Privacy & Information Security Law Blog

On January 16, 2025, President Biden issued Executive Order 14144, titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” (“EO 14144”). EO 14144 builds on President Biden’s Executive Order on Improving the Nation’s Security (“EO 14028”), and aims to strengthen software supply chain security, impose more stringent cybersecurity requirements on federal contractors, combat cybercrime, and encourage the development of identity verification technologies.

EO 14144 prescribes detailed supply chain cybersecurity standards for developers that provide software to the federal government, and recommends that federal agencies treat cybersecurity as a key consideration in software procurements and in the assessment of contractor performance. Building on an existing requirement that software developers submit attestations of their secure development practices to sell products to the federal government, EO 14144 introduces additional supply chain security measures, including a requirement that such developers submit to the Cybersecurity and Infrastructure Security Agency (“CISA”) the following: (1) machine-readable attestations of secure development practices; (2) high-level validation artifacts; and (3) a list of federal government customers. EO 14144 urges CISA to develop an audit process to verify the completeness of the attestations received, and directs CISA to regularly validate sample attestations. 

EO 14144 also directs CISA to update the software development attestation form based on future guidance from the National Institute of Standards and Technology (“NIST”), and instructs NIST to provide guidance on industry cybersecurity practices and controls. Based on NIST’s guidance, the Federal Acquisition Regulatory Council will update its regulations to mandate minimum cybersecurity practices for federal contractors, and to require that compliant Internet-of-Things products sold to the federal government carry the United States Cyber Trust Mark label. Further, EO14144 instructs federal agencies to transition to quantum-resistant cryptography standards by the year 2030 and encourages federal agencies to adopt yet-to-be-issued best practices for using open-source software.

EO 14144 also contains a number of provisions addressing cybercrime, including the expansion of the scope of Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), which authorizes the seizing the assets of persons engaged in malicious cyber-related activities. In addition, EO 14144 calls for the establishment of public-private pilot programs to use advanced AI models for cyber defense, and urges the federal government to share data with the academic community to support research into the use of AI in cyber defense. Aiming to reduce identity fraud, EO 14144 also recommends expanding the use of digital identification documents and the development of attribute validation services.

EO 14144’s provisions require federal agencies to develop cybersecurity rules and programs during the first few months of the Trump Administration. As of the date of this publication, EO 14144 remains in effect.