Beyond causing long lines and shortages at the gas pump, the cyberattack on the Colonial Pipeline this month may have important implications for federal contractors. As part of the federal government’s response, President Joe Biden issued an executive order emphasizing a strong need for the federal government to cooperate with the private sector (e.g., government contractors) to detect, prevent, and remediate cyber threats. In furtherance of that goal, the order generally requires the following:
- Evaluating, and where necessary amending, the contract terms between the federal government and its technology-related service providers, so that providers have a broader right (and in some cases an affirmative duty) to share cyber threat and incident information with federal agencies, and so that they adopt additional measures to cooperate with agencies in monitoring for potential cyberattacks and responding to incidents.
- Implementing cybersecurity industry best practices across the federal government, including adopting Zero Trust Architecture, migrating from on-premises software to secure cloud-based solutions, and generally streamlining data management practices.
- Working to improve the security and integrity of the federal government’s “critical software” and implementing practices that enhance the reliability of its software supply chain.
- Establishing a federal Cyber Safety Review Board, staffed with both federal officials and private-sector representatives, to review and assess significant cyber incidents and make recommendations to the president regarding the same.
- Standardizing the federal government’s incident response procedures for cyberattacks in order to “ensure a more coordinated and centralized cataloging of incidents” and track individual agencies’ ability to successfully resolve issues.
- Improving the federal government’s means to detect cyber incidents early and increasing requirements for logging events and preserving other threat data.
- Adopting, for national security systems, requirements that are at least equivalent to those set forth in the executive order.
The order generally calls on federal agencies to propose rules, recommendations, and procedures in furtherance of the goals set forth above. Private entities that serve as government contractors should watch for additional regulations, standards, and potential changes to Federal Acquisition Regulation (FAR) clauses addressing these issues in the next couple of months.
Additionally, the Department of Homeland Security, through its Transportation Security Administration (TSA), has already begun coordinating with companies in the pipeline sector in an effort to increase their resilience against another attack. Although TSA previously issued only voluntary cybersecurity guidelines for pipeline companies, it has now issued new, mandatory incident reporting requirements intended to improve incident detection, prevention, and response.
Although the executive order directly affects only government contractors, its requirements are yet another marker of the broader trend toward stricter contractual security terms with vendors. All businesses should institute a regular review of their vendor agreements to ensure that those agreements keep pace with industry norms on data security.