Recently we have witnessed the Colonial Pipeline cyberattack, a significant Microsoft Exchange Server hack, and the infamous SolarWinds breach severely impact U.S. companies and the country more broadly. Each of these attacks has been a highly sophisticated breach of the United States’ cyberinfrastructure. Each has also served as a serious and sobering reminder of the dangerous digital world we live in.
Over the years, there has been a consistent stream of headlines on cybersecurity breaches resulting from ineffective cybersecurity management and defenses that have left both the public and private sectors vulnerable to IT risk. However, the White House recently demonstrated a willingness to act and attempt to mitigate future IT and cyber risks by signing an executive order to improve the United States’ cybersecurity infrastructure and protect federal government networks.
The executive order represents a significant shift in focus from the government for both the public and private sector and will require that federal agencies provide recommendations for changes to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) for information and communication technologies.
Soon the government will fully develop new requirements for retaining relevant data, encrypting activity logs, and logging events, including events managed by third parties. These requirements will also oblige third-party vendors and contractors that use and maintain information systems utilized by the federal government to collect, maintain, and provide network logs, among other obligations.
Although much of this order is limited to the U.S. government and its contractors, it also represents a monumental shift in cybersecurity—a major step toward modernization and a growing public-private partnership in cyber risk. Organizations across the United States need to consider, however, the potential changes coming to the regulatory landscape in the private sector and whether these changes will impact their overall business strategy and current plans to comply with requirements.
The Biden administration has already issued several executive orders relating to cyber risk and cybersecurity, and regulators under this administration have also been ordered to direct their focus to cyber issues. The administration has signaled a clear intent to collaborate with the private sector while also holding organizations increasingly accountable through enforcement actions.