White House new cyber EO would expand CISA's role

President Joe Biden is set to sign his second cybersecurity executive order this week, marking a significant milestone in a presidency characterized by major cybersecurity challenges.

Biden’s administration began amid the aftermath of the SolarWinds cyber breach, which significantly impacted both government and private sectors. As his term concludes, agencies and telecom companies are working to recover from the Salt Typhoon and Treasury Department security breaches. Throughout his presidency, his cyber teams have been continuously challenged by an unprecedented surge in ransomware attacks targeting healthcare facilities, educational institutions, and various other sectors, along with the Log4j vulnerability and numerous other cybersecurity threats.

This upcoming EO aims to strengthen the position of federal chief information officers and chief information security officers by providing additional requirements and resources to combat evolving threats. It follows Biden’s initial cyber EO from May 2021.

Federal News Network has discovered that the draft EO contains provisions requiring the Office of Management and Budget to revise Circular A-130. Additional components include enhanced software attestation protocols, new directives for AI security and post-quantum cryptography preparation, and border gateway protocol and route origin authorization requirements to enhance the security of Internet routing infrastructure.

However, what’s raising eyebrows among federal executives is a section that would require civilian agencies to participate in the Cybersecurity and Infrastructure Security Agency’s (CISA) persistent access capabilities (PAC) program.

Beyond the content specifics, the timing of this executive order has sparked debate among federal officials.

Despite months of preparation, several federal sources, speaking anonymously due to the sensitive nature of the draft document, expressed concerns about issuing such an order in the administration’s final stages. They argue this is particularly problematic given the current turnover of cyber leadership across government departments who would typically spearhead such initiatives.

“Implementing an executive order on cybersecurity’s complex issues and mandating specific actions without considering the political and policy [landscapes] raises serious concerns,” noted one federal cyber official. “Effective implementation becomes questionable when key senior managers and policymakers are either departing or haven’t been appointed. Furthermore, the extensive requirements and proposed timelines make meaningful implementation impractical given the current flux in senior cyber leadership.”

A separate federal technology executive echoed these sentiments.

“While the order contains valuable elements, the timing so close to the administration’s end is problematic,” the official remarked.

Agency-level cyber to remain the same

Meanwhile, several federal officials maintain that cybersecurity transcends partisan politics, suggesting that the subsequent administration will likely adopt many, if not all, of the proposed executive order’s key objectives.

“The current administration’s decision to release this EO indicates their confidence in its future implementation. Otherwise, it would be an exercise in futility,” explained the federal official. “Industry stakeholders frequently inquire about cybersecurity’s future trajectory, and discussions with OMB and transition team members consistently emphasize one point: Cybersecurity fundamentally remains apolitical. Will there be a departure from zero trust architecture? Certainly not. Considering that the initial Trump administration developed the ZTA strategy, which the Biden administration subsequently endorsed, it would be counterintuitive for a new Trump administration to reject ZTA merely because their predecessors supported it.”

The official further noted that while the Salt Typhoon incident and Treasury Department breach will likely prompt meaningful discussions about cyber regulations with the incoming administration, they anticipate minimal disruption to agency-level operations.

However, some federal officials point out that the draft EO’s most significant change would be making CISA’s PAC program mandatory. This persistent access capabilities initiative, integrated with endpoint detection and response (EDR) tools, delivers continuous threat hunting capabilities.

According to OMB’s annual Federal Information Security Modernization Act (FISMA) report to Congress released in July, 76 agencies have achieved the benchmark of having at least 80% of their known endpoints covered by the Continuous Diagnostics and Mitigation (CDM) program. Among these, 36 agencies have implemented PAC tools for continuous threat hunting activities. Since 2021, CISA has successfully deployed over 750,000 EDR licenses across 54 agencies.

While the draft EO doesn’t explicitly mention PAC, it would mandate collaboration among CISA and the CIO and CISO councils to develop such an EDR-related capability.

The proposed tools would facilitate:

  • Swift detection and identification of emerging cyber threats and vulnerabilities throughout the federal civilian infrastructure;
  • Recognition of coordinated cyber campaigns targeting multiple agencies simultaneously and moving laterally across federal systems; and
  • Synchronization of government-wide initiatives regarding information security policies and practices, including comprehensive analysis of incidents threatening information security.

Within 180 days of the Executive Order’s issuance, CISA and the relevant councils would need to establish a comprehensive concept of operations. This framework should incorporate specific safeguards for highly sensitive agency information and outline distinct use cases for the Department of Justice’s telemetry data sharing, while maintaining restrictions on CISA’s direct device access.

