While this EO, like almost all EOs, only affects what executive branch agencies do, it is likely to have a big effect on cybersecurity in general. Here are some of the requirements:
- The government uses a lot of commercial cloud software. Current contract terms may limit what data a cloud provider is allowed to share with the departments or agencies responsible for investigating or remediating cyber incidents. In some cases, the reverse is true: service providers may not be contractually required to share information about malicious activity on their systems unless the agency is the direct target or victim. Even if they are required to notify that agency about a breach, they may not be allowed, or required, to notify, say, the FBI. If it is not in writing and it hurts the image of the company – well, they are probably not going to tell. The service providers may also have contracts with other customers that prohibit them from disclosing information about that customer to, say, the government. OMB has 60 days to recommend changes to the FAR and DFARS to facilitate information sharing. The new language needs to address collection and preservation of data and a requirement to share that data with whoever OMB decides is important. The FAR Council then has 90 days to publish proposed changes.
- Within 120 days, DHS and the FBI need to take steps to maximize the data sharing with service providers that is possible under current contracts.
- Within 45 days, DHS, working with NSA, the AG and OMB, needs to recommend to the FAR Council contract language on which cyber incidents must be reported, with a reporting window not to exceed 3 days for the most serious incidents.
- Within 60 days, DHS/CISA, working with NSA, OMB and GSA, shall review agency-specific cybersecurity policies and contract terms and recommend standard language to the FAR Council. The FAR Council then has 60 days to publish its proposals based on that input.
- Here is one that will likely affect the entire industry: the federal government will adopt security best practices, advance zero trust, move toward secure cloud services, and so on. Agencies have 60 days to come up with a plan.
- Within 90 days, OMB, CISA and GSA will develop a coordinated cloud security strategy and issue guidance to agencies.
- Within 90 days, the same team will develop and release a standard cloud security architecture for agencies to use in procurements.
This is just from section 3. More later on the other sections. Look at these requirements: a REALLY short timeline for the federal government, where normal timelines are measured in years or decades. It requires standards. Obviously none of this will get DONE in 45, 60 or 90 days, but the roadmap will be developed. Understand that with this kind of aggressive timeline the results will not be pretty, but they should move things in the right direction. That will affect everyone who sells to the government, and clearly vendors are not going to develop two separate versions of a product, one for the government and one for everyone else.
Look for more information on the EO tomorrow.