Skip to content Skip to footer

Loading Results

Biden's executive order on cybersecurity: a good beginning

President Biden just released an Executive Order (EO) on improving the nation’s cybersecurity to galvanize public and private efforts to help identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns. Specific measures in the EO reflect lessons learned from recent crises, such as the recent cyber espionage campaigns.

In our view, the EO signals two things.

  • It calls for making federal government systems stronger and safer so they’re harder to break into. It pushes specific actions to modernize cybersecurity in the federal government, such as zero trust architecture. And it uses the $70 billion information technology (IT) purchasing power of the federal government to impel the market to build security into all software from the ground up.

  • It sets a goal for more effective and agile federal government responses. It requires IT providers to report cyber incidents and removes contractual barriers for them to share information with government entities. The EO also standardizes the playbook for different agencies to respond together to incidents.

This is a matter of national security and trust. The EO says “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” 

This EO is just the first step for dealing with nation-state supply chain attacks. Sean Joyce, PwC’s Global & US Cybersecurity, Privacy & Forensics leader, had raised the urgency of more holistic action: The United States needs a more organized approach to cyberthreats. Already, the government and industry have lagged in updating our laws, our regulations, corporate responsibilities and adjusting to a digital, boundary-free world.

Who is affected?

  1. Federal executive agencies are expected to modernize their technology environment and security practices.

  2. Federal contractors, including commercial-off-the-shelf (COTS) software providers, will likely see new cybersecurity standards built into contract terms. They will be required to share more information on cyber incidents.

  3. The private sector will likely see a focus on software supply chain security, as well as on transparency through proposed consumer security labeling on software and internet of things (IoT) devices. As a result, software and IoT device companies should expect new security requirements and assessment standards.

The Biden administration EO outlines an array of cybersecurity objectives the government must meet, and there’s a short timeline to do so. As with former President Obama’s EO nine years ago, we anticipate a cascading impact, first to federal contractors and then rippling through other industries, as new standards are set and practices are adopted.

We now turn to the implications of the EO for the most directly affected: the providers of IT services to the federal government.

Directives and implications for federal contractors

Increase information sharing for better detection, investigation and remediation

Enhance information sharing

The EO directs the removal of any contractual barriers and requires IT service providers to share breach information that could impact government networks. The aim is to enable more effective defenses of federal departments and to improve the nation’s cybersecurity as a whole.

Implications

Short of national data breach legislation, this EO likely goes as far as it can to mandate cyber incident reporting. 

Traditionally, only defense contractors have had specific requirements regarding breach reporting (DFARS 252.204.7012 clause). This EO will extend the requirement to all Federal Acquisition Regulation (FAR) contracts. As a result, contractors will need to understand the contract requirements and the ability of their underlying data governance frameworks to classify, manage and protect sensitive data (i.e., controlled unclassified information [CUI].) 

In addition, contractors will be expected to collect and share information related to threats, vulnerabilities and incidents collected to share relevant information with CISA, FBI, and other agencies and boards for investigation.

Improve detection of cyber incidents on federal government networks

The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection-and-response system and improving information sharing within the federal government.

Implications

The intent is to provide greater details to proactively identify threats, as well as having appropriate information to investigate and respond to incidents. 

Proactive threat hunting leads to cyber risk reduction. The ability to actively search endpoints and identify sophisticated threats requires advanced tools, technology and people.

Improve investigative and remediation capabilities

The EO creates cybersecurity event log requirements for federal departments and agencies.

Implication

IT service providers will be required to collect and maintain information from network and system logs on federal information systems (for both on-premise systems and connections hosted by third parties, such as cloud service providers), and to provide them to the government when necessary to address a cyber incident.

Make the federal government systems stronger and safer

Improve collaboration within government agencies and with the private sector

Create a Cybersecurity Safety Review Board

The EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. The board may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.

Implication

This is expected to operate similarly to the National Transportation Safety Board’s (NTSB’s) investigations into major transportation incidents, and it will include participation from the private sector. The details concerning what incidents this review board will participate in have not yet been determined.

Create a standard playbook for response to cyber incidents

The EO calls for a standard set of operating procedures (playbook) and a set of definitions for cyber incident response by federal departments and agencies. The playbook will help ensure that all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.

Implication

Standardized playbooks used by government agencies will likely speed up the response and investigative process. Currently, the cybersecurity vulnerability and incident response procedures vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies. Standardized response processes could lead to centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.

Timelines in the Executive Order

Great resolve and good ideas in executive orders need to be translated into rules and standards. What are the important milestones?

Contact us

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Matt Gorham

Senior Fellow, Cyber & Privacy Innovation Institute, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Hide