Certain agencies have concerns

A significant point of contention regarding this section of the draft Executive Order, as highlighted by multiple sources, revolves around the extent of CISA’s access to agency networks and devices. The fundamental shift between the current PAC tools’ functionality and their proposed role under this Executive Order lies in CISA’s potential authority to deactivate networks or devices suspected of being compromised.

“CIOs routinely evaluate and accept various levels of risk, carefully weighing their operational decisions. However, for CISA to understand these nuanced risk levels, they would require substantial agency-specific staffing increases. The prospect of CISA disconnecting systems without fully comprehending the operational ramifications is concerning,” explained a senior technology executive. “My primary reservation about this approach is that it appears to be another attempt by CISA to reinforce their significance. While I genuinely value our collaborative relationship with CISA and appreciate their discretion during incidents, I’m worried about them operating within my environment and potentially making decisions on behalf of my agency without fully understanding our context or the broader implications. What would be the consequences if CISA’s management and monitoring of our network infrastructure leads to decisions that compromise our mission delivery capabilities?”

According to an industry insider familiar with PAC, the Department of Justice has emerged as the strongest opponent to CISA’s persistent access proposal. Given DoJ’s significant influence, their opposition could potentially alter this strategic approach.

“Many CIOs and CISOs feel their existing risk management responsibilities are already substantial, and this would further complicate matters,” the insider noted. “While PAC can serve as an effective alert mechanism for CISA regarding potential threats, implementing it as proposed would require expanding CISA’s authority over agency devices – precisely what concerns DoJ. This has sparked ongoing discussions about the appropriate scope of the sensor’s capabilities.”

Another source emphasized that with proper regulatory frameworks, procedural guidelines, and supervisory mechanisms in place, numerous agencies would strongly support enhanced threat hunting capabilities.

“Most CISOs would welcome additional oversight and expanded capabilities. The vast majority express enthusiasm for any available assistance, particularly if CISA brings additional resources to the table,” commented another agency technology official. “There exists a vocal minority expressing concerns, some primarily focused on data access, especially within the statistical community where data requires specific protections. These individuals are hesitant about granting CISA unrestricted access to cyber-related data.”

CISA to lead COO effort

The draft Executive Order mandates CISA and the CIO/CISO councils to develop a notification protocol within the concept of operations, requiring CISA to alert agencies before accessing their EDR tools. The framework must incorporate comprehensive technical and policy control requirements governing CISA’s access to agency EDR solutions, ensuring compliance with cybersecurity standards regarding least privilege access and duty separation.

“Following the prescribed guidelines, working through council processes, and establishing secure rules of engagement will likely bring most skeptics on board with this approach,” reflected the technology official. “While significant concerns existed six months ago, our progress and CISA’s improved approach suggest we can achieve this without damaging relationships.”

The official noted CISA’s steadily improving reputation in recent years regarding service delivery and support, though some agencies maintain a degree of caution in fully embracing the organization.

“We often face pressure to implement specific tools that may not be optimal for our needs, requiring us to piece together recommended approaches,” another official explained. “We need comprehensive lifecycle funding, not just initial investments. Additionally, enhanced cross-governmental orchestration and collaboration would help prevent situations where we must integrate tools into our diverse environments.”

A crucial component of the draft Executive Order requires OMB to modernize Circular A-130 within three years, shifting from prescriptive requirements to emphasizing contemporary cybersecurity practices. The last A-130 update in 2016 introduced risk-based cybersecurity approaches and extensive IT policy revisions.

The proposed revision should:

  • Define expectations for agency cybersecurity information sharing, enterprise visibility, and CISO accountability in managing enterprisewide cybersecurity programs;
  • Transform OMB Circular A-130 to reduce technical prescriptiveness where appropriate, promoting evolving cybersecurity best practices across federal systems, including zero trust architecture adoption and implementation of critical elements like EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication; and
  • Provide guidance on identifying, assessing, responding to, and mitigating mission-essential function risks related to IT vendor and service concentration.

The draft Executive Order also addresses cloud service security concerns.

It directs the National Institute of Standards and Technology, CISA, and the General Services Administration to develop comprehensive guidelines within 270 days of the Executive Order’s issuance for secure management of access tokens and cryptographic keys utilized by cloud service providers.

Subsequently, CISA, NIST, and GSA’s FedRAMP will have 60 days following this publication to incorporate these new guidelines into the cloud security program’s existing requirements.

In the final phase, OMB will collaborate with NIST, CISA, and FedRAMP to establish a comprehensive civilian agency policy. This policy will outline best practices for safeguarding and administering hardware security modules, trusted execution environments, and other isolation technologies specifically designed for cloud service providers’ access tokens and cryptographic keys.
