Date: 2021-03-27

SAN FRANCISCO • A planned Biden administration executive order will require many software vendors to notify their federal government customers when the firms have a cyber-security breach, according to a draft seen by Reuters.

A National Security Council spokesman said no decision has been made on the final content of the executive order.

The SolarWinds hack, which came to light in December, showed "the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly", the spokesman said. "Simply put, you can't fix what you don't know..."

The proposed order outlines several digital security recommendations, including the notification requirements for service providers, said people familiar with the plan.

The order will also require vendors to preserve more digital records for investigating hacks and to work with the Federal Bureau of Investigation and the Homeland Security Department's Cybersecurity and Infrastructure Security Agency when responding to incidents.

In practice, the change will occur through updates to federal acquisition rules. Major software companies that sell to the government, such as Microsoft or Salesforce, would be affected by the change, said two of the people familiar with the plans.

In the past, Congress has tried to establish a national data breach notification law but has failed because of industry resistance. Such a Bill would have compelled companies that experience hacks to disclose them publicly through government agencies, rather than keep them secret.

Software from US tech company SolarWinds was used as a springboard to compromise a raft of US government agencies.

