News
Biden Administration Issues Sweeping U.S. Cybersecurity Executive Order
In one of his final acts before leaving office, President Joe Biden on Thursday signed an executive order aimed at enhancing U.S. cybersecurity.
The new order focuses on securing software supply chains, fortifying federal system defenses, and advancing artificial intelligence innovation for cyber defense. It builds on previous measures such as the 2021 Executive Order on Improving the Nation's Cybersecurity, to prioritize addressing holes in software and cloud services, as well as defending against growing threats from nation-state actors, like China.
"These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy," said Biden in the order. "More must be done to improve the Nation’s cybersecurity against these threats."
Here are some of the key areas affected by the executive order:
Securing Supply Chain
Regarding the nation's supply chain, the order stipulates that federal agencies must implement, within the next month, new channels for software vendors to submit written commitments to adhere to secure development practices. The Cybersecurity and Infrastructure Security Agency (CISA) will oversee these commitments and enforce compliance.
Further, the National Institute of Standards and Technology (NIST) will be required to update and strengthen its current guidelines on secure software and patch delivery within the next 180 days.
Strengthening Federal Government Software
The order directs federal agencies to harden their networks by employing advanced security measures, such as zero-trust architecture and the latest in identity management, "in order to improve visibility of security threats across networks and strengthen cloud security."
Agencies will also be required to share data on endpoint detection and response with CISA to help coordinate overall federal defense against attacks.
Securing Federal Communications
The executive order strengthens federal communication security by requiring modern encryption and authentication to combat cyber threats. Agencies must secure Internet routing by registering IP address blocks and enforcing secure routing practices. DNS traffic must be encrypted, with contracts requiring compliant resolvers. Email systems will adopt transport and end-to-end encryption where possible, while voice and video platforms will enable encryption by default.
To address risks from quantum computing, agencies will transition to post-quantum cryptography and adopt secure protocols by 2030. Guidelines will also enhance the management of cryptographic keys and cloud systems, ensuring robust security for federal communications.
Combating Fraud and Cybercrime
Biden's executive order aims to improve identity verification and reduce identity theft with the use of digital identity documents, such as mobile driver’s licenses, to verify users securely while preserving privacy and interoperability. Agencies will support the development of these technologies through grants and issue guidelines within 270 days.
A key feature is implementing "yes/no" validation services to confirm identity information without exposing sensitive data, enhancing privacy and security. Public benefits programs and financial institutions will adopt these systems to detect and prevent fraud.
Additionally, a pilot program will notify individuals when their identity is used for benefits payments, allowing them to block unauthorized transactions and report fraud. These initiatives aim to modernize fraud prevention, enhance program security, and safeguard taxpayer funds while ensuring accessibility for vulnerable populations.
Implementing Generative AI in Cybersecurity
The executive order leverages gen-AI to enhance cybersecurity by improving threat detection, automating defenses and safeguarding critical infrastructure.
Within 180 days of the 2025 AI Cyber Challenge, a pilot program will be launched to evaluate AI's effectiveness in securing energy sector infrastructure by detecting vulnerabilities, managing software patches, and identifying malicious activities. Within 270 days, the Department of Defense will establish a program to apply advanced AI models for cyber defense.
Agencies are tasked with prioritizing funding within 150 days to develop and share large datasets for AI-driven cybersecurity research. Key research areas include improving AI-assisted cyber analysis, securing AI-generated code, designing robust AI systems and responding to AI-related incidents.