Contributors:
Susan Moser, Partner
John Ford, Senior Consultant
On May 12, 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The Order is quite extensive and contains many provisions that may have an impact on contractors. While contractors may be impacted by various provisions of the Order, here we will concentrate on those provisions that will require implementation through the Federal Acquisition Regulation (FAR).
The Order observed that the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal government to foster a more secure cyberspace. It continued by stating that the scope of protection and security must include systems that process data, meaning information technology (IT), and those that run vital machinery that ensures our safety, meaning operational technology (OT).
IT and OT Service Providers
Turning to contracting matters, the Order stated that the Federal government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal information systems. These providers have unique access to and insight into cyber threat and incident information on Federal information systems. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies that are responsible for investigating or remediating cyber incidents.
Removing these contract barriers and increasing the sharing of information about such threats, incidents and risks are necessary steps to accelerating incident deterrence, prevention and response efforts, and to enabling more effective defense of agencies’ systems and information.
To accomplish this, the Order mandates that within 60 days after the date of the Order, the Office of Management and Budget (OMB), in consultation with the Department of Defense (DoD), Department of Justice (DOJ), Department of Homeland Security (DHS) and the Director of National Intelligence, shall review the FAR and Defense Federal Acquisition Regulation Supplement (DFARS) requirements for contracting with IT and OT service providers and recommend updates to such requirements to the FAR Council and other agencies.
The recommendations are to include descriptions of contractors to be covered by the proposed contract language. Further, the recommended contract language shall be designed to ensure that providers:
- Collect and preserve data and information relevant to cybersecurity incident prevention, detection, response and investigations on all information systems over which they have control, including systems operated on behalf of agencies;
- Share such data, information and reporting as they relate to cyber incidents, or potential incidents relevant to any agency with which they contracted, directly with such agency and any other agency that OMB deems appropriate;
- Collaborate with Federal cybersecurity or investigative agencies in their investigations of and response to incidents or potential incidents of Federal information systems;
- Share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats.
Updates to the FAR
Within 90 days of receipt of the recommendations described above, the FAR Council is to issue proposed updates to the FAR. Note that the Order does not mention changes to the DFARS although that may be intended by the use of the phrase “other agencies.”
ICT Providers
The Order then addresses information and communications technology (ICT) service providers. It states that it is the policy of the Government that such providers entering into contracts with agencies must promptly notify the contracting agency when the provider discovers a cyber incident involving a software product or service provided to the agency or involving a support system for such a product or service.
To implement this policy, within 45 days of the date of the Order, DHS is to recommend to the FAR Council contract language that identifies, among other things, the nature of cyber incidents that require reporting and the type of information regarding cyber incidents that must be reported. Within 90 days of receipt of the recommendations described above, the FAR Council is to publish proposed updates to the FAR.
In addition, within 60 days of the date of the Order, DHS is to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. These recommendations are to include consideration of the scope of contractors and associated service providers to be covered by the proposed contract language. Within 60 days of receiving the recommended contract language from DHS, the FAR Council is to publish proposed FAR updates.
Software Supply Chain Security
Finally, Section 4 of the Order is captioned Enhancing Software Supply Chain Security. It states that the security of software used by the Government is vital to the Government’s ability to perform its functions. Accordingly, the Government must take action to improve the security and integrity of the software supply chain with a priority on addressing critical software.
It then lists several steps that must be taken to accomplish this. The Order then requires that within one year of the date of the Order, DHS is to recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and to attest to complying with, the requirements issued pursuant to this section. After receiving these recommendations, the FAR Council will review them and amend the FAR as appropriate. Following any such amendments, agencies, as appropriate and consistent with applicable law, are to remove software products that do not meet the requirements of the amended FAR from all IDIQ contracts, FSS contracts, GWACs, MACs and BPAs.
How We Can Help
As this indicates, contractors can expect significant changes in the cybersecurity realm within the year.
Cherry Bekaert will continue to keep contractors updated on the Order as circumstances and timelines change. If you have questions concerning the Order or other contracting matters, do not hesitate to contact us for advice and assistance.