President Biden’s latest cybersecurity-themed executive order issued today aims to engineer security improvements in at least a dozen major areas, with Federal agency systems, cloud services, and software emerging as prominent topics on an exhaustive list of security policy items.

At the top line, the latest order aims to build on the administration’s landmark 2021 cybersecurity executive order whose major themes included the imperatives for Federal agencies to move to cloud-based systems as a way to improve security, and to begin a years-long transition to zero trust security architectures. The new order does not appear to change course on either of those initiatives and seeks to build on them.

“Building on the foundational steps I directed in Executive Order 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy, I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China,” President Biden said in the new order.

“Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies … and with the private sector are especially critical to improvement of the Nation’s cybersecurity,” he said.

The latest cybersecurity order was issued just four days before the Biden administration gives way to the incoming Trump administration, and it’s unclear whether the new administration will agree with the same cybersecurity policy agenda.

Here are pointers to some of the order’s major moves:

Software Security

The new order emphasizes that the Federal government needs to do more to adopt secure software acquisition practices in order to reduce the number of security vulnerabilities in software that the government buys from the private sector.

The order would kick off requirements for the Office of Management and Budget (OMB) to work with the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to recommend to the Federal Acquisition Regulatory (FAR) Council contract language requiring software providers to submit to CISA through its Repository for Software Attestation and Artifacts (RSAA) machine-readable secure software attestations, high-level artifacts to validate those, and a list of Federal civilian agency software customers. The FAR Council would have four months to amend the Federal Acquisition Regulation to implement those recommendations. CISA would be in charge of dealing with software providers whose attestations were found to be insufficient.

Supply Chain Security

The new order tasks OMB with taking steps to require Federal agencies to comply with guidance in NIST Special Publication 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Revision 1)) and provide annual reports on implementation.

“Consistent with SP 800-161 Revision 1, OMB’s requirements shall address the integration of cybersecurity into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration, and performance evaluation,” the order says.

Open Source Software

Stating that “open source software plays a critical role in Federal information systems,” the new order tasks OMB and CISA to issue within four months “recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.”

Federal Systems Security

The order features numerous directives to improve Federal agency security, including a requirement that agencies “shall begin using, in pilot deployments or in larger deployments as appropriate, commercial phishing-resistant standards such as WebAuthn, building on the deployments that OMB and CISA have developed and established since the issuance of Executive Order 14028.”

“These pilot deployments shall be used to inform future directions for Federal identity, credentialing, and access management strategies,” the order says.

The new order also aims to strengthen CISA’s ability to hunt for cybersecurity threats on Federal systems.

To achieve that aim, CISA, along with the Federal CIO Council and the Federal CISO Council, “shall develop the technical capability to gain timely access to required data from FCEB [Federal civilian executive branch] agency endpoint detection and response (EDR) solutions and from FCEB agency security operation centers to enable” more timely threat hunting of “novel” cyber threats and vulnerabilities, identify coordinated cyber campaigns targeting Federal agencies, and better compile and analyze threat data.

CISA is also charged with establishing agency working groups to develop technical controls and work with EDR providers to implement those controls at agencies, and will “at a minimum, establish a working group for each EDR solution authorized by CISA for use in the CISA Continuous Diagnostic and Mitigation Program.”

Further on the agency security front, Federal agencies will have 90 days to ensure that “all of their assigned Internet number resources (Internet Protocol (IP) address blocks and Autonomous System Numbers) are covered by a Registration Services Agreement with the American Registry for Internet Numbers or another appropriate regional Internet registry.”

“Within 120 days of the date of this order, all FCEB agencies that hold IP address blocks shall create and publish Route Origin Authorizations in the public Resource Public Key Infrastructure repository hosted or delegated by the American Registry for Internet Numbers or the appropriate regional Internet registry for the IP address blocks they hold,” the order says.

Also within 120 days, the Office of the National Cyber Director will recommend contract language to the FAR Council to require contracted providers of internet services to agencies to adopt and deploy internet routing security technologies, including publishing Route Origin Authorizations and performing Route Origin Validation filtering.
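The Route Origin Validation that the order asks Federal internet service providers to perform, as an added example (not from the order or from MeriTalk): it classifies a BGP announcement as valid, invalid or not-found against a set of ROAs following RFC 6811, including the maxLength check. The ROAs, prefixes and ASNs are constructed sample values, not real agency assignments.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added example, not from the executive order or MeriTalk. All prefixes,
ASNs and ROAs below are constructed sample data, not real assignments.
"""
from ipaddress import ip_network

# Constructed ROAs: (prefix, maxLength, origin ASN). A ROA authorizes the ASN
# to originate the prefix and any more-specific prefix up to maxLength bits.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers the announced prefix."""
    net = ip_network(prefix)
    out = []
    for roa_prefix, maxlen, asn in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((roa_net, maxlen, asn))
    return out


def validate_route(prefix, origin_asn, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"  # no ROA covers the prefix; ROV cannot judge it
    for _roa_net, maxlen, asn in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    # Covered by a ROA but wrong origin ASN or more specific than maxLength:
    # the signature of a hijack or a misconfiguration.
    return "invalid"


def filter_announcements(announcements, roas=ROAS, drop_invalid=True):
    """Apply ROV filtering to (prefix, origin ASN) pairs; return accepted ones."""
    accepted = []
    for prefix, origin in announcements:
        state = validate_route(prefix, origin, roas)
        if state == "invalid" and drop_invalid:
            continue
        accepted.append((prefix, origin, state))
    return accepted
```

Routes that come back "not-found" are still accepted because RPKI coverage is incomplete; only "invalid" routes are dropped, which is how production ROV filtering is usually deployed.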

Cloud Services

The new order tasks the General Services Administration (GSA), CISA, and GSA’s Federal Risk and Authorization Management Program (FedRAMP) to “develop FedRAMP policies and practices to incentivize or require cloud service providers in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.”

Quantum Tech

The order requires CISA within six months to release a list of product categories that support post-quantum cryptography (PQC). “Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support being provided by network security products and services already deployed in their network architectures,” the order says.

The order also aims to have FedRAMP develop updated requirements for cryptographic key management security practices.

Digital Identity

The new order also states “it is the policy of the executive branch to strongly encourage the acceptance of digital identity documents to access public benefits programs that require identity verification, so long as it is done in a manner that preserves broad program access for vulnerable populations and supports the principles of privacy, data minimization, and interoperability.”

The order tasks Federal agencies with grantmaking authorities to consider helping states develop and issue mobile driver’s licenses, and tasks NIST with supporting “remote digital identity verification using digital identity documents that will help issuers and verifiers of digital identity documents advance the policies and principles” of the order.

AI for Cybersecurity

The new order states that the government “must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”

The order tasks the Defense Department, Energy Department, and Department of Homeland Security (DHS) with launching a pilot program involving collaboration with “private sector critical infrastructure entities as appropriate and consistent with applicable law, on the use of AI to enhance cyber defense of critical infrastructure in the energy sector, and conduct an assessment of the pilot program upon its completion.”

“This pilot program, and accompanying assessment, may include vulnerability detection, automatic patch management, and the identification and categorization of anomalous and malicious activity across information technology (IT) or operational technology systems,” the order says.

The order also requires the Defense Department within nine months to “establish a program to use advanced AI models for cyber defense.”

In addition, NIST, the Energy Department, DHS, and the National Science Foundation will “prioritize funding for their respective programs that encourage the development of large-scale, labeled datasets needed to make progress on cyber defense research, and ensure that existing datasets for cyber defense research have been made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security.”

Finally, within five months, those same agencies are required to prioritize research on topics including: human-AI interaction methods to assist defensive cyber analysis; security of AI coding assistance, including security of AI-generated code; methods for designing secure AI systems; and methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems.

Industry Reaction

Gary Barlet, public sector chief technology officer at Illumio, told MeriTalk that the new order “introduces several promising proposals that could significantly enhance the nation’s cybersecurity posture, including stricter software requirements, guidance on leveraging artificial intelligence for cyber defenses, and the adoption of endpoint detection and response tools.”

“It’s encouraging to see a focus on addressing critical issues that align with the pressing need to counter nation-state threat actors, and I’m particularly encouraged by the emphasis on collaboration, which will be essential to the success of these measures,” he said.

“While it is reassuring to see critical cybersecurity issues addressed at a national level, the success of this EO will depend on policy priorities set forth in the upcoming administration,” Barlet said.

“The next administration has an opportunity to bring renewed focus and energy to government technology,” he said, adding, “by building on the existing foundations and progress, we could see meaningful progress in Federal cybersecurity posture and collaboration efforts that lead to impactful results.”

Phil Fuster, chief revenue officer at Hitachi Vantara Federal, said the new order marks “an encouraging step towards protecting networks and securing data across the Federal government.”

“By prioritizing secure cyber defenses, cloud security, and the safe use of artificial intelligence, the administration is tackling foundational cybersecurity challenges in an increasingly complex threat landscape,” he said. “While the Executive Order provides a robust framework, its successful implementation will require sustained collaboration and unwavering focus across all levels of government and in partnership with industry.”

“As our nation increasingly relies on interconnected systems – from the Internet of Things to critical infrastructure – safeguarding digital assets is paramount,” Fuster said. “The Executive Order recognizes the importance of data-driven innovation while emphasizing the need for robust security measures. I am confident that through continued collaboration between government, industry, and international allies, we can achieve a shared vision of a secure and resilient cyberspace.”

John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.