority of the NTSB — because it was created by an EO and not an act of Congress — the Biden administration hopes it can still provide vital information concerning cyber-attacks. It is anticipated that the information gathered by the board will become the basis for future cyber standards and regulations.
The EO is sprawling and contains a multitude of other cyber initiatives. However, despite its broad scope, the administration is confident that it is only the first step. Federal IT contractors will be busy for the next year implementing these new measures like multifactor authentication and zero-trust architecture, and private industry will want to keep an eye on the new consumer cyber safety certification program. Lutzker & Lutzker is experienced in government contracting matters and will keep you updated on both federal contracting issues generally and the cybersecurity landscape in particular. We are here to help you navigate this rapidly changing environment.