Strengthening and Promoting Innovation in the Nation's Cybersecurity
Executive Order 14144, titled Strengthening and Promoting Innovation in the Nation's Cybersecurity, directs a broad set of actions across the federal government to harden the United States' digital defenses, modernize how software and communications are secured, and accelerate the adoption of emerging security technologies. Building on prior orders and the National Cybersecurity Strategy, the EO focuses on three core areas: (1) securing software supply chains and software development practices (including third-party risk management and attestations), (2) strengthening the security of federal systems, communications, and identity management, and (3) advancing zero-trust-style protections, modern cryptography (including post-quantum readiness), and cyber threat awareness across government and critical infrastructure. It also expands cybersecurity activities related to space systems, open-source software, and digital identity for public benefits, and assigns implementation to a coordinated set of federal bodies (OMB, CISA, NIST, the FAR Council, GSA, and the National Cyber Director, among others).
The order sets specific timelines and processes for implementing secure software development attestations, updating risk management frameworks, enhancing threat hunting capabilities, modernizing identity and access management (including phishing-resistant authentication), encrypting communications in transit (DNS, email, and others), improving routing security, and pursuing quantum-safe cryptography. It directs agencies to adopt industry best practices, increase transparency in software supply chains, and incentivize cloud security improvements through FedRAMP and related measures. It also envisions international engagement on cryptography standards and requires attention to sensitive data access and privacy protections when enabling government-wide threat hunting and data sharing.
Key Points
Third-party software supply chain transparency and attestations
- Requires secure software development attestations, together with the high-level artifacts that support them, to be submitted to CISA for software procured by the Federal Government.
- Establishes a centralized Repository for Software Attestation and Artifacts (RSAA) to collect them; sets timelines for producing and verifying attestations; and provides for public posting of validated results.
Federal contracting and risk management
- Directs the FAR Council to amend the Federal Acquisition Regulation (FAR) so that secure software development attestations and supporting evidence become a condition of contract award for software used by the government.
- Creates a process to verify the completeness of attestations and to notify both the software provider and the contracting agency when an attestation fails validation.
Secure software development practices and standards
- Builds on Executive Order 14028 by requiring more rigorous third-party risk management aligned with NIST's Secure Software Development Framework (SSDF).
- Requires NIST SP 800-53 to be updated with guidance on securely deploying patches and updates, and establishes a recurring update cycle for the SSDF.
Threat visibility, threat hunting, and data access
- Expands threat hunting across Federal civilian networks by giving CISA timely access to telemetry from agency endpoint detection and response (EDR) solutions and security operations centers, under a defined concept of operations with safeguards to limit disruption to agency operations.
- Establishes a process for using the collected data to identify threats and coordinate government-wide response, subject to data protection constraints and agency processes.
Identity, authentication, and access management
- Accelerates deployment of phishing-resistant authentication (such as WebAuthn) in Federal civilian agencies, with pilots to inform broader identity strategies.
- Emphasizes rapid adoption of zero-trust concepts in identity and access management to improve visibility into, and control over, who and what can access agency systems.
Communication security and routing resilience
- Mandates encryption of communications in transit: encryption of internet traffic (for example with TLS), encrypted DNS (DNS over TLS or DNS over HTTPS), and encrypted email.
- Requires agencies to publish Route Origin Authorizations (ROAs) for their IP address blocks, so that other networks can validate the origin of agency BGP announcements, and to require routing security (BGP) technologies in contracted internet services.
Post-quantum cryptography (PQC) and cryptography modernization
- Requires identification of product categories in which PQC-capable products are available, and directs agencies to begin transitioning to PQC algorithms, with timelines keyed to those categories and to upgrades of PKI and key establishment.
- Directs international engagement to encourage PQC adoption aligned with NIST standards, and sets target dates for cryptographic upgrades.
Space systems cybersecurity
- Calls for updates to civil space cybersecurity requirements and risk-based contract language for space systems, focused on securing command and control, anomaly detection, and secure software practices.
- Requires an inventory of space ground systems, improvements to their cyber defenses, and updated oversight, with a plan to amend FAR language accordingly.
Open source software and government use
- Encourages prudent use and management of open-source software, including guidance on security assessments and patching, and on how agencies should contribute to open-source projects to strengthen their security.
Cloud security and FedRAMP
- Directs FedRAMP policy changes that incentivize or require cloud service providers to produce and maintain baselines with secure configurations, tying into broader agency requirements for secure cloud deployment.
Digital identity for public benefits (identity documents)
- Promotes acceptance of digital identity documents for access to public benefits where appropriate, with requirements for interoperability and privacy protection, including minimizing the data collected.
Data protection, privacy, and compliance
- Emphasizes protecting highly sensitive agency data, complying with statutory and regulatory restrictions, and arranging administrative accommodations where needed so that data can be accessed for security purposes without compromising confidentiality.
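The routing-security point above (publish ROAs for your address blocks so that other networks can validate the origin of your BGP announcements) is easiest to check by running the validation that relying parties perform. The following is an added example written for this page, not text or code from the order or from any agency: it implements RFC 6811 route origin validation (Valid / Invalid / NotFound, including the maxLength rule and AS0 ROAs per RFC 7607) over a constructed ROA set. All prefixes and AS numbers are taken from documentation ranges (RFC 5737, RFC 3849, RFC 5398) and are hypothetical.

```python
"""RPKI route origin validation (RFC 6811) over a constructed ROA set.

Added example: classify BGP announcements against the ROAs an address
holder publishes. ROAs, ASNs and prefixes are constructed from
documentation ranges, not real routing data.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net      # covered address block
    asn: int         # authorised origin AS (0 = nobody may originate, RFC 7607)
    max_length: int  # longest prefix length the AS may announce from this block


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length (the safest choice)."""
    net = ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return ROA(net, asn, ml)


def covers(roa: ROA, route: Net) -> bool:
    """True if the ROA prefix contains the announced prefix ('covering' in RFC 6811)."""
    return route.version == roa.prefix.version and route.subnet_of(roa.prefix)


def validate(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one (prefix, origin AS) pair."""
    route = ip_network(route_prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"  # no ROA says anything about this address space
    for r in covering:
        # An AS0 ROA authorises nobody; a matching ASN only helps within maxLength.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def audit(announcements: Iterable[Tuple[str, int]],
          roas: Iterable[ROA]) -> List[Tuple[str, int, str]]:
    """Validate every (prefix, origin AS) announcement against the ROA set."""
    roa_list = list(roas)
    return [(p, a, validate(p, a, roa_list)) for p, a in announcements]


# Constructed ROAs for a hypothetical address holder announcing from AS64500/AS64501.
ROAS = [
    make_roa("192.0.2.0/24", 64500),         # maxLength 24: no more-specifics allowed
    make_roa("198.51.100.0/22", 64501, 24),  # may deaggregate down to /24
    make_roa("2001:db8::/32", 64500, 48),
    make_roa("203.0.113.0/24", 0),           # AS0: this block must never appear in BGP
]

# Constructed announcements, as a route collector might see them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate
    ("192.0.2.0/25", 64500),     # own AS, but more specific than maxLength
    ("192.0.2.0/24", 64666),     # origin hijack by another AS
    ("198.51.100.0/23", 64501),  # within maxLength
    ("198.51.100.0/25", 64501),  # beyond maxLength
    ("2001:db8:1::/48", 64500),  # IPv6, within maxLength
    ("203.0.113.0/24", 64500),   # AS0-covered space
    ("10.0.0.0/8", 64500),       # no ROA at all
]

if __name__ == "__main__":
    for prefix, asn, state in audit(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:<20} AS{asn:<6} {state}")
```

Two things the run makes visible that the bullet does not: a ROA with a loose maxLength silently authorises an attacker who already controls the origin AS to announce more-specifics, so the default of maxLength equal to the prefix length is the conservative setting; and "NotFound" is not "Valid", so unpublished blocks get no protection. To audit real prefixes, replace the constructed ROAs with the validated ROA payload export of an RPKI relying-party validator and the announcements with what route collectors observe for your space.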