On May 12, 2021, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days. Ransomware attacks are nothing new, but they are increasing in severity. Most do not see the large sums paid to hackers by victim organizations needing access to their encrypted data or wanting to stop a disclosure of sensitive information if they can. But most do see the crippling of vital infrastructure caused by compromised computer systems without which basic services cease to flow.

Of course, the Colonial Pipeline incident is not the only attack we have seen affecting entities that provide to critical infrastructure. In February of this year, ABC News reported that weak cybersecurity controls “allowed hackers to access a Florida wastewater treatment plant’s computer system and momentarily tamper with the water supply,” based on a memo by federal investigators obtained by ABC. A month later, sensitive data were exposed for some time in cloud storage by New England’s largest energy provider, according to reports. The SolarWinds breach last year, named Sunburst, was a massive compromise of government agencies including the Department of Energy.

Will the EO help? It is unclear at this point, however, the EO makes a clear statement on the policy of the Administration:

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

The effect of the EO will mostly affect the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and also will influence the private sector. Below are several of the items directed by the EO:

  • Removing contractual barriers in contracts between the federal government and its information technology (IT) and operational technology (OT) service providers. The goal here is to increase information sharing about threats, incidents, and risks in order to accelerate incident deterrence, prevention, and response efforts and to enable more effective defense of government systems and information. As part of this effort, the EO requires a review of the Federal Acquisition Regulation (FAR) concerning contracts with such providers and recommendations for language designed to achieve these goals. Recommendations will include, for example, time periods contractors must report cyber incidents based on severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection. The changes also will seek to standardize common cybersecurity contractual requirements across agencies.
  • Modernize approach to cybersecurity. To achieve this goal, some of the steps called for in the EO include adopting security best practices, advance to Zero Trust Architecture, move to secure cloud services, including Software as a Service (SaaS), and centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. More specifically, the EO requires that within 180 days of the date of the EO, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.
  • Improve software supply chain security. Driven by the impact of the SolarWinds incident, the EO points to the lack of transparency in the software development and whether adequate controls exist to prevent tampering by malicious actors, among other things. The EO calls for guidance to be developed that will strengthen this supply chain, which will include standards, procedures, and criteria, such as securing development environments and attesting to conformity with secure software development practices. The EO also requires recommendations for contract language that would require suppliers of software available for purchase by agencies to comply with, and attest to complying with the guidance developed. Efforts also will be made to reach the private sector. For instance, pilot programs will be initiated by the Secretary of Commerce acting through the Director of NIST to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.
  • Establishing a Cyber Safety Review Board. Among the Board’s duties would include reviewing and assessing certain significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
  • Standardize incident response. Standardize the federal government’s response to cybersecurity vulnerabilities and incidents to ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
  • Improve detection. The EO seeks to improve detection of cybersecurity vulnerabilities and incidents on federal government networks.
  • Improving the federal government’s investigative and remediation capabilities. The Administration recognizes it is essential that agencies and their IT service providers collect and maintain network and system logs on federal information systems in order to address a cyber incident. The EO seeks recommendations on the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. These recommendations will also be considered by the FAR Council when promulgating rules for removing barriers to sharing threat information.

It is expected the U.S. government will ramp up efforts to strengthen its cybersecurity, and we can expect states to continue to legislate and regulate in this area. All businesses, including federal contractors, likely will experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

Tags: Biden Administration, BTI Law Firms Best at Cybersecurity 2017, Colonial Pipeline, cybersecurity, Executive Order, FAR, Federal Acquisition Regulation, federal contractors, President Biden, ransomware, software supply chain, SolarWinds
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Photo of Laura A. Mitchell Laura A. Mitchell

As co-leader of the firm’s ESG group, Laura Mitchell partners with her clients to evaluate, set, achieve and monitor their organizational culture and human capital goals. She focuses her practice on data analytics, including pay equity and other employee analytics, working side-by-side with…

As co-leader of the firm’s ESG group, Laura Mitchell partners with her clients to evaluate, set, achieve and monitor their organizational culture and human capital goals. She focuses her practice on data analytics, including pay equity and other employee analytics, working side-by-side with employers to build programs that benefit employees and create a stable, high-functioning workplace. Understanding that an inclusive, values-based culture provides a crucial competitive advantage in the modern workplace, Laura enjoys counseling companies on the development of proactive and equitable pay and diversity practices.

In Laura’s version of the reimagined workplace, attention to human capital issues, especially DEI and pay equity, would be the rule rather than the exception nationwide and she works with companies across all industries—both new and well-established multi-national organizations of all sizes—to realize this vision for her clients’ ongoing success. She helps clients understand all issues across the spectrum of their journey, helping to establish regular analyses as well as counseling organizations on implementation and compliance obligations, where applicable. Committed to putting her clients’ organizational goals first and foremost, Laura views herself as an extension of her clients’ team, responsible for providing proactive guidance and engaging in transparent, ongoing communication.

Laura also represents companies in OFCCP matters, preparing for and defending OFCCP audits, and counseling employers on issues stemming from OFCCP regulations. She personally oversees the development of hundreds of Affirmative Action Plans for clients each year and is intimately involved in the defense of OFCCP audits. Her approach to compliance is one of facilitation and conciliation while simultaneously advocating in the best interests of her clients.

Read more about Laura A. Mitchell
Show more Show less
Related Posts
A Brief Reminder About the Florida Information Protection Act
March 4, 2025
Firings at the US Privacy and Civil Liberties Oversight Board and Potential Impact on Transatlantic Data Transfers
February 3, 2025
Happy Privacy Day: Emerging Issues in Privacy, Cybersecurity, and AI in the Workplace
January 28, 2025