- President Biden Introduces New Government Cybersecurity Requirements
- Third-party software providers must demonstrate compliance with new requirements
- The federal government must default to end-to-end encryption
In one of his final acts as President of the United States, Joe Biden signed an executive order aimed at strengthening America’s national cybersecurity.
The order provides for a series of controls and reviews on third-party software providers for government systems and critical infrastructure to ensure that they adhere to established cybersecurity standards and make active efforts to eradicate existing vulnerabilities.
The executive order posits that the People’s Republic of China is the primary threat to vulnerable networks, likely referring to numerous attacks on U.S. critical infrastructure in early 2024 by the Chinese state-sponsored Volt Typhoon group and the group’s subsequent attacks against American telecommunications networks.
New safety standards
“I am ordering additional actions to improve our nation’s cybersecurity, focusing on defending our digital infrastructure, securing the most critical services and capabilities in the digital domain, and strengthening our ability to address major threats,” President Biden’s order states.
It also builds on previous requirements outlined in the Nation’s Cybersecurity Improvement Executive Order of 2021 and implements stricter security controls on third-party vendors to ensure that “software providers that support critical government services follow the practices they attest to.”
Third-party providers will therefore need to frequently demonstrate that their software and supply chains are secure, with the contracting body informed of those that do not meet security requirements.
The federal government is also mandated to default to identity management software, phishing-resistant authentication, and end-to-end encrypted communications across DNS protocols, email, voice and video conferencing, and instant messaging.
Biden also seeks to address the future threat of cryptanalytically relevant quantum computers (CRQCs) which, when viable, will be capable of breaking many encryption algorithms used today. U.S. agencies will be required to adopt quantum-secure encryption methods authorized by the National Institute of Standards and Technology (NIST).