- President Biden introduces new government cybersecurity requirements.
- Third-party software providers must demonstrate compliance with the new requirements.
- Federal government must use end-to-end encryption by default.
In one of his last acts as president of the United States, Joe Biden has signed an executive order aimed at strengthening American national cybersecurity.
The order establishes a series of controls and reviews of third-party software providers for both government systems and critical infrastructure to ensure that they meet established cybersecurity standards and make active efforts to eradicate existing vulnerabilities.
The executive order identifies the People’s Republic of China as the primary threat to vulnerable networks, and likely references the numerous attacks on critical US infrastructure in early 2024 by the Chinese state-sponsored group Volt Typhoon, as well as the subsequent intrusions into US telecommunications networks attributed to Chinese state-backed actors.
New security standards
“I am ordering additional actions to improve our nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capacity to address key threats,” President Biden’s order said.
It also builds on previous requirements set forth in the Executive Order to Improve the Nation’s Cybersecurity of 2021 and implements greater security controls on third-party vendors to ensure that “software vendors that support critical government services follow attesting practices.”
Third-party vendors will therefore need to provide frequent demonstrations that their software and supply chains are secure, and the contracting agency will be notified if they fail to meet security requirements.
The federal government is also mandated to adopt identity management tooling and phishing-resistant authentication, to support encrypted DNS protocols and encrypt email in transit, and to enable end-to-end encryption by default for voice and video conferencing and instant messaging.
Biden also seeks to address the future threat of cryptanalytically relevant quantum computers (CRQCs) which, once viable, would be able to break the public-key encryption and signature algorithms in widespread use today. US agencies will be required to adopt quantum-safe (post-quantum) cryptographic algorithms standardized by the National Institute of Standards and Technology (NIST).