On May 12, 2021, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity. The order comes on the heels of a number of widely reported cybersecurity crises, including the SolarWinds and Microsoft Exchange compromises, that brought renewed attention to glaring gaps in software supply chain security. By using the federal procurement process as the lever, the Biden Administration is beginning to increase security obligations on the private sector and to establish new security standards across the industry.
The order requires companies to take a number of cybersecurity-related actions when contracting with the federal government. One key component requires contractors to share cybersecurity threat information in the context of incident response. Specifically, the order requires that service providers for the federal government collect and preserve data relevant to cybersecurity event prevention, detection, response, and investigation, and share that information with the government. This requirement was likely inspired by the SolarWinds compromise, which revealed the government’s dependence on the security posture of privately owned companies.
The order also requires the publication of federal contracting language addressing software supply chain security. It directs the National Institute of Standards and Technology (NIST) to establish criteria for evaluating software security, including the security practices of developers and suppliers, and to identify tools and methods that software companies can use to “demonstrate” conformance with secure development practices. These methods include providing purchasers with a Software Bill of Materials (SBOM), participating in a vulnerability disclosure program, and attesting to the integrity and provenance of the open source software used in a product.
These features of the order are likely to have spillover effects outside of government contracting, as companies that contract with the government will likely apply the same security changes to their private sector customers as well. Once the new guidelines come into effect, companies that can demonstrate compliance with the NIST standards may also gain a competitive advantage in the marketplace. This may create a trickle-down effect in which even companies that do not contract with the federal government adopt security changes so they can show conformance with best practices and attract business. To this end, supply chain security firm Finite State is already offering advice to software vendors preparing to follow the order’s guidelines.
The order will also affect software developers and other companies in more indirect ways. It directs the federal government to initiate pilot programs to educate the public about the security capabilities of Internet of Things (IoT) devices, and to identify IoT cybersecurity criteria and secure software development practices for a consumer labeling program. The private sector will likely need to adjust its practices to align with these criteria. The order also directs the creation of a standardized playbook for federal agencies’ cybersecurity incident response, which will give the private sector a template of best practices for its own response efforts.
We recommend that software developers and IoT and other device manufacturers continue to track the development of guidelines and standards issued pursuant to the order. As more specific requirements take shape, companies should expect to be asked more frequently for proof of their products’ security and of their secure development lifecycle. This shift toward demonstrable security compliance will likely reverberate across multiple sectors, so the time to begin paying attention to the order and its aftereffects is now.