Executive Order 14028 and Federal Acquisition Regulation (FAR): 10 Months Later

In response to incidents such as the Colonial Pipeline and Solar Winds attacks, on May 12, 2021, President Biden signed executive order 14028 on Improving the Nation’s Cybersecurity. This order outlines over 55 actions federal agencies need to take to improve cybersecurity. These actions range from developing strategies for critical software use to directly removing certain software products that do not comply with revamped standards. The objective of the executive order is to bolster the cybersecurity of federal systems. One of the mechanisms to accomplish that is by updating the contracting language of the Federal Acquisition Regulation (FAR). Federal agencies spent $10.5 billion on software contracts in 2020 and $11.8 billion in 2021. Around 40,000 contractors possess data that is critical to national security. The companies under the FAR’s jurisdiction are key to the infrastructure of networks in the United States. 

The FAR guides the use of appropriated funds by Executive Branch agencies to acquire goods or services and is overseen by the heads of the Department of Defense (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA). Agencies have regulatory supplements that build off the FAR to provide additional guidance into contracting with specific departments.

What does the process of updating the FAR language look like? In this case, federal agencies recommended language updates and delivered them to the FAR Council—the government officials from the Office of Management and Budget (OMB), DOD, NASA, and GSA in charge of any modifications to the FAR. After review from the FAR Council and a public comment period, these updates were sent to the FAR teams that draft the final language and then are to follow the “notice-and-comment” procedures of the Administrative Procedure Act (APA). These procedures require agencies to submit a notice of a revised rule and create an opportunity for public comment. The executive order mandates the execution of four FAR processes.

Executive orders have used the FAR to advance American manufacturing, further adherence to labor laws, and even to require COVID-19 vaccinations. To promote increased cybersecurity, the May executive order asks the FAR language to be updated to require vendors to report incidents and to meet certain software standards (as outlined in the order’s sections 2 and 4 respectively). Section 2 aims to increase transparency on incident reporting using the power of federal procurement. Officials have stated that this is just a starting point, and they look forward to engaging with legislators to expand these guidelines to cover companies regardless of whether or not they are government contractors. Section 4, on the other hand, seeks to leverage federal authority to activate the market for secure software, according to administration officials.

Sec. 2(b),(c),(d) directs a revision of contracting language with the goal of advancing information sharing and incident response collaboration between vendors and federal agencies. This language seeks to ensure that companies (1) collect and preserve data on all systems, (2) share this data as it relates to confirmed or potential cyber incidents with the agency they contracted with, and (3) collaborate on incident response, which may include implementing technical updates to the contractors' systems.
  • This section remains an open FAR case (2021-017) with the Notice of Proposed Rulemaking (NPRM), or the publication of an agency’s intent to enact a certain rule and the option to submit public comments, period closing in April 2022. 
Sec. 2(g) mandates agencies to recommend language to reflect new reporting requirements from contractors. This should include additional guidance on what incidents require reporting to federal agencies, what information needs to be reported, specific reporting timelines, and what contractors will be covered by these modifications. Sec. 2(i),(j),(k) outlines the need to standardize cybersecurity requirements for federal contractors, as many face a patchwork of agency-specific guidelines.
  • To fulfill this directive, the FAR Acquisition Technology and Information Team is currently drafting the proposed rule as a part of FAR case 2021-019 with the NPRM period also closing in April 2022. After this wording is finalized, agencies are required to remove any duplicate agency-specific cybersecurity requirements.
Sec. 4(n),(o) focuses on updating contracting language to reflect the critical software guidance. The executive order mandated the National Institute of Standards and Technology (NIST) to develop this guidance.
  • NIST finalized the Secure Software Development Framework (SSDF) in February 2022, which maps the guidelines from section 4e in the EO to specific security practices. This framework outlines practices for secure software development in four categories— (1) prepare the organization, (2) protect the software, (3) produce well-secured software, and (4) respond to vulnerabilities. NIST also released guidelines for how federal agency staff can ensure developers are following this framework and what information to request to confirm its application in vendor systems. Following the release of the SSDF, the Department of Homeland Security (DHS) needs to recommend to the FAR council how contract language can incorporate this guidance. This will begin the process of amending the FAR to reflect section 4’s requirements.
From the private sector, many are preparing for the implementation of updates to the FAR, with 76% of organizations surveyed by the Linux Foundation considering changes to comply with the executive order. But, do companies have the resources and capabilities to comply with these requirements? Recent DOD analysis shows that only 1 in 4 defense contractors meet the Pentagon’s current cybersecurity standards. Out of 220 companies surveyed by the DOD, 75% failed to implement basic cybersecurity measures and had to enter Plans of Actions and Milestones (POA&M), which track a company’s progress on repairing security vulnerabilities or weaknesses. Many companies are seeking a more collaborative approach on cybersecurity capabilities from the federal government. Ahead of the projected Q1 FY23 implementation of the first of these new requirements, is there an opportunity for increased government assistance to raise the standard of cybersecurity practices in the private sector?

Georgia Wood is a program coordinator and research assistant with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, DC.
The Strategic Technologies Blog is produced by the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

Georgia Wood
Program Manager and Research Associate, Strategic Technologies Program