Biden cyber EO seeks proof of security from software vendors

The new cybersecurity executive order seeks to put teeth behind the secure software development standards that federal vendors are supposed to be following.

In the waning days of his presidency, Joe Biden is signing a second cybersecurity executive order that seeks to put teeth behind the software security standards established in the early days of his administration.

The cyber executive order signed today also includes new efforts to further centralize federal cyber defenses; strengthen sanctions against nation-state hackers and ransomware groups; combat digital identity fraud; and promote the security of artificial intelligence technologies.

And Biden’s top national security officials maintain the new EO is designed to put the incoming Trump administration on the front foot when it comes to cybersecurity.

“This administration’s capstone cyber EO announcement today is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Deputy National Security Advisor Anne Neuberger told reporters in a call.

But Neuberger said she hadn’t had in-depth conversations about the new cyber directive with representatives of the incoming administration.

“To the best of my knowledge, the new cyber team has not yet been named, so while we’ve had broader national security discussions, it is unclear who will lead this work for the Trump administration,” she said. “So as a result, we haven’t discussed but we are very happy to as soon as the incoming cyber team is named, of course, have any discussions during this final transition period.”

Federal software requirements

The new executive order directs actions that would require federal software vendors to provide evidence of following secure development practices.

Biden’s first cyber executive order, signed in May 2021, led to the establishment of secure software development guidelines issued by the National Institute of Standards and Technology.

The Office of Management and Budget also directed agencies to require their software vendors to self-attest to meeting the NIST guidelines by submitting attestation forms. But those forms don’t require vendors to submit any evidence, known in cybersecurity parlance as “artifacts,” of following the guidelines.

Neuberger said the Biden administration has given companies time to adopt the NIST standards.

“Let’s raise the bar,” she said. “Let’s actually bring transparency and accountability in these software supply chains by having companies show us proof that they tested their software, they’ve addressed vulnerabilities. And let’s post that publicly, so not only the federal government benefits from it, but a regional hospital, a regional bank, a global manufacturing company can also look online and see whether companies are really testing their products or really proving that their products are secure.”

She added that OMB will issue implementation guidance on the new software security requirements.

The latest cyber executive order also sets out actions to require cloud computing companies that work with government agencies to store their cryptographic keys in secure environments.

Neuberger said that step would address recent high-profile cyber incidents, including the Treasury hack late last year, in which attackers used stolen digital keys from vendors to break into federal networks.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly, speaking separately on Wednesday, also called for software vendors to focus on improving their security practices.

“The transformational progress that we have made to help secure the .gov is really, really impressive,” Easterly said. “Are we still going to have issues like what we saw in Treasury? Yes, we will, until you have vendors that we know are specifically focused on secure by design software.”

Strengthening CISA’s role

Under the order, CISA would play a central role in verifying the security evidence that software vendors submit to government agencies.

“CISA will have the master list of who’s selling to the federal government, and those companies will be required to share that with CISA,” Neuberger said. “They’ll do the validation, which then the Office of the National Cyber Director will post on their website. So that’s the way we both give CISA a more central role in facilitating the centralized visibility and cyber threat hunting for federal agencies, while also giving them a key role leveraging their cyber expertise in reviewing and looking at the proof companies provide so that we really get to more secure software.”

And as previewed in the draft executive order obtained by Federal News Network, the new directive would strengthen the role of CISA to hunt for cyber threats on agency networks.

Neuberger said the order ensures CISA has “centralized visibility and hunting” capabilities across all federal civilian networks. But she said it also addresses concerns around increasing CISA’s authorities to hunt down threats on other agencies’ networks by creating “protections for some agencies who were concerned that they have sensitive data and wanted to ensure that data was protected.”

More federal cyber requirements

In the wake of the Salt Typhoon hack into U.S. telecommunications networks, the executive order requires agencies to use end-to-end encryption for their communications, including over email and video conference.

It also aims to accelerate the adoption of post-quantum technologies. NIST last year finalized an initial slate of cryptographic algorithms designed to resist attack by a quantum computer.

The executive order requires agencies to enable the establishment of quantum-resistant cryptography within their current networks, while also calling for agencies to adopt post-quantum cryptographic products, once they’re available on the market.

The directive includes some action on the digital identity front, although it falls short of the sweeping anti-fraud measures teased by Biden in his 2022 State of the Union address. The White House never finalized that digital identity executive order.

But the new cyber order does direct agencies to set up an early-warning fraud pilot for public programs. The program would alert Americans to potentially fraudulent claims filed on their behalf.

And starting in 2027, government agencies would only buy internet-connected devices that have the FCC’s Cyber Trust Mark label under the executive order. The White House announced the formal launch of the Cyber Trust Mark program earlier this month. The voluntary program allows Internet-of-Things vendors to submit their products to receive the Cyber Trust Mark label for meeting certain cyber standards.

Copyright © 2025 Federal News Network. All rights reserved.