
Major Cybersecurity Executive Order Looks to Bolster Federal Agencies and Contractors Before Presidential Transition

Just days before the inauguration ceremony, the outgoing Biden administration issued a sweeping cybersecurity executive order aimed primarily at improving the defenses of federal agencies and their contractors. But the order includes a number of other elements, such as expanding government power to sanction entities targeting critical infrastructure.

The move comes as the Trump administration prepares to take office without having yet named its senior cybersecurity officials. Trump would be free to repeal the executive order, but Biden officials expect to work in tandem during the transition on what is a broadly bipartisan set of measures that leaves little room for political objection.

Biden cybersecurity executive order: New requirements for secure-by-design software, federal agency security

The new cybersecurity executive order builds on steps introduced rapidly since the issuance of the Improving the Nation’s Cybersecurity order in May 2021, which came very shortly after the massive disruptions caused by the Colonial Pipeline ransomware attack. While private Russian for-profit hackers prompted the initial flurry of activity on cybersecurity, the focus has since switched to China with multiple high-profile events attributed to its state-backed hacking teams.

As Robert Huber (Chief Security Officer, Head of Research and President of Tenable Public Sector, Tenable) notes, continued activity by China’s state-backed hackers has ensured that cybersecurity remained an ongoing focus of the Biden administration: “The Salt Typhoon attack and the Treasury Department breaches demonstrate what can happen when outdated cybersecurity systems provide opportunities for motivated and well-resourced adversaries. Not only did these attacks undermine public trust, they compromised our national defence, disrupted essential services and created a beachhead for adversaries like China to disrupt our way of life. This EO takes a step in the right direction by implementing secure third-party software supply chains and improving the cybersecurity of fed systems and communications. As evident by news of recent attacks, these types of updates are long overdue.”

The first item on the Biden list is improvement of secure-by-design practices in the software that government and critical infrastructure companies make use of. The cybersecurity executive order gives the Director of the Office of Management and Budget (OMB) 30 days to develop new contract language requiring software providers to submit machine-readable secure software development attestations, supporting artifacts to validate them, and a list of the providers’ Federal Civilian Executive Branch (FCEB) agency software customers.

The Federal Acquisition Regulatory Council (FAR Council) will then have to review this new language within 120 days and take steps to amend its regulations to implement the suggested changes. The Secretary of Homeland Security is also tasked with evaluating emerging methods of generating, receiving, and verifying machine-readable secure software development attestations and artifacts, and must develop a program to centrally verify the completeness of all attestation forms within 30 days of the FAR Council changes being implemented.

The government is also targeting delivery of this software by tasking the Secretary of Commerce with establishing a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance for developers, focused on existing practices in NIST Special Publication 800-218. NIST Special Publication 800-53 will additionally be updated with new and improved guidance on securely and reliably deploying patches and updates, and the Secure Software Development Framework (SSDF) will also be receiving an update within 180 days (pending possible cancellation by the Trump administration). That update will in turn lead to eventual updates to the requirements of OMB Memorandum M-22-18 for the secure development and delivery of software.

The cybersecurity executive order also instructs federal agencies to improve their handling of open source software. The Secretary of Homeland Security and Director of OMB are being given 120 days to jointly issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.

Dr. Marc Manzano, general manager for cybersecurity at SandboxAQ, believes that the software element is the most important of the new terms: “The Biden administration’s emphasis on requiring software vendors to provide proof of security is a significant step toward strengthening the software supply chain and ensuring greater accountability. This focus on security aligns with the critical need for improved compliance, auditing, observability, and agility in managing modern cybersecurity challenges. With this new EO, I am delighted to see additional efforts to push the current status quo and establish a more regulated framework, as this will ultimately improve IT resilience and safeguard critical systems across industries.”

Federal agencies are also facing new requirements under the cybersecurity executive order. These include pilot deployments of commercial phishing-resistant authentication standards such as WebAuthn, new procedures to improve CISA access to FCEB agency endpoint detection and response data, and new FedRAMP policies and practices to improve the security of the cloud services agencies consume. There are also extensive new requirements for inventorying and securing federal space systems.

Cybersecurity executive order odds and ends: New fraud deterrents, AI defenses

OMB will also be looking into whether federal grant funding can be provided to states for the development of “mobile driver’s licenses” and digital identity documents aimed at curbing fraud, particularly in public benefits programs. This type of fraud was a massively expensive issue during the Covid-19 pandemic, with even foreign actors able to access relief payments and siphon off millions of dollars.

