The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity attempts to cement many of the cybersecurity priorities started in the Biden Administration and move forward other initiatives to stop new and emerging threats in cyberspace.
People’s Republic of China-affiliated attackers – such as Salt Typhoon and Volt Typhoon – have launched high profile attacks on critical infrastructure in the United States and allied countries. This latest EO is designed to help the incoming Trump Administration begin to deal with these threats and others. The EO comprises multiple sections and contains overarching directives to all federal agencies.
Does this EO and its provisions have a future in the Trump Administration? In fact, there is precedent for issuing a cybersecurity EO in the waning days of an administration. On January 19, 2021, the day before President Biden’s inauguration, then-President Trump issued the Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (EO 13984). While the Biden Administration made some adjustments, it chose not to revoke the order. Instead, it allowed the Department of Commerce to proceed with a rulemaking process to establish new Know Your Customer (KYC) requirements for Infrastructure-as-a-Service (IaaS) providers as outlined in the order.
National Security Council staff have been briefing the incoming team on the merits of this new EO, which is admittedly far more comprehensive than EO 13984. However, its future is still uncertain, especially given the incoming administration’s recent threats to revoke a number of other Biden Administration EOs.
Below are high-level summaries of the EO’s key provisions.
Section 1: Policy
This Section provides an overview of U.S. policy on cybersecurity and reiterates that China is the most active and persistent threat to the U.S. federal government, private sector, and critical infrastructure owners and operators. It goes on to state that the latest EO builds on the May 2021 EO on Improving the Nation’s Cybersecurity (EO 14028) and on the 2023 National Cyber Strategy (NCS).
Section 2: Operationalizing Transparency and Security in Third-Party Software Supply Chains
This section focuses on software supply chain, including:
- Secure Software Development: Directs the White House Office of Management and Budget (OMB) to update the Federal Acquisition Regulation (FAR) with new contract language requiring software providers to submit machine-readable secure software development attestations and high-level artifacts to validate them. The Cybersecurity and Infrastructure Security Agency (CISA) will validate these attestations, the Office of the National Cyber Director (ONCD) will publish the validation tests, and CISA will refer attestations that fail validation to the U.S. Attorney General.
- Secure Acquisition and Software Security: Directs the National Institute of Standards and Technology (NIST) to create an industry consortium at the National Cybersecurity Center of Excellence (NCCoE) to demonstrate the implementation of SP 800-216 (Secure Software Development Framework (SSDF)). It also directs NIST to update SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on secure patch and update deployment, and to update SP 800-216 to include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.
- Cybersecurity Supply Chain Risk Management: Directs OMB to require agencies to implement SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations), integrating cybersecurity into all parts of the acquisition lifecycle.
- Open Source Security: Directs CISA to issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.
Section 3: Improving the Cybersecurity of Federal Systems
This Section focuses on steps that agencies can take to improve cybersecurity, including:
- Phishing-Resistant Authentication: Directs federal agencies to pilot or fully deploy commercial phishing-resistant standards like WebAuthn.
- Threat Information Sharing: Directs CISA to develop and implement the technical capability to gain timely access to required data from Federal Civilian Executive Branch (FCEB) agency endpoint detection and response (EDR) solutions and from FCEB agency security operations centers.
- Cloud Configuration: Directs the FedRAMP PMO to develop FedRAMP policies and practices to incentivize or require cloud service providers (CSPs) in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems.
- Cybersecurity of Space Systems: Directs USGS, NOAA, and NASA to make recommendations to the FAR Council for how to update civil space cybersecurity requirements and relevant contract language in the FAR. It also directs ONCD to conduct a study that inventories space ground systems and makes recommendations for how to improve cyber defenses and oversight of such systems.
Section 4: Securing Federal Communications
This Section focuses on the foundational technologies and protocols used to secure online communication, including:
- Internet Routing Security: Directs federal agencies to ensure that their IP address blocks and ASNs are covered by a Registration Service Agreement and publish Route Origin Authorizations in the public Resource Public Key Infrastructure repository. It also directs ONCD to recommend contract language to the FAR Council to require contracted providers of Internet services to agencies to adopt and deploy Internet routing security technologies. It also directs NIST to provide updated guidance to federal agencies on deployment of current BGP security methods for federal networks and on other emerging technologies to improve Internet routing security and resilience.
- Encryption for Federal Communications: Directs CISA to recommend contract language to the FAR Council to require products acting as a DNS resolver to support encrypted DNS. It then directs federal agencies to enable encrypted DNS protocols wherever it is supported. It also directs federal agencies to encrypt email messages in transport and directs CISA to establish requirements to expand the use of transport-layer encryption and authentication. Finally, it directs OMB to require agencies to enable transport encryption by default and use end-to-end encryption by default while maintaining logging and archival capabilities that allow agencies to fulfill records management and accountability requirements.
