Takeaways

President Biden’s Executive Order directs sweeping changes to cybersecurity requirements in federal government contracts and calls for the government to “bring to bear the full scope of its authorities and resources” to protect its systems.
The EO itself took effect on signing, but its contractor-facing requirements will take effect only once the FAR Council implements the recommendations from the agencies charged with developing them; the EO sets aggressive deadlines for both the agencies and the FAR Council.

On May 12, 2021, President Biden signed Executive Order 14028 (EO), “Improving the Nation’s Cybersecurity.” The EO was widely anticipated after the White House announced in February 2021 that it was planning a cybersecurity executive order. As detailed in our companion alert, the EO sets forth numerous cybersecurity requirements for federal agencies and government contractors and states that the government “must bring to bear the full scope of its authorities and resources to protect and secure its computer systems.” The scope of that protection, the EO states, “must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” Key provisions of the EO related to federal contractors are outlined below.

Removing Barriers to Sharing Threat Information

The EO asserts that IT and OT service providers “have unique access to and insight into cyber threat and incident information on Federal Information Systems;” however, requirements in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) “may limit the sharing of such threat or incident information.” Accordingly, the EO directs the Office of Management and Budget (OMB) to, within 60 days, review the FAR and the DFARS and provide recommendations to the FAR Council on “removing these contractual barriers and increasing the sharing of information about such threats.” The OMB’s recommendations must provide the types of contractors covered by the proposed contract language, which must be designed to ensure, among other things, that service providers collect and share with the government data related to cyber incidents and collaborate with the government in its investigation of such incidents. The collaboration with the government may include things like implementing technical capabilities, such as monitoring networks for threats. The FAR Council must issue proposed rules within 90 days of receipt of the OMB’s recommendations.

Information and communications technology (ICT) service providers will also find themselves with new cybersecurity obligations. The EO requires ICT services providers to promptly report cyber incidents involving a software product or service provided to the government. The Department of Homeland Security (DHS) is tasked with recommending contract language to the FAR Council, within 45 days, that identifies the nature of the cyber incidents that require reporting, the type of information to report, reporting time periods, and the types of contractors covered by the recommendations. The EO gives the FAR Council 90 days from receipt of DHS’s recommendation to issue proposed rules.

The EO also calls for streamlining cybersecurity requirements across all federal agencies. The DHS is tasked with reviewing agency-specific cybersecurity requirements (whether imposed by law, policy, or contract) and recommending standardized contract language to the FAR Council. Once the FAR Council updates the FAR to implement the DHS recommendations, agencies must remove any agency-specific cybersecurity requirements that duplicate the FAR updates.

Enhancing Software Supply Chain Security

The EO states that the government “must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.” The EO requires federal agencies to develop guidance and standards related to “critical software.” The term “critical software” is undefined in the EO; however, a definition must be published within 45 days. Further, within 30 days, the National Institute of Standards and Technology (NIST) Director must solicit input from agencies, the private sector, academia, and other sources regarding standards, procedures, and criteria designed to ensure software supply chain security. Based on that input, the NIST Director must develop and issue guidance to enhance the security of the software supply chain. Within one year of the EO (by May 2022), the DHS must recommend contract language to the FAR Council that requires software suppliers to comply with, and attest to compliance with, the NIST-developed guidance.

While most of the EO’s requirements are forthcoming and depend on agencies’ recommendations and the FAR Council’s implementation, the EO brings sweeping changes to cybersecurity requirements for federal contracts, especially for IT, OT, and ICT service providers. The EO’s release coincides with one of the most consequential cybersecurity attacks in U.S. history, the Colonial Pipeline ransomware attack, and comes roughly six months after the SolarWinds supply chain compromise, which breached more than a dozen federal agencies and reportedly some 200 private companies. While the EO’s requirements target federal agencies and government contractors, the Biden administration “encourage[s] private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.