White House Issues Executive Order on Improving Nation’s Cybersecurity

Snell & Wilmer

Last week, the White House issued a new Executive Order on cybersecurity (Executive Order 14028, "Improving the Nation's Cybersecurity," signed May 12, 2021; the "EO" or "Order"). The EO responds to persistent and increasingly sophisticated malicious cyber campaigns that threaten the public and private sectors and the security and privacy of the American people, and it asserts that "bold changes" are needed to defend these institutions. Although the Order is directed at federal agencies and at the vendors and developers that do business with the Federal Government, it is likely to have significant ramifications throughout the private sector.

This legal alert addresses the EO’s key points of substance, with an understanding that significant implementation work still needs to be done.

Key Points & Implications

1. Getting the Federal Government’s House In Order – And Implications for the Private Sector

The EO requires the Federal Government to adopt security best practices, moving away from outdated security models and modernizing cybersecurity standards across agencies. It seeks to improve early detection of vulnerabilities and incidents on federal networks. To that end, Federal Civilian Executive Branch ("FCEB") agencies must deploy an Endpoint Detection and Response ("EDR") initiative that supports proactive detection of cybersecurity incidents within federal infrastructure, active cyber hunting, containment and remediation, and incident response. The modernization effort also includes securing cloud services, advancing toward a Zero Trust Architecture, and mandating deployment of multifactor authentication and encryption of data at rest and in transit within a fixed period (180 days from the date of the Order).

The EO also directs the creation of a standard "playbook" for responding to cyber incidents: a common set of operational procedures for planning and conducting cybersecurity vulnerability and incident response activities. The playbook will define key terms consistent with statutory definitions, so that agencies share a common understanding of what constitutes a cyber incident and of an agency's cybersecurity status. Although the playbook applies only to federal agencies, it is intended to "provide the private sector with a template for its response efforts."

Additionally, the EO calls for improving the Federal Government’s investigative and remediation capabilities. This includes establishing requirements for logging events and retaining other relevant data within an agency’s systems and networks.

The government’s adoption of best practices is meant to serve as an example for the private sector.

2. Promoting Cyber Threat Information Sharing

Through updated government contracting requirements, the EO seeks to remove barriers to sharing threat information between the government and the private sector. Its goal is to streamline and standardize cybersecurity contractual requirements across agencies and to ensure that information technology ("IT") and operational technology ("OT") service providers share cyber threat and incident information with the government. Following updates to the Federal Acquisition Regulation ("FAR") and the Defense Federal Acquisition Regulation Supplement ("DFARS"), which will include descriptions of the contractors covered by the proposed contract language, agencies must update their agency-specific cybersecurity requirements.

3. Improving Software Supply Chain Security

The EO also seeks to enhance software supply chain security by establishing baseline security standards for the development of software sold to the government. These include standards, procedures, and criteria for secure software development environments, encrypting data, maintaining greater visibility into the components of software (for example, through a Software Bill of Materials ("SBOM")), and making security data publicly available. These standards will apply to any company that sells software to the Federal Government. In addition, the EO directs the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology ("NIST"), to initiate pilot programs, informed by existing consumer product labeling programs, to educate the public on the security capabilities of Internet-of-Things devices and on software development practices. The Director of NIST will also consider ways to incentivize manufacturers and developers, including those in the private sector, to participate in these programs.

4. Creation of a Cyber “National Transportation Safety Board”

Additionally, the EO establishes a Cyber Safety Review Board, modeled loosely on the National Transportation Safety Board's investigations of transportation accidents. The Board will convene following a significant cyber incident to review and assess it, and it will include federal officials and representatives from private sector entities.

Conclusion

One of the EO's ambitions is for the private sector to adopt these heightened security standards, and the Order may soon come to be treated as a benchmark for what constitutes reasonable security. All companies, especially those doing any business with the Federal Government, should stay informed about the forthcoming regulations implementing the EO and agency action on security standards, and should consider whether to submit comments during the rulemaking process.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
