US President Joe Biden, left, and Antony Blinken, US secretary of state, speak on the ceasefire deal between Israel and Hamas, in the Cross Hall of the White House in Washington, DC, US, on Wednesday, Jan. 15, 2025. Israel and Hamas agreed to a ceasefire deal, bringing at least a temporary halt to the war in Gaza that has killed tens of thousands of people in the last 15 months and touched off broader turmoil across the Middle East.
Aaron Schwartz | Sipa | Bloomberg | Getty Images
The Biden administration on Thursday announced an executive order on cybersecurity that imposes new standards for companies selling to the U.S. government and calls for greater disclosure from software providers.
The White House is looking to put in place new rules “to strengthen America’s digital foundations,” Anne Neuberger, deputy national security advisor for cybersecurity and emerging technology, said in a briefing with reporters on Wednesday.
Cyberattacks have caused an increasing number of disruptions inside federal agencies and companies in recent years.
Attackers have pulled off ransomware attacks at Change Healthcare, the operator of the Colonial Pipeline and the Ascension health care system. And Microsoft said in 2023 that Chinese attackers had broken into U.S. government officials’ email accounts, prompting a critical federal report and a series of changes at the software maker.
Companies selling software to the U.S. government will have to demonstrate that their development practices are secure, according to a statement. There will be “evidence that we post on a government website for all software users to benefit from,” Neuberger said.
The General Services Administration will have to make policy that makes cloud providers provide information to clients on how to operate securely.
Companies selling products and services to the U.S. government must adhere to a new set of security practices as a result of the executive order.
Last week the White House announced the U.S. Cyber Trust Mark label to help consumers evaluate internet-connected devices. The executive order states that the U.S. government will only purchase such products if they carry the label, starting in 2027.
The order also directs the National Institute for Standards and Technology to come up with guidance for handling software updates. In late 2020, hackers gained access to Microsoft and U.S. Defense Department systems by targeting updates to SolarWinds‘ Orion software.
It’s not clear if President-elect Donald Trump’s new administration will uphold the executive order. Biden’s cybersecurity officials have not met with those who will take up the work for Trump.
“We haven’t discussed, but we are very happy to, as soon as the incoming cyber team is named, of course, have any discussions during this final transition period,” Neuberger said.
WATCH: Fmr. CISA Director Chris Krebs on cyberthreats: Expect an increase of offensive cyber activity
