The White House is prepping a new cybersecurity executive order that would address cloud security, give CISA new authorities to do threat hunting and more.
President Joe Biden is expected this week to sign his second cybersecurity executive order, bookending a term defined by major cyber incidents.
The President entered the White House just as the public and private sector started to feel the impacts of the SolarWinds cyber incident. As he is leaving, agencies and telecommunications companies are digging out of the Salt Typhoon and Treasury Department hacks. In between, agencies dealt with a significant increase in the use of ransomware against healthcare, school systems and other sectors, the Log4j threat and numerous other cyberattacks that kept his cyber leaders more than busy.
And this new EO will try to give federal chief information officers and chief information security officers more requirements and tools to deal with the ever-changing threat. Biden issued his first cyber EO in May 2021.
Federal News Network has learned the draft EO includes a requirement for the Office of Management and Budget to rewrite Circular A-130. It also includes new software attestation requirements, new mandates around how to secure artificial intelligence and prepare for post-quantum cryptography, and Border Gateway Protocol (BGP) and route origin authorization (ROA) requirements to improve the security and resilience of internet routing.
But the one section of the draft EO that is most concerning to some federal executives would make the Cybersecurity and Infrastructure Security Agency’s (CISA) persistent access capabilities (PAC) program mandatory for civilian agencies.
Beyond the specifics of the draft EO, some federal executives are questioning the timing of its release.
While this second EO has been in the works for several months, several federal sources, speaking on the condition of anonymity in order to talk about the draft document, said that issuing an EO so late in the administration seems like a bit of a wasted effort. The officials say it’s especially concerning given the turnover of cyber leaders across the government who typically would champion such an effort.
“The whole premise of issuing an executive order on a topic as complex as cybersecurity and mandating specific activities, with little, or no, regard for the political and policy [environments] is concerning,” said one federal cyber official. “How does one expect timely and meaningful implementation to occur when the necessary senior managers and policymakers are not in their chairs, let alone have not even been named? But beyond politics, the amount of lifting that’s required, and the timelines included make effective meaningful implementation impractical based upon the amount of senior cyber people that are coming and going.”
Another federal technology executive highlighted similar concerns.
“It’s not that there isn’t some good stuff in there, but we shouldn’t be doing that so close to the end of the administration,” the official said.
At the same time, other federal officials believe cybersecurity is such a non-partisan issue that the next administration will pick up on many, if not all, of the draft EO’s objectives.
“I think if this [the Biden] administration didn’t think we would be marching forward this way, they wouldn’t release the EO. I think they recognize it would be a waste of everyone’s time,” the federal official said. “I’ve been asked a lot by industry about what the future of cyber looks like and the one thing that has been consistent in conversations with OMB and folks on the transition team: Cyber, in principle, is not a political topic. Is there going to be a move away or shift away from zero trust? The answer is no. If we look at the fact that the first Trump administration developed the ZTA strategy and plan and the Biden folks agreed with it, it would be odd for the new Trump administration to say ZTA is wrong because the other administration touched it.”
The official added there definitely will be some interesting conversations with the new administration about cyber regulations in the wake of Salt Typhoon and the Treasury Department hack, but they expect no radical shifts at the agency level.
For some federal officials, however, the radical shift is the draft EO provision that would make the CISA PAC program mandatory. The persistent access capabilities initiative is part of the rollout of endpoint detection and response (EDR) tools and provides continuous threat hunting capabilities.
OMB reported in July in its annual Federal Information Security Modernization Act (FISMA) report to Congress that 76 agencies have met the criteria to have at least 80% of all known endpoints covered by the Continuous Diagnostics and Mitigation (CDM) program. Of those 76 agencies, 36 are using PAC tools to enable continuous threat hunting activities. CISA has now deployed more than 750,000 EDR licenses across 54 agencies since 2021.
The draft EO doesn’t call out PAC specifically, but would require CISA and the CIO and CISO councils to work together to develop such an EDR-related capability.
