Biden's executive order on cybersecurity: a good beginning

President Biden just released an Executive Order (EO) on improving the nation’s cybersecurity to galvanize public and private efforts to help identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns. Specific measures in the EO reflect lessons learned from recent crises, such as the recent cyber espionage campaigns.

In our view, the EO signals two things.

  • It calls for making federal government systems stronger and safer so they’re harder to break into. It pushes specific actions to modernize cybersecurity in the federal government, such as zero trust architecture. And it uses the $70 billion information technology (IT) purchasing power of the federal government to impel the market to build security into all software from the ground up.

  • It sets a goal for more effective and agile federal government responses. It requires IT providers to report cyber incidents and removes contractual barriers for them to share information with government entities. The EO also standardizes the playbook for different agencies to respond together to incidents.

This is a matter of national security and trust. The EO says “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” 

This EO is just the first step for dealing with nation-state supply chain attacks. Sean Joyce, PwC’s Global & US Cybersecurity, Privacy & Forensics leader, had raised the urgency of more holistic action: The United States needs a more organized approach to cyberthreats. Already, the government and industry have lagged in updating our laws, our regulations, corporate responsibilities and adjusting to a digital, boundary-free world.

Who is affected?

  1. Federal executive agencies are expected to modernize their technology environment and security practices.

  2. Federal contractors, including commercial-off-the-shelf (COTS) software providers, will likely see new cybersecurity standards built into contract terms. They will be required to share more information on cyber incidents.

  3. The private sector will likely see a focus on software supply chain security, as well as on transparency through proposed consumer security labeling on software and internet of things (IoT) devices. As a result, software and IoT device companies should expect new security requirements and assessment standards.

The Biden administration EO outlines an array of cybersecurity objectives the government must meet, and there’s a short timeline to do so. As with former President Obama’s EO nine years ago, we anticipate a cascading impact, first to federal contractors and then rippling through other industries, as new standards are set and practices are adopted.

We now turn to the implications of the EO for the most directly affected: the providers of IT services to the federal government.

Directives and implications for federal contractors

Increase information sharing for better detection, investigation and remediation

Enhance information sharing

The EO directs the removal of any contractual barriers and requires IT service providers to share breach information that could impact government networks. The aim is to enable more effective defenses of federal departments and to improve the nation’s cybersecurity as a whole.

Implications

Short of national data breach legislation, this EO likely goes as far as it can to mandate cyber incident reporting. 

Traditionally, only defense contractors have had specific requirements regarding breach reporting (DFARS 252.204.7012 clause). This EO will extend the requirement to all Federal Acquisition Regulation (FAR) contracts. As a result, contractors will need to understand the contract requirements and the ability of their underlying data governance frameworks to classify, manage and protect sensitive data (i.e., controlled unclassified information [CUI].) 

In addition, contractors will be expected to collect and share information related to threats, vulnerabilities and incidents collected to share relevant information with CISA, FBI, and other agencies and boards for investigation.

Improve detection of cyber incidents on federal government networks

The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection-and-response system and improving information sharing within the federal government.

Implications

The intent is to provide greater details to proactively identify threats, as well as having appropriate information to investigate and respond to incidents. 

Proactive threat hunting leads to cyber risk reduction. The ability to actively search endpoints and identify sophisticated threats requires advanced tools, technology and people.

Improve investigative and remediation capabilities

The EO creates cybersecurity event log requirements for federal departments and agencies.

Implication

IT service providers will be required to collect and maintain information from network and system logs on federal information systems (for both on-premise systems and connections hosted by third parties, such as cloud service providers), and to provide them to the government when necessary to address a cyber incident.

Make the federal government systems stronger and safer

Modernize cyber in government

The EO challenges the federal government to lead the way and increase its adoption of security best practices. These practices include employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Implications

There’s a strong commitment to zero trust architecture in this EO. The business community has been talking about this, and adoption has accelerated since the software supply chain attacks this past winter, but many executives are still asking if it’s the best thing to do. Seeing zero trust architecture called out in the EO may encourage business leaders to consider it a leading practice. It’s important to think of zero trust architecture as a layer in a layered defense strategy, and not the be-all and end-all of cybersecurity investments. 

Federal contractors should expect zero-trust security requirements, as well as further focus on CUI, to be included as new or alternative requirements in NIST requirements (NIST 800-53 (FedRAMP), NIST 800-171 (CMMC)).

There’s also a strong emphasis on getting cloud security right: developing a cloud-service governance framework, a federal cloud security strategy, and cloud-security technical reference architecture documentation. A well-thought-out, step-by-step approach to security can jumpstart cloud adoption. 

Also, contractors that are cloud service providers (CSPs) should expect an expansion in the US government market for solutions that support zero-trust principles.

Improve software supply chain security

The EO seeks to improve the security of software by establishing baseline security standards for the development of software sold to the government — including requiring developers to maintain greater visibility into their software and making security data publicly available. The EO stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of federal procurement to incentivize the market. Finally, it creates a pilot program to create an “Energy Star” type of label so the government and the public can quickly determine whether software was developed securely.

Implications

This section of the EO will require the most change from IT providers. Recent cyber espionage campaigns underscored an insufficient focus on “the ability of software to resist attack,” as the EO describes it. The development of commercial software is opaque to most, and controls are inadequate to prevent tampering by malicious actors. Of particular concern is the security and integrity of “critical software” — software that performs functions critical to trust, such as affording or requiring elevated system privileges or direct access to networking and computing resources.

Software providers should be prepared to provide input on software supply chain security. The EO specifically directs the NIST director to solicit input within 45 days from the private sector, academia and others, in addition to the federal government, to help identify existing or develop new standards, tools and best practices.

Standards, procedures and criteria will be developed for a secure software development lifecycle. Providers of commercially-off-the-shelf (COTS) and non-COTS software will need to meet, audit/assess and attest to compliance against requirements including:

  • separate build and development environments

  • mapping and monitoring dependencies and interactions between systems (“trust relationships”)

  • conducting and remediating vulnerability scans prior to release

  • voluntarily disclosing vulnerabilities

  • Software Bill of Materials (SBOM), which includes enumerating and maintaining an inventory of open-source and commercial libraries and components used by the software.

The EO directs the pilot of a consumer labeling program, based on criteria for IoT cybersecurity and secure software development practices. The process and requirements for this will be defined over the coming months by the Federal Trade Commission (FTC).

Questions remain regarding the impact of these requirements on innovation. Will they limit the government's access to cutting-edge software?

Improve collaboration within government agencies and with the private sector

Create a Cybersecurity Safety Review Board

The EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. The board may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.

Implication

This is expected to operate similarly to the National Transportation Safety Board’s (NTSB’s) investigations into major transportation incidents, and it will include participation from the private sector. The details concerning what incidents this review board will participate in have not yet been determined.

Create a standard playbook for response to cyber incidents

The EO calls for a standard set of operating procedures (playbook) and a set of definitions for cyber incident response by federal departments and agencies. The playbook will help ensure that all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.

Implication

Standardized playbooks used by government agencies will likely speed up the response and investigative process. Currently, the cybersecurity vulnerability and incident response procedures vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies. Standardized response processes could lead to centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.

Timelines in the Executive Order

Great resolve and good ideas in executive orders need to be translated into rules and standards. What are the important milestones?

Table showing the important cybersecurity milestones for President Biden from May 2021 to February 2022. Table showing the important cybersecurity milestones for President Biden from May 2021 to February 2022.

Contact us

Sean Joyce

Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Matt Gorham

Cyber & Privacy Innovation Institute Leader, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Hide