Highlights And Implications Of Biden’s Executive Order On Strengthening And Promoting Innovation In The Nation’s Cybersecurity

Building on the 2021 Executive Order on Improving the Nation’s Cybersecurity, former US President Joe Biden’s 2025 Executive Order (EO) 14144 puts forth additional actions for strengthening security, improving accountability for software and cloud service providers, and promoting innovation, including use of emerging technologies.

In this blog, we’ll break down the key topics and technology areas of this latest cybersecurity executive order, highlighting the good that will come from it as well as other implications.

Raising The Bar Once More For Third-Party Software Supply Chains

What’s good: This EO pushes for the Federal Acquisition Regulation (FAR) to update contract language as a risk management tool. It requires software providers to submit machine-readable secure software development attestations, high-level artifacts to validate those attestations, and a list of the providers’ Federal Civilian Executive Branch (FCEB) agency software customers. It sets a higher bar by updating attestations to address both the delivery and the security of software and to make them machine-readable, by removing agency discretion over collecting evidence, and by centralizing attestation verification and artifact validation at the Cybersecurity and Infrastructure Security Agency (CISA). Notably, it recommends “[referring] attestations that fail validation to the Attorney General for action as appropriate,” which aligns with the National Cybersecurity Strategy’s aim of holding accountable providers that fail to adhere to secure development practices. This will give federal agencies the processes, tools, and resources necessary to ensure supplier submission and conformity. For suppliers, the establishment of common procurement standards reduces the ambiguity of expectations, minimizes the duplication of effort to attest, and provides a more efficient process.

Forrester’s take: Federal agencies should assess their progress in adopting cybersecurity risk management practices in compliance with the National Institute of Standards and Technology’s (NIST) SP 800-161 Revision 1 before the Office of Management and Budget (OMB) begins requesting progress reports. Agencies should watch for updates to NIST Special Publication (SP) 800-161 on how to securely and reliably deploy patches and updates as well as guidance on management of open-source software usage. Software providers should look out for updates to the NIST Secure Software Development Framework (SSDF), modifications to the attestation form, and methods to automate the attestation. Providers should also keep an eye out for the enumeration of “high-level artifacts to validate those attestations,” with a software bill of materials (SBOM) being the most likely evidence to be required.

A Focus On EDR And Enabling Threat Hunting And Response Capabilities

What’s good: The EO prioritizes use of endpoint detection and response (EDR) controls to enable CISA’s hunting and response capabilities in FCEB agencies. It also gives CISA latitude in specifying what qualifies as timely access to and completeness of data for threat hunting and response, and it requires CISA to provide advance notice of if and when it accesses FCEB systems. The EO also emphasizes use of phishing-resistant authentication and standards like WebAuthn, and it requires configuration baselines for cloud-based systems from cloud service providers in the FedRAMP Marketplace to improve the cybersecurity of federal systems overall.

Forrester’s take: FCEB participation in the working groups is fundamental to ensure that the EDR technologies that CISA supports include those implemented by each agency. This helps determine what “timely access to required data” and “completeness” of data should mean when agencies deliver data to CISA for hunting and response, and it establishes use cases for administrative accommodation on restricted data access. FCEB agencies should now start preparing a comprehensive and continually updated list of systems, endpoints, and datasets that need more controls, have data access restrictions, or require periods of nondisruption. Cloud service providers can be proactive in recommending baselines, such as checking for insecure configurations and detecting and remediating configuration drift.

A First Acknowledgement Of Defending Against Threats To Space Systems

What’s good: While the White House has not officially designated space systems as critical infrastructure, this EO is the first to acknowledge that space systems must be protected as if they were. Space systems’ roles in supporting critical infrastructure and services such as global commerce, health, communication, and national security make them key targets for attack. The EO sets requirements for FCEB agencies that deploy, operate, and maintain space systems to enhance the security of communications between ground and in-orbit systems. It directs the FAR Council to develop new cybersecurity contract requirements for agency-procured civil space systems that follow NIST SSDF best practices and bring space systems into agencies’ existing continuous risk assessment requirements. The EO also requires the National Cyber Director to create the government’s first inventory of space ground systems to support a national study on recommendations to improve civil space cyber defenses.

Forrester’s take: A governmentwide inventory will be difficult to achieve. While FCEB agencies are already required to report all federal information systems to CISA, the federal definition of an “information system” and the unique category of “space system” are not exactly the same, making it potentially difficult for agencies to meet the deadlines. Additionally, the government has historically left civil space system cybersecurity up to global standards bodies, with NIST only recently publishing space-related guidance for ground and satellite systems. This creates an opportunity for the private sector to influence best practices and standards going forward as threats and the technologies that comprise space systems evolve. FCEB agencies should not wait for FAR-mandated requirements and should begin evaluating their existing contracts to ensure that minimum SSDF best practices are already in place.

The Prioritization Of Advancing Cryptographic Infrastructure: E2EE, PQC, And Key Protection

What’s good: The EO takes a holistic view of securing communications from internet routing, DNS traffic, and email messages to end-to-end encryption (E2EE) for modern communications such as voice- and videoconferencing and instant messages. It stresses continued urgency and action for quantum security and the migration to usage of post-quantum cryptographic (PQC) algorithms and measures to protect cryptographic keys, in particular with a call to take advantage of commercial security technologies like hardware security modules (HSMs), trusted execution environments (TEEs), and other isolation technologies to do so. There is specific mention of requirements to support TLS 1.3 or a successor version. Cloud services providers should also note updates to FedRAMP requirements concerning cryptographic key management security practices stemming from this EO.

Forrester’s take: The call to create a list of product categories in which products support PQC will help spur more technology market momentum in this area. For encryption in general, the devil is in the details. Some older systems might still require backward compatibility with older encryption protocols, slowing implementation of TLS 1.3, let alone a successor version. Additionally, end-to-end encryption of messages and of voice and video calls is not currently enabled by default in Microsoft Teams, though communication is still encrypted via standard protocols like Secure Real-Time Transport Protocol (SRTP) and Datagram Transport Layer Security (DTLS). Agencies using Teams must enable end-to-end encryption, which requires purchase of Teams Premium by both sending and receiving parties. Secure communications solutions have an advantage here, with end-to-end encryption as a default, faster time to implementation of PQC within their solutions, and the ability to retain communications for record management.

Reinforcing Core Measures To Secure Internet Routing

What’s good: The EO emphasizes enhancing the security of Border Gateway Protocol (BGP). BGP is vital for internet routing but is also susceptible to attacks, including route hijacking and route leaks. This became evident with major incidents, including the 2008 YouTube incident and, more recently, the 2021 Vodafone route leak, which resulted in major disruptions impacting US companies. By mandating that NIST publish updated guidance on the deployment of operationally viable BGP security methods such as Resource Public Key Infrastructure (RPKI), the EO positions agencies to bolster the security and resilience of federal government networks and service providers. The goal is to ensure that internet routing is more secure and less susceptible to malicious attacks or misconfigurations.

Forrester’s take: Even before the publication of this EO, the White House, Department of Justice, and Department of Defense were already in talks to explore solutions to mitigate the inherent risks of BGP. NIST published the initial draft for its revision to SP 800-189 and has opened it up for public comment until February 25, 2025. FCEB agencies should expect the need for infrastructure and software updates, as well as training stemming from updated NIST guidance on BGP security. Additionally, the IP space in the US that is managed by the American Registry for Internet Numbers (ARIN) is not only larger when compared to other regions but also older. Adoption of mechanisms such as RPKI has been slow, particularly in FCEB agencies, but should increase now that it will become mandated.
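To make the RPKI mechanism the EO and the NIST guidance point to concrete, here is an added example that is not part of the Forrester post, the EO, or NIST SP 800-189: a Python implementation of route origin validation as specified in RFC 6811, run over a constructed set of Route Origin Authorizations (ROAs). It goes a little beyond the text by showing the general algorithm, including maxLength handling and an AS0 ROA. All prefixes are documentation ranges (RFC 5737, RFC 3849) and all AS numbers are from the private range or AS0; the ROAs and announcements are constructed sample data, not real routing-table contents. A router or validator applying the resulting state is what stops the origin-mismatch and more-specific-than-authorized patterns behind the hijacks and leaks mentioned above.

```python
"""RFC 6811 Route Origin Validation over a constructed ROA set.

Added example, not code from the Forrester post, the EO, or NIST.
Sample ROAs and announcements are constructed (documentation prefixes,
private AS numbers) and do not reflect any real network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A validated ROA: origin_asn may originate prefix and any
    more-specific prefix down to max_length bits."""
    prefix: IPNetwork
    origin_asn: int
    max_length: int


def make_roa(prefix: str, origin_asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA, defaulting maxLength to the prefix length (RFC 6482)."""
    net = ipaddress.ip_network(prefix, strict=True)
    max_len = net.prefixlen if max_length is None else max_length
    # maxLength must lie between the prefix length and the address size.
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_len} out of range for {net}")
    return ROA(net, origin_asn, max_len)


def _covers(roa: ROA, announced: IPNetwork) -> bool:
    # A ROA covers a route only in the same address family and only when
    # the announced prefix is equal to or more specific than the ROA prefix.
    return announced.version == roa.prefix.version and announced.subnet_of(roa.prefix)


def validate(roas: Sequence[ROA], prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 state for one announcement: Valid, Invalid, or NotFound.

    NotFound: no ROA covers the prefix (no one has registered it yet).
    Valid:    some covering ROA matches the origin AS and the announced
              length does not exceed that ROA's maxLength.
    Invalid:  covered, but no ROA matches (wrong origin, too specific, or
              an AS0 ROA that forbids any announcement).
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def route_policy(state: str) -> str:
    # Typical operator policy: drop Invalid, accept Valid, and still accept
    # NotFound (much of the table has no ROA) but at lower local preference.
    return {"Valid": "accept", "NotFound": "accept-lower-pref", "Invalid": "reject"}[state]


def evaluate_feed(roas: Sequence[ROA],
                  announcements: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, str, str]]:
    """Classify every (prefix, origin AS) announcement and attach the policy action."""
    return [(p, asn, validate(roas, p, asn), route_policy(validate(roas, p, asn)))
            for p, asn in announcements]


# Constructed ROA set (documentation prefixes, private ASNs, one AS0 ROA).
SAMPLE_ROAS: List[ROA] = [
    make_roa("192.0.2.0/24", 64500),                 # maxLength defaults to /24
    make_roa("198.51.100.0/24", 64501, max_length=26),
    make_roa("2001:db8::/32", 64502, max_length=48),
    make_roa("203.0.113.0/24", 0),                    # AS0: nobody may originate this
]

# Constructed announcements exercising each validation outcome.
SAMPLE_ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64500),       # Valid: registered holder
    ("192.0.2.0/24", 64666),       # Invalid: origin mismatch (hijack pattern)
    ("192.0.2.0/25", 64500),       # Invalid: more specific than maxLength
    ("198.51.100.64/26", 64501),   # Valid: within maxLength 26
    ("198.51.100.64/27", 64501),   # Invalid: /27 exceeds maxLength 26
    ("2001:db8:1::/48", 64502),    # Valid: IPv6 within maxLength 48
    ("203.0.113.0/24", 64503),     # Invalid: AS0 ROA forbids any origin
    ("10.0.0.0/8", 64500),         # NotFound: no covering ROA
]

if __name__ == "__main__":
    for prefix, asn, state, action in evaluate_feed(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:<20} AS{asn:<6} {state:<9} -> {action}")
```

The policy split matters in practice: rejecting Invalid routes is what protects against the mismatched-origin announcements, while NotFound must still be accepted during the adoption period the take above describes, which is why ROA coverage of an agency's own ARIN-managed space is the first step.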

Encouraging The Use Of Digital Identities To Combat Cybercrime And Fraud

What’s good: Given that stolen and synthetic identities are a top attack vector, the EO promotes the implementation and adoption of digital identity documents that adhere to key privacy principles and trust frameworks with privacy-preserving means to reduce identity fraud. By encouraging use of digital identity documents for access to public benefits programs, the EO seeks to create incentives for solution providers and to facilitate broad user adoption. Likewise, the EO encourages federal funding to states to boost more widespread issuance of mobile driver’s licenses.

Forrester’s take: The outcome of exploring grant funding to assist states in developing and issuing mobile driver’s licenses will be a key indicator for future digital identity technology adoption. In a best-case scenario, grant funding spurs investment by technology and service providers to deliver on the improved security and efficiencies that a digital identity technology can offer government and industry. Decentralized digital identity (DDID) technology is a foundational component, offering stronger identity security and fraud protections while also providing the opportunity to preserve user privacy and minimize data sharing, but the development of a digital identity ecosystem is a long-range goal that will face challenges, many outside the technical realm. The EO encourages a lot, but without a mandate requiring implementation and deployment, adoption of DDID will be prolonged.

A Comprehensive View Of Promoting Security With And In Artificial Intelligence

What’s good: The EO aims to accomplish something that many AI and cybersecurity practitioners often miss: securing AI as people use it for various tasks, and deploying AI within cybersecurity tools to improve how security practitioners do their jobs, because AI is a necessity in cybersecurity. The EO addresses these issues by:

  1. Launching an AI pilot program to use AI in cybersecurity within the energy sector, which will provide insights into how AI can help protect critical infrastructure.
  2. Creating AI models specific to cybersecurity tasks.
  3. Funding the creation of additional datasets to enhance AI cybersecurity.
  4. Funding additional AI research into making coding assistants more secure, secure AI system design, and cyber incident management in AI systems.
  5. Incorporating AI software vulnerabilities into existing vulnerability management programs and practices.

Forrester’s take: Each of these actions indicates that the outgoing administration understands facets of how AI and cybersecurity intersect with one another, but much of the work being performed here lays the groundwork for future improvements. For example, NIST and the National Science Foundation (NSF) creating cybersecurity datasets to train AI systems is a positive development. It’s unlikely, however, that this will directly benefit any enterprise organization. Instead, vendors and innovators will be able to use these datasets to improve their own products and services. It’s debatable whether datasets provided by the government will offer any benefit over what vendors have today.

A Vision For Aligning Policy To Practice And A Focus On Risk Management

What’s good: The callout for aligning policy to practice aims to set the foundation for operational efficiencies. Machine-readable versions of policy and guidance documents position FCEB agencies to implement and enforce them in a more streamlined fashion by leveraging what the public sector describes as a “rules as code” approach. This leads to more transparency and accountability within the public sector, as agencies will be better equipped to track and measure success toward outcomes such as adoption of Zero Trust architecture (ZTA). Also notable is the mention of addressing concentration risk of IT vendors and services and added actions to improve supply chain risk management, such as contractor requirements and the requirement of government vendors of consumer internet-of-things products to have a US Cyber Trust Mark label.

Forrester’s take: These are ambitious but necessary goals. The revision to OMB Circular A-130 will be a critical resource for guidance. Lessons learned from a pilot program for a rules-as-code approach will set the stage for reducing discrepancies between policy formulation and practical application to foster innovation. This helps automate compliance processes and promotes more adaptive and responsive cybersecurity practices. Tackling concentration risk is no easy feat, with multiple forces — from budget to technology requirements — standing to derail efforts. It will most critically require a complete and comprehensive mapping of the supply chain and subcontractors. New contractual language requiring attestation and artifacts will need to be harmonized across agencies and embedded in the procurement process.

The Clock Has Started

Generally, EOs direct heads of the federal government to act, with agency-level and policy-specific requirements coming in 30 days via official OMB memoranda. But stakeholders must not wait, as this EO will require a heavier lift than just updating policies and controls. This is especially relevant in areas such as third-party software supply chains if agencies are to meet its intent “to integrate cybersecurity supply chain risk management programs into enterprisewide risk management activities.”

Organize internally to gather data, anticipate actions, and prepare responses. The previous 2021 EO required substantial internal resources to address evolving requirements from the OMB and CISA. This 2025 EO will likely play out the same way.

Private-sector partners will also have a critical role in supporting departments and agencies by demonstrating their own commitment to the new cybersecurity requirements among the products and services that they provide to the government.

President Trump, however, may have other plans should his administration issue an executive order that supersedes this one or emphasizes different areas of focus in cybersecurity. Numerous prior executive orders were revoked on inauguration day, but this executive order on cybersecurity (EO 14144) was not one of them.