Dark Light
Why all contractors who touch government systems should be prepared to implement strong data collection and maintenance initiatives.

Here’s another requirement we all need to be aware of that works in tandem with many existing initiatives we’re dealing with, such as CMMC, FedRAMP, and NIST publications.

Some small business folks won’t be affected by this, and some will. As the article states, if your contracts require you to access any government systems using your own internal IT systems or if you develop software for or on behalf of the government, this executive order will likely impact you.

If you are impacted, you’ll likely see some changes to the terms and conditions of your existing contracts in the near future, and those terms and conditions will likely include references to this executive order.

It also pays to keep this in mind as you’re vetting new possible opportunities, as they may be impacted by these changes as well. 

This is a guest post by David Shafer and Anna Wright of Piliero Mazza PLLC. 

On May 12, 2021, the Biden administration released a far-reaching executive order intended to improve the U.S. government’s cybersecurity posture, both internally and in any private information technology (IT) systems that “touch” federal IT systems. The executive order is available here, and a related fact sheet is available here

This executive order will work in tandem with existing initiatives, such as the Cybersecurity Maturity Model Certification (CMMC), the Federal Risk and Authorization Management Program, and National Institute of Standards and Technology (NIST) publications. Notably, and unlike CMMC, the executive order is concerned more with improving the entire government’s IT systems to protect all information residing on those systems, and less with scaling protections based on types of information residing on contractor systems. 

If your contracts require you to access any government systems using your own internal IT systems or if you develop software for or on behalf of the government, this executive order will likely impact you.

The executive order requires the government to take eight general actions:

  1. Remove barriers to sharing threat information, so information regarding cybersecurity breaches and other incidents can be shared freely across the government, enhancing the government’s ability to respond to such incidents.
  2. Modernize government cybersecurity, specifically by moving toward a cloud environment and adopting cybersecurity best practices, including Zero Trust Architecture, and by centralizing government access to cybersecurity information.
  3. Enhance software supply chain security by requiring greater transparency from commercial software developers via new NIST standards and guidelines and by utilizing a public-private partnership to ensure software is secure throughout the entire development process.
  4. Establish the Cyber Safety Review Board, which will be a sub-component of the Department of Homeland Security and will convene whenever a “significant cyber incident” occurs to determine the government’s response to the incident. This Board will convene for the first time to review the events leading up to the SolarWinds breach that occurred in December 2020 and will be comprised of both industry and government personnel.
  5. Standardize the government’s strategy for responding to cybersecurity vulnerabilities and incidents by requiring the Cybersecurity and Infrastructure Security Agency (CISA) to draft standard operating procedures in coordination with other agencies such as the Department of Defense.
  6. Improve detection of cybersecurity vulnerabilities and incidents on government networks by, among other things, deploying Endpoint Detection and Response initiatives.
  7. Improve the government’s investigative and remediation capabilities by requiring both agencies and their IT services providers to collect and maintain relevant data, and to provide that data to CISA and the Federal Bureau of Investigation as needed.
  8. Adopt standardized requirements for National Security Systems, which are used to process classified data.

Contractors who do not need to access government systems are unlikely to see much impact from this executive order, but those whose work does require such access should be prepared for changes in their contracts, such as requirements for increased transparency and more stringent cybersecurity incident reporting requirements.

Commercial software developers who provide products to the government will particularly feel the impact because the government will now likely require these developers to also provide information never previously requested.

Further, all contractors who “touch” government systems should be prepared to implement strong data collection and maintenance initiatives.

PilieroMazza will continue to monitor guidance and provide updates in the coming months as agencies work to implement the directives set forth in the executive order.

If you have questions about how the executive order may impact your business, please contact David Shafer and Anna Wright, the authors of this client alert, or a member of PilieroMazza’s Cybersecurity & Data Privacy Team.

This post originally appeared on the PilieroMazza blog at https://www.pilieromazza.com/8-key-takeaways-from-executive-order-on-improving-the-nations-cybersecurity-for-government-contractors/ and was reprinted with permission.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

The All-Small Mentor-Protégé Program

SBA had a well-established mentor-protégé program (MPP) for SBA 8(a) certified firms but lacked an MPP program for other small business concerns and specifically, one for specialized certified concerns such as WOSB, EDWOSB, SDVOSB, & HubZone. The 2010 Jobs Act and 2013 NDAA gave SBA the authorization to address this by establishing an all-encompassing mentor-protégé program. Ms. Sandi Clifford, deputy director of the All Small Mentor-Protégé Program (ASMPP), visited the Mid-Tier Advocacy (MTA) earlier this year to discuss the program. Here are some of the highlights of this candid and informative discussion: As Ms. Clifford explained, mentor services to protégés include: • Management and technical assistance (internal business management systems) • Financial assistance (in the form of equity investments and/or loans) • Contracting assistance (contracting processes, capabilities acquisitions and performance) • International trade education (learn how to export, international trade business plan, finding markets) • Business development assistance (strategy, finding contracting and partnership opportunities) • General and/or administrative assistance (business processes and support) As administrators of the program, SBA provides: • Central HQ as opposed to 8(a) distributive model • Online application – certify.sba.gov • Online course tutorial requirement • Annual review and evaluation • Template agreements, i.e., MPA (Mentor-Protégé Agreement) Other All-Small Mentor-Protégé Program (ASMPP) details: • A protégé may generally only have one mentor at a time; SBA may approve a second (two is the maximum) where no competition exists, or if the protégé registers under a new NAICS or otherwise requires new mentor skills.  • Both protégé and mentor must be for-profit (with exception of protégé being an agriculture cooperative). • A mentor may have no more than three protégés at same time (no lifetime limit). • A participant can be both a protégé and mentor at the same time, if there is no competition or conflict. • The ASMPP is self-certifying and is open to businesses who qualify as small in their primary NAICS code, or who are seeking business development assistance in a secondary NAICs where they also qualify as small.  • SBA will not authorize MPAs in second NAICS in which firm has never performed any work; or where firm would only bring “small” status to Mentor and nothing else. • Existing 8(a) firms in last 6 months of the 8(a) program may transfer their MPA to the ASMPP via the online application process. Coordinate with 8(a) office to fine tune the process but there is no reapplication required. • Application requirements include upload of business plan, but no financial statements or tax returns. • JV agreements: ASMPP will not review and approve joint venture agreements. How to apply for the ASMPP: • Applicants are required to register in the System for Award Management (SAM) prior to submitting their mentor/protégé application. • Complete your business profile in certify.SBA.gov. • Evaluate and select your mentor prior to applying. This is not a matching program. SBA will not find a mentor for you. • Begin the ASMPP application process. • Protégés and mentors must complete the online tutorial and have their certificate of completion and all other required documents ready for upload Thank you to Sandi Clifford, Deputy Director, All Small Mentor-Protégé Program, for this helpful overview. TAPE has mentored several small businesses over it’s life as a large business (we’re large in some NAICS codes, though still small in others) and it has been gratifying, satisfying, and integral to our success. As protégés ourselves, we have benefitted from working with some really classy large businesses, and have also had the experience of being a protégé and really getting no tangible benefits. We are currently working with two small businesses, and negotiating ASMPP agreements. You can learn more about the ASMPP on the SBA site. To join MTA and attend future events like this one, please visit www.midtier.org.