Four days before leaving office, U.S. President Joe Biden issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence and punishes foreign hackers.
The 40-page implementing regulation Thursday unveiled the Biden White House’s latest attempt to launch an effort to harness the security benefits of artificial intelligence, open up digital identity to U.S. citizens and close loopholes that have helped China, Russia and other adversaries repeatedly penetrate U.S. government systems.
The executive order “is designed to strengthen America’s digital foundation and put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cybersecurity and emerging technologies, told reporters.
Hanging over Biden’s directive is the question of whether President-elect Donald Trump will continue any of these initiatives after taking the oath of office on Monday. None of the highly technical projects ordered in the executive order are partisan, but Trump’s advisers may prefer different approaches (or timelines) to addressing the problems identified in the executive order.
Trump did not name any of his top cybersecurity officials, and Neuberger said the White House had not discussed the executive order with his transition staff, “but we are very pleased that as soon as the new cybersecurity team is established, we will begin any discussions on that.” last transitional period.”
The core of the Executive Order is a series of mandates to protect government networks based on lessons learned from recent major incidents, namely security lapses by federal contractors.
The order requires software vendors to provide evidence that they exploit sheltered programming practices by relying on them mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with thoroughly reviewing these security clearances and working with vendors to resolve any issues. To give some support to this requirement, the White House Office of the National Cybersecurity Director “encourages the referral of credentials that have not been verified to the Attorney General” for potential investigation and prosecution.
The order gives the Department of Commerce eight months to evaluate the most common cyber practices in the business environment and issue guidance based on them. These practices will soon become mandatory for companies wanting to work with the government. The directive also begins updates to the National Institute of Standards and Technology tips for secure software development.
Another part of the directive focuses on protecting the authentication keys of cloud platforms, and their compromise opened the door to the theft of government emails from Microsoft servers and the recent supply chain hack of the Treasury Department. The Department of Commerce and the General Services Administration have 270 days to develop key protection guidelines, which would then become requirements for cloud providers within 60 days.
To protect federal agencies from attacks that exploit flaws in IoT gadgets, the order sets January 4, 2027, as the deadline for agencies to purchase only consumer IoT devices equipped with newly released US cyber trust mark label.