President Biden Issues Cybersecurity Executive Order | Practical Law

President Biden has signed an Executive Order on Improving the Nation's Cybersecurity that imposes new cybersecurity prevention, detection, response, and reporting requirements on federal agencies and their information and communication technology contractors and software providers. The Order also creates a Cyber Safety Review Board to investigate cyberattacks.

Practical Law Legal Update w-030-9949 (Approx. 4 pages)

by Practical Law Data Privacy Advisor
Published on 14 May 2021, USA (National/Federal)
On May 12, 2021, President Biden signed an Executive Order on Improving the Nation's Cybersecurity. The Order aims to make cybersecurity prevention, detection, and assessment a top priority of the federal government, and encourage improvements in the private sector.
Notably, the Order directs the Secretary for the Department of Homeland Security (DHS Secretary), in consultation with the US Attorney General, to create a Cyber Safety Review Board to review and assess significant cyber incidents as directed by the President or the DHS Secretary. Federal officials from specified agencies and private-sector stakeholders chosen by the DHS Secretary will staff the Board. The Order directs the Board to investigate the SolarWinds, Inc. attack and provide recommendations to the DHS Secretary within 90 days after it is established.
The Order also directs agencies, as assigned, to:
  • Solicit recommendations from academics and stakeholders and publish recommendations for enhancing software supply chain security that include certain specified measures.
  • Improve inter-agency communication on cyber threats and vulnerabilities.
  • Create and use standardized language for security requirements in federal procurement contracts and improve software supply chain security.
  • Remove barriers to sharing threat information, including contract obligations that may inhibit information sharing.
  • Develop a plan to implement zero-trust architecture, as defined by the Order.
  • Develop cybersecurity guidelines for cloud service providers servicing federal agencies and develop a plan to migrate federal systems to cloud services.
  • Evaluate unclassified data and identify the data that is most sensitive and under greatest threat.
  • Adopt multi-factor authentication and encryption practices.
  • Promulgate standardized incident reporting standards for federal contractors.
  • Identify cybersecurity criteria for a consumer labeling program of Internet of Things (IoT) devices, and initiate pilot programs to educate the public.
  • Develop a standard set of operational procedures, or "playbook", for cybersecurity incident responses.
  • Improve incident detection capability by deploying an Endpoint Detection and Response initiative.
  • Improve event logging and log retention policies.
The Order makes it federal government policy for information and communication technology service providers that contract with agencies to promptly report cyber incidents involving the agency's software or its support systems and, where appropriate, report the same to the Cybersecurity and Infrastructure Security Agency.
The Order also imposes specific requirements for national security systems and defines key terms including zero-trust architecture and software bill of materials.