FACT SHEET: Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity
Malicious countries and criminals continue to target the United States Government, corporations and individual Americans with cyberattacks. They disrupt critical services, businesses and individual lives, costing billions of dollars and harming national security. This capstone executive order is the result of a review of how these attacks occurred, to understand how to better protect and secure these systems, stay ahead of threats, and make it riskier, costlier and harder for cyber attackers to conduct future attacks.
The United States stands alone among major economies in lacking secure, privacy-preserving digital identity infrastructure, leaving Americans exposed to a wave of cybercrime. Indeed, Americans face $56 billion in identity fraud every year and the U.S. Government confronts billions of dollars in fraud in Federal programs due to the lack of secure, usable digital identities. The Executive Order addresses this problem, making Federal programs more efficient, cutting bureaucracy and fraud, helping Americans be safe online, and promoting America's digital economy.
Defending against cyber attackers requires rapidly deploying new technologies. The Executive Order addresses this challenge by promoting the use of new AI-based tools for cyber defense and accelerating the transition to "post-quantum cryptographic" algorithms to resist attacks leveraging quantum computing capabilities.
Specific initiatives within the Executive Order include those outlined below:
Making Sanctions More Effective to Punish Cyber Attackers, including Ransomware Attackers
The Executive Order improves the U.S. Government's ability to use sanctions to punish cyber attackers. It amends cyber sanctions authorities to be more responsive to today's threats, notably sophisticated ransomware attackers targeting Americans, hospitals and businesses.
Making Software More Secure – for Americans, Companies and the Federal Government
Russia and China conduct cyber attacks by exploiting numerous vulnerabilities in the software Americans use every day. This Executive Order puts $100 billion of annual government procurement of IT to work by driving companies to build more secure software benefiting all Americans, through the following actions:
- Requires software vendors to the U.S. Government to provide proof that they are using secure development practices to develop software.
- Establishes Federal initiatives to validate those proofs and publish the validation results to allow private sector buyers of technology to also benefit from knowing which vendors use secure software development practices.
- Requires the National Institute of Standards and Technology (NIST) to develop guidance for how to securely and reliably deploy software updates to better prevent future cyber incidents.
- Requires the General Services Administration (GSA) to develop policy driving cloud companies to clearly spell out how customers can secure their use of cloud products, making it easier for agencies and companies to safely use the cloud.
Combatting Billions of Dollars in Cybercrime and Keeping Americans Secure Online
The U.S. economy endures tens of billions of dollars in losses to cyber-enabled fraud and cybercrime every year. Massive data breaches and the lack of robust digital identity infrastructure have made it easy for cybercriminals to purchase stolen identity information online and exploit Americans through identity theft. Artificial Intelligence accelerates this trend.
Americans currently lack a secure way to transact online using a government-issued digital ID with attendant privacy and civil liberties protections. Digital identities enable more efficient, trusted digital services and commerce across digital economies while still protecting citizens' sensitive data.
This Executive Order accelerates the rollout of private-sector technologies to make the U.S. Government more efficient and reduce fraud, protects Americans from cyber-enabled crimes, and advances America's digital economy through the following actions:
- Promotes privacy-preserving digital identity documents, like mobile driver's licenses, and verification systems to better protect Americans and reduce identity fraud.
- Launches an early-warning fraud pilot to alert Americans of potential fraudulent claims of their public benefits and payments.
Promoting Security with and in Artificial Intelligence (AI)
The Executive Order launches innovative agency efforts to accelerate development and use of AI for cyber defense through the following actions:
- Launches a public/private partnership to use AI for cyber defense of critical infrastructure in the energy sector, one of the sectors where cyber attacks could affect Americans' day-to-day lives.
- Directs research and development of AI-based cybersecurity tools and techniques, including in vulnerability discovery, threat detection, and patch management, and enables AI security incident and vulnerability reporting.
Reducing Bureaucracy and Waste in Government Cybersecurity
The Federal Government must reduce bureaucracy in cybersecurity policy and procurement and make our cybersecurity more efficient. The Executive Order achieves this through the following actions:
- Cuts bureaucracy and simplifies cybersecurity requirements for Federal information systems over the next three years.
- Identifies a minimum set of widely used cybersecurity practices, which will be required for all companies doing business with the Federal Government.
Keeping American Consumers Safe
The Cyber Trust Mark program gives Americans an easy way to see whether consumer products, like baby monitors and home security systems, are cybersecure. To incentivize companies to build more secure, connected devices and keep Americans safe from malicious hackers, the U.S. Government will buy only Cyber Trust Mark labeled devices beginning in 2027.
Improving Security of Federal Systems
In the President's first Cyber Executive Order, Federal agencies were required to implement five high-impact cybersecurity practices to defend against cyber attacks. Now, the U.S. Government must also implement centralized visibility and threat hunting, to quickly identify and mitigate threats across all Federal networks.
Federal networks are frequently targeted by sophisticated hackers. The U.S. Government must improve the security of its own communications, including protections of data routed across Federal systems and the Internet, to protect them from well-resourced, sophisticated threat actors.
The Executive Order improves the cybersecurity of U.S. Government systems through the following actions:
- Advances the use of modern phishing-resistant authentication technologies in Federal agencies.
- Enables government-wide visibility of attacker activity by CISA and sharing of actionable threat information to better defend Federal and private sector networks.
- Requires Federal users to use end-to-end encryption to protect Federal communications, including email and videoconferencing, so that Federal network users can communicate with each other securely.
Defending against Threats to Space Systems
Russia's attack on Ukraine's commercially provided military satellite communications systems the evening before it invaded Ukraine demonstrated the devastating impact that disruption of space infrastructure can bring. Cybersecurity threats to space systems have risen dramatically, threatening global critical infrastructure and communications. Space-based systems support everything from internet connections for homes to global military operations. Their disruption can bring global commerce to a halt and seriously impact national security.
To further protect space systems and the supporting digital infrastructure vital to our national and economic security from cyber attacks, this Executive Order directs the following actions:
- Develops new cybersecurity contract requirements for agency-procured space systems, including protection of command-and-control systems and the use of secure hardware and software development practices.
- Requires the National Cyber Director to inventory space ground systems and develop recommendations for improving their cyber defenses.
Promoting Adoption of Post-Quantum Technologies
Although the timeline for achieving a large-scale quantum computer is still uncertain, a quantum computer of sufficient size and sophistication will be able to break the public-key cryptosystems currently in use, allowing an attacker to decrypt encrypted communications and impersonate users and servers. In August of 2024, NIST standardized new post-quantum cryptographic (PQC) algorithms which are designed to resist attack by quantum computers. This Executive Order accelerates the transition of Federal cryptographic systems to use PQC through the following actions:
- Requires agencies to enable quantum-resistant key establishment within their existing networks, protecting government communications from being recorded now for decryption once a cryptographically relevant quantum computer (CRQC) exists.
- Identifies PQC-capable products and requires that agencies purchase them once they become widely available, protecting the U.S. Government and helping grow the global market for post-quantum technologies.
Joseph R. Biden, Jr., FACT SHEET: Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity Online by Gerhard Peters and John T. Woolley, The American Presidency Project https://www.presidency.ucsb.edu/node/375846