This past year has seen a series of cyberattacks not just against private entities, but against the U.S. government itself.  Given the magnitude of the problem, the private sector is looking to the government for more leadership in addressing the threat. On May 12, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity (“EO”) designed to not only protect government assets, but also to address the broader threat.  

In the statement announcing the EO the White House acknowledged that U.S. public and private sector entities “increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” and that significant contributions toward modernizing cybersecurity defenses are needed.  The statement also acknowledged, “federal action alone is not enough”.

The EO sets forth a number of initiatives intended to modernize cybersecurity defenses in the U.S. by protecting federal networks, improving information sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. Not only will this EO impact a large number of government contractors, but the White House encouraged the private sector to “take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents”.

The specific mandates include:

• Removal of Barriers to Information Sharing Between the Government and Contractors. The EO helps to ensure that Information Technology (“IT”) Service Providers share information about actual or suspected cyber incidents by removing any contractual barriers and mandating the sharing of certain breach information to help improve U.S. cybersecurity.
• Modernizing Federal Cybersecurity Practices. The EO helps facilitate the movement of the federal government to “secure cloud services and a zero-trust architecture” as well as the deployment of multifactor authentication and encryption security tools with a specific time period.
• Enhancing Software Supply Chain Security.  The EO requires the establishment of certain baseline security standards to be used by IT companies in the development of software that may be sold to the U.S. government. These standards will require software developers to maintain more visibility into their products and security-related data. The EO also creates a process for the development of new approaches to secure software development for both the public and privacy sectors.  The process will include a pilot program that utilizes an “energy star” – like label that will help the U.S. government and public determine at a glance whether software has been developed in a secure manner.
• Establishing a Cybersecurity Safety Review Board. The EO creates the Cybersecurity Safety Review Board, which will be co-chaired by both government and private sector leads and will conduct oversight and analysis with respect to any significant cybersecurity incidents. The Cybersecurity Safety Review Board will also help develop concrete and functional recommendations for improving cybersecurity within the U.S.
• Creating a Standard Playbook for Responding to Cyber Incidents. The EO requires the creation of a standardized playbook and set of definitions for federal departments and agencies to utilize in their response to cybersecurity incidents. This playbook and associated definitions will help to ensure uniform steps are implemented to identify and mitigate threats.
• Maximizing Early Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks. The EO requires the enablement of a government-wide endpoint detection and response (“EDR”) system, as well as improved intra-governmental information sharing within the federal government in order to improve the ability to detect malicious cyber activity on federal networks.
• Requiring Collection and Maintenance of Event Logs and Relevant Data. Finally, the EO requires the creation of a cybersecurity event log for federal departments and agencies to foster robust and consistent logging practices in order to improve how government agencies and departments detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.

The initiatives set forth in the EO are a significant step forward for improving U.S. cyber defenses as the collective effect encourages collaboration and sharing of data concerning cyber threats to both public and private entities. While the standards have yet to be developed, it is likely that these requirements will eventually become leading baseline for cybersecurity practices.