Navigating the Aggressive Scope of the New Cybersecurity Executive Order

February 11, 2025

On January 16, 2025, the White House released a new Executive Order (EO), titled “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity”. If you have not read it, the full text is published on the White House website under that title.

As I read this, two things resonated with me. The first is how aggressive, and the second is how broad, this Executive Order really is. My feeling is that this represents years of effort from this administration and those before it to improve cybersecurity without really achieving the desired outcomes. Over many years we have seen the Government transition from encouraging better cybersecurity to regulating it. While the executive branch’s powers are limited, this EO uses just about every tool in its toolbox to change the cybersecurity status quo.

Before I go further, we should acknowledge that we don’t know what the incoming administration will do regarding this specific Executive Order. It could leave it standing, change it, or pull it outright. Until we have some insight into the longevity of this EO, there is a level of uncertainty about whether any of the provisions I cover here will be enforced.

Overall, there are ten sections to the EO, with six being the most relevant to commercial companies:

  • Section 2. Operationalizing Transparency and Security in Third-Party Supply Chains
  • Section 3. Improving the Cybersecurity of Federal Systems
  • Section 4. Securing Federal Communications
  • Section 5. Solutions to Combat Cybercrime and Fraud
  • Section 6. Promoting Security with and in Artificial Intelligence
  • Section 7. Aligning Policy to Practice

While the scope of the EO is limited to what the executive branch can do, the US Federal Government is the world’s largest IT buyer, so much of this EO will impact a significant number of commercial software providers simply because they sell their products to the US Government. What I’d like to do now is step through some of the major impacts we might see coming out of this EO, assuming it remains as written today. I’m going to focus on the impact to commercial companies.

Section 2. Operationalizing Transparency and Security in Third-Party Supply Chains

The EO directs an update to the Federal Acquisition Regulations (FAR) that will require federal contractors (with some exceptions) to legally attest that the development of the software within their product meets NIST SP 800-218, Secure Software Development Framework (SSDF). Elements of this have been in place since earlier in 2024, but this will expand that requirement and have the attestations collected by the Cybersecurity and Infrastructure Security Agency (CISA). For those that have read the SSDF, it was written as a guide and not as something that is objectively measurable. Therefore, the EO directs an update to the SSDF, and I’d expect it to read more like NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, which is inherently more auditable.

So, what does this mean? As structured, this will impact commercial companies beyond just their eligibility to sell software to the Government. It requires CISA to publish the results publicly. I can easily see this becoming part of most companies’ Vendor Risk Management (VRM) processes, and thus making compliance with the SSDF a competitive advantage.

Additionally, the EO directs an update to NIST SP 800-53 to include guidance on the deployment of patches and updates. This will end up impacting multiple compliance frameworks that build on 800-53, such as FedRAMP.

Section 2 also requires federal agencies to comply with NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Depending on how this is implemented, we can expect additional contract requirements regarding supply chain security and reporting to be levied on Government contractors.

Finally, Section 2 vaguely addresses the security of open-source software, requiring federal agencies to perform security assessments and patching of the open-source software they use. It is probably too early to tell what this really means for the open-source components within commercial products, if it means anything.

Section 3. Improving the Cybersecurity of Federal Systems

Section 3 focuses on improvements within federal networks and doesn’t directly impact most commercial companies. However, it will likely drive additional cybersecurity procurements, specifically in Endpoint Detection and Response (EDR).

However, if you happen to be a FedRAMP authorized service provider, this section does have some impact. It requires FedRAMP service providers to develop a product baseline with specifications and recommendations for agency configuration. It is uncertain whether this will result in another deliverable under the FedRAMP program, or whether it will be implemented via specific agency contracts.

If you happen to work in the space industry, this section does drive some changes: an update to the existing cybersecurity regulations and the relevant contractual language. The focus appears to be preventing an adversary from spoofing satellite commands and improving the space software supply chain.

Section 4. Securing Federal Communications

Section 4 will result in updated contract language requiring internet service providers to adopt and deploy internet routing security technologies. The goal here is to address some of the weaknesses within the Border Gateway Protocol (BGP). If successful, this has the potential to address those BGP weaknesses globally, especially if the required changes are deployed throughout the Internet Service Providers’ (ISPs’) networks and not only on the networks dedicated to the federal government.

End-to-End (E2E) encryption is a key security safeguard for conferencing and instant messaging. The EO takes steps to require conferencing and instant messaging products to adopt E2E encryption. Given that the government uses commercially produced conferencing and instant messaging products, this is likely to improve the security of those products at a minimum, and it has the possibility of setting a new standard across the industry. The EO can’t mandate this for all products sold in the US, but it can make E2E encryption a requirement for purchase by the federal government.

Finally, Section 4 goes into encryption and quantum encryption. This will likely impact those companies that produce encryption modules or are developing quantum computing. Most of this section covers improving the handling of encryption keys and will, at a minimum, impact FedRAMP service providers.

Section 5. Solutions to Combat Cybercrime and Fraud

This section is perhaps one of the most interesting and impactful. The goal here is to enable digital identifications within the US, and to allow citizens to use those digital identifications when engaging with the federal government. The purpose is to make identity theft much harder, although there are likely many other implications depending on how this is implemented.

I can easily imagine this leading to multiple commercial products and industries also accepting these digital identifications.

Section 6. Promoting Security with and in Artificial Intelligence

Artificial Intelligence (AI) is all the rage, and there are no signs of it slowing down anytime soon. Section 6 acknowledges this and directs the federal government to implement AI for cyber defense. This will certainly add pressure on commercial cybersecurity software providers to incorporate AI into their products. If we can get to a place where AI takes much of the load off the security analyst within a Security Operations Center (SOC), it will be a huge win for both the government and the commercial clients of these AI-enabled SOC tools.

This effort is supported through the prioritization of related research, including the design of secure AI systems. This research may help a broad range of companies that are investing in AI.

Section 7. Aligning Policy to Practice

Section 7 of the EO impacts commercial companies primarily in two ways. The first is that it proposes updates to the FAR that require federal contractors to meet minimum cybersecurity requirements, which are to be developed in collaboration between the government, industry, international standards bodies, and other stakeholders.

My take is that the government wants a more meaningful international cybersecurity standard than exists today, and once that standard is developed, it will leverage it. If they are successful in building a new cybersecurity standard that isn’t overly “federal”, it has the potential for global impact if enterprise customers start requiring that standard to be met in their procurement processes. Frankly, this would be great for federal contractors, as it would unify the requirements instead of having different commercial and federal cybersecurity standards.

Finally, Section 7 would require all Internet-of-Things (IoT) vendors to the US government to carry the US Cyber Trust Mark labeling by January of 2027.

Summary

As previously stated, this Executive Order is both aggressive and broad. As I read through it, I can feel the stress the US Government is under in attempting to move the needle on improving cybersecurity, especially within the executive branch. As with all EOs, it is limited to what can be done within the executive branch.

Companies that sell software to the federal government will be impacted by the outcomes of this EO, just as they are impacted by every federal regulation that applies to them. However, improving secure development practices, addressing BGP weaknesses, new cybersecurity standards, and enabling AI within cyber defense are likely to have an impact well beyond the federal government and its contractors.

With only days until a new administration comes into power, there are significant uncertainties about the future of the directives within this and every other EO. We will keep watching to see what changes, if any, the new administration makes to this EO. Once those are understood, the true impact of this EO will become much clearer.

John Allison
Sr. Director of Federal Advisory Services | Optiv + ClearShark
John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center to the cloud and the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.

Part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.