By the authority granted to me as President under the Constitution and the laws of the United States, I hereby issue the following order:
Section 1. Policy
The United States continues to face persistent and increasingly sophisticated cyber threats targeting the public sector, private sector, and ultimately the security and privacy of the American people. It is imperative that the Federal Government enhance its capabilities to identify, deter, protect against, detect, and respond to these threats and their perpetrators. Additionally, thorough investigations of major cyber incidents must be conducted to extract valuable lessons for future prevention and response.
However, cybersecurity is not solely the responsibility of the government. Protecting the Nation from malicious cyber actors requires a strong partnership between the Federal Government and the private sector. The private sector must remain agile in adapting to the evolving threat landscape, ensure the security and integrity of its products, and collaborate with the government to build a safer cyberspace. Ultimately, the level of trust placed in our digital infrastructure should reflect the transparency and reliability of that infrastructure, as well as the potential consequences if that trust is broken.
Incremental measures will not suffice. The Federal Government must implement bold reforms and make substantial investments to defend the critical institutions fundamental to the American way of life. This includes securing all government computer systems—whether cloud-based, on-site, or hybrid—and protecting both information technology (IT) systems that process data and operational technology (OT) systems that control vital safety functions.
It is the policy of my Administration that preventing, detecting, assessing, and responding to cyber incidents is a top national and economic security priority. The Federal Government must set the standard. Accordingly, all Federal Information Systems are required to meet or exceed the cybersecurity standards and requirements established under this order.
Section 2. Removing Barriers to Sharing Threat Information
(a) The Federal Government relies on IT and OT service providers, including cloud providers, to perform daily operations on Federal Information Systems. These providers have unique access to cyber threat and incident data. However, existing contract terms may restrict sharing this information with federal agencies responsible for investigating or responding to cyber incidents—such as CISA, the FBI, and the Intelligence Community. Removing these contractual barriers and increasing information sharing is essential to enhance incident prevention, deterrence, and response, thereby strengthening the defense of federal systems and data.
(b) Within 60 days of this order, the Director of the Office of Management and Budget (OMB), consulting with the Secretary of Defense, Attorney General, Secretary of Homeland Security, and Director of National Intelligence, shall review and recommend updates to the Federal Acquisition Regulation (FAR) and Defense FAR Supplement contract requirements for IT and OT service providers. These recommendations will specify the contractors covered by the proposed contract language.
(c) The updated contract language shall ensure that service providers:
(i) Collect and preserve cybersecurity-related data on all controlled information systems, including those operated for federal agencies, according to agency requirements;
(ii) Share relevant data about cyber incidents or potential incidents directly with the contracting agency and other designated agencies, consistent with privacy laws and policies;
(iii) Collaborate with federal cybersecurity and investigative agencies during incident investigations and responses, including enabling technical capabilities such as threat monitoring;
(iv) Share cyber threat and incident information using recognized industry formats for incident response and remediation where possible.
(d) Within 90 days of receiving the recommendations, the FAR Council will review and, if appropriate, publish proposed FAR updates for public comment.
(e) Within 120 days of this order, the Secretary of Homeland Security and OMB Director will take steps to maximize data sharing between service providers, agencies, CISA, and the FBI to effectively respond to cyber threats.
(f) It is federal policy that:
(i) ICT service providers must promptly report cyber incidents involving software or support systems provided to agencies;
(ii) Providers must also report these incidents directly to CISA, which will centrally manage the information;
(iii) Reports concerning National Security Systems will be handled by designated agencies.
(g) To implement this policy:
(i) Within 45 days, the Secretary of Homeland Security, in consultation with the Secretary of Defense (through the NSA Director), Attorney General, and OMB Director, shall recommend FAR contract language defining:
(A) Types of cyber incidents requiring reporting;
(B) Information needed for effective incident response;
(C) Protections for privacy and civil liberties;
(D) Reporting deadlines based on incident severity, with critical incidents reported within 3 days;
(E) Reporting requirements for National Security Systems;
(F) Covered contractors and service providers.
(ii) Within 90 days, the FAR Council will review and publish these recommendations for public comment.
(iii) Within 90 days, the Secretary of Defense (through the NSA Director), Attorney General, Secretary of Homeland Security, and Director of National Intelligence will develop procedures to ensure timely sharing of cyber incident reports among agencies.
(h) Currently, cybersecurity requirements for unclassified contracts are agency-specific and vary. Standardizing these requirements across agencies will streamline compliance for vendors and improve government security.
(i) Within 60 days, the Secretary of Homeland Security (through the Director of CISA), consulting with the Secretary of Defense (through the NSA Director), OMB Director, and General Services Administrator, shall review existing agency cybersecurity requirements and recommend standardized contract language to the FAR Council, including the scope of covered contractors.
(j) Within 60 days of receiving these recommendations, the FAR Council shall review and publish proposed FAR updates for public comment.
(k) After the FAR updates are finalized, agencies must revise their requirements to remove any duplication.
(l) The OMB Director shall include a cost analysis of all recommendations in the annual budget process.
Section 3. Modernizing Federal Government Cybersecurity
(a) To address today’s rapidly evolving and increasingly sophisticated cyber threats, the Federal Government must modernize its cybersecurity approach. This includes enhancing visibility into threats while safeguarding privacy and civil liberties. The Government must adopt best security practices, advance toward Zero Trust Architecture, accelerate secure cloud adoption—including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)—centralize cybersecurity data access to enable advanced analytics, and invest in both technology and personnel to achieve these goals.
(b) Within 60 days of this order, agency heads shall:
(i) Update existing plans to prioritize resources for cloud technology adoption, aligned with OMB guidance;
(ii) Develop a plan to implement Zero Trust Architecture incorporating migration steps recommended by the National Institute of Standards and Technology (NIST), detailing completed steps, prioritizing activities with immediate security impact, and establishing a timeline for implementation;
(iii) Submit reports on these plans to the Director of OMB and the Assistant to the President and National Security Advisor (APNSA).
(c) Agencies adopting cloud technology must do so deliberately and in coordination to effectively prevent, detect, assess, and remediate cyber incidents. Cloud migration shall follow Zero Trust Architecture principles where practical. The Cybersecurity and Infrastructure Security Agency (CISA) will modernize its cybersecurity programs to fully support cloud environments with Zero Trust Architecture. The Secretary of Homeland Security, via CISA, in consultation with the Administrator of General Services through FedRAMP, will establish security principles for Cloud Service Providers (CSPs) to support agency modernization efforts. To support this:
(i) Within 90 days, the Director of OMB, in consultation with CISA and FedRAMP, will develop and provide agencies with a Federal cloud-security strategy and guidance to ensure risks are understood and addressed, advancing agencies toward Zero Trust Architecture;
(ii) Within 90 days, CISA, in coordination with OMB and FedRAMP, will issue technical reference architecture documentation recommending cloud migration and data protection approaches for Federal Civilian Executive Branch (FCEB) agencies;
(iii) Within 60 days, CISA will release a cloud-service governance framework for FCEB agencies, outlining services and protections based on incident severity, including related data and processing activities;
(iv) Within 90 days, FCEB agency heads, with CISA, will evaluate the types and sensitivity of their unclassified data, report findings prioritizing the most sensitive and at-risk data, and recommend appropriate processing and storage solutions to CISA and OMB.
(d) Within 180 days, agencies shall implement multi-factor authentication and encryption for data at rest and in transit, consistent with applicable laws. Specifically:
(i) FCEB agency heads will report progress on these implementations to CISA, OMB, and APNSA every 60 days until fully adopted;
(ii) CISA will support agencies in maximizing adoption of these technologies and processes;
(iii) Agencies unable to complete adoption within 180 days must submit written explanations to CISA, OMB, and APNSA.
(e) Within 90 days, CISA, in coordination with the Attorney General, FBI Director, and FedRAMP Administrator, will establish a framework to facilitate collaboration on cybersecurity and incident response activities related to FCEB cloud technology, ensuring effective information sharing among agencies and with CSPs.
(f) Within 60 days, the Administrator of General Services, consulting with OMB and agency heads, will begin modernizing FedRAMP by:
(i) Establishing a training program to equip agencies to manage FedRAMP requests effectively, including providing training materials such as on-demand videos;
(ii) Enhancing communication with CSPs by automating and standardizing messages at each authorization stage;
(iii) Incorporating automation throughout FedRAMP’s lifecycle—assessment, authorization, continuous monitoring, and compliance;
(iv) Digitizing and streamlining vendor documentation with online accessibility and pre-filled forms;
(v) Identifying relevant compliance frameworks and mapping them to FedRAMP requirements to allow substituting equivalent frameworks during authorization where appropriate.
Section 4. Enhancing Software Supply Chain Security
(a) Software security is critical for the Federal Government to fulfill its essential functions. Commercial software development often lacks transparency, rigorous security measures, and protection against tampering. Special attention is required for “critical software” — software that holds elevated privileges or direct access to network and computing resources. The Government must act swiftly to strengthen software supply chain security, prioritizing critical software.
(b) Within 30 days, the Secretary of Commerce, through NIST, shall gather input from government, industry, academia, and other stakeholders to identify or develop standards, tools, and best practices for software security compliance, including evaluation criteria for both software and its developers.
(c) Within 180 days, NIST shall publish preliminary guidelines based on consultations and existing materials to enhance software supply chain security.
(d) Within 360 days, NIST shall publish updated guidelines including procedures for regular review and updates.
(e) Within 90 days of the preliminary guidelines, the Secretary of Commerce and NIST, with agency consultation, shall issue guidance on practices to secure the software supply chain, covering:
- Secure software development environments (e.g., separate build environments, multi-factor authentication, encryption, monitoring);
- Providing proof of compliance upon request;
- Use of automated tools to maintain code integrity and identify vulnerabilities;
- Maintaining provenance data and control over software components;
- Providing Software Bill of Materials (SBOM);
- Participation in vulnerability disclosure programs;
- Attesting to conformity with secure practices and integrity of open source components.
(f) Within 60 days, the Secretary of Commerce shall publish minimum elements for SBOMs.
(g) Within 45 days, NIST, in consultation with relevant agencies, shall define “critical software” for inclusion in the guidance, considering privileges, dependencies, and potential harm.
(h) Within 30 days of this definition, CISA shall provide agencies with a list of software categories meeting the “critical software” criteria.
(i) Within 60 days, NIST shall publish security guidelines for critical software, including least privilege, network segmentation, and configuration.
(j-k) Within 30 days of issuing guidance, OMB shall require agencies to comply with these standards for new software procurements and existing software.
(l-m) Agencies may request extensions or waivers for compliance, subject to OMB review and reporting to the National Security Advisor.
(n-o) Within one year, DHS, Commerce, and other agencies shall propose FAR contract language requiring software suppliers to comply with these standards, leading to appropriate FAR updates.
(p) Agencies shall remove non-compliant software from federal contracts once FAR updates are finalized.
(q) OMB shall require agencies using legacy software to comply or submit remediation plans, and require compliance for contract renewals unless extensions or waivers are granted.
(r) Within 60 days, NIST shall publish minimum standards for vendor software testing, including manual and automated methods.
(s-u) NIST, in coordination with other agencies, shall launch pilot consumer labeling programs for Internet-of-Things (IoT) devices and software security, aiming to educate the public and incentivize manufacturers.
(v) These pilots will follow federal conformity assessment guidelines.
(w) Within one year, NIST shall review pilot effectiveness and submit a report to the National Security Advisor.
(x) Within one year, Commerce shall report to the President on progress and recommend further steps to secure the software supply chain.
Section 5. Establishing a Cyber Safety Review Board
(a) The Secretary of Homeland Security, in consultation with the Attorney General, shall establish the Cyber Safety Review Board (the Board) under section 871 of the Homeland Security Act of 2002 (6 U.S.C. 451).
(b) The Board will review and assess significant cyber incidents, as defined by Presidential Policy Directive 41 (PPD-41), affecting Federal Civilian Executive Branch (FCEB) Information Systems or non-federal systems. This includes examining threat activities, vulnerabilities, mitigation efforts, and agency responses.
(c) The Secretary of Homeland Security shall convene the Board following a significant cyber incident that triggers the creation of a Cyber Unified Coordination Group (UCG) as outlined in PPD-41; at the President’s direction through the Assistant to the President and National Security Advisor (APNSA); or whenever deemed necessary.
(d) The Board’s initial review will focus on the cyber activities that led to the UCG’s establishment in December 2020. Within 90 days of formation, the Board shall provide the Secretary of Homeland Security with recommendations to improve cybersecurity and incident response.
(e) The Board’s membership will include federal officials from the Departments of Defense and Justice, CISA, NSA, FBI, and representatives from relevant private-sector cybersecurity or software providers, as determined by the Secretary of Homeland Security. An OMB representative will participate when incidents involve FCEB Information Systems. Additional participants may be invited as appropriate.
(f) The Secretary of Homeland Security will appoint a Chair and Deputy Chair biennially, selecting one federal and one private-sector member.
(g) The Board shall safeguard all sensitive law enforcement, operational, business, and confidential information shared with it, consistent with law.
(h) Upon completing its review, the Secretary of Homeland Security will provide the President, via the APNSA, with the Board’s advice and recommendations for improving cybersecurity and incident response.
(i) Within 30 days after the initial review, the Secretary of Homeland Security shall deliver to the President, through the APNSA, the Board’s recommendations, which will include:
(i) Identified gaps and options regarding Board composition and authority;
(ii) Proposed mission, scope, and responsibilities;
(iii) Criteria for private-sector membership eligibility;
(iv) Governance structure and interaction with the executive branch;
(v) Criteria for cyber incidents to be reviewed;
(vi) Information sources accessible to the Board;
(vii) Procedures to protect shared information and secure cooperation for incident reviews;
(viii) Administrative and budget considerations for Board operations.
(j) The Secretary of Homeland Security, with the Attorney General and APNSA, shall review and implement the Board’s recommendations as appropriate.
(k) Unless directed otherwise by the President, the Secretary of Homeland Security will renew the Board’s mandate every two years as deemed necessary under section 871 of the Homeland Security Act of 2002.
Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
(a) Currently, agencies use varied procedures to identify, remediate, and recover from cybersecurity vulnerabilities and incidents. This inconsistency limits lead agencies’ ability to comprehensively analyze threats across the federal government. Standardized response processes will enable coordinated incident cataloging and improved tracking of agencies’ progress in managing responses.
(b) Within 120 days of this order, the Secretary of Homeland Security, through the Director of CISA and in consultation with the Director of OMB, the Federal CIO Council, and the Federal Chief Information Security Council, and in coordination with the Secretary of Defense (via NSA), the Attorney General, and the Director of National Intelligence, shall develop a standard set of operational procedures (a playbook) for planning and conducting cybersecurity vulnerability and incident responses for Federal Civilian Executive Branch (FCEB) Information Systems. The playbook will:
(i) Incorporate all relevant NIST standards;
(ii) Be mandatory for use by FCEB agencies;
(iii) Track progress through all incident response phases while remaining flexible enough to support various response activities.
(c) The Director of OMB will issue guidance directing agencies on the use of this playbook.
(d) Agencies wishing to use alternative procedures must consult with the Director of OMB and the APNSA, demonstrating that their procedures meet or exceed the playbook’s standards.
(e) The Director of CISA, consulting with the NSA Director, shall review and update the playbook annually and provide updates to OMB for agency guidance revisions.
(f) To confirm comprehensive incident response and ensure unauthorized actors no longer access FCEB systems, the playbook will require the Director of CISA to review and validate agencies’ incident response and remediation outcomes after completion. The Director may recommend involving other agencies or third-party response teams as needed.
(g) To promote shared understanding, the playbook will define key cybersecurity terms consistently with statutory definitions where possible, establishing a common lexicon among agencies.
Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
(a) The Federal Government shall leverage all appropriate resources and authorities to maximize early detection of cybersecurity vulnerabilities and incidents across its networks. This includes enhancing visibility into threats to agency networks to strengthen overall cybersecurity.
(b) Federal Civilian Executive Branch (FCEB) agencies shall implement an Endpoint Detection and Response (EDR) program to support proactive detection, active cyber hunting, containment, remediation, and incident response within Federal infrastructure.
(c) Within 30 days, the Secretary of Homeland Security, via the Director of CISA, shall provide the Director of OMB with recommendations for implementing a centralized EDR initiative to enhance host-level visibility, attribution, and response for FCEB Information Systems.
(d) Within 90 days of receiving these recommendations, the Director of OMB, consulting with the Secretary of Homeland Security, shall issue requirements for FCEB agencies to adopt government-wide EDR solutions. These requirements will enable CISA to conduct cyber hunt, detection, and response activities.
(e) The Director of OMB will collaborate with the Secretary of Homeland Security and agency leaders to ensure agencies have adequate resources to comply with these EDR requirements.
(f) To defend FCEB Information Systems effectively, CISA must access agency data relevant to threat and vulnerability analysis. Within 75 days, agencies shall establish or update Memoranda of Agreement (MOAs) with CISA for the Continuous Diagnostics and Mitigation Program, ensuring required data availability consistent with law.
(g) Within 45 days, the NSA Director, as National Manager for National Security Systems, shall recommend to the Secretary of Defense, Director of National Intelligence, and the Committee on National Security Systems (CNSS) actions to improve cyber incident detection for National Security Systems. Recommendations will include EDR strategies and whether such capabilities should be agency-operated or centralized.
(h) Within 90 days, the Secretary of Defense, Director of National Intelligence, and CNSS shall review these recommendations and establish policies accordingly, consistent with law.
(i) Within 90 days, the Director of CISA shall report to the Director of OMB and APNSA on the implementation of authorities under section 1705 of Public Law 116-283, enabling threat hunting on FCEB networks without prior agency approval. The report will recommend procedures to prevent disruption of critical systems, notify system owners of vulnerabilities, and outline testing techniques. Quarterly updates shall be provided thereafter.
(j) To align directives between Department of Defense Information Network (DODIN) and FCEB systems, the Secretaries of Defense and Homeland Security, with OMB consultation, shall:
(i) Within 60 days, establish procedures for immediate sharing of incident response orders and emergency directives between the Departments;
(ii) Evaluate whether to adopt guidance from the other Department, respecting classified information sharing regulations;
(iii) Within 7 days of receiving such orders, notify APNSA and OMB’s Office of Electronic Government of the evaluation results, rationale, and implementation timeline if applicable.
Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
(a) Network and system logs from Federal Information Systems—including both on-premises and third-party hosted systems such as those managed by Cloud Service Providers (CSPs)—are critical for investigating and addressing cyber incidents. Agencies and their IT service providers must collect, maintain, and, when necessary, provide these logs upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
(b) Within 14 days of this order, the Secretary of Homeland Security, in consultation with the Attorney General and the Administrator of the Office of Electronic Government at OMB, shall provide the Director of OMB with recommendations on requirements for logging events and retaining relevant data within agency systems and networks. These recommendations will specify types of logs to maintain, retention periods, timelines for enabling logging and security measures, and methods for protecting logs. Logs must be cryptographically secured to ensure integrity and verified periodically throughout their retention. Data retention must comply with all applicable privacy laws. The FAR Council will consider these recommendations when developing rules under Section 2 of this order.
(c) Within 90 days of receiving these recommendations, the Director of OMB, in consultation with the Secretaries of Commerce and Homeland Security, shall develop policies for agencies establishing requirements for logging, log retention, and log management. These policies will ensure centralized access and visibility for each agency’s highest-level security operations center.
(d) The Director of OMB will work with agency heads to ensure agencies have adequate resources to comply with these logging requirements.
(e) To address cyber risks or incidents, including potential threats, the recommendations from subsection (b) shall include provisions requiring agencies to provide logs, upon request, to the Secretary of Homeland Security through CISA and to the FBI, consistent with applicable law. The requirements should also enable agencies to share log information with other federal entities as appropriate for managing cyber risks or incidents.
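Subsection 8(b) requires that logs be cryptographically secured for integrity and verified periodically throughout their retention. The following is an added example, not part of the order and not any agency's implementation, of one way to meet that requirement: each record carries an HMAC over its canonical serialization plus a link to the previous record's MAC, and a checkpoint of the chain head stored apart from the log lets periodic verification detect truncation of the newest records as well as modification or removal of earlier ones. The key, timestamps and event lines are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # link value used by the first record in a chain


def _record_mac(key: bytes, seq: int, ts: str, event: str, prev: str) -> str:
    # Canonical encoding (fixed field order, no optional whitespace) so the
    # MAC covers exactly one unambiguous serialization of the record.
    msg = json.dumps([seq, ts, event, prev], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(log: List[dict], key: bytes, ts: str, event: str) -> dict:
    """Append one event; the record is MACed and linked to its predecessor."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    rec = {"seq": seq, "ts": ts, "event": event, "prev": prev}
    rec["mac"] = _record_mac(key, seq, ts, event, prev)
    log.append(rec)
    return rec


def checkpoint(log: List[dict]) -> dict:
    """Head-of-chain summary, meant to be stored apart from the log itself
    (forwarded to the SOC, written to a separate store). Without it, a
    writer with access to the log file can silently drop the newest records."""
    return {"count": len(log), "head": log[-1]["mac"] if log else GENESIS}


def verify_log(log: List[dict], key: bytes, cp: Optional[dict] = None) -> Tuple[bool, str]:
    """Walk the chain and return (ok, reason). Detects modified records,
    records removed from the middle, and, when a checkpoint is supplied,
    truncation at the tail."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i} (record claims seq {rec['seq']})"
        if rec["prev"] != prev:
            return False, f"broken chain link at seq {i}"
        expected = _record_mac(key, rec["seq"], rec["ts"], rec["event"], rec["prev"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, f"MAC mismatch at seq {i}"
        prev = rec["mac"]
    if cp is not None and (cp["count"] != len(log) or cp["head"] != prev):
        return False, f"tail mismatch: checkpoint expects {cp['count']} records, found {len(log)}"
    return True, "ok"


def demo() -> dict:
    """Exercise the chain with constructed events and three tamper scenarios."""
    key = b"constructed-demo-key-not-for-production"  # deployments: key held in an HSM/KMS
    log: List[dict] = []
    for ts, ev in [  # constructed sample events
        ("2021-05-12T10:00:00Z", "user=alice action=login src=10.0.0.5"),
        ("2021-05-12T10:01:30Z", "user=alice action=sudo cmd=/usr/bin/systemctl"),
        ("2021-05-12T10:02:00Z", "user=alice action=logout"),
    ]:
        append_record(log, key, ts, ev)
    cp = checkpoint(log)

    modified = copy.deepcopy(log)
    modified[1]["event"] = "user=alice action=noop"           # rewrite a record in place
    gapped = [copy.deepcopy(log[0]), copy.deepcopy(log[2])]   # remove a middle record
    truncated = copy.deepcopy(log[:-1])                       # drop the newest record

    return {
        "intact": verify_log(log, key, cp),
        "modified": verify_log(modified, key, cp),
        "gapped": verify_log(gapped, key, cp),
        "truncated_no_checkpoint": verify_log(truncated, key),
        "truncated_with_checkpoint": verify_log(truncated, key, cp),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:26s} ok={ok} {reason}")
```

The "truncated_no_checkpoint" case passes verification, which is the point of the checkpoint: a chain alone proves that what remains is consistent, not that nothing was cut from the end. Periodic verification in the sense of 8(b) therefore means re-walking the chain against a checkpoint held outside the writer's control.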
Section 9. National Security Systems
(a) Within 60 days, the Secretary of Defense, through the National Manager and in coordination with the Director of National Intelligence, the Committee on National Security Systems (CNSS), and in consultation with the Assistant to the President and National Security Advisor (APNSA), shall establish cybersecurity requirements for National Security Systems that meet or exceed the standards set forth in this order for systems not otherwise covered. These requirements may include exceptions based on unique mission needs and will be formalized in a National Security Memorandum (NSM). Until the NSM is issued, existing programs, standards, or requirements from this order do not apply to National Security Systems.
(b) This order does not affect the authority of the National Manager over National Security Systems as defined in National Security Directive 42 (NSD-42) of July 5, 1990. The Federal Civilian Executive Branch (FCEB) network remains under the authority of the Secretary of Homeland Security, acting through the Director of CISA.
Section 10. Definitions
For purposes of this order:
(a) “Agency” means the same as defined under 44 U.S.C. 3502.
(b) “Auditing trust relationship” refers to an agreed relationship between two or more system components governed by criteria ensuring secure interaction, behavior, and protection of assets.
(c) “Cyber incident” has the meaning of “incident” under 44 U.S.C. 3552(b)(2).
(d) “Federal Civilian Executive Branch Agencies” (FCEB Agencies) includes all agencies except the Department of Defense and agencies within the Intelligence Community.
(e) “Federal Civilian Executive Branch Information Systems” (FCEB Information Systems) are information systems operated by FCEB Agencies, excluding National Security Systems.
(f) “Federal Information Systems” means any information system used or operated by an agency, its contractor, or another organization on its behalf, including both FCEB Information Systems and National Security Systems.
(g) “Intelligence Community” (IC) is as defined under 50 U.S.C. 3003(4).
(h) “National Security Systems” means information systems defined under 44 U.S.C. 3552(b)(6), 3553(e)(2), and 3553(e)(3).
(i) “Logs” are records of events occurring within an organization’s systems and networks, composed of individual entries detailing specific events.
(j) “Software Bill of Materials” (SBOM) is a formal record listing the components and supply chain relationships used in software products. SBOMs help developers, buyers, and operators identify included open source and commercial components, assess vulnerabilities, manage risk, and respond quickly to security issues. Machine-readable SBOM formats enhance automation and integration, providing significant value when stored in easily searchable repositories.
(k) “Zero Trust Architecture” is a security model and system design approach that assumes threats exist both inside and outside traditional network boundaries. It removes implicit trust in any component, requiring continuous verification from multiple data sources to control access and system responses. This model enforces least-privileged access—granting users only the minimum permissions necessary—and incorporates real-time monitoring, granular risk-based controls, and automated security throughout the infrastructure to protect data dynamically. Zero Trust Architecture limits damage from breaches by containing access and actively detecting malicious activity.
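Section 4(e) lists providing an SBOM among the supply chain practices, and definition (j) above notes that machine-readable SBOMs let developers, buyers and operators assess vulnerabilities across included components and their supply chain relationships. The following added example (not part of the order, and not any agency's or vendor's tool) shows what that automation looks like in practice: it parses a constructed SBOM written with CycloneDX JSON field names, matches components against a constructed advisory list carrying placeholder identifiers rather than real CVE numbers, and walks the dependency graph in reverse to report which higher-level components pull in each affected package. The version comparison is a simplified dotted-numeric compare, assumed for illustration.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed SBOM using the CycloneDX JSON field names ("components",
# "bom-ref", "dependencies", "ref", "dependsOn"); the packages and versions
# are illustrative, not a real inventory.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:pypi/webapp@2.3.0",    "name": "webapp",   "version": "2.3.0"},
    {"bom-ref": "pkg:pypi/requests@2.25.1", "name": "requests", "version": "2.25.1"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.4",  "name": "urllib3",  "version": "1.26.4"},
    {"bom-ref": "pkg:pypi/pyyaml@5.4.1",    "name": "pyyaml",   "version": "5.4.1"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/webapp@2.3.0",    "dependsOn": ["pkg:pypi/requests@2.25.1", "pkg:pypi/pyyaml@5.4.1"]},
    {"ref": "pkg:pypi/requests@2.25.1", "dependsOn": ["pkg:pypi/urllib3@1.26.4"]},
    {"ref": "pkg:pypi/urllib3@1.26.4",  "dependsOn": []},
    {"ref": "pkg:pypi/pyyaml@5.4.1",    "dependsOn": []}
  ]
}"""

# Constructed advisory feed with placeholder identifiers (not real CVEs):
# a component is affected when its version is below "fixed_in".
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "urllib3", "fixed_in": "1.26.5"},
    {"id": "ADV-EXAMPLE-0002", "name": "pyyaml", "fixed_in": "5.4.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted numeric versions only; production tooling should use a PEP 440 / semver parser.
    return tuple(int(part) for part in v.split("."))


def load_sbom(text: str) -> Tuple[Dict[str, dict], Dict[str, List[str]]]:
    """Return components keyed by bom-ref and the dependency adjacency list."""
    data = json.loads(text)
    components = {c["bom-ref"]: c for c in data["components"]}
    dependencies = {d["ref"]: d.get("dependsOn", []) for d in data.get("dependencies", [])}
    return components, dependencies


def dependents_of(dependencies: Dict[str, List[str]], ref: str) -> Set[str]:
    """Every component that transitively depends on `ref` (reverse walk of the graph)."""
    parents: Dict[str, List[str]] = {}
    for parent, children in dependencies.items():
        for child in children:
            parents.setdefault(child, []).append(parent)
    seen: Set[str] = set()
    stack = [ref]
    while stack:
        for p in parents.get(stack.pop(), []):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def find_affected(sbom_text: str, advisories: List[dict]) -> List[dict]:
    """Match advisories against SBOM components and report who pulls each one in."""
    components, dependencies = load_sbom(sbom_text)
    findings = []
    for adv in advisories:
        for ref, comp in components.items():
            if comp["name"] == adv["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": ref,
                    "dependents": sorted(dependents_of(dependencies, ref)),
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} reached via {', '.join(f['dependents']) or '(direct)'}")
```

On the constructed input only the transitive urllib3 dependency is flagged; pyyaml is already at or above its fix version. The "dependents" field is what the dependency section of an SBOM adds over a flat component list: it tells the operator that the affected package arrives through requests and is ultimately shipped by webapp, which is the information needed to decide what to patch or rebuild.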
Section 11. General Provisions
(a) Upon appointment of the National Cyber Director (NCD) and the creation of the corresponding Office within the Executive Office of the President, pursuant to section 1752 of Public Law 116-283, parts of this order may be adjusted to enable the NCD to fully carry out its duties and responsibilities.
(b) Nothing in this order shall be interpreted to limit or affect:
(i) The legal authority granted to any executive department, agency, or its head; or
(ii) The functions of the Director of the Office of Management and Budget related to budgetary, administrative, or legislative matters.
(c) This order will be implemented in accordance with applicable laws and subject to the availability of funding.
(d) This order does not create any enforceable legal or procedural rights or benefits against the United States, its departments, agencies, officials, employees, or any other persons.
(e) Nothing in this order grants authority to interfere with or direct criminal or national security investigations, arrests, searches, seizures, disruption operations, or to modify legal protections regarding information obtained during such investigations.