From AI to FedRAMP: 5 agency takeaways from Biden’s cyber executive order
The Biden White House’s last-minute flurry of tech policy activity continued Thursday with the release of the president’s long-awaited executive order on cybersecurity, a bookend to his 2021 EO that dictates agency action on everything from securing federal systems to addressing artificial intelligence-fueled risks.
A CyberScoop story published Monday based on a draft of the order obtained by reporters broke down the broad strokes of the document, including sections on combatting cybercrime and fraud and establishing minimum cybersecurity requirements for the private sector.
For IT, cybersecurity, data and AI officials across the federal government, there are myriad callouts throughout the document that will have a substantial impact on their work going forward, depending on how the incoming Trump administration decides to move forward with it. Here are five agency-specific takeaways from the order:
1. Software acquisition practices will change
President Joe Biden’s first executive order on cybersecurity called for the development of guidance on secure software development practices and required agencies to exclusively use software from manufacturers that attested to following those practices.
In reality, some federal government software providers made commitments to abide by that guidance, but then wouldn’t fix exploitable — and well-known — vulnerabilities in their products. The new order from Biden seeks to address that disconnect by requiring the Office of Management and Budget director to team with the heads of the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency on new contract language for software providers that would be submitted to the Federal Acquisition Regulatory Council.
The updated language would require software manufacturers selling to the federal government to submit machine-readable secure software development attestations, along with high-level artifacts to validate those attestations, via CISA’s Repository for Software Attestation and Artifacts. The software makers would also be required to provide a list of Federal Civilian Executive Branch agency customers. The FAR Council would have 120 days to review the recommended language and then implement a final rule.
2. Strengthening open-source software security
The use of open-source software by federal agencies has long been an area of concern for cybersecurity experts. CISA’s Joint Cyber Defense Collaborative in 2023 released guidance to address the private-sector side of that equation, while Sens. Gary Peters, D-Mich., and Josh Hawley, R-Mo., introduced legislation that year targeting agencies’ open-source software usage.
The Peters-Hawley bill, which was largely in response to the Log4j vulnerability, didn’t make it out of the Senate. But the Biden order picks up some of the pieces, directing CISA, OMB, the General Services Administration and other relevant agency leaders to issue joint recommendations on best practices for open-source software projects.
The recommendations to agencies would also cover the use of security assessments and the patching of open-source software.
3. FedRAMP ramp up
2024 was a year of major change for FedRAMP, which welcomed a new director, unveiled a roadmap for modernization and issued much-anticipated guidance for agencies and cloud services providers meant to transform the compliance program into a “security-first” operation.
Biden’s order takes those developments another step, calling on the GSA administrator and top NIST and CISA officials to create incentive-laden guidelines for cloud service providers in the FedRAMP marketplace.
Those guidelines would incentivize or require CSPs to “produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems,” the order said, adding that the approach is intended to better secure federal data based on agency requirements.
4. AI’s time to shine
It wouldn’t be a government-issued policy document in the year 2025 without a section covering artificial intelligence. Biden’s EO meets this mark with a provision on promoting security through AI, a technology that the order says “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.”
The federal government is tasked with accelerating the development and deployment of AI and with exploring the ways it can bolster cybersecurity protection for critical infrastructure. It also calls for the prioritization of research “at the intersection of AI and cybersecurity.”
Specific requirements in the AI section include a pilot program to leverage AI in the cyber defenses of the energy sector, multi-agency coordination on the development of large-scale datasets that facilitate cyber defense research, and additional efforts tied to the design of secure AI systems and the security of AI coding assistance.
5. Teeing up Treasury
Fresh off the release of a report last month that detailed the ways in which AI could mitigate risks in the financial sector, the Treasury Department is given directions in the order for additional tech-centric security work.
The Treasury secretary will team with the GSA administrator on a pilot program that would leverage technology to flag individuals and entities when their personal information is used to request a payment from a public benefits program. The pilot would also explore ways that people and companies could stop “potentially fraudulent transactions before they occur” and alert law enforcement accordingly.
The pilot would essentially be a continuation of Treasury’s work over the past year with AI and cybersecurity. Todd Conklin, the agency’s chief AI officer and deputy assistant secretary for the Office of Cybersecurity and Critical Infrastructure Protection, said in April that he’d seen a “significant reduction” in fraud at some of the country’s largest financial institutions thanks to AI.