The tools would enable:
Within 180 days of the President issuing the EO, CISA and the councils would be required to issue a concept of operations that should include specific protections for highly sensitive agency data. It also should identify and address specific use cases for the Department of Justice to provide telemetry data from the devices, but not give CISA direct access to them.
One big concern about this section of the draft EO, according to several sources, has been around giving CISA deep access to agency networks and devices. The big difference between what the PAC tools do today and what they would do under this EO is they would let CISA have the ability to shut down any networks or devices that may be under attack.
“CIOs accept risk every day. They manage and measure risk that they are willing to accept, but that level of detail, CISA would have to staff up immensely for each agency for them to understand the levels of risk. I wouldn’t want CISA to pull the plug on something that they don’t understand what the consequences are of doing that,” said one technology executive. “I feel like the concern I have about this is this is yet another way CISA is trying to justify and reinforce how important it is. Don’t get me wrong, I do value the relationship we have with CISA and I love the anonymity they give us if there is a problem. But my concern if they were in my environment is they would start answering on behalf of my agency without understanding the impact or environment. What would happen if CISA is managing and monitoring my network or devices and they are making decisions that could impact my ability to deliver mission?”
An industry source familiar with PAC said the Justice Department is pushing back the hardest against CISA having persistent access. The source said DoJ is such a “heavy hitter” that they may be able to force change to this approach.
“Some CIOs and CISOs feel like they have enough risk to manage and this would add to that,” the source said. “PAC can be a sensor to alert CISA that something bad is going on. If they want to use it in this way, CISA would need to have more authorities on agency devices, and that is what DoJ is concerned about. That has been an ongoing discussion about how much capability that sensor would have.”
Another source said with the right governance, policies and oversight, the support for advanced threat hunting tools would be strong across many agencies.
“The majority of CISOs would welcome another set of eyes and capabilities. The vast majority are on board and say we will take all help we can get. This is especially true if CISA brings more resources,” another agency technology official said. “There is a vocal minority that have concerns. Some of it is postured around data access, particularly among the statistical community where data has certain protections. Some folks don’t want CISA to have carte blanche access to look through that cyber data.”
The draft EO does require CISA and the CIO/CISO councils to develop, as part of the concept of operations, a process for CISA to notify agencies before accessing their EDR tools. The document also needs to include high-level technical and policy control requirements governing CISA access to agency EDR solutions that meet cyber standards for least privilege access and separation of duties.
“If we follow what has been prescribed and worked through council process, create the rules of engagements and the platform is secure, I think we can get most, if not all, naysayers on board and be comfortable with this approach,” the technology official said. “Six months ago, I say a majority had concerns, but I think we’ve gotten better and CISA can get there without burning bridges.”
The official added that CISA’s reputation has continued to improve over the last few years in terms of how it’s supporting and delivering services, but agencies still may be cautious about fully trusting the agency.
“Sometimes we get pressure to use a set of tools that may not be the best ones. We have to piecemeal the approach that we are highly encouraged to use,” another official said. “My ask would be to fund it for its lifecycle, not just giving us seed money. I also wish we had more orchestration and collaboration across government so as not to be stuck in a situation that we have to incorporate these tools into our non-homogenous environment.”
Another key section of the draft EO is the requirement for OMB to revise Circular A-130 over the next three years to be less prescriptive and more focused on adopting modern cybersecurity practices. OMB last updated A-130 in 2016, when it introduced a more risk-based approach to cybersecurity and a wide range of IT policy updates.
The draft EO says the rewrite should:
The draft EO also is attempting to address the security of cloud services.
It calls on the National Institute of Standards and Technology, CISA and the General Services Administration, within 270 days of the President issuing the EO, to develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers.
Then, within 60 days of that publication, CISA, NIST and GSA’s Federal Risk and Authorization Management Program (FedRAMP) will update the cloud security program’s requirements to include these new guidelines.
Finally, OMB, working with NIST, CISA and FedRAMP, will issue a policy for civilian agencies to adopt best practices concerning the protection and management of hardware security modules, trusted execution environments and other isolation technologies for access tokens and cryptographic keys used by cloud service providers.
Copyright © 2025 Federal News Network. All rights reserved.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.