What does the federal government need? “Bold changes and significant investments.”
The quote is about cybersecurity, not space exploration or a military initiative. It’s part of the Executive Order on Improving the Nation’s Cybersecurity, which President Joe Biden signed May 12, and it’s the latest Biden administration step in prioritizing cybersecurity in reaction to attacks against the nation’s infrastructure and supply chain.
Most recently, ransomware hackers attacked the Colonial Pipeline, leading to the system shutting down and a gas-buying panic across the southeastern United States. But even before Biden took office, the December 2020 SolarWinds hack put cybersecurity high on the then-incoming administration’s agenda.
“It calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase reliance against cyberattacks,” Biden said about the executive order in a May 13 update about the Colonial Pipeline ransomware attack. “It outlines innovative ways the government will drive to deliver security and software, using federal buying power to jumpstart the market and improve the products that all Americans use. “
The order will change reporting requirements and information sharing, but also identifies technologies agencies will prioritize and need help implementing. This week’s This Is IT dissects the executive order’s meaning for contractors from two perspectives: new requirements and opportunities.
Data Collection, Transparency, and Sharing
There will be a new emphasis on information sharing with the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the intelligence community (IC).
To accomplish this, the director of the Office of Management and Budget (OMB) will review the Federal Acquisition Regulation (FAR) and recommend changes to language associated with information technology and operational technology contracting.
That language would require contractors to collect and preserve data and information that would help prevent, detect, respond to, and investigate cyber incidents on all systems they operate. They must also share cyber incident or potential incident data and information and collaborate with those agencies during cyber investigations and responses. The big change is that these requirements extend to all information systems, not just those related to a contract with the federal government. For companies with a large footprint outside the federal government, this could have an enormous impact.
The secretary of homeland security will help determine the types of cyber incidents and information that will require reporting along with the time period for reporting, type of contractors that must fulfill the requirements, and any differences for national security systems. Those agencies would then recommend corresponding contracting language for cybersecurity requirements to be included in the FAR. Any suggested changes to the FAR will be posted for public comment.
The executive order will also result in policy changes around network and system logs, which will affect the incident information contractors must collect, time for retaining logs, and security requirements for protecting logs.
Cloud and Zero-Trust
Agencies must prioritize a few areas: adopting zero trust architecture, using and securing cloud services, centralizing access to cybersecurity data, and then using analytics to identify cybersecurity risks, and adopting multi-factor authentication and encryption for data. Contractors will be essential in implementing these changes.
Cloud is a surprising addition, unlike the other focus areas. Agencies have typically considered moving data to the cloud to be a less-secure alternative. For example, the Cloud Smart strategy required changes to the Trusted Internet Connections program that would reduce security in exchange for convenience and mobile capabilities that come with data hosted in the cloud. Now, moving to the cloud is a cybersecurity priority. It’s unclear what changed since the 2018 strategy. Perhaps agencies saw results in incorporating cybersecurity into more cloud migration contract requirements, or two more years of the Federal Risk and Authorization Management Program (FedRAMP) brought stronger security.
There’s still cloud-related security work to be done and the executive order tries to address that. Agencies must coordinate and adopt zero trust architectures when migrating to the cloud and do so in a coordinated way to ensure consistency. The Defense Information Systems Agency released a zero trust reference architecture last week.
CISA will incorporate risk-based security into frameworks for securing data and information, including cloud service providers and during cloud migrations. Agencies will need contractor assistance to implement changes to policies, and cloud service providers could see additional security requirements.
The order requires changes to the FedRAMP process, but they will benefit contractors by making the process easier and creating new opportunities. The biggest changes include adding automation throughout the FedRAMP lifecycle, making the documentation digital, and identifying substitutes for FedRAMP requirements that are duplicative across other certifications, an important feature and one contractors request each time new certifications arise. The order doesn’t require removing redundancies in other areas.
Agencies must implement two-factor authentication within 180 days as well as encryption at rest and in-transit.
The executive order will also create an Endpoint Detection and Response (EDR) initiative, focused on proactively detecting cyber incident and vulnerability detection, active cyber hunting, containment and remediation, and incident response. This initiative, while specific to civilian agencies, is also relevant to defense agencies, as they are required to improve cyber incident detection as well.
The Commerce Department’s National Institute of Standards and Technology (NIST) must identify standards, tools, and best practices for securing supply chains for critical software, currently defined as “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources).” In 45 days, a more specific definition is due, and 30 days later, a list of categories of software in use or in the acquisition process that meet that definition is required. The number of contractors that could be affected is unclear, but it’s relevant to both civilian and defense contractors.
The software requirements could have a major impact on government contractors.
Contractors that can provide products and services outlined in NIST’s guidelines may be in high demand. Those include methods for securing software development environments, using automation to find vulnerabilities, and maintaining a “Software Bill of Materials” for each software product, which would mean supplying the agency with a record of supply chain relationships for the software components. This could be very time-intensive, especially for contractors with a large suite of software and suppliers. It’s sure to be part of an ongoing conversation about the difficulty for contractors to identify full supply chains.
Those that can’t meet the forthcoming guidelines are at risk. If critical software doesn’t meet security measures defined by NIST, contractors may not be able to sell products to federal agencies. NIST’s requirements would be enacted in about 120 days. In about a year, FAR updates will reflect these requirements, and agencies must then remove software products that don’t meet the standards from indefinite delivery, indefinite quantity contracts, federal supply schedules, governmentwide acquisition contracts, blanket purchase agreements, and multiple-award contracts.
It’s likely standards will be similar to those being phased in for defense contractors through the Cybersecurity Maturity Model Certification (CMMC), a requirement civilian agencies are expected to adopt after DOD piloted it. However, the absence of the CMMC in the order, along with CMMC delays and controversies, could indicate the executive order requirements will replace the defense certification.
In addition, NIST will work with NSA to publish standards around contractor source code testing.
It’s unclear when all these changes will come to full fruition for contractors, and they aren’t likely to come with any funding, at least not initially. OMB’s director will incorporate costs of the new reporting and sharing requirements into the annual budget process, but that’s not likely to affect funding until fiscal 2023.
The Technology Modernization Fund (TMF), CISA’s $650 million boost in fiscal 2021 appropriations, and the fiscal 2022 cybersecurity budget are likely to pay for these technologies. The TMF, with a $1 billion surge in appropriations and a new strategy that prioritizes cybersecurity, which includes allowing the TMF board to loosen the requirement that agencies reimburse the fund if their project addresses “critical cybersecurity improvements,” is a likely candidate for much of this order’s short-term funding.
There are still many details we won’t know for a few months because they rely on agency reviews and assessments. The common thread throughout the order is simple: standardization is needed. That’s the case in preparing for incidents, collecting and reporting data, and responding to attacks. There will be many updated and new standards, strategies, and frameworks agencies and contractors will have to track and comply with. There will even be a playbook for responding to cybersecurity incidents. Exactly what the incidents look like and how important they are for contractors is something we will explore in future This Is IT analyses as details become available in the coming months.
— With assistance from Chris Cornillie
Note: This Is IT is a weekly column by Bloomberg Government focused on information technology matters affecting government contractors.
To contact the analyst on this story: Laura Criste in Salt Lake City, Utah at firstname.lastname@example.org
To contact the editor responsible for this story: Michael Clark at email@example.com