Exclusive: Software Vendors Would Have To Disclose Breaches To U.S. Government Users Under New Order
SAN FRANCISCO: A planned Biden administration executive order will require many software vendors to notify their federal government customers when the companies have a cybersecurity breach, people consulted on the draft order said on Thursday.
A National Security Council spokeswoman said no decision has been made on the final content of the executive order. Reuters reviewed the draft order.
The SolarWinds hack, which came to light in December, showed “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about,” the spokeswoman said.
The proposed order outlines several digital security recommendations, including the notification requirements for service providers, according to four people familiar with the plan.
The order also will require vendors to preserve more digital records for investigating hacks and to work with the FBI and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, known as CISA, when responding to incidents.
In practice, the change will occur through updates to federal acquisition rules. Major software companies that sell to the government, like Microsoft or Salesforce, would be affected by the change, said two of the people familiar with the plans.