In his final days in office, President Biden signed an ambitious executive order to improve the federal government's approach to cybersecurity. Executive Order 14144 ("Executive Order"), issued January 16, 2025, titled "Strengthening and Promoting Innovation in the Nation's Cybersecurity," has major implications for federal contractors, particularly cloud service and other technology providers. The Executive Order builds on—and in some places overhauls—activities directed by an early Biden-era executive order, Executive Order 14028 (EO 14028), "Improving the Nation's Cybersecurity" (see our prior post on EO 14028).

Federal cloud service providers and other federal contractors should review the Executive Order closely and stay abreast of related developments from federal agencies. The Executive Order envisions significant new attestation requirements for software suppliers to federal agencies, a slew of cybersecurity requirements in the Federal Acquisition Regulation (FAR), and changes to the Federal Risk and Authorization Management Program (FedRAMP) for participating cloud service providers.

How this sweeping Executive Order will fare under the Trump Administration is difficult to predict. The Executive Order was not included on President Trump's January 20, 2025, list of revoked executive orders, and the Biden Administration and prior Trump Administration shared many cybersecurity initiatives. However, the Executive Order's ambitious directives could run afoul of other Trump Administration priorities, including cutting federal regulations and shrinking the federal workforce. The order also could prove controversial in that it expands the responsibilities of the Cybersecurity and Infrastructure Security Agency ("CISA") in coordinating federal cybersecurity efforts.

Key Points

  • President Biden's Executive Order, signed during his last few days of office, envisions sweeping changes to federal cybersecurity programs and guidance.
  • The Executive Order calls for more robust attestation requirements for software providers to the federal government.
    • A prior executive order directed CISA to create an attestation form that agencies must collect from their software providers.
    • Under the new Executive Order, software providers will be required to provide attestations—and supporting artifacts—that they adhere to secure software development and delivery practices. Those attestations must be provided both to agency customers and to CISA. CISA must review those submissions, and misstatements could be prosecuted under the False Claims Act or other government anti-fraud laws.
  • The Executive Order also calls for numerous amendments to the FAR to impose new cybersecurity requirements on federal contractors, including a requirement to adopt "minimum cybersecurity practices" to be identified by NIST.
  • Cloud service providers participating in FedRAMP will be "incentivize[d] or require[d]" to provide secure configuration guidance to federal agencies.
  • The Executive Order directs numerous updates to foundational federal cybersecurity guidance, including NIST 800-53, OMB Memorandum M-22-18, and OMB Circular A-130.
  • How the Executive Order will fare under President Trump remains to be seen. While President Biden and President Trump shared similar goals and initiatives related to federal cybersecurity, the Executive Order's ambitious efforts and timelines may run afoul of policy priorities to cut regulations. Expansions of CISA's authority also could prove controversial with Republicans.

Overview of the Executive Order

The Executive Order includes nine sections of detailed directives for federal agencies. We summarize key directives below.

More Robust Attestations—and Potentially More Enforcement—for Software Providers

Improving the security of software used by the federal government was a major focus of EO 14028. Among other things, EO 14028 directed the National Institute of Standards and Technology (NIST) to issue secure software development guidance, which became its Secure Software Development Framework (SSDF, NIST Special Publication 800-218), and directed agencies to obtain attestations from their software providers that the providers follow those secure development practices. OMB implemented that requirement through Memorandum M-22-18, and CISA developed the common self-attestation form that agencies now collect.

Clearly, President Biden found these post-EO 14028 efforts inadequate to secure software used by federal agencies. Section 2 of the Executive Order opens with a shot across the bow of software providers, stating that some providers to federal agencies "commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software." The Executive Order thus proposes numerous significant changes to how software providers must verify the security of their software. Several of these changes build on and strengthen the requirements of EO 14028. Specifically:

  • CISA, NIST and the Office of Management and Budget (OMB) must propose contract language for the FAR requiring software providers to federal agencies to submit to CISA secure software development attestations, supporting artifacts, and a list of their federal agency customers. CISA, NIST and OMB have just 60 days to submit this proposed contract language. Currently, the burden is on federal agencies to collect and review attestations from their software providers. There is no direct obligation for providers to submit those attestations. This contract language would create that obligation for providers.
  • CISA also must develop a continuous process to "centrally verify" the completeness of all attestation forms. There currently is no centralized process for evaluating attestations under EO 14028. Agencies are expected to perform their own review and validation of attestations.
  • If CISA finds that an attestation is incomplete or that artifacts provide insufficient validation, CISA must notify the provider and the customer agencies.
  • The National Cyber Director must publicly post the results of CISA validations. Currently, information about software providers' validations is not made public.

The National Cyber Director is "encouraged to refer attestations that fail validation to the Attorney General for action as appropriate." While the Executive Order provides no detail on what actions may be "appropriate," it stands to reason that providers that submit inaccurate attestations could be prosecuted civilly or even criminally under anti-fraud laws. As we have discussed previously, the Department of Justice (DOJ) created its Civil Cyber-Fraud Initiative in 2021 to bring False Claims Act claims to enforce cybersecurity requirements in federal contracts. DOJ has brought a number of such cases, including joining in a high-profile whistleblower suit against Georgia Tech.

Updated and New Federal Cybersecurity Guidance

Various federal agencies, and particularly NIST, CISA, and OMB, direct federal cybersecurity efforts through detailed guidance and memoranda for federal agencies. The Executive Order calls for significant additions and updates to these materials:

  • NIST SSDF (NIST 800-218). NIST developed its SSDF following a directive in EO 14028. The Executive Order directs NIST to update the SSDF to include considerations beyond secure software development. The SSDF is to address "secure and reliable development and delivery of software as well as the security of the software itself."
  • OMB Memorandum M-22-18. OMB must incorporate "select practices" from the updated SSDF into its Memorandum M-22-18 (updated by OMB Memorandum M-23-16), which directs federal agencies on securing their software supply chains. Following OMB's updates, CISA must update its attestation form to conform to OMB's requirements.
  • NIST Special Publication 800-53 (NIST 800-53). NIST 800-53, titled "Security and Privacy Controls for Information Systems and Organizations," is NIST's foundational catalog of security and privacy controls for federal systems. Aspects of NIST 800-53 are incorporated into various requirements for federal contractors, including the cybersecurity "baselines" required by FedRAMP. The Executive Order directs NIST to update 800-53 within 90 days of the order.
  • OMB Circular A-130. OMB Circular A-130, titled "Managing Information as a Strategic Resource," has served a major role in shaping federal information management efforts since its initial publication in 1985. Revisions must cover a number of topics including migration to zero-trust architecture (a major federal priority we have discussed previously) and implementation of other security best practices. The updates also must address how agencies are to address risks related to "concentration of IT vendors and services." Cyber risk arising from vendor "concentration" was a recurring theme in the Biden Administration, as reflected in the National Cybersecurity Strategy and in guidance from federal financial regulators (for example, in its 2023 report on the adoption of cloud services in the financial sector, the Department of the Treasury identified various resiliency risks arising from market concentration in only a few cloud service providers).

The Executive Order also directs various agencies to develop significant new cybersecurity guidance. Section 7 directs NIST to develop ambitious new guidance on "minimum cybersecurity practices," which could establish new baselines for both government agencies and private-sector companies. That guidance must be based on NIST's evaluation of "common cybersecurity practices and security control outcomes that are commonly used or recommended across industry sectors, international standards bodies, and other risk management programs," and must involve collaboration with federal agencies, the private sector, and academia. After NIST issues this guidance, FAR amendments must be proposed to require contractors, including those engaged in "developing, maintaining, or supporting IT services or products" for federal agencies, to comply with NIST's minimum cybersecurity practices.

FedRAMP Developments

FedRAMP has undergone significant changes in the past year as the program has worked to implement the FedRAMP Authorization Act, a 2022 law that overhauled and codified FedRAMP (previously, FedRAMP operated pursuant to a 2011 OMB policy memorandum). The Executive Order directs further developments for FedRAMP:

  • Secure Configuration Baselines From Providers to Agencies. The Executive Order directs FedRAMP, in coordination with CISA and NIST, to develop policies and practices to "incentivize or require" participating cloud service providers to "produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems." FedRAMP must introduce these policies and practices within 90 days of the Executive Order.
  • Requirements for Secure Management of Access Tokens and Cryptographic Keys. The Executive Order directs NIST, CISA, and the General Services Administration (GSA) to develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers. FedRAMP also must work with NIST and CISA to develop updated FedRAMP requirements based on those guidelines.

As noted above, the Executive Order also directs NIST to update NIST 800-53; that update is to provide guidance on securely and reliably deploying patches and security updates for agency software. NIST 800-53 forms the basis of FedRAMP's security baselines, so updates to NIST 800-53 could result in updates to the FedRAMP baselines down the line.

Communications Security

Section 4 of the Executive Order focuses on the security of federal communications infrastructure. This area has been a priority for the federal government, particularly after Chinese state-sponsored hackers were able to compromise the communications of some high-ranking government officials as part of recent attacks by Salt Typhoon, a threat actor group believed to be associated with China's Ministry of State Security. Among other things, agencies are directed to encrypt email messages and voice and video conferencing traffic, including through use of end-to-end encryption where available. Agencies also must take steps to secure Border Gateway Protocol (BGP) routing, following guidance to be issued by NIST.

The Executive Order directs several changes to the FAR as part of this effort:

  • Internet Routing Security. Within 120 days of the Executive Order, the National Cyber Director must develop and recommend contract language to require providers of internet services to agencies to adopt and deploy internet routing security technologies, including publishing Route Origin Authorizations and performing Route Origin Validation filtering.
  • Encrypted DNS. CISA must propose template contract language requiring any product that acts as a Domain Name System (DNS) host resolver to support encrypted DNS.
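The routing-security bullet above names two concrete controls: publishing Route Origin Authorizations (ROAs) in the RPKI and performing Route Origin Validation (ROV) against them. The following is an added example, not part of the original post or of the Executive Order's text, showing what ROV actually decides: the RFC 6811 algorithm that labels a BGP announcement Valid, Invalid, or NotFound from a set of ROAs, plus the filtering policy most networks apply to that result. The ROA list is constructed from documentation prefixes and private AS numbers and is not real RPKI data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as published in the RPKI: which AS may
    originate a prefix, and how specific (maxLength) an announcement may be."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs for illustration only (documentation prefixes and
# private AS numbers); not real RPKI data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64498),
]


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation.

    Returns 'Valid', 'Invalid' or 'NotFound' for an announcement of `prefix`
    whose origin AS (rightmost AS in the AS_PATH) is `origin_asn`.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # A ROA covers the announcement if both are the same address family and
        # the announced prefix lies inside the ROA's prefix.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # no ROA speaks to this prefix at all
    for roa in covering:
        # An AS 0 ROA (RFC 6483) authorizes nobody; it can only make routes Invalid.
        if roa.asn != 0 and roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin AS or more specific than maxLength


def rov_policy(prefix: str, origin_asn: int, roas) -> str:
    """The filtering policy most operators deploy: drop Invalid, accept the rest.

    NotFound is accepted because most of the routing table still has no ROA;
    dropping it would disconnect networks that have not yet deployed RPKI.
    """
    return "reject" if validate_route(prefix, origin_asn, roas) == "Invalid" else "accept"


if __name__ == "__main__":
    # The legitimate origin, a hijack of the same prefix, and a too-specific announcement.
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64499), ("198.51.100.0/25", 64497)]:
        print(pfx, asn, validate_route(pfx, asn, SAMPLE_ROAS), rov_policy(pfx, asn, SAMPLE_ROAS))
```

The second line of the demo is the classic prefix hijack: the same prefix announced from an AS the ROA does not name is Invalid and is dropped by ROV. The third is a more subtle case, a /25 carved out of a /22 whose ROA allows announcements only down to /24, which is also Invalid; without that maxLength limit an attacker could win the route with a more specific announcement while still matching the authorized AS.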

Internet-of-Things (IoT) Security

The Executive Order directs additional FAR amendments requiring vendors of IoT products to federal agencies to carry the U.S. Cyber Trust Mark label by January 4, 2027. The U.S. Cyber Trust Mark program is administered by the Federal Communications Commission (FCC) and has been likened to an Energy Star program for IoT cybersecurity. EO 14028 directed NIST to explore IoT labeling, and the FCC proposed the U.S. Cyber Trust Mark in 2023 (we discussed the FCC's proposal, and NIST's initial efforts to explore IoT labeling, in prior posts). The FCC adopted rules for the program in 2024.

Other Improvements for Federal Cybersecurity and Cyber Defenses

Several sections of the Executive Order direct efforts to harden federal systems from cybersecurity threats and to improve cybersecurity defenses.

  • CISA Access to Agency EDR and SOCs. Section 3 of the Executive Order expands CISA's role in coordinating the federal government's response to cyber threats. Under the Executive Order, civilian agencies must permit CISA to access and pull data from their endpoint detection and response (EDR) tools and security operations centers (SOCs). Although CISA has enjoyed bipartisan support for much of its short life—the agency was created in 2018 under a law signed by President Trump—CISA more recently has been criticized by some Republicans for alleged political bias in its election misinformation and disinformation work. Some even have proposed to eliminate the agency altogether. However, the agency's existence seems assured for now. CISA employees were informed that they may not participate in the recently announced deferred resignation offer (widely described as a buyout) for federal employees because their positions are related to national security.
  • Phishing-Resistant Authentication. Civilian agencies are directed to begin piloting and using commercial phishing-resistant authentication standards such as WebAuthn.
  • Post-Quantum Cryptography. Adoption of post-quantum cryptography (PQC) technologies (a new generation of cryptographic algorithms that are designed to resist attacks from quantum computers) has been a major priority for the federal government. The Executive Order directs agencies to prioritize procurement of technologies that support PQC.
  • Cybersecurity Requirements for Federal Space Systems. NASA, the U.S. Geological Survey, and the National Oceanic and Atmospheric Administration (NOAA) must recommend updated cybersecurity requirements and contract language for civilian space systems.
  • NSS and Debilitating Impact Systems. Most of the Executive Order expressly does not apply to federal national security systems (NSS) or to systems designated by the Department of Defense or the intelligence community as "debilitating impact systems." To provide for the protection of those systems, the Director of the National Security Agency must develop security requirements to implement cyber defenses for those systems consistent with the Executive Order, including intrusion detection, use of hardware roots of trust for secure booting, and development and deployment of security patches.
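The phishing-resistant authentication bullet above names WebAuthn but not what makes it phishing-resistant. The following is an added example, not part of the original post or of any agency's code, showing the two server-side checks that do the work: the browser records the page origin in clientDataJSON and the authenticator binds the signed data to the relying party ID (rpIdHash), so a response obtained on a look-alike domain fails verification even if the user was fully fooled. The relying party ID, origin, and challenge are hypothetical; the assertion signature and sign-counter checks, which need the stored credential and a crypto library, are deliberately left out.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumptions (hypothetical): the relying party ID and the only origin it serves.
RP_ID = "login.example.gov"
ALLOWED_ORIGINS = {"https://login.example.gov"}

# Flag bits in authenticatorData (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser serializes as clientDataJSON for navigator.credentials.get().
    The browser, not page script, fills in the origin, which is why a phishing
    page cannot make its response look like it came from the real site."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")


def make_authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """Layout the authenticator signs: sha256(rpId) || flags || 32-bit sign counter."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Server-side checks that make a WebAuthn assertion phishing-resistant.
    Returns (ok, reason). Signature verification against the registered public
    key is a separate, later step and is not performed here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not the relying party"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode("utf-8")).digest()):
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:   # policy choice: require a PIN/biometric, not just a touch
        return False, "user verification not asserted"
    return True, "ok"


def demo():
    """A legitimate login and a relayed login from a look-alike phishing domain."""
    challenge = b"\x7f" * 32   # constructed; real servers use os.urandom(32) per ceremony
    auth_data = make_authenticator_data(RP_ID, sign_count=7)
    legit = verify_assertion(make_client_data("https://login.example.gov", challenge), auth_data, challenge)
    # The phishing site relays the real challenge, but the victim's browser records
    # the phishing origin in clientDataJSON (and in practice the authenticator would
    # also scope the credential to the phishing domain, failing rpIdHash as well).
    phish_origin = "https://login.example.gov.evil-phish.net"
    phished = verify_assertion(make_client_data(phish_origin, challenge), auth_data, challenge)
    return legit, phished


if __name__ == "__main__":
    print(demo())
```

This is the contrast with a one-time code or push approval, which carries nothing tying it to the site the user was actually on and so can be relayed in real time. Whether to insist on the UV flag is a deployment decision; for federal phishing-resistant MFA it is normally required.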

Research and Investments – AI and Cyber Defenses

Section 6 of the Executive Order directs various research and investments into the use of AI for cyber defense. In particular, the Department of Energy (DOE), the Department of Defense (DOD), and the Department of Homeland Security (DHS) are to launch a pilot program with the private sector to enhance the use of AI for defense of critical energy infrastructure against cyber threats.

Push Toward Digital Identity

Section 5 of the Executive Order encourages the acceptance of digital identity documents to grant access to public benefits programs as a way to combat fraud against those programs and taxpayers.

Combatting Significant Malicious Cyber-Enabled Activities

Section 9 of the Executive Order builds on three prior executive orders that enabled the Department of the Treasury (Treasury) to sanction foreign actors involved in "malicious cyber-enabled activities" against the United States. The first two of those executive orders were issued by President Obama and the third by President Trump, illustrating the relatively bipartisan consensus that has formed around defending the nation from foreign cyber threats. The Executive Order specifically amends the 2015 Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" (EO 13694). Treasury recently invoked EO 13694 in connection with the attacks by Salt Typhoon, sanctioning one individual and one company based in China for their involvement in the attacks.

The Executive Order amends EO 13694 by:

  • Removing qualifiers like "significant" and "significantly" from numerous provisions, thereby empowering Treasury to act against a broader range of activities. For example, EO 13694 previously empowered Treasury to sanction parties involved in "significantly compromising" a computer network or in "significant misappropriation." Now, Treasury may act against parties involved in any "compromis[e]" of a computer network or in any "misappropriation" of funds.
  • Adding new grounds for Treasury to act under EO 13694, including:
    • Misappropriation of intellectual property or business confidential information;
    • Misappropriation of personal identifiers or financial information for commercial advantage or financial gain;
    • Tampering or interfering with elections;
    • Engaging in a ransomware attack; and
    • Gaining unauthorized access to computers or networks of the United States, U.S. persons or U.S. allies.

What Comes Next?

It is difficult to predict what will come out of this ambitious order under the Trump Administration. On the one hand, the Biden Administration and the prior Trump Administration shared many priorities and initiatives related to improving federal cybersecurity. If that remains the case under the new Trump Administration, much or all of the Executive Order's directives may move forward. On the other hand, the Executive Order calls for numerous agencies to undertake immediate and significant efforts to update guidance, issue new rules for federal contractors, and strengthen cybersecurity practices. This level of effort may be at odds with President Trump's priorities to cut regulation and reduce the federal workforce.

Moreover, the Executive Order's endowment of CISA with significant new responsibilities—including its central role in validating federal software providers' attestations and in coordinating agencies' cyber defenses—may run into Republican efforts to limit or even eliminate the agency. CISA, which was created in 2018 by a law signed by President Trump, has come under increasing criticism, including for a perceived inability to effectively share cyber threat intelligence and allegations of political bias in its election misinformation and disinformation efforts. During her confirmation hearing, the new DHS Secretary Kristi Noem also criticized CISA (which is part of DHS), stating that the agency must be "smaller" and "more nimble," and needs to move away from its election disinformation and misinformation work.

Initial skirmishes over the government's cybersecurity priorities are already underway. On President Trump's first day in office, DHS dismissed all members of DHS advisory boards, including the Cyber Safety Review Board (CSRB) and various other cybersecurity-focused boards. The CSRB, which was created by EO 14028 and is administered by CISA, had previously produced reports on major cyber incidents and threats, including the Log4Shell vulnerability, and was working on a report about the Salt Typhoon attacks at the time of the dismissals. At the same time, CISA employees have been told that they cannot accept the federal employee deferred resignation offer because their positions are related to national security, indicating that CISA will continue to have an important role in the new Trump Administration.

+++

DWT's information security team will continue to monitor implementation of the Executive Order and other initiatives to improve federal cybersecurity—particularly those with implications for federal cloud service providers and other federal contractors.

Jóna Mays is an attorney on the litigation team.*