Biden Executive Order Sets the Table for Industry Cybersecurity Reform

After months of anticipation and internal deliberation, on May 12, 2021, the Biden Administration issued a sweeping Executive Order aimed at strengthening the nation’s cybersecurity. The Order comes on the heels of several major cyber incidents, including Solar Winds, the Microsoft Exchange exploitation, and the Colonial Pipeline ransomware attack that resulted in gas shortages across the East Coast.

While the lion’s share of the Order focuses on securing federal networks and improving vendor security standards, it contains a number of provisions designed to raise cybersecurity standards across the private sector, and sets the table for possible future regulation of software and Internet of Things (“IoT”) security.

Many of the new security standards will be imposed through modifications to the Federal Acquisition Regulation (“FAR”), and companies providing technology products and services to the government should begin preparing now to meet heightened standards. Even companies who do not conduct business with the federal government should take advantage of the opportunities for collaboration, including commenting on proposed standards and participating in advisory bodies, as the standards and requirements developed pursuant to the Order will shape the cybersecurity landscape well beyond the federal government and federal contractors.

This alert highlights some of the prominent features of the Order that could impact private sector companies.

Securing the Software Supply Chain

New Security Guidance for Commercial Software: The Order directs the National Institute for Standards and Technology (“NIST”) to work with industry to establish baseline security guidelines for commercial software. This represents the most aggressive effort yet by either Congress or the Executive branch to dictate the security standards federal vendors must meet. The Order requires the initial guidelines to address the following:

• Establishing secure software development environments;
• Generating and making available, when requested, artifacts validating the security of such software development environments;
• Using automated tools to identify vulnerabilities and ensure the integrity of code;
• Documenting the provenance of software code and components;
• Providing purchasers with a Software Bill of Materials (“SBOM”), a formal record stating the details and supply chain relationships of the various components used in the software; and
• Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within the product.

These guidelines will eventually be incorporated into the FAR, making them mandatory for federal contractors. While the guidelines will not be mandatory for entities who do not contract with the government, they will likely significantly shape industry practices as a whole. The government contracts with many large software companies, and the ripple effects of their compliance will reach broadly into the private sector. Further, because NIST is developing the guidelines in conjunction with private sector partners, they will likely become the industry standard, even if they are not direct regulatory requirements.

Software and IoT Security Labeling Pilot: A novel, and potentially controversial, aspect of the Order is the direction to establish pilot programs for security labelling standards for software and IoT products (e.g., smart appliances). Likened to an “energy star” label for security purposes, the intent is to allow the government and the public to make informed choices about the security of the software and IoT products they purchase. The Order directs NIST to collaborate with the private sector and to “consider ways to incentivize manufacturers and developers to participate.” Notably, the Federal Trade Commission (“FTC”) will play a role in the development of the consumer labelling pilot, signaling that the program could be a catalyst for increased FTC scrutiny of software and IoT providers.

Improving Cyber Threat and Incident Information Sharing

In the wake of recent cybersecurity incidents, government contractors have complained that contracting rules and legal requirements have inhibited their ability to share critical cyber information with the government. The Order takes steps to remove these barriers and directs the FAR Council to update the FAR, based upon recommendations from agencies, to standardize cybersecurity requirements across all federal contracts. The updates will also require service providers to: (1) collect and preserve data relevant to cybersecurity event prevention and incident response; (2) share information regarding any cyber incidents or potential cyber incidents with the government; (3) collaborate with government investigations into the incident; and (4) share cyber threat information with the government. The contractual provisions to implement these goals will be complex and potentially require broad disclosures, and companies should review and comment on the proposed revisions to the FAR when they are published for public comment within the next four to six months.

In the interim, the Order directs the Department of Homeland Security (“DHS”) and the Office of Management and Budget (“OMB”) to take steps to “ensure to the greatest extent possible” that contractors are sharing information needed by the government to respond to cyber threats, incidents, and risks.

Cybersecurity Safety Review Board

The Order also tasks the Secretary of DHS with establishing a Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board (“NTSB”). Just as the NTSB reviews airplane crashes and other safety incidents, the Board will convene following significant cyber incidents to review and assess threat activity, vulnerabilities, mitigation activities, and agency responses, and to provide concrete recommendations for improving cybersecurity and incident response practices. Absent Congressional action, the Board’s authority is limited to serving as an “advisory committee” to the Secretary of DHS, and it will not have subpoena powers. Nevertheless, because the Board will include representatives of the private sector, and will be co-chaired by the Secretary of DHS and a private sector official chosen for the particular incident being investigated, its findings and recommendations will likely have influence well beyond the federal government. The Board’s first task will be to review the SolarWinds hack and issue recommendations to prevent similar breaches in the future, as well as to compile recommendations on improvements to the Board’s operations.

Key Takeaways and Open Questions

The Order directs a massive effort by the government to take comprehensive steps to improve federal cybersecurity, and to use the government’s purchasing power and influence to improve cybersecurity in the private sector. The Order makes clear that the White House understands that federal contracts are a significant leverage point to change industry standards more broadly, and contractors should expect to see that wider goal reflected in the specific updates to the FAR.

The Order also reflects an understanding that the interests of the government and industry cybersecurity are intertwined and seeks to enhance collaboration with the private sector to address these issues. This offers an opportunity for companies to shape the standards and requirements developed pursuant to the Order. Even companies who do not do business with the government should consider participating as the new standards will shape the cybersecurity landscape well beyond the federal government and federal contractors.

Outside of the federal contracting sphere, direct cybersecurity requirements will likely have to wait for congressional action. The Colonial Pipeline incident will likely motivate Congress to provide increased authority to regulators of critical infrastructure, a move the White House would certainly support. Proposals for a nationwide cyber incident reporting standard are also circulating on the Hill, although there remain significant questions regarding liability and confidentiality protections for companies.

Despite this uncertainty, it is clear that changing the landscape of cybersecurity is a priority for the Biden Administration, and the recent high-profile incidents may be sufficient fuel to pursue significant new regulatory efforts.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O'Melveny partner licensed to practice law in California, Tod Cohen, an O'Melveny partner licensed to practice law in the District of Columbia, Greta Lichtenbaum, an O'Melveny partner licensed to practice law in the District of Columbia, Scott W. Pink, an O'Melveny special counsel licensed to practice law in California and Illinois, John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, Evan N. Schlom, an O'Melveny counsel licensed to practice law in California and the District of Columbia, and Rachel Chung, an O'Melveny associate licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.