Contractors Beware: New Cybersecurity Executive Order Signals a Change in Direction
The White House just issued a long-awaited Cybersecurity Executive Order (EO). The EO is divided into five sections, which we will summarize in turn:
Section 1 of the EO includes "policy," "findings," and "risk management" and lays out the Administration's views of key concerns general themes. Among the more interesting findings include:
- The federal government has accepted antiquated (and difficult-to-defend) IT for too long
- Effective risk management includes protecting IT/data in place and what will come down the road
- Known vulnerabilities are "among the highest cybersecurity risks"
- Effective risk management requires assembling a cross-functional team
The "findings" emphasize known vulnerabilities as a risk factor because there continue to be deficiencies across agencies. The Federal Information Security Management Act (FISMA) was updated in 2015 to include a separate process to handle more malicious attacks including zero-day exploits and the OPM attack certainly created new structures to handle broader cyber risks that the agencies are facing.
The Risk Management subsection emphasizes that agency heads will be responsible for ensuring the implementation of risk-based cybersecurity policies. This continues policies and laws set up under both FISMA reform and during the Obama Administration. To do so, all agencies must now utilize the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"). While agency heads played a role in previous cybersecurity executive orders, agencies' roles and responsibilities are more prominent here. Within 90 days, agencies must issue a report that documents the "risk mitigation and acceptance choices made by each agency head" and "describe the agency's action plan to implement the Framework." It is then up to the Secretary of Homeland Security and the Director of OMB to determine whether such plan is sufficient and whether additional budgetary funding is needed to address outstanding agency needs.
Further, the EO (under the Risk Management section) states that future IT procurements should favor the use of shared IT services. This furthers the goals of the Federal Information Technology Acquisition Reform, adopted in the last couple of years with the goal of streamlining how the government obtains IT services.
Section 2 addresses cybersecurity of Critical Infrastructure. The policy outlines that the government will use its "authorities and capabilities" to support cybersecurity risk management for owners and operators of Critical Infrastructure. The definition of Critical Infrastructure adopted (from 42 USC § 5195c) covers all aspects of the major sectors in the U.S. and could have an impact on government contractors. However, the focus is on a smaller subset of Critical Infrastructure deemed to be at greatest risk as defined by a prior EO 13636 that defines it as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
Within 240 days, a report is required regarding how to "improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)."
Also within this section is an assessment regarding the electrical grid and a report requiring an evaluation of "cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks." Such a report could potentially lead to new regulations on government contractors.
Section 3 emphasizes the need for effective cybersecurity and a well-trained cybersecurity workforce. Also mentioned in this section is the need for international cooperation and engagement.
Sections 4 and 5 contain definitions and general provisions often found in EOs.
As one can tell from the summary above there are numerous reports that will be produced in the coming months. These reports, coupled with additional action from NIST, could lead to additional requirements on government contractors. Certainly the emphasis on shared services could further direct changes to how the government obtains IT services from contractors and a focus on federal IT modernization provides a series of opportunities for contractors as well,
We will provide further updates as warranted.