Biden’s final order on cybersecurity represents evolution, not revolution


Contributors:
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
Just days before leaving office, U.S. President Joe Biden issued an extensive executive order on cybersecurity, requiring over 50 separate agency actions with deadlines ranging from 30 days to three years. While much of the measure is directed inward, at improving the security of the federal government's own information and communications systems, the order also seeks to improve the broader ecosystem by raising standards for the commercial products and services the government procures.
Little, if anything, in the order is revolutionary. Instead, it aims to build on existing initiatives and drive progress on multiple fronts, including software security, cloud computing, digital identity, artificial intelligence and quantum computing.
On software security, developers selling to the federal government are already required, under a process launched by the Biden-Harris administration's first cybersecurity order in 2021, to attest that they follow certain secure software development practices. The new order goes a step further, directing that the Federal Acquisition Regulation be amended to require vendors to submit evidence, in the form of machine-readable attestations and supporting artifacts, that they are actually following those practices. Further, it tasks the Cybersecurity and Infrastructure Security Agency with validating the contractors' claims. And it directs the National Institute of Standards and Technology to produce one more revision of its Secure Software Development Framework (SP 800-218).
With respect to cloud computing, the order requires agencies to ensure their cloud service providers use hardware security modules, trusted execution environments or other isolation technologies to protect access tokens and cryptographic keys. This seems a direct response to the 2023 incident in which Chinese hackers obtained a Microsoft signing key and used it to forge authentication tokens, allowing them to compromise the cloud-based email accounts of senior U.S. officials.