Executive Order Will Spur Big Changes In Cybersecurity
June 12, 2024
Akin Gump attorneys have written a long, forward-looking analysis of Executive Order 14,028, “Improving the Nation’s Cybersecurity,” issued by the Biden administration in May 2024. The Order contains a schedule of reviews and rulemaking that will lead to significant changes in cybersecurity and software.
The administration wants these changes to become norms for “reasonable” cyber and supply chain security practices among government contractors, cybersecurity vendors, and software solution providers serving the government, and potentially in the private sector.
There are no requirements or prohibitions for non-governmental entities, but the order calls for federal agencies to quickly establish policies and propose changes to federal contracting rules to implement the Order. The aggressive timelines suggest that those proposals will come in the form of interim final rules. According to the authors, this increases the importance of proactive planning and engagement.
The report highlights sections of the Order that will quickly affect federal contractors and the wider ICTS, cloud, software, and cybersecurity services system.
Section 2, “Removing Barriers to Sharing Threat Information,” sets the stage for federal incident reporting requirements for information technology and operational technology “service providers” and “cloud service providers.” As a first step, the Order directs the Office of Management and Budget to review and recommend updates to contract requirements and language for “contracting with IT and OT service providers.” The recommendations will include definitions of contractors (i.e., the “service providers”) to be covered by the proposed updates.
Section 4, “Enhancing Software Supply Chain Security,” proposes to establish standards for the security and integrity of software products purchased by U.S. federal agencies. The integrity of so-called “critical software,” tentatively defined as software that “performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources),” is singled out for particular concern.
According to the authors, Section 4 portends sweeping changes in the software acquisition process, and over time, in software development and security practices outside the federal system.