Outgoing Biden Administration Issues Sweeping Executive Order on AI-Driven Cybersecurity and Supply Chain Transparency

Biden's executive order pushes for AI-driven cybersecurity, software supply chain transparency, and stronger protections for federal and open source systems.

Sarah Gooding

January 21, 2025


Executive orders have been flying off the pen in recent weeks, including a significant one focused on strengthening US cybersecurity infrastructure. In the final days of his administration, President Joe Biden issued a comprehensive executive order titled "Strengthening and Promoting Innovation in the Nation’s Cybersecurity."

Signed on January 16, 2025, this directive introduces new measures to improve transparency in software supply chains, promote secure development practices, integrate AI into cybersecurity defenses, and prepare for threats posed by advanced technologies like quantum computing. The order is aimed at government agencies and contracted software providers, but offers a glimpse into the government’s priorities for advancing cybersecurity innovations.

After the administration change, the original document is now only available via the Internet Archive. It cites adversarial countries and criminals, including the People’s Republic of China as the most active and persistent threat to the US government, private sector, and critical infrastructure networks, as the impetus for the order. These malicious campaigns disrupt critical services and “cost billions of dollars, and undermine Americans’ security and privacy.”

A Push to Operationalize Secure Software Supply Chains

Agencies are directed to enforce stricter requirements for software providers, ensuring secure development practices and the submission of attestations to the Cybersecurity and Infrastructure Security Agency (CISA). The order frames the problem in terms of both software vulnerabilities and malicious cyber incidents:

Operationalizing Transparency and Security in Third-Party Software Supply Chains. (a) The Federal Government and our Nation’s critical infrastructure rely on software providers. Yet insecure software remains a challenge for both providers and users and makes Federal Government and critical infrastructure systems vulnerable to malicious cyber incidents. The Federal Government must continue to adopt secure software acquisition practices and take steps so that software providers use secure software development practices to reduce the number and severity of vulnerabilities in software they produce.

Within 30 days, the Director of OMB, in collaboration with NIST and CISA, must propose rules requiring software providers to:

  1. Submit secure software attestations in machine-readable format.
  2. Provide supporting evidence to validate those attestations.
  3. List their federal agency customers.

These submissions will go to CISA’s software repository for oversight.

AI-Powered Cyber Defense

Federal agencies are tasked with integrating AI models into cyber defense strategies, launching pilot programs for critical infrastructure, and promoting security with and in artificial intelligence:

Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.

The order sets timelines for each of the initiatives, including 150 days for the Departments of Commerce, Energy, and Homeland Security, and the National Science Foundation, to prioritize research on:

  1. Enhancing human-AI collaboration for cyber defense.
  2. Securing AI coding tools and AI-generated code.
  3. Developing methods for building secure AI systems.
  4. Improving strategies for preventing and responding to AI-related cyber incidents.

Bolstering Open Source Software Security

In recognition of the critical role open source software plays in federal information systems, the government is also making key recommendations to guide agencies on managing and contributing to these ecosystems.

To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software.

Within 120 days, the Secretary of Homeland Security (via CISA) and the Director of OMB are expected to provide recommendations to federal agencies, covering the following:

  • How to assess the security of open source software.
  • Best practices for patching vulnerabilities in open source software.
  • Guidelines for contributing safely to open source projects.

This wide-ranging order covers a number of other federal security concerns, including cybersecurity threats in space, the transition to post-quantum cryptography, and initiatives to strengthen federal systems and communications.

Implications and Future Considerations

The issuance of this executive order just days before the transition to President Donald Trump's administration raises questions about its future implementation. While cybersecurity has traditionally garnered bipartisan support, the incoming administration may choose to review, modify, or rescind the order based on its policy priorities. Deputy National Security Adviser Anne Neuberger expressed optimism in an interview with AP News, stating that the order's objectives of strengthening cybersecurity and holding malicious actors accountable should resonate across party lines.

For organizations and cybersecurity professionals, the order signals a clear direction: compliance with higher standards, leveraging emerging technologies like AI, and preparing for quantum resilience are no longer optional but necessary for navigating the future of digital security.
