Publication

White House Issues Executive Order on Improving Nation’s Cybersecurity

May 21, 2021

By James P. Melendres and Paloma Diaz

Last week, the White House issued a new Executive Order (the “EO” or “Order”) on cybersecurity.1 The EO responds to ever-increasing malicious cyber campaigns threatening the public and private sectors and the American people’s security and privacy.2 The EO asserts the necessity of “bold changes” in order to defend these institutions. While the Order focuses on federal governmental agencies and vendors and developers who do business with the Federal Government, it is likely to have significant ramifications throughout the private sector. 

This legal alert addresses the EO’s key points of substance, with an understanding that significant implementation work still needs to be done.

Key Points & Implications

1. Getting the Federal Government’s House In Order – And Implications for the Private Sector

The EO requires the Federal Government to adopt best practices, doing away with outdated security models and requiring an overall modernization of cybersecurity standards.3 The EO seeks to improve the early detection of cybersecurity vulnerabilities and incidents on federal government networks. To do so, Federal Civilian Executive Branch (“FCEB”) Agencies must deploy an Endpoint Detection and Response (“EDR”) initiative to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. This modernization also includes securing cloud services, advancing toward a Zero Trust Architecture, and mandating deployment of multifactor authentication and encryption within a specific time period.4

The EO also creates a standard “playbook” for responding to cyber incidents.5 The playbook is a standard set of operational procedures to be used in planning and conducting a cybersecurity vulnerability and incident response activity.6 The playbook will define key terms, in accordance with statutory definitions, to ensure a common understanding of cyber incidents and the cybersecurity status of an agency.7 Although the playbook applies to only federal agencies, it is meant to “provide the private sector with a template for its response efforts.”8

Additionally, the EO calls for improving the Federal Government’s investigative and remediation capabilities.9 This includes establishing requirements for logging events and retaining other relevant data within an agency’s systems and networks.10

The government’s adoption of best practices is meant to serve as an example for the private sector.11

2. Promoting Cyber Threat Information Sharing

Through updated government contracting requirements, the EO removes barriers to threat information sharing between the government and the private sector.12 The goal of the Order is to streamline and standardize cybersecurity contractual requirements across agencies and ensure that information technology and operational technology contractors share cyber threat information with the government.13 Following updates to the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement, which will include descriptions of contractors to be covered by the proposed contract language, agencies are required to update their agency-specific cybersecurity requirements.14

3. Improving Software Supply Chain Security

The EO also enhances software supply chain security.15 The EO seeks to improve the security of software by establishing baseline security standards for the development of software sold to the government.16 This includes implementing standards, procedures, and criteria regarding secure development environments, encrypting data, maintaining greater visibility into software, and making security data publicly available.17 These standards will apply to any company that does business with the Federal Government.18 To improve security, the EO tasks the Secretary of Commerce acting through the Director of the National Institute of Standards and Technology (“NIST”) to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of devices and software development practices.19 The Director of NIST will also consider ways to incentivize manufacturers and developers to participate in these programs, including developers and manufacturers in the private sector.20

4. Creation of a Cyber “National Transportation Safety Board”

Additionally, the EO establishes a cyber safety review board.21 The cyber safety review board will convene following a significant cyber incident and will include federal officials and representatives from private sector entities.22

Conclusion

One of the EO’s ambitions is for the private sector to adopt these heightened security standards and the Order may soon be seen to embody reasonable security standards. All companies, especially those doing any business with the Federal Government, should stay informed regarding the forthcoming regulations implementing the EO and agency action regarding security standards and determine whether they would like to submit comments for consideration.

Footnotes

  1. Executive Order on Improving the Nation’s Cybersecurity, White House (May 12, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

  2. Id.

  3. Id.

  4. Id.

  5. Id.

  6. Id.

  7. Id.

  8. Fact Sheet: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, White House (May 12, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/.  

  9. Executive Order on Improving the Nation’s Cybersecurity, supra note 1.

  10. Id.

  11. Fact Sheet: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, supra note 8.

  12. Executive Order on Improving the Nation’s Cybersecurity, supra note 1.

  13. Id.

  14. Id.

  15. Id.

  16. Id.

  17. Id.

  18. Id.

  19. Id.

  20. Id.

  21. Id.

  22. Id.

Back to top

About Snell & Wilmer

Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.

©2024 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.

Contributors

MEET THE TEAM
James P. Melendres, Partner
James P. Melendres,
Partner
Paloma Scheiferstein, Associate
Paloma Scheiferstein,
Associate
Media Contact

Olivia Nguyen-Quang

Associate Director of Communications
media@swlaw.com 714.427.7490