The Biden administration released yesterday an executive order that makes cybersecurity a national-level priority. It includes several broad-sweeping requirements, including:

  • adoption of Security by Design concepts in the software development lifecycle;
  • creation of a software bill of materials requirement outlining all open source and other software embedded in a commercial product or deliverable;
  • implementation of a zero-trust security model across all federal agencies;
  • improving detection of cybersecurity vulnerabilities and incidents on Federal Government networks;
  • removing barriers to sharing threat information;
  • improving the Federal Government’s investigative and remediation capabilities;
  • standardizing the government’s response to cyber vulnerabilities and incidents;
  • improved cyber incident information sharing; and,
  • establishing a Cyber Safe Review Board to review significant cyber incidents impacting Federal Civilian Executive Branch (FCEB) Agencies or non-Federal systems.

In Section 2, which focuses on information sharing, the administration recognizes that “requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements.  Standardizing common cybersecurity contractual requirements across agencies will streamline and improve compliance for vendors and the Federal Government.” The Secretary of Homeland Security, acting through the Director of CISA, in consultation with the Secretary of Defense, acting through the Director of the NSA, the Director of OMB, and the Administrator of General Services, is then instructed to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements.  Those recommendations are expected to take into account the scope of contractors and associated service providers to be covered by the proposed contract language.

The recommendations must be submitted to the FAR Council no later than July 11, 2021. The FAR Council then has 60 days (i.e., until September 9, 2021) to publish the received recommendations for public comment and updating of the FAR. This is a very aggressive timeline and does not allow for much innovation. Instead, it will require the government to adopt “best of breed” approaches in an effort to improve our national security.

The US Department of Defense’s CMMC program, along with the self-assessment and attestation requirements under DFARS 252.204-7012, 252.204-7019, and 252.204-7020, will be among the contractual requirements reviewed by the group. DoD and industry have already expended significant time, effort, and both taxpayer and private funds to bring the CMMC program to where it is today, and these efforts are at the leading edge for securing our nation’s supply chain. Therefore, any resulting changes to the FAR will likely resemble DoD’s requirements, including CMMC. However, even if much of CMMC is adopted, there is a chance that any changes made while incorporating CMMC into the FAR will make the requirements different enough, especially from a contractors’ perspective, that they will require significant investments, adoption of new policies, and other material changes to contractor systems and cybersecurity programs.

What should Contractors Do Now?

The Executive Order clearly adds confusion for defense contractors who are already waiting for DoD to release the finalized version of the DFARS 252.204-7019 through -7021, along with updated CMMC Assessment Guides, assessment scoping guidance, and more. However, we can make a few basic assumptions:

  1. Those organizations that do not handle Controlled Unclassified Information (“CUI”) will still need to meet, at a minimum, the basic requirements outlined in FAR 52.204-21. The FAR Council may add additional requirements like multifactor authentication and encryption of data at rest and in motion, but the basic requirements already defined in the FAR aren’t likely to go away.
  2. Those handling CUI will likely, at a minimum, need to meet the requirements defined in NIST SP 800-171. For CUI those handling CUI that is especially sensitive, such as information subject to export controls and nuclear information, they should expect to meet NIST SP 800-172.

Given these assumptions, contractors can take a few steps now, including:

  1. Conduct a gap analysis against your expected requirements.
    1. For those organizations that do not handle CUI, the basic FAR requirements are incorporated into NIST SP 800-171. If your organization is unsure about how to implement one or more of the FAR requirements, you can look to the informative references in NIST SP 800-171 for additional guidance.
    2. For these organizations that do handle CUI, you should begin by conducting a self-assessment using NIST SP 800-171A. It is important to note that both NIST SP 800-171 and -172 require the creation of system security plans (SSPs). NIST has published SSP templates that can help you create this critical documentation.
    3. Our Gap Analysis Tool can help you catalog your results. You can use it to document why/how you believe you are meeting those requirements. When you conduct your gap analysis, approach it from the perspective of an outsider who is concerned with protecting the sensitive information they are entrusting to you. Ask yourself “are they likely to agree with you that we meet the objectives?” If not, that’s a “gap” in your overall cybersecurity program and should be documented.
  2. Create a Plan of Action and Milestones (“POA&M”) for addressing any gaps, or shortcomings in your cybersecurity program. NIST has also published a POA&M template that can help with POA&M creation, too. The POA&M should include information like expected implementation costs, implementation timelines, and responsible individuals. Your POA&M should outline obtainable steps to close the gaps, and you should ensure that your organization is meeting the POA&M timelines. Periodically review the POA&M and update the gap analysis as the gaps are remediated.

What about policies and procedures?

Beginning at Maturity Level 2, CMMC requires contractors to adopt written policies and procedures, including embedding them into the underlying culture. We also believe that organizations, including organizations that do not handle CUI, should adopt carefully-crafted policies, procedures, and plans (the “documents”). Those documents should be written based on each organization’s unique attributes (e.g., lines of business, organizational structure, information system architecture, etc.) and should address all of the legal, regulatory, and contractual commitments as well as any other cybersecurity-related risks the organization faces. Given that the legal and regulatory landscape is likely to change over the next 3-6 months due to the Executive Order and the impending changes to CMMC, contractors may be better off focusing on meeting the requirements described above (i.e., those in FAR 52.204-21 and NIST SP 800-171) and holding off on crafting policies, procedures, and plans until the regulatory environment stabilizes a bit more over the next 4-6 months.