As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part one of a four-part series.

On May 12, the Biden Administration issued its much anticipated “Executive Order on Improving the Nation’s Cybersecurity,” which – with over 55 deliverables – has been the driving force behind may of our updates this year. In addition to many internal government initiatives, the EO calls for new data security and incident reporting regulations, publication of requirements for secure software development practices, and establishment of criteria for consumer labeling programs for software and Internet of Things (IoT) devices. You can review our initial article on the EO here, and some additional related articles here (discussion relating to “critical software”), here (draft guidance relating to cloud computing), here (comments on Zero Trust architecture), and here (publication relating to cyber supply chain risk management).

Putting it into Practice – What to expect in 2022: The next EO deliverables are due in February 2022 and relate to solidifying practices for enhancing the security of the software supply chain, and publicizing criteria for the software and IoT consumer labeling programs. Additionally, companies that do business with the federal government (either directly or indirectly through a supplier or reseller) should be keeping an eye out for new proposed rules (e.g., FAR Case 2021-017) that likely will increase instances in which information about cyber threats and incidents must be shared with the Government by certain providers.