
The White House plans to issue a new executive order that will require many software vendors to notify their agency customers when they experience a cyber breach, reports Reuters. According to a spokeswoman for the National Security Council, the order could be issued as early as this week, but no decision has been made on its final contents. The hack of SolarWinds’ Orion product showed that “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly,” the spokeswoman said. “Simply put, you can’t fix what you don’t know about.”

According to a draft version, the proposed order would require agencies to use multi-factor authentication and to encrypt data, and would impose additional rules on critical programs, such as requiring a “software bill of materials” that spells out what is inside. The notification requirement is intended to override non-disclosure agreements, which can limit information sharing, and to give officials more insight into breaches. Vendors also would be required to preserve more digital records and to work with CISA and the FBI when responding to breaches.