The cybersecurity executive order also adds some more specificity as to how AI will be used for defense. A public-private pilot program has been proposed that will explore use of AI to defend critical infrastructure. Advanced AI defense models would be required to be in place by late 2025.

It will also now be easier to slap sanctions onto ransomware attackers if the cybersecurity executive order stands. The new terms empower the Secretary of the Treasury to more directly act to issue sanctions when ransomware is involved and/or stolen funds are transferred out of the United States.

And federal agencies are again being prompted to begin the transition to quantum-safe algorithms, as Chris Hickman (CSO at Keyfactor) observes: “The Biden administration’s latest Executive Order underscores the critical urgency of preparing for the quantum era, where current widely used legacy algorithms, like RSA and ECC, will no longer provide adequate protection against advanced threats. Organizations must act now to assess their cryptographic systems, identify vulnerabilities, and adopt post-quantum cryptography (PQC) solutions. As quantum computing continues to advance, organizations must emphasize the importance of crypto-agility, ensuring their business can seamlessly transition to quantum-safe algorithms as standards evolve. Delaying action could leave sensitive data exposed to future quantum-enabled adversaries, making proactive steps essential to maintaining digital trust and security.”

The cybersecurity executive order has largely been met with approval from industry observers, but James Yeager (VP of Public Sector at Abnormal Security) notes some points of criticism: “Biden’s Executive Order puts a large focus on AI use for cyber defense – no surprise, given AI’s powerful potential to better anticipate and mitigate national security threats. However, limiting the program to the Pentagon (as outlined in the EO summary) is disconcerting. It’s potentially a missed opportunity to additionally support the Executive Branch and FCEB agencies, many of which are on the frontlines of grappling with increasingly sophisticated and targeted cyberattacks. Additionally, the EO’s proposed establishment of working groups to conduct more threat hunting and EDR in federal networks is encouraging. But threat hunting goes hand in hand with visibility, and it will be interesting to see what guidance CISA releases around how visibility is defined and promoted. I think there is an opportunity here to open up the aperture when it comes to defining ‘visibility.’ For example, email continues to be the number one threat vector facing organizations today, and is the root cause of the vast majority of federal incidents and breaches. Expanding visibility into systems like email could be necessary precursors for conducting effective threat hunting in federal networks. Lastly, the push for digital identity documents and validation services promises enhancements to the process of applying for public benefits, but comes with potential risks. Public sector organizations may need to prepare for spikes in identity-based fraud, for example, and figure out how they protect a deluge of PII from being exploited by adversaries.”

Marcus Fowler, CEO of Darktrace Federal, agrees that the AI aspect requires further attention: “While the order calls out AI’s ability to rapidly and effectively identify threats, greater emphasis and prioritization should be placed on AI’s role in stopping them as well. Specific types of AI can perform the micro decision-making necessary to respond to and contain malicious behavior in seconds. Private-Public partnerships are increasingly critical as some of the key areas of expansion and AI innovation are already occurring in the commercial space. Specifically, effective human-AI collaboration is augmenting stretched security teams, helping organizations to stay one step ahead of rising threats.”

Cory Michal, CSO at AppOmni, notes some additional potential issues: “One of the most interesting and noteworthy points in the Executive Order is the mandate for agencies to provide real-time telemetry data to CISA while maintaining control over their networks. This represents a significant step toward centralized threat hunting and cross-agency collaboration. However, it also highlights a potential area of tension, as agencies may resist sharing telemetry data or granting real-time access to their endpoint detection and response solutions due to concerns about operational disruption, the handling of sensitive data, or perceived loss of autonomy. This balance between centralized oversight and agency independence will likely be a critical factor in the success of the EO’s implementation. One of the key struggles in following the Executive Order is the requirement for businesses, especially smaller vendors, to attest to secure software development practices and provide supporting artifacts. This could face resistance due to the resource-intensive nature of compliance. Additionally, the enforcement of Federal Acquisition Regulation (FAR) updates and compliance checks for these attestations will demand robust auditing mechanisms, which may create operational and administrative challenges for both vendors and the agencies tasked with oversight. These factors could slow implementation and create friction in vendor-government relationships.”