The Biden Administration is close to signing an Executive Order (EO) that will create a federal requirement for vendors who sell their products and/or services to government customers to, among other things, disclose any cybersecurity breach to those government customers. This comes on the heels of the massive hack of SolarWinds Corp., which gave Russian hackers unauthorized access to thousands of government offices and other companies that used SolarWinds products (not to mention the even more recent Microsoft “Zero-Day” exploit). The EO is expected to be finalized in the upcoming weeks, and no decision on its final content has been made yet.
The disclosure requirement is one aspect of the draft EO that will likely have an immediate impact on vendors. As currently drafted, the EO specifies neither a reporting timeframe nor a definition of a “reportable event.” The requirement is intended to allow government officials to understand data security events and to override the non-disclosure agreements, typically signed when software moves from the private sector to the public sector, that limit the sharing of information. The EO would also include many measures that are commonplace in other industries, such as:
- adopting multi-factor authentication;
- encrypting sensitive data;
- preserving digital records; and
- working with federal agencies after an incident occurs.
Additionally, the EO would create a federal cybersecurity incident response board, made up of representatives from federal agencies and cybersecurity companies, that would encourage all parties, including victims, to share information.
It will be important for all software vendors and service providers that provide their products and services to government customers to understand the new requirements, particularly the timing of notification and what constitutes a “reportable event,” as they continue to contract with federal agencies.
Mullen Coughlin will continue to monitor the draft EO. If signed by President Biden, we will provide an update on what it means for software/service provider companies with federal customers. If you have any questions about how this may affect your company, please contact Chris DiIenno (267.930.4775; ) or any other Mullen Coughlin attorney.