Created June 11, 2025 22:30
EO 14144 diff from Biden vs. Trump's amendments from 2025-06-06
Updates taken from:
https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/
Applied to:
https://public-inspection.federalregister.gov/2025-01470.pdf
Following the instructions from whitehouse.gov is not straightforward,
since some sections are stricken wholesale and then renumbered and
subsequently referenced either by their old or by their new section
numbers.
--- 14144 2025-06-11 16:47:28 | |
+++ 14144.amended 2025-06-11 17:14:54 | |
@@ -13,148 +13,29 @@ | |
Section 1. Policy. | |
-Adversarial countries and criminals continue to | |
-conduct cyber campaigns targeting the United States | |
-and Americans, with the People's Republic of China | |
-presenting the most active and persistent cyber threat | |
-to United States Government, private sector, and | |
-critical infrastructure networks. These campaigns | |
-disrupt the delivery of critical services across the | |
-Nation, cost billions of dollars, and undermine | |
-Americans' security and privacy. More must be done to | |
-improve the Nation's cybersecurity against these | |
+Foreign nations and criminals continue to conduct | |
+cyber campaigns targeting the United States and | |
+Americans. The People’s Republic of China presents | |
+the most active and persistent cyber threat to United | |
+States Government, private sector, and critical | |
+infrastructure networks, but significant threats also | |
+emanate from Russia, Iran, North Korea, and others who | |
+undermine United States cybersecurity. These | |
+campaigns disrupt the delivery of critical services | |
+across the Nation, cost billions of dollars, and | |
+undermine Americans’ security and privacy. More must | |
+be done to improve the Nation’s cybersecurity against | |
+these threats. I am ordering additional actions to | |
+improve our Nation’s cybersecurity, focusing on | |
+defending our digital infrastructure, securing the | |
+services and capabilities most vital to the digital | |
+domain, and building our capability to address key | |
threats. | |
-Building on the foundational steps I directed in | |
-Executive Order 14028 of May 12, 2021 (Improving the | |
-Nation's Cybersecurity), and the initiatives detailed | |
-in the National Cybersecurity Strategy, I am ordering | |
-additional actions to improve our Nation's | |
-cybersecurity, focusing on defending our digital | |
-infrastructure, securing the services and capabilities | |
-most vital to the digital domain, and building our | |
-capability to address key threats, including those | |
-from the People's Republic of China. Improving | |
-accountability for software and cloud service | |
-providers, strengthening the security of Federal | |
-communications and identity management systems, and | |
-promoting innovative developments and the use of | |
-emerging technologies for cybersecurity across | |
-executive departments and agencies (agencies) and with | |
-the private sector are especially critical to | |
-improvement of the Nation's cybersecurity. | |
- | |
Sec. 2. Operationalizing Transparency and Security in | |
Third-Party Software Supply Chains. | |
-(a) The Federal Government and our Nation's critical | |
-infrastructure rely on software providers. Yet | |
-insecure software remains a challenge for both | |
-providers and users and makes Federal Government and | |
-critical infrastructure systems vulnerable to | |
-malicious cyber incidents. The Federal Government must | |
-continue to adopt secure software acquisition | |
-practices and take steps so that software providers | |
-use secure software development practices to reduce | |
-the number and severity of vulnerabilities in software | |
-they produce. | |
- | |
-(b) Executive Order 14028 directed actions to improve | |
-the security and integrity of software critical to the | |
-Federal Government's ability to function. Executive | |
-Order 14028 directed the development of guidance on | |
-secure software development practices and on | |
-generating and providing evidence in the form of | |
-artifacts—computer records or data that are generated | |
-manually or by automated means—that demonstrate | |
-compliance with those practices. Additionally, it | |
-directed the Director of the Office of Management and | |
-Budget (OMB) to require agencies to use only software | |
-from providers that attest to using those secure | |
-software development practices. In some instances, | |
-providers of software to the Federal Government commit | |
-to following cybersecurity practices, yet do not fix | |
-well-known exploitable vulnerabilities in their | |
-software, which puts the Government at risk of | |
-compromise. The Federal Government needs to adopt more | |
-rigorous third-party risk management practices and | |
-greater assurance that software providers that support | |
-critical Government services are following the | |
-practices to which they attest. | |
- | |
-(i) Within 30 days of the date of this order, the | |
-Director of OMB, in consultation with the Secretary of | |
-Commerce, acting through the Director of the National | |
-Institute of Standards and Technology (NIST), and the | |
-Secretary of Homeland Security, acting through the | |
-Director of the Cybersecurity and Infrastructure | |
-Security Agency (CISA), shall recommend to the Federal | |
-Acquisition Regulatory Council (FAR Council) contract | |
-language requiring software providers to submit to | |
-CISA through CISA's Repository for Software | |
-Attestation and Artifacts (RSAA): | |
- | |
-(A) machine-readable secure software development | |
-attestations; | |
- | |
-(B) high-level artifacts to validate those | |
-attestations; and | |
- | |
-(C) a list of the providers' Federal Civilian | |
-Executive Branch (FCEB) agency software customers. | |
- | |
-(ii) Within 120 days of the receipt of the | |
-recommendations described in subsection (b)(i) of this | |
-section, the FAR Council shall review the | |
-recommendations and, as appropriate and consistent | |
-with applicable law, the Secretary of Defense, the | |
-Administrator of General Services, and the | |
-Administrator of the National Aeronautics and Space | |
-Administration (the agency members of the FAR Council) | |
-shall jointly take steps to amend the Federal | |
-Acquisition Regulation (FAR) to implement those | |
-recommendations. The agency members of the FAR Council | |
-are strongly encouraged to consider issuing an interim | |
-final rule, as appropriate and consistent with | |
-applicable law. | |
- | |
-(iii) Within 60 days of the date of the issuance of | |
-the recommendations described in subsection (b)(i) of | |
-this section, the Secretary of Homeland Security, | |
-acting through the Director of CISA, shall evaluate | |
-emerging methods of generating, receiving, and | |
-verifying machine-readable secure software development | |
-attestations and artifacts and, as appropriate, shall | |
-provide guidance for software providers on submitting | |
-them to CISA's RSAA website, including a common data | |
-schema and format. | |
- | |
-(iv) Within 30 days of the date of any amendments to | |
-the FAR described in subsection (b)(ii) of this | |
-section, the Secretary of Homeland Security, acting | |
-through the Director of CISA, shall develop a program | |
-to centrally verify the completeness of all | |
-attestation forms. CISA shall continuously validate a | |
-sample of the complete attestations using high-level | |
-artifacts in the RSAA. | |
- | |
-(v) If CISA finds that attestations are incomplete or | |
-artifacts are insufficient for validating the | |
-attestations, the Director of CISA shall notify the | |
-software provider and the contracting agency. The | |
-Director of CISA shall provide a process for the | |
-software provider to respond to CISA's initial | |
-determination and shall duly consider the response. | |
- | |
-(vi) For attestations that undergo validation, the | |
-Director of CISA shall inform the National Cyber | |
-Director, who shall publicly post the results, | |
-identifying the software providers and software | |
-version. The National Cyber Director is encouraged to | |
-refer attestations that fail validation to the | |
-Attorney General for action as appropriate. | |
- | |
-(c) Secure software development practices are not | |
+(a) Secure software development practices are not | |
sufficient to address the potential for cyber | |
incidents from resourced and determined nation-state | |
actors. To mitigate the risk of such incidents | |
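Review bot: striking the whole of subsection 2(b) also removes the defining first uses of four abbreviations the rest of the file keeps relying on: `Budget (OMB)`, `Institute of Standards and Technology (NIST)`, `Security Agency (CISA)` and `Executive Branch (FCEB) agency`. Unchanged context further down still reads `CISA's capability to hunt for and identify threats across FCEB agencies`, and the text inserted in the next hunk opens with `acting through the Director of NIST`, so each expansion has to be reintroduced at its new first occurrence or the amended order stops being self-defining. The relettering of (c) to (a) here also means every surviving `subsection (b)(i)`-style cross-reference in Sec. 2 must be checked against the new letters, which is exactly the old-versus-new numbering problem the header of this file warns about.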
@@ -213,7 +94,7 @@ | |
to obtain clearance of the revised form under the | |
Paperwork Reduction Act, 44 U.S.C. 3501 et seq. | |
-(d) As agencies have improved their cyber defenses, | |
+(b) As agencies have improved their cyber defenses, | |
adversaries have targeted the weak links in agency | |
supply chains and the products and services upon which | |
the Federal Government relies. Agencies need to | |
@@ -238,51 +119,45 @@ | |
compliance evaluation, contract administration, and | |
performance evaluation. | |
-(e) Open source software plays a critical role in | |
-Federal information systems. To help the Federal | |
-Government continue to reap the innovation and cost | |
-benefits of open source software and contribute to the | |
-cybersecurity of the open source software ecosystem, | |
-agencies must better manage their use of open source | |
-software. Within 120 days of the date of this order, | |
-the Secretary of Homeland Security, acting through the | |
-Director of CISA, and the Director of OMB, in | |
-consultation with the Administrator of General | |
-Services and the heads of other agencies as | |
-appropriate, shall jointly issue recommendations to | |
-agencies on the use of security assessments and | |
-patching of open source software and best practices | |
-for contributing to open source software projects. | |
+(c) Relevant executive departments and agencies | |
+(agencies) shall take the following actions: | |
-Sec. 3. Improving the Cybersecurity of Federal Systems. | |
+(i) By August 1, 2025, the Secretary of Commerce, | |
+acting through the Director of NIST, shall establish a | |
+consortium with industry at the National Cybersecurity | |
+Center of Excellence to develop guidance, informed by | |
+the consortium as appropriate, that demonstrates the | |
+implementation of secure software development, | |
+security, and operations practices based on NIST | |
+Special Publication 800–218 (Secure Software | |
+Development Framework (SSDF)). | |
-(a) The Federal Government must adopt proven security | |
-practices from industry—to include in identity and | |
-access management—in order to improve visibility of | |
-security threats across networks and strengthen cloud | |
-security. | |
+(ii) By September 2, 2025, the Secretary of | |
+Commerce, acting through the Director of NIST, shall | |
+update NIST Special Publication 800–53 (Security and | |
+Privacy Controls for Information Systems and | |
+Organizations) to provide guidance on how to securely | |
+and reliably deploy patches and updates. | |
-(b) To prioritize investments in the innovative | |
-identity technologies and processes of the future and | |
-phishing-resistant authentication options, FCEB | |
-agencies shall begin using, in pilot deployments or in | |
-larger deployments as appropriate, commercial | |
-phishing-resistant standards such as WebAuthn, | |
-building on the deployments that OMB and CISA have | |
-developed and established since the issuance of | |
-Executive Order 14028. These pilot deployments shall | |
-be used to inform future directions for Federal | |
-identity, credentialing, and access management | |
-strategies. | |
+(iii) By December 1, 2025, the Secretary of Commerce, | |
+acting through the Director of NIST, in consultation | |
+with the heads of such agencies as the Director of | |
+NIST deems appropriate, shall develop and publish a | |
+preliminary update to the SSDF. This preliminary | |
+update shall include practices, procedures, controls, | |
+and implementation examples regarding the secure and | |
+reliable development and delivery of software as well | |
+as the security of the software itself. Within 120 | |
+days of publishing the preliminary update, the | |
+Secretary of Commerce, acting through the Director of | |
+NIST, shall publish a final version of the updated | |
+SSDF. | |
-(c) The Federal Government must maintain the ability | |
+Sec. 3. Improving the Cybersecurity of Federal Systems. | |
+ | |
+(a) The Federal Government must maintain the ability | |
to rapidly and effectively identify threats across the | |
-Federal enterprise. In Executive Order 14028, I | |
-directed the Secretary of Defense and the Secretary of | |
-Homeland Security to establish procedures to | |
-immediately share threat information to strengthen the | |
-collective defense of Department of Defense and | |
-civilian networks. To enable identification of threat | |
+Federal enterprise. To enable identification of threat | |
activity, CISA's capability to hunt for and identify | |
threats across FCEB agencies under 44 U.S.C. | |
3553(b)(7) must be strengthened. | |
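Review bot: the inserted 2(c)(i) and (ii) treat `NIST` as an established term, but its only expansion in the file was in the 2(b)(i) text struck in the previous hunk, so `acting through the Director of NIST` is now the first, undefined, mention; the hunk does define SSDF inline (`NIST Special Publication 800–218 (Secure Software Development Framework (SSDF))`) and re-establishes `(agencies)`, so NIST should get the same treatment. A second point: deleting old Sec. 3(a) and (b) removes the only operative text on identity and access management and phishing-resistant authentication (`commercial phishing-resistant standards such as WebAuthn`) while keeping the Sec. 3 heading, so the section now covers threat hunting, cloud and space systems only; if that narrowing is intended it is worth recording, since nothing in the new (a) replaces it.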
@@ -296,7 +171,7 @@ | |
detection and response (EDR) solutions and from FCEB | |
agency security operation centers to enable: | |
-(A) timely hunting and identification of novel cyber | |
+(A) timely hunting and identification of cyber | |
threats and vulnerabilities across the Federal | |
civilian enterprise; | |
@@ -419,7 +294,7 @@ | |
be kept confidential in connection with a judicial | |
proceeding. | |
-(d) The security of Federal information systems relies | |
+(b) The security of Federal information systems relies | |
on the security of the Government's cloud services. | |
Within 90 days of the date of this order, the | |
Administrator of General Services, acting through the | |
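Review bot: the retained deadline `Within 90 days of the date of this order` now lives in an order that has been amended, while every deadline the amending text inserts is absolute (`By August 1, 2025`, `By December 1, 2025`); a relative deadline that survives amendment is ambiguous about which order's date it runs from, so either make the reference explicit (the date of the original order) or convert it to an absolute date like the inserted text. The (d) to (b) relettering itself is consistent with the removal of old 3(a) and (b) in the previous hunk.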
@@ -435,7 +310,7 @@ | |
cloud-based systems in order to secure Federal data | |
based on agency requirements. | |
-(e) As cybersecurity threats to space systems | |
+(c) As cybersecurity threats to space systems | |
increase, these systems and their supporting digital | |
infrastructure must be designed to adapt to evolving | |
cybersecurity threats and operate in contested | |
@@ -531,12 +406,7 @@ | |
using modern, standardized, and commercially available | |
algorithms and protocols. | |
-(b) The security of Internet traffic depends on data | |
-being correctly routed and delivered to the intended | |
-recipient network. Routing information originated and | |
-propagated across the Internet, utilizing the Border | |
-Gateway Protocol (BGP), is vulnerable to attack and | |
-misconfiguration. | |
+(b) Relevant agencies shall take the following actions: | |
(i) Within 90 days of the date of this order, FCEB | |
agencies shall take steps to ensure that all of their | |
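Review bot: replacing the (b) paragraph with the bare `Relevant agencies shall take the following actions:` drops the only sentence that states what subsections (i) through (iii) are about, namely routing information propagated via `the Border Gateway Protocol (BGP)` being `vulnerable to attack and misconfiguration`; the surviving (i) still opens with `FCEB agencies shall take steps to ensure that all of their`, so a reader of the amended text has to infer the BGP scope from the subsections themselves. Keeping a one-line scope statement in the new (b) lead-in would avoid that.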
@@ -580,18 +450,6 @@ | |
requirements in future contracts, consistent with | |
applicable law. | |
-(iv) Within 180 days of the date of this order, the | |
-Secretary of Commerce, acting through the Director of | |
-NIST, shall publish updated guidance to agencies on | |
-deployment of current, operationally viable BGP | |
-security methods for Federal Government networks and | |
-service providers. The Secretary of Commerce, acting | |
-through the Director of NIST, shall also provide | |
-updated guidance on other emerging technologies to | |
-improve Internet routing security and resilience, such | |
-as route leak mitigation and source address | |
-validation. | |
- | |
(c) Encrypting Domain Name System (DNS) traffic in | |
transit is a critical step to protecting both the | |
confidentiality of the information being transmitted | |
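Review bot: deleting (b)(iv) removes the NIST deliverable on `current, operationally viable BGP security methods` together with the guidance on `route leak mitigation and source address validation`, so (b) now ends at (iii) and (c) on DNS follows directly; confirm that none of (i) through (iii), whose full text is outside this hunk, refers to the guidance described in subsection (b)(iv), since such a reference would now dangle.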
@@ -628,21 +486,6 @@ | |
the agency's email clients and their associated email | |
servers. | |
-(ii) Within 180 days of the date of this order, the | |
-Director of OMB shall establish a requirement for | |
-expanded use of authenticated transport-layer | |
-encryption between email servers used by FCEB agencies | |
-to send and receive email. | |
- | |
-(iii) Within 90 days of the establishment of the | |
-requirement described in subsection (d)(ii) of this | |
-section, the Secretary of Homeland Security, acting | |
-through the Director of CISA, shall take appropriate | |
-steps to assist agencies in meeting that requirement, | |
-including by issuing implementing directives, as well | |
-as technical guidance to address any identified | |
-capability gaps. | |
- | |
(e) Modern communications such as voice and video | |
conferencing and instant messaging are usually | |
encrypted at the link level but often are not | |
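Review bot: (d)(ii) and (d)(iii) are struck together, which keeps the section internally consistent (the struck (iii) was the only text that pointed at `subsection (d)(ii)`), but (d) is left with a single sub-item (i) that covers only `the agency's email clients and their associated email servers`; the requirement for `authenticated transport-layer encryption between email servers` is no longer stated anywhere in the section, and a lone (i) under (d) should be folded into (d) itself rather than kept as a one-item list.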
@@ -667,58 +510,37 @@ | |
archival capabilities that allow agencies to fulfill | |
records management and accountability requirements. | |
-(f) Alongside their benefits, quantum computers pose | |
-significant risk to the national security, including | |
-the economic security, of the United States. Most | |
-notably, a quantum computer of sufficient size and | |
-sophistication—also known as a cryptanalytically | |
-relevant quantum computer (CRQC)—will be capable of | |
+(f) A quantum computer of sufficient size and | |
+sophistication — also known as a cryptanalytically | |
+relevant quantum computer (CRQC) — will be capable of | |
breaking much of the public-key cryptography used on | |
digital systems across the United States and around | |
-the world. In National Security Memorandum 10 of May | |
+the world. National Security Memorandum 10 of May | |
4, 2022 (Promoting United States Leadership in Quantum | |
Computing While Mitigating Risks to Vulnerable | |
-Cryptographic Systems), I directed the Federal | |
+Cryptographic Systems), directed the Federal | |
Government to prepare for a transition to | |
cryptographic algorithms that would not be vulnerable | |
to a CRQC. | |
-(i) Within 180 days of the date of this order, the | |
-Secretary of Homeland Security, acting through the | |
-Director of CISA, shall release and thereafter | |
+(i) By December 1, 2025, the Secretary of Homeland | |
+Security, acting through the Director of the | |
+Cybersecurity and Infrastructure Security Agency | |
+(CISA), and in consultation with the Director of the | |
+National Security Agency, shall release and thereafter | |
regularly update a list of product categories in which | |
products that support post-quantum cryptography (PQC) | |
are widely available. | |
-(ii) Within 90 days of a product category being placed | |
-on the list described in subsection (f)(i) of this | |
-section, agencies shall take steps to include in any | |
-solicitations for products in that category a | |
-requirement that products support PQC. | |
+(ii) By December 1, 2025, to prepare for transition | |
+to PQC, the Director of the National Security Agency | |
+with respect to National Security Systems (NSS), and | |
+the Director of OMB with respect to non-NSS, shall | |
+each issue requirements for agencies to support, as | |
+soon as practicable, but not later than January 2, | |
+2030, Transport Layer Security protocol version 1.3 or | |
+a successor version. | |
-(iii) Agencies shall implement PQC key establishment | |
-or hybrid key establishment including a PQC algorithm | |
-as soon as practicable upon support being provided by | |
-network security products and services already | |
-deployed in their network architectures. | |
- | |
-(iv) Within 90 days of the date of this order, the | |
-Secretary of State and the Secretary of Commerce, | |
-acting through the Director of NIST and the Under | |
-Secretary for International Trade, shall identify and | |
-engage foreign governments and industry groups in key | |
-countries to encourage their transition to PQC | |
-algorithms standardized by NIST. | |
- | |
-(v) Within 180 days of the date of this order, to | |
-prepare for transition to PQC, the Secretary of | |
-Defense with respect to National Security Systems | |
-(NSS), and the Director of OMB with respect to | |
-non-NSS, shall each issue requirements for agencies to | |
-support, as soon as practicable, but not later than | |
-January 2, 2030, Transport Layer Security protocol | |
-version 1.3 or a successor version. | |
- | |
(g) The Federal Government should take advantage of | |
commercial security technologies and architectures, | |
such as hardware security modules, trusted execution | |
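Review bot: the retained (f)(i) list of product categories in which PQC-supporting products `are widely available` no longer drives any action, because the old (ii), which required solicitations in a listed category to demand PQC support, is struck along with (iii) and (iv); the list needs a new consumer or it becomes a documentation-only deliverable. Two smaller points: the inserted (i) spells out `Cybersecurity and Infrastructure Security Agency (CISA)` even though `CISA's capability` is already used, undefined, in the Sec. 3 context above, so the expansion belongs at that earlier first use; and the inserted text spaces its dashes (`sophistication — also known as`) where the struck text and the rest of the file close them up. Finally, the new (ii) quietly moves responsibility for the NSS TLS 1.3 requirement from the Secretary of Defense to the Director of the National Security Agency, which is a substantive change hidden inside what otherwise looks like a deadline edit and deserves its own mention.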
@@ -762,305 +584,81 @@ | |
cryptographic keys used by cloud service providers in | |
the provision of services to agencies. | |
-Sec. 5. Solutions to Combat Cybercrime and Fraud. | |
+Sec. 5. Promoting Security with and in Artificial Intelligence. | |
-(a) The use of stolen and synthetic identities by | |
-criminal syndicates to systemically defraud public | |
-benefits programs costs taxpayers and wastes Federal | |
-Government funds. To help address these crimes it is | |
-the policy of the executive branch to strongly | |
-encourage the acceptance of digital identity documents | |
-to access public benefits programs that require | |
-identity verification, so long as it is done in a | |
-manner that preserves broad program access for | |
-vulnerable populations and supports the principles of | |
-privacy, data minimization, and interoperability. | |
- | |
-(i) Within 90 days of the date of this order, agencies | |
-with grantmaking authority are encouraged to consider, | |
-in coordination with OMB and the National Security | |
-Council staff, whether Federal grant funding is | |
-available to assist States in developing and issuing | |
-mobile driver's licenses that achieve the policies and | |
-principles described in this section. | |
- | |
-(ii) Within 270 days of the date of this order, the | |
-Secretary of Commerce, acting through the Director of | |
-NIST, shall issue practical implementation guidance, | |
-in collaboration with relevant agencies and other | |
-stakeholders through the National Cybersecurity Center | |
-of Excellence, to support remote digital identity | |
-verification using digital identity documents that | |
-will help issuers and verifiers of digital identity | |
-documents advance the policies and principles | |
-described in this section. | |
- | |
-(iii) Agencies should consider accepting digital | |
-identity documents as digital identity verification | |
-evidence to access public benefits programs, but only | |
-if the use of these documents is consistent with the | |
-policies and principles described in this section. | |
- | |
-(iv) Agencies should, consistent with applicable law, | |
-seek to ensure that digital identity documents | |
-accepted as digital identity verification evidence to | |
-access public benefits programs: | |
- | |
-(A) are interoperable with relevant standards and | |
-trust frameworks, so that the public can use any | |
-standards-compliant hardware or software containing an | |
-official Government-issued digital identity document, | |
-regardless of manufacturer or developer; | |
- | |
-(B) do not enable authorities that issue digital | |
-identity documents, device manufacturers, or any other | |
-third party to surveil or track presentation of the | |
-digital identity document, including user device | |
-location at the time of presentation; and | |
- | |
-(C) support user privacy and data minimization by | |
-ensuring only the minimum information required for a | |
-transaction—often a "yes" or "no" response to a | |
-question, such as whether an individual is older than | |
-a specific age—is requested from the holder of the | |
-digital identity document. | |
- | |
-(b) The use of "Yes/No" validation services, also | |
-referred to as attribute validation services, can | |
-enable more privacy-preserving means to reduce | |
-identity fraud. These services allow programs to | |
-confirm, via a privacy-preserving "yes" or "no" | |
-response, that applicant-provided identity information | |
-is consistent with information already contained in | |
-official records, without needing to share the | |
-contents of those official records. To support the use | |
-of such services, the Commissioner of Social Security, | |
-and the head of any other agency designated by the | |
-Director of OMB, shall, as appropriate and consistent | |
-with applicable law, consider taking steps to develop | |
-or modify services—including through, as appropriate, | |
-the initiation of a proposed rulemaking or the | |
-publication of a notice of a new or significantly | |
-modified routine use of records—related to | |
-Government-operated identity verification systems and | |
-public benefits programs, with consideration given to | |
-having such systems and programs submit | |
-applicant-provided identity information to the agency | |
-providing the service and receive a "yes" or "no" | |
-response as to whether the applicant-provided identity | |
-information is consistent with the information on file | |
-with the agency providing the service. In doing so, | |
-the heads of these agencies shall specifically | |
-consider seeking to ensure, consistent with applicable | |
-law, that: | |
- | |
-(i) any applicant-provided identity information | |
-submitted to the services and any "yes" or "no" | |
-response provided by the services are used only to | |
-assist with identity verification, program | |
-administration, anti-fraud operations, or | |
-investigation and prosecution of fraud related to the | |
-public benefits program for which the identity | |
-information was submitted; | |
- | |
-(ii) the services are made available, to the maximum | |
-extent permissible and as appropriate, to public | |
-benefits programs; Government-operated identity | |
-verification systems, including shared-service | |
-providers; payment integrity programs; and United | |
-States-regulated financial institutions; and | |
- | |
-(iii) the agencies, public benefits programs, or | |
-institutions using the services provide reimbursement | |
-to appropriately cover costs and support the ongoing | |
-maintenance, improvement, and broad accessibility of | |
-the services. | |
- | |
-(c) The Secretary of the Treasury, in consultation | |
-with the Administrator of General Services, shall | |
-research, develop, and conduct a pilot program for | |
-technology that notifies individuals and entities when | |
-their identity information is used to request a | |
-payment from a public benefits program, gives | |
-individuals and entities the option to stop | |
-potentially fraudulent transactions before they occur, | |
-and reports fraudulent transactions to law enforcement | |
-entities. | |
- | |
-Sec. 6. Promoting Security with and in Artificial Intelligence. | |
- | |
Artificial intelligence (AI) has the potential to | |
-transform cyber defense by rapidly identifying new | |
+transform cyber defense by rapidly identifying | |
vulnerabilities, increasing the scale of threat | |
detection techniques, and automating cyber defense. | |
-The Federal Government must accelerate the development | |
-and deployment of AI, explore ways to improve the | |
-cybersecurity of critical infrastructure using AI, and | |
-accelerate research at the intersection of AI and | |
-cybersecurity. | |
-(a) Within 180 days of the date of the completion of | |
-the Defense Advanced Research Projects Agency's 2025 | |
-Artificial Intelligence Cyber Challenge, the Secretary | |
-of Energy, in coordination with the Secretary of | |
-Defense, acting through the Director of the Defense | |
-Advanced Research Projects Agency, and the Secretary | |
-of Homeland Security, shall launch a pilot program, | |
-involving collaboration with private sector critical | |
-infrastructure entities as appropriate and consistent | |
-with applicable law, on the use of AI to enhance cyber | |
-defense of critical infrastructure in the energy | |
-sector, and conduct an assessment of the pilot program | |
-upon its completion. This pilot program, and | |
-accompanying assessment, may include vulnerability | |
-detection, automatic patch management, and the | |
-identification and categorization of anomalous and | |
-malicious activity across information technology (IT) | |
-or operational technology systems. | |
+(a) By November 1, 2025, the Secretary of Commerce, | |
+acting through the Director of NIST; the Secretary of | |
+Energy; the Secretary of Homeland Security, acting | |
+through the Under Secretary for Science and | |
+Technology; and the Director of the National Science | |
+Foundation shall ensure that existing datasets for | |
+cyber defense research have been made accessible to | |
+the broader academic research community (either | |
+securely or publicly) to the maximum extent feasible, | |
+in consideration of business confidentiality and | |
+national security. | |
-(b) Within 270 days of the date of this order, the | |
-Secretary of Defense shall establish a program to use | |
-advanced AI models for cyber defense. | |
+(b) By November 1, 2025, the Secretary of Defense, | |
+the Secretary of Homeland Security, and the Director | |
+of National Intelligence, in coordination with | |
+appropriate officials within the Executive Office of | |
+the President, to include officials within the Office | |
+of Science and Technology Policy, the Office of the | |
+National Cyber Director, and the Director of OMB, | |
+shall incorporate management of AI software | |
+vulnerabilities and compromises into their respective | |
+agencies’ existing processes and interagency | |
+coordination mechanisms for vulnerability management, | |
+including through incident tracking, response, and | |
+reporting, and by sharing indicators of compromise for | |
+AI systems.” | |
-(c) Within 150 days of the date of this order, the | |
-Secretary of Commerce, acting through the Director of | |
-NIST; the Secretary of Energy; the Secretary of | |
-Homeland Security, acting through the Under Secretary | |
-for Science and Technology; and the Director of the | |
-National Science Foundation (NSF) shall each | |
-prioritize funding for their respective programs that | |
-encourage the development of large-scale, labeled | |
-datasets needed to make progress on cyber defense | |
-research, and ensure that existing datasets for cyber | |
-defense research have been made accessible to the | |
-broader academic research community (either securely | |
-or publicly) to the maximum extent feasible, in | |
-consideration of business confidentiality and national | |
-security. | |
+Sec. 6. Aligning Policy to Practice. | |
-(d) Within 150 days of the date of this order, the | |
-Secretary of Commerce, acting through the Director of | |
-NIST; the Secretary of Energy; the Secretary of | |
-Homeland Security, acting through the Under Secretary | |
-for Science and Technology; and the Director of the | |
-NSF shall prioritize research on the following topics: | |
- | |
-(i) human-AI interaction methods to assist defensive | |
-cyber analysis; | |
- | |
-(ii) security of AI coding assistance, including | |
-security of AI-generated code; | |
- | |
-(iii) methods for designing secure AI systems; and | |
- | |
-(iv) methods for prevention, response, remediation, | |
-and recovery of cyber incidents involving AI systems. | |
- | |
-(e) Within 150 days of the date of this order, the | |
-Secretary of Defense, the Secretary of Homeland | |
-Security, and the Director of National Intelligence, | |
-in coordination with the Director of OMB, shall | |
-incorporate management of AI software vulnerabilities | |
-and compromises into their respective agencies' | |
-existing processes and interagency coordination | |
-mechanisms for vulnerability management, including | |
-through incident tracking, response, and reporting, | |
-and by sharing indicators of compromise for AI | |
-systems. | |
- | |
-Sec. 7. Aligning Policy to Practice. | |
- | |
-(a) IT infrastructure and networks that support | |
-agencies' critical missions need to be modernized. | |
Agencies' policies must align investments and | |
priorities to improve network visibility and security | |
-controls to reduce cyber risks. | |
+controls to reduce cyber risks. In consultation with | |
+the National Cyber Director, agencies shall take the | |
+following actions: | |
-(i) Within 3 years of the date of this order, the | |
+(a) Within 3 years of the date of this order, the | |
Director of OMB shall issue guidance, including any | |
necessary revision to OMB Circular A-130, to address | |
critical risks and adapt modern practices and | |
architectures across Federal information systems and | |
-networks. This guidance shall, at a minimum: | |
+networks. | |
-(A) outline expectations for agency cybersecurity | |
-information sharing and exchange, enterprise | |
-visibility, and accountability for enterprise-wide | |
-cybersecurity programs by agency CISOs; | |
+(b) Within 1 year of the date of this order, the | |
+Secretary of Commerce, acting through the Director of | |
+NIST; the Secretary of Homeland Security, acting | |
+through the Director of CISA; and the Director of OMB | |
+shall establish a pilot program of a rules-as- code | |
+approach for machine-readable versions of policy and | |
+guidance that OMB, NIST, and CISA publish and manage | |
+regarding cybersecurity. | |
-(B) revise OMB Circular A-130 to be less technically | |
-prescriptive in key areas, where appropriate, to more | |
-clearly promote the adoption of evolving cybersecurity | |
-best practices across Federal systems, and to include | |
-migration to zero trust architectures and | |
-implementation of critical elements such as EDR | |
-capabilities, encryption, network segmentation, and | |
-phishing-resistant multi-factor authentication; and | |
+(c) Within 1 year of the date of this order, agency | |
+members of the FAR Council shall, as appropriate and | |
+consistent with applicable law, jointly take steps to | |
+amend the FAR to adopt requirements for agencies to, | |
+by January 4, 2027, require vendors to the Federal | |
+Government of consumer Internet-of-Things products, as | |
+defined by 47 CFR 8.203(b), to carry United States | |
+Cyber Trust Mark labeling for those products. | |
-(C) address how agencies should identify, assess, | |
-respond to, and mitigate risks to mission essential | |
-functions presented by concentration of IT vendors and | |
-services. | |
+Sec. 7. National Security Systems and Debilitating | |
+Impact Systems. | |
-(ii) The Secretary of Commerce, acting through the | |
-Director of NIST; the Secretary of Homeland Security, | |
-acting through the Director of CISA; and the Director | |
-of OMB shall establish a pilot program of a | |
-rules-as-code approach for machine-readable versions | |
-of policy and guidance that OMB, NIST, and CISA | |
-publish and manage regarding cybersecurity. | |
- | |
-(b) Managing cybersecurity risks is now a part of | |
-everyday industry practice and should be expected for | |
-all types of businesses. Minimum cybersecurity | |
-requirements can make it costlier and harder for | |
-threat actors to compromise networks. Within 240 days | |
-of the date of this order, the Secretary of Commerce, | |
-acting through the Director of NIST, shall evaluate | |
-common cybersecurity practices and security control | |
-outcomes that are commonly used or recommended across | |
-industry sectors, international standards bodies, and | |
-other risk management programs, and based on that | |
-evaluation issue guidance identifying minimum | |
-cybersecurity practices. In developing this guidance, | |
-the Secretary of Commerce, acting through the Director | |
-of NIST, shall solicit input from the Federal | |
-Government, the private sector, academia, and other | |
-appropriate actors. | |
- | |
-(c) Agencies face multiple cybersecurity risks when | |
-purchasing products and services. While agencies have | |
-already made significant advances to improve their | |
-supply chain risk management, additional actions are | |
-needed to keep pace with the evolving threat | |
-landscape. Within 180 days of the issuance of the | |
-guidance described in subsection (b) of this section, | |
-the FAR Council shall review the guidance and, as | |
-appropriate and consistent with applicable law, the | |
-agency members of the FAR Council shall jointly take | |
-steps to amend the FAR to: | |
- | |
-(i) require that contractors with the Federal | |
-Government follow applicable minimum cybersecurity | |
-practices identified in NIST's guidance pursuant to | |
-subsection (b) of this section with respect to work | |
-performed under agency contracts or when developing, | |
-maintaining, or supporting IT services or products | |
-that are provided to the Federal Government; and | |
- | |
-(ii) adopt requirements for agencies to, by January 4, | |
-2027, require vendors to the Federal Government of | |
-consumer Internet-of-Things products, as defined by 47 | |
-C.F.R. 8.203(b), to carry United States Cyber Trust | |
-Mark labeling for those products. | |
- | |
-Sec. 8. National Security Systems and Debilitating Impact Systems. | |
- | |
-(a) Except as specifically provided for in section | |
-4(f)(v) of this order, sections 1 through 7 of this | |
-order shall not apply to Federal information systems | |
-that are NSS or are otherwise identified by the | |
-Department of Defense or the Intelligence Community as | |
+(a) Except as specifically provided for in subsection | |
+4(f) of this order, sections 1 through 7 of this order | |
+shall not apply to Federal information systems that | |
+are NSS or are otherwise identified by the Department | |
+of Defense or the Intelligence Community as | |
debilitating impact systems. | |
(b) Within 90 days of the date of this order, to help | |
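Review bot: The amended Sec. 7(a) reads "sections 1 through 7 of this order shall not apply" to NSS and debilitating impact systems, but after the renumbering Sec. 7 is itself the National Security Systems section, so the exclusion now names the section it sits in; the struck wording made the same statement from old Sec. 8, where "1 through 7" covered every preceding section. Confirm whether the amendment intends "sections 1 through 6" here, and likewise whether the changed cross-reference from "section 4(f)(v)" to "subsection 4(f)" is the amendment's wording or a renumbering artifact. For readers tracking requirements: the struck items (A) through (C) under the A-130 guidance (zero trust migration, EDR, encryption, network segmentation, phishing-resistant MFA, and IT vendor concentration risk), the NIST minimum-practices guidance in old (b), and the contractor requirement in old (c)(i) are removed outright, not relocated; the rules-as-code pilot survives as new (b) with a 1-year deadline it previously lacked, and the Cyber Trust Mark requirement survives as new (c). Minor: "rules-as- code" in new (b) has a stray space where the struck text had "rules-as-code", and new (c) cites "47 CFR 8.203(b)" where the struck text used "47 C.F.R. 8.203(b)".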
@@ -1091,10 +689,7 @@ | |
addition to appropriate updates, the CNSS shall | |
identify and address appropriate requirements to | |
implement cyber defenses on Federal | |
-Government-procured space NSS in the areas of | |
-intrusion detection, use of hardware roots of trust | |
-for secure booting, and development and deployment of | |
-security patches. | |
+Government-procured space NSS. | |
(d) To enhance the effective governance and oversight | |
of Federal information systems, within 90 days of the | |
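Review bot: The struck clause named the three defense areas the CNSS was to address for Government-procured space NSS (intrusion detection, hardware roots of trust for secure booting, and development and deployment of security patches); the amended sentence stops at "implement cyber defenses on Federal Government-procured space NSS" with no areas listed. Anyone mapping this order to secure-boot or patching requirements for space systems should treat those named areas as removed rather than implied by the general wording.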
@@ -1125,7 +720,7 @@ | |
Department of Defense, and Intelligence Community | |
Systems). | |
-Sec. 9. Additional Steps to Combat Significant | |
+Sec. 8. Additional Steps to Combat Significant | |
Malicious Cyber-Enabled Activities. | |
Because I find that additional steps must be taken to | |
@@ -1269,7 +864,7 @@ | |
in any activity described in subsections (a)(ii) or | |
(a)(iii)(A)-(E) of this section." | |
-Sec. 10. Definitions. For purposes of this order: | |
+Sec. 9. Definitions. For purposes of this order: | |
(a) The term "agency" has the meaning ascribed to it | |
under 44 U.S.C. 3502(1), except for the independent | |
@@ -1418,7 +1013,7 @@ | |
(cc) The term "zero trust architecture" has the | |
meaning given to it in Executive Order 14028. | |
-Sec. 11. General Provisions. | |
+Sec. 10. General Provisions. | |
(a) Nothing in this order shall be construed to impair | |
or otherwise affect: |
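Review bot: Definition (cc) "zero trust architecture" is kept unchanged while the only use of the term visible in this diff, "migration to zero trust architectures" in the struck A-130 guidance item (B), was removed; worth checking whether the amended order still uses the term anywhere, since an orphaned definition is harmless but worth flagging. The Sec. 11 to Sec. 10 renumbering is consistent with the one-section shift from merging old Sec. 7 into Sec. 6.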