President Biden’s Recent Cybersecurity Executive Order Will Increase Compliance Obligations on the Private Sector

Sharon R. Klein, Alex C. Nisenbaum, Karen H. Shin, Justin A. Chiarodo, and Michael Joseph Montalbano

Companies providing information technology products and services to U.S. government agencies are now required to notify such agencies of cyber incidents and meet specific cybersecurity standards. The executive order attempts to modernize the federal government’s cybersecurity defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the [United States]’ ability to respond to incidents when they occur.” The executive order is just one example of the Biden administration’s push to improve the nation’s data privacy and cybersecurity practices in response to the recent series of ransomware attacks.

On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.

Proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) are expected soon. They will increase compliance obligations for government contractors and their vendors, building on a string of supply chain and cybersecurity regulations in recent years (including Section 889’s prohibition on the use of certain Chinese telecommunications, new registration requirements in the Supplier Performance Risk System, and the Department of Defense’s Cybersecurity Maturity Model Certification program). We see the biggest impacts on government contractors, such as developers and users of software.
