On January 16, 2025, President Biden issued Executive Order 14144 on Strengthening and Promoting Innovation in the Nation's Cybersecurity (the "EO"). Building on prior initiatives such as Executive Order 14028 and the National Cybersecurity Strategy, the EO addresses the persistent threat posed by adversarial nation-states and criminals who target the United States Government, corporations, and individual Americans with cyberattacks.
Signed in the closing days of the Biden Administration, the EO leaves it to the incoming Trump Administration to rescind, modify, or implement it. As of January 23, 2025, the White House had made no announcement regarding the EO, despite issuing extensive rescissions of prior executive actions, including some affecting cybersecurity, on January 20, 2025. Companies doing business with the U.S. Government should monitor whether the EO remains in effect and, if it does, begin preparing the attestations of their software's compliance with minimum security standards that it contemplates.
Background
The EO is the culmination of the Biden Administration's efforts to promote cybersecurity and is reportedly the product of a months-long review by U.S. officials of the hacking operations perpetrated during the Biden Administration.
According to Biden Administration officials, the goal of the EO is to "make it costlier and harder for China, Russia, Iran, and ransomware criminals to hack."
The EO reflects the view of senior Biden Administration officials that the problem is not only preventing external intrusions but also ensuring that software products are free of defects in the first place. As the Director of the Cybersecurity and Infrastructure Security Agency ("CISA") put it in August 2024, "We don't have a security problem. We have a software quality problem... We have a multi-billion-dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software."
THE EXECUTIVE ORDER
The EO is the Biden Administration's final effort to improve cybersecurity and fortify the U.S. Government and companies against cyber threats. President Biden previously issued Executive Order 14028 in 2021, which required that government contractors meet a minimum set of security standards in order to do business with the federal government. This EO takes the 2021 requirements one step further: companies doing business with the government must now provide proof that they comply with the minimum security standards established under EO 14028 and submit that attestation to CISA.
Key provisions
The EO addresses the following key issues:
Software Security Attestations. The EO identifies insecure software as a critical challenge for both providers and users and emphasizes the need to adopt secure software acquisition practices to reduce the number and severity of vulnerabilities. Section 2 of the EO directs the Federal Acquisition Regulatory Council to develop contract language requiring software providers to submit machine-readable attestations, together with supporting artifacts, demonstrating compliance with the secure software development practices that the National Institute of Standards and Technology developed as directed by Executive Order 14028. Because the attestations are machine-readable and subject to validation, inaccurate statements are more likely to be detected. The EO also encourages the National Cyber Director to "refer attestations that fail validation to the Attorney General for action as appropriate," suggesting that companies which submit incorrect or inaccurate attestations may expose themselves to legal liability, potentially including liability under the False Claims Act.
Increasing Federal Government Cloud Security. The EO acknowledges the need for the Federal Government to adopt proven security practices from industry to improve visibility into security threats across networks and to strengthen cloud security. To that end, Section 3 of the EO directs federal agencies to implement phishing-resistant authentication, deploy endpoint detection and response capabilities, and update the Federal Risk and Authorization Management Program ("FedRAMP") guidelines.
Updating Policy and Promoting Cybersecurity Practices. The EO calls for the modernization of the IT infrastructure and networks that support agencies' critical missions and for the alignment of policies, investments, and priorities with that modernization, including guidance on "minimum cybersecurity practices." The EO also directs the Secretary of Commerce to establish a pilot program that produces machine-readable versions of cybersecurity policy and guidance, and it requires that Internet-of-Things products supplied by vendors to the federal government carry U.S. Cyber Trust Mark labeling.
Using Artificial Intelligence to Advance Security Goals. In recognition of the transformative potential of Artificial Intelligence ("AI"), the EO emphasizes the need to accelerate the development of AI-driven cybersecurity solutions and directs the creation of AI pilot programs, conducted with private sector entities where applicable, on the use of AI to strengthen the cyber defense of critical infrastructure. According to the EO, AI could eventually assist with vulnerability detection, automated patch management, and the identification and categorization of anomalous and malicious activity across information technology and operational technology systems.
Strengthening Encryption and Securing Federal Communications. To protect sensitive information in transit, the EO requires encryption of Domain Name System (DNS) traffic, email traffic, and communication platforms such as video conferencing. It also directs federal agencies to anticipate future vulnerabilities and prepare for the transition to post-quantum cryptography, since sufficiently capable quantum computers would break the public-key algorithms in use today.
Promoting Digital Identity While Maximizing User Privacy. The EO highlights the cost of identity theft to the Federal Government and to taxpayers. To mitigate it, Section 5 encourages the acceptance of digital identity documents for access to public benefits programs that require identity verification, and it promotes minimizing the data exchanged in transactions that use such documents in order to protect user privacy. Section 5 also directs the Secretary of the Treasury to create a pilot program that notifies individuals when their information is used to request a payment from a public benefits program, creating an opportunity to stop potentially fraudulent transactions.
The Trump Administration and Enforcement
Executive Order 14144 was signed just four days before the end of the Biden Administration. The Trump Administration might leave the EO in place in whole or part, modify it, pause it for review, or withdraw it entirely.