On Wednesday, May 12, President Biden signed an extensive Executive Order (E.O.) on Improving the Nation’s Cybersecurity. The E.O. is primarily directed at federal departments and agencies, and federal contractors, but its implementing standards will likely have a much broader impact across critical infrastructure sectors and related technology suppliers.
Key directives include:
- Development of new software security standards, tools, and best practices, prioritizing a yet-to-be defined category of “critical software”
- Maturation of a Software Bill of Materials (SBOM) and participation in vulnerability disclosure programs
- Formalizing software code testing expectations
- Development of standards and best practices for IoT cybersecurity, including a consumer labeling program
- Expanded breach notification requirements for technology suppliers, plus the establishment of a Cyber Safety Review Board to investigate significant cyber incidents
- A requirement for federal agencies to implement “zero trust” architectures, accelerate migration to secure cloud services, and adopt other data protection capabilities—plus related endpoint detection and response and logging—to mitigate continuing supply chain risk