Breaking Down President Biden's New Cybersecurity Executive Order

Ashling Knight
VP of Communications
Jesse Dye
Senior Security Engineer
Mack Wartenberger
Security Architect
Scott Zimmerman
Senior GRC Engineer

President Biden just signed a major cybersecurity executive order, “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” targeting China and other threats to U.S. infrastructure.

Why it matters: This is the most comprehensive federal cybersecurity directive since 2021, setting new requirements for software providers, federal agencies, and critical infrastructure protection.

The big picture

The order addresses six key areas:

  • Software supply chain security

  • Federal systems security

  • Communications security

  • Cybersecurity and fraud prevention

  • AI in cybersecurity

  • Policy implementation and national security

Here's what you need to know 👇

1. Software providers face new requirements

The changes: Software companies working with the federal government must now:

  • Submit machine-readable attestations about their security practices

  • Provide validation artifacts

  • List all their Federal Civilian Executive Branch (FCEB) customers

  • Manage open source software components

Why it matters: The Cybersecurity and Infrastructure Security Agency (CISA) will verify these attestations through a new repository system, creating more accountability for software security. Attestations that cannot be validated may be referred to the US Attorney General for resolution. For the federal contracting space, that means teams will need to redouble their efforts to embrace practices like GRC engineering and the use of solutions like OSCAL to support a “rules-as-code” approach. It also adds emphasis to the importance of mature software supply chain risk management (S-SCRM) practices and software bill of materials (SBOM) creation.

2. Federal systems get enhanced threat detection

What's new: CISA gains expanded powers to:

  • Access agency endpoint detection data

  • Hunt for threats across federal networks

  • Identify coordinated cyber campaigns

  • Oversee cloud security through FedRAMP

The impact: This creates stronger centralized threat detection across government systems, addressing a long-standing vulnerability. The prevailing wind in the federal space has been focused on breaking down silos between agencies and industry. This move for centralized threat detection creates great opportunities for collaboration between those spaces.

3. Communications security gets an upgrade

Key requirements:

  • Agencies must implement encrypted domain name systems (DNS)

  • Email systems need stronger encryption

  • Internet routing security gets enhanced

  • Systems must prepare for post-quantum cryptography by 2030

Between the lines: These changes are intended to prevent China and other adversaries from intercepting or manipulating federal communications. Linking back to 2021’s Executive Order 14028, this push for microsegmentation and encryption sets up agencies and partners who are well versed in zero trust security to pivot in a more secure direction.

4. Fighting cybercrime and fraud

The initiatives:

  • Digital identity verification improvements

  • Public benefits program protection

  • Payment fraud prevention systems

  • Identity validation services

Why it matters: These measures directly target the growing problem of identity theft and public benefits fraud. Identity is the new perimeter, and as adversaries leverage new tactics, it’s incumbent on security teams to update defense tactics.

5. AI gets a cybersecurity role

The initiatives:

  • AI-enhanced cyber defense pilots in critical infrastructure

  • New datasets for cyber defense research

  • AI vulnerability management integration

The bottom line: The government is betting on AI to improve cyber defenses while managing AI-specific risks. Now more than ever, security services teams need to spend the time and resources to build approaches to AI and upskill their teams on how to leverage this transformational technology safely and securely. 

6. Modernizing policy and protecting national security

Key changes:

  • IT infrastructure modernization requirements

  • New industry cybersecurity practices

  • Updated federal contractor requirements

  • Special provisions for national security systems

  • Enhanced space systems security

Between the lines: This creates a framework for long-term security improvements while protecting the most sensitive systems. For those of us in the contracting space, this section in particular emphasizes the need to align with the National Institute of Standards and Technology (NIST) and CISA cybersecurity best practices. The executive branch is increasingly looking toward contractors to innovate and drive centralized security best practices.

What's next

If you work at or with federal agencies, below are key dates to be aware of:

The bottom line

This order signals a stronger approach to standardizing and centralizing federal cybersecurity, emphasizing:

  • Increased accountability for software security

  • Centralized threat detection and inter-agency information sharing

  • Comprehensive fraud prevention

  • Modernized infrastructure requirements

  • National security systems protection

What to watch: Implementation guidelines from CISA, NIST, and other agencies in the coming months.
