On May 12, 2021, the Biden Administration issued Executive Order 14028 on Improving the Nation’s Cybersecurity. The Executive Order comes in the wake of cybersecurity incidents such as the SolarWinds hack in December 2020, the recent Colonial Pipeline attack, and the attack on Brazil’s JBS this past week. The overarching goal of the Executive Order is to standardize cybersecurity protection protocols across the entire Federal Government, rather than the agency-to-agency protocols currently in place, and to use the Government’s buying power to jumpstart cybersecurity improvements in the private sector. With these changes, the Executive Order is expected to impact government contractors and their cybersecurity requirements.
The Executive Order
The Executive Order covers an array of cybersecurity topics, including preparing for, protecting against, and responding to cyber breaches; required reporting and cooperation from government contractors in the wake of cyber breaches; directing the Federal Government to transition to secure cloud services and implementing Zero Trust Architecture and multifactor authentication; enhancing software supply chain security; and establishing a Cyber Safety Review Board.
Though the main focus of the Executive Order is the implementation of changes within the Federal Government itself, government contractors can also expect to see some changes. Specifically, in support of the initiatives to remove barriers to sharing threat information and to improve software supply chain security, President Biden has ordered the Office of Management and Budget (OMB) to review and recommend updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). Because the Executive Order gives OMB 60 days to make recommendations, the full impact on government contractors is not yet known. However, any proposed amendments to the FAR and DFARS will follow the standard rulemaking procedures and be open to public comment, thereby providing potentially affected contractors the opportunity to offer input regarding the proposed changes.
Although the specifics of the FAR and DFARS changes are not yet known, it is clear that contractors will be required to extend the data collection and preservation requirements aimed at preventing and responding to cyber breaches to the contractor’s entire IT infrastructure – not just the systems used in federal contracting. Accordingly, every contractor that does business with the Federal Government may need a potentially significant overhaul of its IT systems to comply with the updated cybersecurity standards.
Cybersecurity Maturity Model Certification
Interestingly, the Executive Order makes no mention of, or reference to, the Cybersecurity Maturity Model Certification (CMMC), which is the current cybersecurity certification process that government contractors must comply with prior to bidding on Department of Defense contracts. CMMC had previously experienced delays in its rollout, which were exacerbated by the replacement of top Pentagon officials after the election. The omission of any reference to CMMC in the Executive Order may signal an intention to replace CMMC with a single Federal Government-wide set of standards, but to date there has been no official word on the fate of CMMC.
Though the exact future of cybersecurity practices and standards is unclear, government contractors should be prepared to meet more stringent requirements and should consider reviewing their cybersecurity programs now to identify weaknesses and areas for improvement. When the revisions to the FAR and DFARS are issued, contractors will need to implement them promptly. Improving cybersecurity ultimately should provide both the Federal Government and its contractors with additional operational security to combat the ever-increasing threat of cyberattacks.