6 minute read 3 Aug 2021
Female government employee system control monitoring center

How President Biden’s cyber executive order may affect your business

By Dave Burg

EY Americas Cybersecurity Leader

Proud husband, father of three. Skiing, tennis and golf enthusiast.

6 minute read 3 Aug 2021
Related topics Cybersecurity Risk Consulting

President Biden's executive order on cybersecurity aims to protect federal government networks. Does your business need to comply?

In brief
  • While the order addresses seven core areas, sections on software supply chain security and threat information sharing are most likely to affect businesses.
  • Organizations may not realize they are bound by the order – even if they aren’t a federal contractor.
  • There are benefits to complying with the new executive order even if you aren’t necessarily bound by it. 

President Biden signed an executive order on May 12, 2021, intended to modernize cybersecurity defenses and protect federal government networks. The order comes amid increasingly public and widespread cyberattacks affecting the nation’s public and private sectors.

Supply-chain attacks, a favorite tactic for threat actors given how effective and far-reaching they can be, are an ongoing issue with no end in sight. While the executive order is primarily aimed at software and hardware suppliers and service providers that contract with federal agencies, organizations in the contractors’ supply chains may have obligations even if they are not direct contractors for the federal government and based outside of the US.

New supply chain security guidelines and processes are expected within 360 days of the order and will likely become new industry standards with global ramifications.

Key elements of the Biden cybersecurity executive order

The order addresses seven core elements and requires agencies to review and develop new guidelines and standards for cybersecurity. Of particular interest and impact to many organizations is the order’s focus on enhancing software supply chain security and improving threat information sharing.

Software supply chain security

Organizations are being asked to define “critical” software in their products and provide a Software Bill of Materials — similar to FDA requirements for medical devices such as pacemakers. SBOM guidelines are expected to require that organizations list all the components used in the software, including libraries, drivers, firmware, licenses, and operating systems. The order also requires that organizations secure their software development processes and access controls. 

Information sharing

The SBOM facilitates another major focus of the order – greater transparency on cybersecurity threats and breaches throughout the federal supply chain. The order encourages active participation in vulnerability disclosure programs to establish trust. By removing contractual barriers to sharing threat intelligence and breach information, the order hopes to encourage information sharing and minimize cultural hesitancy to share information about breaches.

Does the Biden cybersecurity executive order affect my company? 

Although the order is for federal agencies and contractors, it also affects companies in the federal supply chain.  Many organizations may not realize they are bound by the order by virtue of the components that they make or supply — especially software components that end up on government systems.

If you run a software development company, it is likely to be part of the federal government software supply chain even if you don’t know it. By extension, any vendors whose products are used by those developers — hardware providers, for example — are part of the chain.

Besides direct federal contractors, the order also applies to broad commercial subsectors. Companies that supply to defense contractors (or whose software or hardware end up in a contractor’s products or services) are in the supply chain and in a position to introduce risk.

Additionally, it is expected that the National Institute of Standards and Technology (NIST) will publish supply chain security standards that will likely become a security industry standard. Software and hardware suppliers to state and local government and private sector should expect changes to become compliance requirements in the future.

How can my company benefit from the Biden cybersecurity executive order?

Organizations should look at the cybersecurity executive order as more than a check-the-box mandate. Expectations of the public and customers have changed, and companies can gain a lot from answering the growing expectation of transparency and disclosure. 

Building your own SBOM also provides a road map for your organization to assess the controls you need to quickly respond to threats. Without a clear understanding of the software that makes up your infrastructure and products, you risk being unaware of vulnerabilities in your software stack until it’s too late.

SBOMs will also offer an incredibly valuable new set of data for companies to use to enhance their own third-party risk management (TPRM) efforts. While this new data set does increase the complexity of a TPRM program, it provides an opportunity to match your product inventory with existing and upcoming risks and provides transparency that should enable much faster remediation in the event of a vulnerability.

Three actions organizations can take

Whether your organization is directly affected by the cybersecurity executive order or you want to take advantage of this new set of data in your TPRM program, you can take action to improve your cybersecurity posture.

Improve software supply chain security

Organizations should apply a risk-based approach when implementing security controls in the software development pipeline. Additionally, automation via security as code can enable detection and verification of security risks. Organizations moving critical software to the cloud should take the opportunity to implement baseline security controls and apply verification checks as part of the pipeline.

Utilize cyber threat intelligence

Many organizations are working with third-party cyber threat intelligence (CTI) professionals, who monitor the cybersecurity landscape and have experience with an organization’s systems and devices. Vendors can provide flash notifications when an event occurs or a vulnerability is discovered, allowing organizations to take mitigating actions more quickly.

Enhance third-party risk management

More and more, the most agile organizations work with multiple third parties in order to stay competitive. All these relationships are important, but each one adds risk: cyber risk, regulatory risk, brand risk and more. The new order will require companies to contend with another large data set.

Organizations can manage this increasingly complex third-party risk landscape by improving decision-making with pre-screening, using technology to be more fully informed with end-to-end workflow management and managing your due diligence reporting. 

Ransomware and cyber-attacks aren’t slowing down

Cyber-attacks show no signs of de-escalating, and ransomware has become its own industry. Supply chain relationships continue to be vulnerable and organizations are struggling to manage the risk introduced by their vendors.

President Biden’s new executive order on cybersecurity provides an opportunity for organizations to find collaborative ways to address a nationwide problem by introducing requirements for federal contractors (and their supply chains) to be more transparent, modernize their cybersecurity defenses, and strengthen their responses to cybersecurity events.

Summary

President Biden’s executive order on cybersecurity comes amid increasing cyberattacks affecting the nation’s public and private sectors. New guidelines and processes based on the order are expected within the year and will likely become new industry standards with global ramifications. All organizations – not just federal contractors – should consider how they might be affected by the order, examining their software supply chain security and third-party risk management. 

About this article

By Dave Burg

EY Americas Cybersecurity Leader

Proud husband, father of three. Skiing, tennis and golf enthusiast.

Related topics Cybersecurity Risk Consulting