Following a string of high profile cyber attacks on key infrastructure, including the recent Colonial Pipeline hack, President Biden has taken action to enhance cybersecurity standards across both government and the private sector.
The Executive Order (EO) on Improving the Nation’s Cybersecutiry was signed in May and is now in the process of being implemented. The EO is broad ranging in scope, focusing on key areas of vulnerability, including:
- Removing barriers to threat information sharing between government and the private sector
- Modernizing and implementing stronger cybersecurity standards in the federal government
- Improving software supply chain security
- Establishing a cybersecurity safety review board
- Creating a standard playbook for responding to cyber incidents
- Improving detection of cybersecurity incidents on federal government networks
- Improving investigative and remediation capabilities
The principal aim of the EO is to enhance the cybersecurity of government departments and supply chains. However, expect this to have a trickle-down impact on all types of businesses within the private sector, both big and small.
Therefore, small businesses should make themselves aware of the requirements of the EO and determine if they are required to make any changes to remain in compliance, specifically with regards to their vendor relationships.
Understanding the implications for your business
The most significant impact will be on small businesses that work with government agencies as a contractor, subcontractor or under any other type of business relationship. If these businesses fail to keep up with the directives in the new EO, then they could quickly find themselves unable to continue working with government agencies.
However, it isn’t just small businesses that work with government agencies that should take heed of the EO. The White House is encouraging all businesses to adopt the guidance that it’s laid out. And while the EO can’t demand that all private companies adopt specific cybersecurity protocols, these could become part of the framework of enhanced cybersecurity measures for businesses operating in sensitive industries such as healthcare and finance.
Updating your vendor risk assessment
If vendor risk assessments are already a part of your data security protocols, then you should start updating these now to take account of the measures within the EO. Start by asking how your vendors are planning to comply with the new measures and what their roadmaps are towards compliance.
For small businesses working with government agencies, any vendor of yours that is found lacking in its preparedness should be treated as a red flag. For small businesses that don’t do any government work, this may not necessarily mean you won’t want to work with this vendor, but finding vendors who are taking steps to be in compliance with the EO will help you to better future-proof your infrastructure. So, for example, this could be a deciding factor when weighing up vendor RFP responses.
Reviewing vendor contracts
As well as updating your vendor risk assessments, you’ll also need to review and possibly update your existing vendor contracts. For example, as the EO requires enhanced sharing of threats or breach information between software providers and government agencies, vendor contracts will need to be updated to ensure that the sharing of such data is not currently prohibited by contractual terms.
Also – contracts should be updated to reflect the other requirements of the EO, to ensure that your vendors are encrypting all data, using multi factor authentication, etc. This will also enable you to terminate contracts early if a vendor is found to be in breach of any of these terms.
Updating internal data security protocols
In addition to updating vendor risk assessments and contracts, small businesses should also ensure their internal data security protocols cover all the bases set out in the EO. This includes two-factor authentication for accessing key systems and the encryption of all data being sent and received by your business.
While the final details of how the EO will be implemented are yet to be confirmed, plenty of small businesses should take a moment to assess what this could mean for them as well as plan for next steps.
If you handle government work, no matter in what capacity, you should start taking immediate steps to ensure your vendors are working towards compliance. You should also consult your legal counsel to determine how best to review and update vendor contract terms.
For small businesses that do not handle government work, it’s still a valuable exercise to begin conversations with your software vendors to understand how they plan to remain in compliance, to help future proof your business.