President Biden Issues Executive Order on Strengthening and Promoting Innovation in the Nations Cybersecurity

Introduction

On January 16, 2025, President Biden issued an Executive Order (EO) on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, to further address increasing threats from nation-state actors and cybercriminal organizations. This directive seeks to build on prior measures, such as Executive Order 14028, and provides additional steps for securing the nation’s digital infrastructure such as enhancing cybersecurity across federal systems and collaborating with the private sector. Key objectives include improving secure software development, modernizing and securing federal information technology, and fostering development of emerging technologies. 

With the transition to the Trump Administration just days away—and the EO mandating many agency actions with deadlines that are months away—questions remain about whether this Executive Order will be retained in its current form, modified, or rescinded altogether. We expect a flurry of executive actions starting on January 20, several of which will be focused on rolling back directives from the prior Administration. While we anticipate that cybersecurity will be a priority for the Trump Administration, its approach may differ from the Biden Administration’s. Companies should keep a close eye on these developments. 

Below, we summarize the substantive sections of the Executive Order. 

Summary of Key Sections

Section 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains: The EO seeks to address the vulnerabilities posed by third-party software. It directs future changes to the Federal Acquisition Regulation (FAR) that will require software providers to submit machine-readable attestations and supporting artifacts to the Cybersecurity and Infrastructure Security Agency (CISA), demonstrating their compliance with secure software development practices. Furthermore, the National Cyber Director would be authorized to refer invalidated attestations to the Department of Justice for further action. Additionally, the EO emphasizes the need for improved third-party risk management frameworks, and the adoption of rigorous security standards for open-source software.

Section 3. Improving the Cybersecurity of Federal Systems: Federal agencies are directed to adopt phishing-resistant authentication measures, such as WebAuthn, to enhance identity security. The EO also mandates CISA to lead the deployment of robust endpoint detection and response (EDR) capabilities across federal networks to enable timely threat detection, information sharing, and mitigation. Furthermore, it mandates updates to FedRAMP guidelines to strengthen the security of cloud services, requiring technology vendors to align their offerings with these updated standards.

Section 4. Securing Federal Communications: This section focuses on improving the security of federal communications systems by mandating the encryption of Domain Name System (DNS) traffic, email transmissions, and modern communication platforms, such as video conferencing applications. It addresses vulnerabilities in internet routing protocols, specifically the Border Gateway Protocol (BGP), which is critical for secure and reliable internet communications. And it also directs agencies to prepare for the transition to post-quantum cryptography.

Section 5. Solutions to Combat Cybercrime and Fraud: To reduce the prevalence of identity fraud, the EO promotes the use of digital identity documents in public benefits programs, and advocates the adoption of privacy-preserving "Yes/No" validation services to verify user identity without compromising sensitive information. Additionally, it introduces pilot programs to notify individuals of potentially fraudulent activities in real time, enabling preemptive action against cybercrime.

Section 6. Promoting Security with and in Artificial Intelligence: The EO emphasizes the transformative potential of artificial intelligence (AI) in strengthening cybersecurity. It directs the establishment of pilot programs that leverage AI to automate vulnerability detection, patch management, and threat identification across IT and operational technology systems. It also prioritizes research into the development of secure AI systems and the creation of large-scale datasets to facilitate the development of AI-driven cybersecurity solutions.

Section 7. Aligning Policy to Practice: This section mandates revisions to Office of Management & Budget (OMB) policies for federal agencies to include the migration to zero-trust architectures, which prioritize stringent access controls and continuous verification of user identities and devices. The EO introduces a "rules-as-code" approach to enable the creation of machine-readable cybersecurity policies, streamlining regulatory compliance and enforcement.

Section 8. National Security Systems and Debilitating Impact Systems: Recognizing the critical importance of National Security Systems (NSS) and debilitating impact systems, the EO directs updates to requirements for these systems to address advanced cyber threats. In addition, this section specifically addresses the threat to space systems, directing a review of policies and guidance for space systems cybersecurity.

Section 9. Additional Steps to Combat Significant Malicious Cyber-Enabled Activities: The EO updates the language of the existing sanctions framework for malicious cyber activity to explicitly cover ransomware attacks.