Repercussions of Biden’s Executive Order on Improving the Nation’s Cybersecurity for Federal Contractors


In the wake of increasingly aggressive attacks within the cyber threat landscape, such as the 2021 Colonial Pipeline ransomware attack, the 2020 SolarWinds espionage campaign and the 2020 Microsoft HAFNIUM vulnerability exploits, President Biden issued an Executive Order on Wednesday, May 12, 2021 aimed at improving the nation’s cybersecurity posture. Not complying with the directives within the EO could result in grave repercussions for Federal Contractors, including the termination of current federal contracts and the “ban of selling their products to Federal Agencies”.

At a high level, the order is intended to institute baseline cybersecurity standards and requirements for U.S. Government Agencies and, in turn, Federal Contractors through a series of strict mandates. The Cybersecurity Maturity Model Certification (CMMC) is the first of its kind to certify a cybersecurity standard and deem the cyber protections of Defense Industrial Base companies’ unclassified networks adequate. The President’s Executive Order removes the scope limitation to organizations providing services to Defense agencies, as the EO’s requirements apply across all agencies and the vendors they employ.

Key Takeaways for Federal Contractors

  1. Increased Rigor of Requirements for Government Software Supply Chain Vendors
    1. The EO requires Federal Contractors to implement multi-factor authentication and data encryption within their environment.
    2. The order calls for a push towards Zero Trust, requiring Federal Agencies to apply a Zero Trust Architecture to software vendors within their supply chain. According to Microsoft, “regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’” The push towards Zero Trust is widely viewed positively within the private sector, especially amongst more mature organizations: rather than an Agency assuming its Vendor or Contractor is employing adequate cyber hygiene and similar principles, the model treats all systems as already breached.

  2. Enhanced Contract Review and Reassessment of Current Federal Contracts
    1. Within 60 days of Biden’s EO being issued, the Director of the Office of Management and Budget (OMB), after consulting 4 other governing bodies, is required to review the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) contract provisions and language and propose supplemental updates to those documents. Additionally, the proposal should include suggestions on which contractors should be covered by the proposed language.
    2. Federal Information Technology Vendors are now required to disclose specific data about hacks and security breaches. The EO mandates the removal of all contractual limitations and restrictions that would prevent Federal Contractors from disclosing breach information.

  3. Mandatory Investment in Cybersecurity Infrastructure
    1. The aforementioned provisions will assuredly result in additional costs for Federal Contractors hoping to comply with the directives issued in the EO. Additionally, the accelerated implementation timeline may result in further costs, as contractors will need to identify the required software and third-party vendors, onboard them quickly, and allocate internal resources to meet the deadlines.

  4. Hastened Implementation Timeline
    1. The EO has approximately 40 deadlines; the most notable for Federal Contractors correspond to the implementation and enforcement phases of the new directives. Most of the requirements for Federal Contractors can be found in Section 4, Enhancing Software Supply Chain Security, of the Order and have a 120-day turnaround time.

The issuance of Biden’s Executive Order is timely, as malicious cyber activity from nation-state actors and cybercriminals has steadily increased over the last decade. As the Order aptly states, “these incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.” Hence, it is essential to note that the mandates, although complex, are necessary to secure our nation’s cybersecurity infrastructure and security posture. CKSS will continuously monitor the policy and contractual revisions that emerge for Federal Contractors in the coming months as a result of this Order.