Four days before he leaves office, President Joe Biden has issued a sweeping cybersecurity directive ordering improvements to how the government monitors its networks, buys software, uses artificial intelligence and punishes foreign hackers.
The 40-page executive order unveiled Thursday is the latest effort by the Biden White House to jump-start efforts to harness the security benefits of artificial intelligence, create digital identities for American citizens, and close loopholes that have helped China, Russia and other adversaries frequently intrude into American government systems.
Anne Neuberger, Biden’s deputy national security adviser for cyber affairs and emerging technologies, told reporters Wednesday that the order “is designed to strengthen America’s digital foundation as well as put the new administration and the country on a path of continued success.”
The question over Biden’s order is whether President-elect Donald Trump will follow through on any of these initiatives after he is sworn in on Monday. None of the highly technical projects laid out in the order are partisan, but Trump’s advisers may prefer different approaches (or timelines) to solving the problems the order identifies.
Trump has not named any of his top cyber officials, and Neuberger said the White House has not discussed the order with his transition staff, “but we’re very happy to have any discussions once the incoming cyber team is named.” This is the final transition period.
The core of the executive order is a set of directives to protect government networks based on lessons learned from recent high-profile incidents—namely, federal contractor security failures.
The order requires software vendors to provide evidence that they follow secure development practices, building on an order that began in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency is required to review these security certificates and work with vendors to resolve any issues. To enforce this requirement, the Office of the White House National Cyber Administrator is “encouraged to refer non-credentialing certificates to the Attorney General” for investigation and possible prosecution.
The order gives the Commerce Department eight months to assess the most common cyber practices used by the business community and issue guidance based on them. Shortly thereafter, these practices become mandatory for companies seeking to do business with the government. This directive also initiates updates to the National Institute of Standards and Technology’s Safe Software Development Guide.
Another part of the directive focuses on protecting the authentication keys of cloud platforms, the compromise of which paved the way for China’s theft of government emails from Microsoft servers and the recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which must then become requirements for cloud vendors within 60 days.
To protect federal agencies from attacks that rely on flaws in IoT gadgets, the order sets a January 4, 2027 deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trustmark label.