
Biden Executive Order on Cybersecurity, AI, and More

US President Joe Biden Issues Sweeping Cybersecurity Directive

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

Background

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Key Provisions

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

Software Vendors

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

Cloud Platforms

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Internet-of-Things (IoT) Devices

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Conclusion

The executive order is a significant step towards improving the government’s cybersecurity posture and protecting its networks and data. Its effectiveness will depend on how its provisions are implemented and enforced, but it is a critical move towards securing the government’s digital foundations.

FAQs

Q: What is the purpose of the executive order?
A: The executive order aims to improve the government’s cybersecurity posture by requiring software vendors to follow secure development practices, assessing and mandating common cyber practices in the business community, and protecting federal agencies from attacks that rely on flaws in IoT devices.

Q: Will President-elect Trump continue these initiatives?
A: The order is not specific to a particular administration, and its provisions are designed to be continued or modified by future administrations.

Q: What is the US Cyber Trust Mark label?
A: The US Cyber Trust Mark label is a newly launched certification that indicates a consumer IoT device meets certain security standards and requirements.

Q: What is the deadline for agencies to purchase US Cyber Trust Mark labeled IoT devices?
A: The deadline is January 4, 2027.