- Post-Quantum Cryptography (PQC) Implementation: Directs CISA to release and regularly update a list of product categories in which products that support PQC are widely available. It then directs agencies to implement PQC or hybrid key establishment as soon as network security products and services in their architectures support it. It also directs NIST and the International Trade Administration (ITA) to engage foreign countries to encourage their transition to PQC algorithms standardized by NIST. Finally, it directs the National Security Agency (NSA) and OMB to issue requirements for agencies to support Transport Layer Security (TLS) protocol version 1.3 or later by Jan. 2, 2030.
- Secure Management of Access Tokens: Directs NIST to develop guidelines for the secure management of access tokens and cryptographic keys used by Cloud Service Providers. It then directs the FedRAMP PMO to develop updated FedRAMP requirements incorporating those guidelines and directs OMB to require federal agencies to follow best practices described in the guidance.
Section 5: Solutions to Combat Cybercrime and Fraud
This Section focuses on improving digital identity, including:
- Mobile Driver’s Licenses: Directs federal agencies to consider federal grant funding to assist States in developing mobile driver’s licenses (mDLs). It then directs NIST to issue guidance on using digital identity documents for remote verification and directs agencies to consider accepting these documents as evidence to access public benefits programs.
- Attribute Validation Services: Directs the Social Security Administration and other agencies chosen by OMB to consider using attribute validation services (i.e., “Yes/No” validation services) in government-operated identity verification systems and public benefits programs.
- Identity Information Use Notification Pilot: Directs Treasury to create a pilot program for a technology that notifies individuals when their identity information is used to request payment from a public benefits program, giving them the ability to stop potentially fraudulent transactions before they occur.
Section 6: Promoting Security with and in Artificial Intelligence
This Section focuses on AI, including:
- AI for Cyber Defense: Directs the Department of Energy (DOE) to launch a pilot program on the use of AI to enhance cyber defense of critical infrastructure in the energy sector. It also directs the Department of Defense (DOD) to establish a program to use advanced AI models for cyber defense.
- AI-Cybersecurity Research: Directs NIST, the Department of Homeland Security Science & Technology Directorate (DHS S&T), and the National Science Foundation (NSF) to prioritize funding for programs that develop large-scale data sets for use by cyber defense researchers. It also directs NIST, DHS S&T, and NSF to prioritize research on specific topics, including human-AI interaction for defensive cyber analysis and security of AI coding assistance.
- AI Software Vulnerability Management: Directs DOD, DHS, and the Office of the Director of National Intelligence to incorporate “management of AI software vulnerabilities and compromises” into their existing processes and interagency coordination mechanisms for vulnerability management.
Section 7: Aligning Policy to Practice
This Section focuses on putting policy into practice, including:
- Federal Agency IT Infrastructure Modernization: Directs OMB to issue guidance to federal agencies, helping them to address critical risks and adopt modern practices and architectures. It also directs NIST, CISA, and OMB to establish a pilot program for a rules-as-code approach to create machine-readable versions of policy and guidance.
- Minimum Cybersecurity Practices: Directs NIST to issue guidance identifying minimum cybersecurity practices based on its evaluation of common cybersecurity practices and security control outcomes across industries. It then directs the FAR Council to incorporate into the FAR a requirement to abide by these minimum practices and to carry the Cyber Trust Mark label if relevant.
Section 8: National Security Systems and Debilitating Impact Systems
This Section focuses on the following issues:
- National Security Systems (NSS): States that Sections 1-7 of this EO do not apply to national security systems (NSS). Instead, it directs DOD to develop requirements for NSS and debilitating impact systems that are consistent with the EO.
- Space NSS Cybersecurity: Directs the Committee on National Security Systems (CNSS) – a U.S. intergovernmental organization of 21 federal agencies – to review and update policies and guidance on space system cybersecurity and implement cyber defense on space NSS.
- Information Systems Inventory: Directs OMB to issue guidance requiring agencies to inventory all major information systems in a centralized system to be maintained by CISA or DOD.
Section 9: Additional Steps to Combat Significant Malicious Cyber-Enabled Activities
This Section updates the April 2015 Executive Order on Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (EO 13694), which authorized sanctions on individuals and entities responsible for or complicit in certain malicious cyber-enabled activities. The new EO amends Section 1 of EO 13694, expanding the list of criteria that the Treasury’s Office of Foreign Assets Control (OFAC) uses as grounds to issue sanctions.
Carole House, special advisor for cybersecurity and critical infrastructure policy on the White House National Security Council staff, will join Ari Schwartz for a webinar on Jan. 16 from 1:45-2:45 pm ET to walk through key provisions of this EO and to discuss its significance.