Improving the Nation's Cybersecurity

“Improving the Nation’s Cybersecurity” (issued May 12, 2021) requires agencies to enhance cybersecurity and software supply chain integrity.

Summary of requirements

• Requires service providers to share cyber incident and threat information that could impact Government networks.
• Moves the Federal government to secure cloud services, zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period.
• Establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
• Establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make recommendations for improving cybersecurity.
• Creates a standardized playbook and set of definitions for cyber incident response by Federal departments and agencies.
• Improves the ability to detect malicious cyber activity on Federal networks by enabling a governmentwide endpoint detection and response system and improved information sharing within the Federal government.
• Creates cybersecurity event log requirements for Federal departments and agencies.
• Requires amendments to the FAR to align with requirements in the EO.

What contractors can expect

• Modification of contract language to reflect new guidance from NIST and CISA. If your company cannot accept the modification, you will not be able to sell to the Federal government.
• GSA will keep you informed; communicating with you regarding all major developments.
• Future updates to the Federal Acquisition Regulation.

Provide feedback

Look out for the FAR rules’ public comment periods and provide feedback.

Update your compliance program

Stay on top of proposed updates to the FAR and prepare for changes that could impact your entity’s compliance.

Educate

Communicate and train your purchasing/procurement and materials management professionals to ensure they are familiar with your compliance plan and potential changes.

Why these changes are important

• Adversaries are using increasingly sophisticated methods and cyber operations to attack the supply chain, gain access to critical infrastructure, and steal sensitive information.
• Foreign owned or controlled Information and Communications Technology products may create vulnerabilities in U.S. supply chains.
• IT providers are often hesitant or unable to voluntarily share information about a cyber incident.
• The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.
• The planned FAR rules will ensure contractors keep national security interests in mind by requiring contractors to follow a set of standardized rules when doing business with the Federal government. 

Resources

• Acquisition policy library and resources
• NIST critical software definition
• NIST security measures
• NIST recommended minimum standards for vendor or developer verification of software
• Moving the U.S. government towards zero trust cybersecurity principles

Tell us what you think