Key Takeaways:
The Biden administration issued a new cybersecurity executive order (EO) on January 16, 2025. This directive introduces stringent standards for software companies working with the US government and mandates greater transparency from providers to bolster national digital security.
The 40-page executive order, signed on Thursday, addresses multiple cybersecurity concerns. These include requiring software providers to build more secure products, using AI to strengthen cyber defenses, broadening sanctions against ransomware groups, and protecting federal communications networks from foreign adversaries.
Specifically, the order requires software vendors that sell products and services to the US government to attest that they follow secure software development practices, and it tasks the Cybersecurity and Infrastructure Security Agency (CISA) with setting up a process to validate those attestations within 90 days, so that a vendor's claims are checked rather than taken on trust.
Additionally, the order directs the National Institute of Standards and Technology (NIST) to publish guidance on securely deploying software updates and patches, and it directs federal agencies to issue recommendations on using and securing open-source software.
Biden's directive requires federal agencies to adopt phishing-resistant authentication standards such as WebAuthn, which bind a credential to the legitimate site so that a stolen one-time code or password cannot be replayed from a look-alike domain. It directs CISA, the Department of Defense, and the Department of Homeland Security to speed up the detection and identification of new threats before they spread across government networks. The order also requires federal agencies to migrate to post-quantum cryptographic standards by 2030, with detailed migration plans due within 90 days.
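To make the "phishing-resistant" property concrete, the following is an added example (not code from the executive order or from this article) of the origin-binding checks a WebAuthn relying party performs on a login assertion: the `type`, `challenge` and `origin` fields of `clientDataJSON`, and the `rpIdHash` and user-presence/verification flags in `authenticatorData`. The browser, not the user, fills in the origin, so an assertion relayed through a proxy phishing site carries the phishing domain and is rejected. The relying-party ID, origin, challenge and assertion bytes below are constructed for the demonstration; the final signature check over `authenticatorData || SHA-256(clientDataJSON)` is deliberately omitted here and should come from a maintained library (for example python-fido2 or py_webauthn) in production.

```python
"""Origin-binding checks of a WebAuthn assertion (constructed example, stdlib only)."""
from __future__ import annotations

import base64
import hashlib
import json
import secrets

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Build the 37-byte authenticatorData an authenticator returns for get():
    SHA-256(rpId) || flags || 32-bit big-endian signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, *,
                     expected_challenge: bytes, expected_origin: str, rp_id: str,
                     require_uv: bool = True) -> tuple[bool, str]:
    """Return (ok, reason). Signature verification is intentionally not included."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge is server-chosen per ceremony, so a captured assertion cannot be replayed later.
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (possible replay)"
    # The browser writes the origin it actually served the page from; a relay through
    # a look-alike domain shows up here and fails, which is the phishing resistance.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # The credential is scoped to the RP ID; the authenticator hashes it into the response.
    if not secrets.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: assertion is scoped to a different RP"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """A legitimate login beside three rejected variants (all inputs constructed)."""
    challenge = b"\x01" * 32  # constructed; a real server uses os.urandom(32) per ceremony
    rp_id, origin = "login.example.gov", "https://login.example.gov"  # hypothetical RP
    auth_data = make_authenticator_data(rp_id, FLAG_UP | FLAG_UV, counter=7)

    def client_data(origin_seen: str) -> bytes:
        return json.dumps({"type": "webauthn.get",
                           "challenge": b64url_encode(challenge),
                           "origin": origin_seen}).encode()

    common = dict(expected_challenge=challenge, expected_origin=origin, rp_id=rp_id)
    return {
        "legit": verify_assertion(client_data(origin), auth_data, **common),
        # Assertion relayed by a proxy phishing site on a look-alike domain.
        "relayed_phish": verify_assertion(client_data("https://login.example-gov.com"), auth_data, **common),
        # Assertion produced for a different RP ID.
        "wrong_rp": verify_assertion(client_data(origin),
                                     make_authenticator_data("example-gov.com", FLAG_UP | FLAG_UV, 7), **common),
        # Old assertion replayed against a fresh server challenge.
        "replayed": verify_assertion(client_data(origin), auth_data, expected_challenge=b"\x02" * 32,
                                     expected_origin=origin, rp_id=rp_id),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The origin and rpIdHash checks are the ones that distinguish WebAuthn from TOTP codes or push approvals, which carry no information about where the user typed them. A real deployment additionally verifies the signature with the stored public key, checks that the signature counter increases, and, where the agency requires it, that the `UV` flag is set.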
According to the executive order, artificial intelligence (AI) is to be used to strengthen US cyber defenses, starting with new initiatives to protect critical infrastructure such as the energy sector; pilot programs are expected to begin within 180 days. The order also requires government agencies to turn on transport encryption by default across instant messaging, email systems, and voice and video conferencing platforms.
Lastly, the directive asks federal agencies to put stronger protections in place for ground stations and space systems to address emerging threats. Other provisions include adopting the "Cyber Trust Mark" label for consumer Internet-of-Things devices and setting minimum cybersecurity practices for federal contractors.