President Biden's Cybersecurity Executive Order: What it Means for Federal Contractors
If you’re not taking security compliance seriously, this may change your mind.
The federal security compliance ecosystem is changing – quickly.
Biden’s new Executive Order (EO) on cybersecurity (enacted on May 12, 2021) is something to pay attention to because it has a particularly large impact on companies that access government systems.
It will also affect companies that develop software for or on behalf of the government.
Here’s what you need to know about the Executive Order, as a federal contractor, about the Executive Order, including how it will affect you, how it relates to CMMC and NIST, and how it relates to ongoing efforts to harden the defense industrial base supply chain.
What Does It Address?
There are seven provisos that the EO covers.
- Removing barriers to sharing threat information between the government and the private sector.
- Modernizing and implementing stronger cybersecurity standards in the federal government.
- Improving software supply chain security.
- Establishing a cybersecurity safety review board.
- Creating a standard playbook for responding to cyber incidents.
- Improving detection of cybersecurity incidents on federal government networks.
- Improving investigative and remediation capabilities.
How the New Executive Order Will Affect You
Now that we’ve looked at an overview of the Executive Order, let’s consider the impact it will have on you as a federal contractor.
Sharing Threat Information
- It will be easier to share information about threats between agencies.
- FAR and DFARS will go through an assessment process to determine appropriate updates, which will affect federal contractors.
- The Executive Order states that “information and communications technology service providers must promptly report to the relevant agency cyber incidents involving a software product or service provided to such agencies.”
Prioritizing Cloud Solutions
- Modernizing cybersecurity protocols
- Agencies will be trained.
- Communication with cloud providers will be authorized and streamlined.
- Continuous monitoring.
The government will now mandate protection for “critical” software.
- A “Software Bill of Materials” will be created.
- Once this has been created, any software that doesn’t meet the standards set forth will be removed.
- New criteria for labeling will also be created.
What’s the Deal with CMMC and NIST?
The Executive Order doesn’t change CMMC or NIST in any way, rather, they all work together.
In fact, it’s very likely CMMC will be the new cybersecurity mandate for all federal agencies, contractors, and their supply chains.
What About the DIB Supply Chain?
Let’s take a closer look at the effects of the Executive Order specifically on the Defense Industrial Base supply chain.
The EO stipulates that DIB companies put appropriate cybersecurity practices and processes into action to safeguard Federal Contract Information and Controlled Unclassified Information within their unclassified networks.
It also requires an accounting for the trickle-down of information to subcontractors in the context of a multi-tiered supply chain.
Are You Ready?
Change is a good thing when it means that the federal government is making strides to protect sensitive or classified information.
As a federal contractor, you have to get familiar with the new Executive Order and do your part to make it work in the long term.