Cybersecurity Executive Order Summary: What It Means and How to Get Your Software Ready
Earlier this month, the White House issued an executive order aimed at improving the cybersecurity of the United States. This much-anticipated order comes on the heels of widely publicized digital attacks, such as Colonial Pipeline and SolarWinds, which illustrate the current state of cybersecurity standards in the software industry.
In this blog, we summarize what you need to know about the Cybersecurity Executive Order — what this order means, a timeline of key dates to be aware of, and what is yet to be defined in terms of guidelines under this new order.
What Is the Cybersecurity Executive Order?
The aim of this order is to improve the nation’s cybersecurity and protect federal government networks, with assistance from the private sector. A common thread between the above-mentioned cyber attacks, and many others, is insufficient cybersecurity defenses, which leave all organizations, both private and public, vulnerable to malicious acts.
As written in the White House fact sheet, the executive order will:
- Remove barriers to threat information sharing between government and the private sector.
- Modernize and implement stronger cybersecurity standards in the federal government.
- Improve software supply chain security.
- Establish a cybersecurity safety review board.
- Create a standard playbook for responding to cyber incidents.
- Improve detection of cybersecurity incidents on federal government networks.
While there could be future implications for consumer-facing software (or at least best practices that could be implemented), one of the main targets of this order is organizations that sell software to the government, as well as organizations that build software the government uses.
Cybersecurity Executive Order: What’s Next?
So, what does this order mean to you if your organization is part of a software supply chain?
The first thing is: don’t panic.
These improvements are much needed to address cybersecurity threats to “the public sector, the private sector, and ultimately the American people’s security and privacy,” and while some deadlines in the planned timeline are aggressive, taken as a whole the timeline is manageable.
More than 40 deadlines have been established, with some coming as soon as 14 days after the EO’s release, while others are one year out.
Key Dates in the Cybersecurity Executive Order Timeline
We would like to call attention to the following events in the EO’s timeline, which can be found in Section 4: Enhancing Software Supply Chain Security.
- Within 30 days from EO: The Secretary of Commerce will begin to solicit input from the federal government, private sector, academia, and other actors to identify and develop new standards, tools, and best practices for compliance. These new guidelines will include criteria that can be used by government agencies, or any organization, to evaluate software security, security practices of developers and suppliers themselves, and identify tools or methods to demonstrate compliance with secure practices.
- Within 45 days from EO: A definition will be published for “critical software” — broadly defined at this stage as software that “performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources).” 30 days after this date, a complete audit will have been performed on all existing software considered critical.
- Within 60 days from EO: Publication of minimum elements for a Software Bill of Materials (SBOM), as well as publication of guidance outlining security measures for critical software. Appropriate steps to require agency compliance shall begin within 30 days.
- Within 180 days from EO: Preliminary guidelines to be published. Within 90 days of publication of these preliminary guidelines, the Secretary of Commerce shall issue guidance on standards, procedures, or criteria for conformance to these guidelines. Within 30 days of this issuance, appropriate steps will be taken to require agencies to comply with such guidelines with respect to software procured after the date of this order.
- Within 1 year from EO: A recommendation will be made to the Federal Acquisition Regulatory (FAR) Council on contract language that software suppliers must comply with, after which the FAR will be amended, and software products that do not meet the requirements of the amended FAR will be removed.
Note that agencies may request an extension for compliance with any requirement; requests will be considered on a case-by-case basis and must be accompanied by a plan for meeting the underlying requirement. Likewise, waivers will be considered on a case-by-case basis. Waivers shall be accompanied by a plan to mitigate risk, and will be granted only in exceptional circumstances and for a limited duration.
How Perforce Can Help
As the industry leader in DevOps solutions, enabling the secure and efficient development, implementation, and maintenance of software, Perforce is uniquely positioned to respond to the guidelines that will be set forth by the cybersecurity executive order and to enable our customers to address cybersecurity threats.
In the coming weeks we will continue discussion of the EO with solution-specific content to address your organization’s needs. First up: how the requirement of a Software Bill of Materials (SBOM), pursuant to Sec. 4(e)(vii) of the EO, can be solved with Methodics IPLM.
In the meantime, see for yourself how Perforce can help your organization strengthen cybersecurity and comply with the forthcoming guidelines of the EO. Contact us to discuss the security challenges your organization faces – and learn how they can be solved with Perforce.