Biden Signs Executive Order Seeking to Harden Federal Cybersecurity Defenses

On May 12, 2021, President Biden signed a lengthy executive order aimed at advancing federal cybersecurity defenses following a tumultuous year of devastating cyberattacks on private- and government-sector networks. The release of the executive order came after the recent crippling ransomware attack on Colonial Pipeline that caused extensive fuel shortages along the East Coast. The order establishes guidelines for select executive agencies to review and implement. Below are some of the notable portions of the order:

  • Entities contracting with the federal government for software services are to collect, preserve and share with different executive agencies data that can be used to prevent, respond to and learn from cyber incidents.
  • The standards for qualifying reportable data will be compiled by various agencies and recommended to the Federal Acquisition Regulation (FAR) Council for implementation.
  • The order facilitates the government’s ability to test the security of a product before purchasing it.
  • Severe cyber incidents must be reported within three days of the incident.
  • Entities must report incidents to the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA). CISA will act as the central repository for these reports.
  • CISA will also now be responsible for establishing frameworks for cloud security and improved information sharing within the federal government, requiring a number of agencies to report to CISA regarding compliance.
  • The order creates the “Cybersecurity Safety Review Board,” which will be responsible for reviewing severe incidents.
  • Agencies are to plan to implement multi-factor authentication methodologies that emphasize behavior as the authenticating tool, in lieu of a password or location, or various other two-factor authentication tools. Such a system will report anomalous behavior by the user as a means of detecting cyber threats.
  • The National Institute of Standards and Technology (NIST) must publish preliminary guidelines on software supply-chain security within six months, and final guidelines within a year. These guidelines should discuss: checking for vulnerabilities; finding evidence of system flaws; ensuring current and compliant source code; and more, such as how to validate trusted source code with automated tools.
  • The order also permits the National Cyber Director, a newly established executive position (see National Defense Authorization Act (NDAA), Pub. L. 116-283, Sec. 1752 (2021)), to modify portions of the order to ensure that the duties and responsibilities of the Office of the National Cyber Director can be fulfilled.
