On May 12, 2021, President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity (the Order) mandating “bold changes and significant investments” to advance the nation’s efforts to identify, deter and defend against cybercriminals. The Order institutes ambitious cybersecurity requirements for “information systems used or operated by [Federal agencies] or by a contractor of an agency or by another organization on behalf of an agency,” and further calls for the advancement of private sector data security practices to enhance the security of U.S. cyberspace and infrastructure.
The Order consists of 11 sections, each including several requirements. At a high-level, the Order addresses four (4) primary cybersecurity interests:
- expanding incident reporting and information sharing;
- modernizing federal information systems;
- improving software supply chain security; and
- remodeling the federal government’s policies and procedures to better detect, respond to, and mitigate cybersecurity events.
While the Order focuses on the federal government and its agencies, many of the requirements are expected to impact federal government contractors and the private sector at large, either directly or indirectly. The Order mandates that guidance be issued, and new requirements be adopted, in a number of areas over the next several months, and the cybersecurity industry will be closely monitoring this activity.
Information Sharing and Reporting
The Order seeks to remove obstacles in contracts between the federal government and its information technology service providers to increase information sharing requirements and opportunities. The Order requires more stringent reporting requirements for service providers. As part of this effort, the Order calls for a review of the Federal Acquisition Regulation (FAR) and recommends new conditions on federal contracts, including severity-based cyber incident reporting deadlines – some as early as three (3) days after discovery of a cyber incident. The Order seeks to not only improve the flow of information sharing from the private sector to the federal government, but also to standardize the collection and sharing of information between agencies and coordination of agency responses and approaches to cybersecurity, as discussed in more detail below.
Paul Caron, Cybersecurity Incident Response Lead at Arete Advisors, notes that the Order aims to provide a common lens to view cybersecurity so that those performing critical roles across defense, technology and incident response can seamlessly facilitate cross-functional information sharing in a transparent manner. Paul is reminded of the intelligence community’s experience following 9/11, when security professionals encouraged flattening the information sharing landscape to achieve national security goals.
Others are less certain about the Order’s potency when it comes to information sharing. To be sure, the federal government has advocated for information sharing for decades, and, while the Order goes to great lengths to funnel threat intelligence to the appropriate authorities, government contractors should brace for significant growing pains as the conditions and procedure for reporting begin to materialize.
Modernizing Federal Government Cybersecurity
The Order requires federal entities to accelerate the transition to cloud-based architectures, including Software-as-a-Service (SaaS), and adopt security practices including encryption standards, zero-trust architecture and multifactor authentication (MFA). The Order also emphasizes critical risk areas such as Secure Software Development Lifecycle (SSDLC), where many code vulnerabilities are overlooked and subsequently exploited. These vulnerabilities are found across both Information Technology (IT) and Operational Technology (OT) environments. While the requirements target government agencies, government contractors and suppliers should be prepared to facilitate these requirements.
Supply Chain Security
The Order addresses the lack of transparency and security controls in software development and calls for guidance that will enhance software supply chains, including securing production environments, attesting to secure development practices and requiring contract language that would mandate that private suppliers of software available for purchase by agencies to comply with the directive. Suppliers will need to attest to certain standards and those that fail to meet the standards may be removed from contracts.
Further, the Order instructs agencies to require vendors to provide a “Software Bill of Materials” (SBOM), or “a formal record containing the details and supply chain relationships of various components used in building software.” Open-source software developers and service providers, in particular, should take note of potential risks when attesting to the integrity and provenance of open-source software.
Federal Vulnerability and Incident Detection, Response, and Remediation
The Order seeks to improve detection of cybersecurity vulnerabilities and response to incidents involving Federal Information Systems. For instance, the Order explicitly identifies Endpoint Detection and Response (EDR) software and requires the Office of Management and Budget (OMB) to issue requirements for agencies to adopt a uniform EDR approach.
In addition, agencies and their contractors are directed to increase efforts to collect and maintain network and system logs on Federal Information Systems. The Order solicits recommendations on the retention schedules and types of logs to be collected, and vendors should be on the lookout for updated guidance in the FAR.
Conclusion
Much of the Order is a recitation of well-established, yet unrealized, cybersecurity goals. However, with this directive, the President establishes aggressive timelines for implementing large-scale information security measures across federal agencies, which will ultimately affect current and future government contractors and suppliers. Mandating that security measures liked EDR and MFA be adopted may have a significant positive benefit on federal government information systems, depending on the implementation specifications. In addition to creating more stringent reporting requirements for contractors and suppliers, the private sector can also expect to see greater government investment in certain technologies, and such contracts will surely be aggressively sought.
Time will tell if the new cybersecurity standards materially improve the federal government’s cybersecurity defenses. In the meantime, businesses that provide information technology products and services to federal agencies should begin evaluating the Order and positioning for compliance. If you have any questions or would like additional information, please contact Edward Finn (; 267.930.4776) or Ryan Gallagher (; 267.930.2308). Thank you to Paul Caron, Cybersecurity Incident Response Lead at Arete Advisors, for contributing to this article. He can be reached at or 847.274.5607