In light of recent cyberattacks targeting the federal government and United States supply chains, President Biden’s administration has released an Executive Order (the “Order”) in an attempt to modernize and enhance the federal government’s cybersecurity posture, as well as introduce and expand upon new or existing requirements imposed on third-party suppliers to federal agencies.
To the extent that the mandates set forth in this Order remain in place after President-elect Donald Trump takes office, third-party vendors and suppliers that contract with the federal government will need to ensure compliance with new or updated cybersecurity standards in order to remain eligible to contract with federal agencies. With that said, even if this Executive Order does not pass through to the next administration, it still provides general guidance on best practices for cybersecurity. While some of these practices may not be novel to the cybersecurity industry, it would serve as yet another guidance document for companies on what constitutes “reasonable security.”
Below is a high-level, non-exhaustive summary of some of the key highlights in the Executive Order. Please note that the mandates would take effect on different dates in accordance with the time frames discussed in the Order.
Federal Government’s Latest Attempt to Modernize its Cybersecurity Posture
The Executive Order underscores the importance of modernizing the federal government’s cybersecurity infrastructure to defend against cyber campaigns by foreign adversaries targeting the government.
One of the ways in which the new Order attempts to do this is by directing federal agencies to implement “strong identity authentication and encryption” across communications transmitted via the internet, including email, voice and video conferencing, and instant messaging.
In addition, as federal agencies have improved their cyber defenses, adversaries have targeted the weak links in agency supply chains and the products and services upon which the government relies. In light of this pervasive threat, the Executive Order places a strong emphasis on the need for federal agencies to integrate cybersecurity supply chain risk management programs into enterprise-wide risk management by requiring those agencies, via the Office of Management and Budget (OMB), to (i) comply with the guidance in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations), and (ii) provide annual updates to OMB on their compliance efforts with respect to the same. The OMB’s requirements will address the integration of cybersecurity into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration, and performance evaluation.
The Executive Order also addresses the potential to use artificial intelligence (AI) to defend against cyberattacks by increasing the government’s ability to quickly identify new vulnerabilities and automate cyber defenses. Specifically, the Order directs certain agencies to prioritize research on topics related to AI and cyber defense, which include: (i) human-AI interaction methods to assist with defensive cyber analysis; (ii) security of AI coding assistance and the security of AI-generated code; (iii) methods for designing secure AI systems; and (iv) methods for prevention, response, remediation, and recovery from cyber incidents involving AI systems.
Beyond using modern technology to defend against increasing cyber threats, the Executive Order aims to centralize the government’s cybersecurity governance by expanding the Cybersecurity and Infrastructure Security Agency’s (CISA) role as the lead agency overseeing federal civilian agencies’ cybersecurity programs.
Enhancing and Expanding Upon Requirements Imposed on Third-Party Vendors of Federal Agencies
In addition to requiring federal agencies to adjust their cybersecurity posture, the Executive Order also aims to ensure that third-party vendors of federal agencies undertake various measures that are intended to help ensure the safety and security of our federal government and critical infrastructure systems, and strengthen the United States supply chains, from malicious cyber-attacks.
Third-Party Software Providers and Secure Software Development Practices
Part of the latest Executive Order focuses on transparency and deployment of secure software that meets standards set forth in the Biden administrations first cybersecurity, which was issued in May 2021. Under that Order, suppliers are required to attest that they adhere to secure software development practices, in language spurred by Russian hackers who infected an update of the widely used SolarWinds Orion software to penetrate the networks of federal agencies. Given that insecure software remains a challenge for both providers and users, it has continued to make the federal government and critical infrastructure systems vulnerable to additional malicious cyber incidents. This was recently illustrated by several attacks, including the 2024 exploitation of a vulnerability in a popular file transfer application used by multiple federal agencies.
Against this backdrop, the newly released Executive Order sets forth more robust attestation requirements for software providers that support critical government services and pushes for enhanced transparency by publicizing when these providers have submitted their attestations so that others can know what software meets the secure standards. In a similar vein, the new Order also aims to provide federal agencies with a coordinated set of practical and effective security practices to require when they procure software by calling for (i) updates to certain frameworks established by NIST that are adhered to by federal agencies – such as NIST SP 800-218 (Secure Software Development Framework) (SSDF) – for the secure development and delivery of software, (ii) the issuance of new requirements by OMB that derive from NIST’s updated SSDF to apply to federal agencies’ use of third-party software, and (iii) potential revisions to CISA’s Secure Software Development Attestation to conform to OMB’s requirements.
Vendors of Consumer Internet-of-Thing (IoT) Products and U.S. Cyber Trust Mark Label
To further protect the supply chain, the Executive Order recognizes the risks federal agencies face when purchasing IoT products. To address these risks, the Order requires the development of additional requirements for contracts with consumer IoT providers. Consumer IoT providers contracting with federal agencies will have to (i) comply with the minimum cybersecurity practices outlined by NIST, and (ii) carry United States Cyber Trust Mark labeling on their products. The initiative related to Cyber Trust Mark labeling was by the White House on January 7, 2025, and will require consumer IoT products to pass a U.S. cybersecurity audit and legally display the mark on advertising and packaging.
Cloud Service Providers
The Executive Order also requires the development of new guidelines for cloud service providers, which is unsurprising in light of the recent cyber attack on the U.S. Treasury Department where a sophisticated Chinese hacking group known as Silk Typhoon stole a digital key from BeyondTrust Inc.—a third-party service provider for the Treasury Department—and used it to access unclassified information maintained on Treasury Department user workstations. The breach utilized a technique known as token theft. Authentication tokens are designed to enhance security by allowing users to stay logged in without repeated password entry. However, if compromised, these tokens enable attackers to impersonate legitimate users, granting unauthorized access to sensitive systems.
While this incident is likely not the impetus behind the updated guidelines for cloud service providers, it underscores the importance of auditing third-party vendor security practices and taking measures to reduce the lifespan of tokens so as to limit their usefulness if stolen. These new guidelines under the Executive Order would mandate multifactor authentication, complex passwords, and storing cryptographic keys using hardware security keys for cloud service providers of federal agencies.
主要收获
Although the fate of the Executive Order is uncertain with an incoming administration, organizations that contract with the federal government should closely monitor any developments as they will have to adhere to the new or enhanced cybersecurity requirements set out in the Order.
In addition, even if this Executive Order gets revoked by the incoming administration, organizations should not miss the opportunity to evaluate whether their cybersecurity programs comply with industry standard guidelines, such as NIST, as well as general best practices.
For more information on this Executive Order or how to develop a compliant cybersecurity program, please contact the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy group.
