Strengthening and Promoting Innovation in the Nation's Cybersecurity

Jan 17, 2025

Summary

Improves the nation's cybersecurity by making software safer, securing government systems and communications, and using new technologies like AI to fight threats.

What problem does this solve?

Foreign countries and criminals are launching cyberattacks against the U.S. This order creates new rules for government agencies and contractors to better protect their computer systems and data.

What does this order do?

Requires software security proof
Makes software providers give the government proof that they follow secure development practices by submitting attestations and records to CISA.
Strengthens CISA's threat hunting powers
Gives the Cybersecurity and Infrastructure Security Agency (CISA) the ability to access federal agency computer systems to hunt for and identify cyber threats across the government.
Prepares for quantum computing threats
Directs agencies to prepare for future threats from quantum computers by requiring new products to support post-quantum cryptography (PQC).
Promotes AI for cyber defense
Launches a pilot program to use artificial intelligence (AI) to improve the cyber defense of critical infrastructure, like the energy sector.
Expands sanctions against cybercriminals
Amends a previous order to make it easier to block the money and property of people involved in ransomware attacks and other malicious cyber activities.
Improves security for space systems
Requires new cybersecurity rules for civilian space systems to protect them from being hacked, including encrypting commands and detecting unusual activity.
Secures internet communications
Requires federal agencies to use stronger security for internet routing, encrypt their Domain Name System (DNS) traffic, and encrypt emails to protect communications.
Encourages use of digital IDs to fight fraud
Promotes the use of digital identity documents, like mobile driver's licenses, to verify identities for public benefits programs and reduce fraud.
Sets minimum security for government contractors
Requires companies that work with the federal government to follow a set of minimum cybersecurity practices to protect their systems.

Who does this affect?

  • Federal government agencies
  • Software providers and government contractors
  • Critical infrastructure operators

What is the real world impact?

Protects against foreign cyber threats
Strengthens national security by creating a more unified and robust defense against cyberattacks from countries like China and criminal groups.
Increases accountability for software companies
Forces software companies that sell to the government to prove their products are built securely, reducing the risk of vulnerabilities that hackers can exploit.
Modernizes government technology
Pushes federal agencies to adopt modern security practices like better encryption and AI-powered defense tools to keep up with evolving cyber threats.

When does this start?

This order takes effect on January 16, 2025, and sets multiple deadlines for federal agencies to complete specific actions.
Software provider contract language
Within 30 days, OMB must recommend new contract language for software providers.
CISA software verification program
Within 30 days of FAR amendments, CISA must develop a program to verify software security attestations.
Secure software development consortium
Within 60 days, NIST must establish a consortium with industry to develop guidance on secure software development.
Encrypted DNS contract language
Within 90 days, CISA must publish template contract language requiring products to support encrypted DNS.
Cybersecurity for space systems
Within 180 days, several agencies must recommend updated cybersecurity requirements for civil space systems.
AI for cyber defense pilot
Within 180 days of the 2025 AI Cyber Challenge, the Department of Energy must launch a pilot program using AI to defend critical infrastructure.
Minimum cybersecurity practices guidance
Within 240 days, NIST must issue guidance identifying minimum cybersecurity practices for industry.
Updated OMB cybersecurity guidance
Within 3 years, OMB must issue updated guidance to modernize federal cybersecurity practices and promote zero trust architecture.