UPDATED 21:52 EDT / MARCH 25 2021


Biden reportedly planning an executive order on cybersecurity breach notifications

The Biden administration is planning an executive order that would force software vendors to notify federal government customers if they have suffered a cybersecurity breach, according to a report from Reuters.

The order as it stands is said to be in draft with no decision made on the final content. However, it could be released as early as next week, the report noted.

The decision to pursue an order forcing cybersecurity disclosure is said to be directly related to the SolarWinds Worldwide LLC breach last year. “The federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly,” a National Security Council spokesperson told Reuters. “Simply put, you can’t fix what you don’t know about.”

The proposed order does not stop at breach disclosure. It would also impose additional rules, such as a requirement for a “software bill of materials” that spells out what is inside a piece of software. That addresses software built on other software, particularly open-source components, as part of its overall structure. Various reports have detailed how open-source repositories expose companies to hacking, such as the case of a security researcher who was able to breach Apple Inc., Microsoft Corp. and others in February.

The notification requirement reportedly would have the most immediate impact because it would override nondisclosure agreements that have previously limited information sharing. The order would also require vendors to preserve more digital records and to work with the U.S. Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

In practice, most companies already keep those records because of existing compliance regulations, and informing and then working with the FBI is basically the default response when a company is hacked. This part of the order is either formalizing or repeating what’s already standard practice.

The last part of the order creates a “cybersecurity incident response board” that will include representatives from federal agencies and cybersecurity companies. The board would encourage victims and vendors to share information, something that already occurs in practice.

If and when the order is issued, the changes will be made through updates to federal acquisition rules and will affect major companies selling to the government, such as Microsoft and Salesforce.com Inc.

Photo: White House/Twitter
