Biden Signs Order to Bolster Cybersecurity.

Author: Cassidy, Susan B.
Position: Government Contracting Insights

On May 12, President Joe Biden issued the "Executive Order on Improving the Nation's Cybersecurity."

The directive aims to strengthen the federal government's ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government's software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.

Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.

The directive covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.

It seeks to remove obstacles to sharing threat information between the private sector and federal agencies; mandates that software purchased by the federal government meet new cybersecurity standards; and discusses securing cloud-based systems, including information-technology systems that process data, and operational-technology systems that run vital machinery and infrastructure.

It also aims to impose new cyber incident reporting requirements on certain IT and OT providers and software product and service vendors; establishes a cyber safety review board to evaluate and assess such cyber incidents and other cyber events; and addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of internet-of-things devices.

The order acknowledges that the federal government regularly contracts with IT and OT service providers who have "unique access to and insight into cyber threat and incident information" on "federal information systems." However, it notes that "contract terms" can restrict the ability of those companies to share threat or incident information with federal agencies. It requires a review of the current regulations for revisions to improve data reporting.

The directive addresses the modernization of federal systems, including investment in technology and personnel, increasing the adoption and user security of cloud services, evaluation of the types and sensitivity of unclassified information on federal networks, the use of multi-factor authentication and encryption, and other issues. It mandates...
