- President Biden introduces new government cybersecurity requirements
- Third-party software providers must demonstrate compliance with new requirements
- The federal government must use end-to-end encryption by default
In one of his last acts as President of the United States, Joe Biden has signed an executive order aimed at strengthening America’s national cyber security.
The order sets out a series of controls and reviews of third-party software providers for both government systems and critical infrastructure to ensure they adhere to established cybersecurity standards and make active efforts to root out existing vulnerabilities.
The executive order claims that the People’s Republic of China is the biggest threat to vulnerable networks, likely referring to several attacks against US critical infrastructure in early 2024 by the Chinese state-sponsored Volt Typhoon group, and subsequent attacks against US telecommunications networks by the group.
New safety standards
“I am ordering additional actions to improve our nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most critical to the digital domain, and building our ability to address key threats,” President Biden’s order said.
It also builds on previous requirements set out in the 2021 Improving the Nation’s Cybersecurity Executive Order and implements greater security checks on third-party providers to ensure that “software providers that support critical government services follow the practices that they certify.”
Third-party providers will therefore need to frequently demonstrate that their software and supply chains are secure, and the contracting authority will be notified of those that do not meet security requirements.
The federal government is also mandated to adopt identity management software, phishing-resistant authentication, and end-to-end encrypted communications as standard across DNS protocols, email, voice and video conferencing, and instant messaging.
Biden also looks to address the future threat of cryptanalytically relevant quantum computers (CRQC), which, once viable, will be able to break many of the encryption algorithms used today. US agencies will be required to adopt quantum-safe encryption methods approved by the National Institute of Standards and Technology (NIST).