Biden Tightens Software Supply Chain Security Requirements Ahead of Trump Takeover

President Joe Biden issued his second cybersecurity-focused Executive Order just four days before leaving office.

With this new document, “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” the White House aims to improve US national cybersecurity in order to defend the nation’s digital infrastructure against key threats, especially those from China.

Recent incidents like the Volt Typhoon and Salt Typhoon attacks, attributed to Chinese state-sponsored actors, have highlighted the critical need for a robust defense against sophisticated cyber threats targeting critical infrastructure and sensitive government systems.

Building on his 2021 cyber Executive Order, President Biden now wants to improve accountability for software and cloud service providers, strengthen the security of federal communications and promote the use of emerging technologies for cybersecurity across federal agencies.

To achieve these goals, the new Executive Order introduces a series of requirements for software and cloud service providers.

It also expands the authority of the US Cybersecurity and Infrastructure Security Agency (CISA), whose Director, Jen Easterly, will leave office on the same day as President Biden.

Key New Cybersecurity Requirements

Some of the new requirements outlined in the 2025 Executive Order include:

  • Federal agencies are mandated to encrypt emails and other internal messages
  • CISA will develop tools to identify and track the spread of cyber threats across government agencies
  • Software vendors contracting with federal agencies must demonstrate compliance with specific cybersecurity requirements introduced in 2022 following Biden’s first cyber Executive Order
  • Unique requirements will apply to government cloud providers and aerospace contractors – several US agencies have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days
  • US federal agencies will have to establish quantum-resistant encryption within existing networks and prepare to adopt post-quantum cryptographic products as they become available
  • Starting on January 4, 2027, the US government will only purchase smart devices certified through the US Cyber Trust Mark program
  • The Department of Energy will pilot a program to explore the use of AI in enhancing the cybersecurity of critical infrastructure organizations
  • The Pentagon will establish its own program to leverage advanced AI models for cyber defense purposes

Cyber Community Welcomes Executive Order

The announcement of these new requirements has generally been welcomed by the cybersecurity community.

Andrew Borene, Executive Director of Global Security for Flashpoint and a former senior official at the US Office of the Director of National Intelligence (ODNI), said that the Executive Order “takes a bold” to address the evolving threats the US faces, particularly from adversarial states like China, Russia and North Korea.

He commented: “With its focus on secure software standards, emerging technologies, and critical infrastructure, the order demonstrates a clear understanding of the challenges at hand and the need for decisive action.”

Meanwhile, the effort to establish a more regulated framework was welcomed by Marc Manzano, SandboxAQ's General Manager of Cybersecurity.

“This will ultimately improve IT resilience and safeguard critical systems across industries,” Manzano said.

However, Joe Saunders, Founder & CEO of ICS/OT software cybersecurity firm RunSafe, noted the Executive Order missed some opportunities to add efficient ways to solve memory safety issues across critical infrastructure.

“Given the lion’s share of code is susceptible to China’s prepositioned cyber bombs it can leverage at a time of its choosing,” he said.

He also cautioned that it would add new prerogatives to existing US federal agencies, including non-cyber ones.

“Whether these requirements survive the next administration is an open question,” he added.

It is understood that while the White House had engaged in broader discussions regarding cyber-specific national security matters, it has not had detailed conversations about the Executive Order, since Trump has not yet appointed a successor for the Deputy National Security Advisor role.
