Prohibition on Use by the United States Government of Commercial Spyware That Poses Risks to National Security
Executive Order 14093, signed March 27, 2023, establishes a government-wide policy prohibiting the operational use of commercial spyware by U.S. government agencies where that software poses significant counterintelligence or security risks, or creates a substantial risk of improper use by foreign governments or foreign persons. The order sets up a formal process to assess, monitor, and manage the risks of commercial spyware, centered on a classified intelligence assessment by the Director of National Intelligence (DNI) and interagency coordination led by the Assistant to the President for National Security Affairs (APNSA). It also requires agencies to review and justify any existing use of such spyware, to terminate uses that cannot be justified, to put internal controls in place, and to report on compliance and protective measures. The stated goals are to safeguard U.S. government information systems, protect civil liberties and human rights, and discourage the misuse and proliferation of commercial spyware. In short, the order tightens scrutiny and oversight of commercial spyware used by the U.S. government, creates a risk-based framework for procurement and deployment, and builds in reporting and interagency coordination to prevent misuse and to counter foreign exploitation.
Key Points
1. Prohibition on operational use: Agencies may not make operational use of commercial spyware where credible information indicates that it poses significant counterintelligence or security risks, or a significant risk of improper use by foreign governments or foreign persons. Operational use covers direct or indirect use that enables remote access to a target computer.
2. Criteria and due diligence: The order lists specific risk factors (such as unauthorized access to government systems, how the vendor handles collected data, and ties to foreign governments or foreign entities) and directs agencies to weigh them when evaluating whether to employ such spyware. Any proposed operational use requires a non-delegable certification by the agency head.
3. DNI intelligence assessment and interagency coordination: The DNI must produce a classified intelligence assessment within 90 days of the order and semiannually thereafter, drawing on intelligence, open-source, sanctions-related, export-control, and due-diligence information. Agencies must continue to provide new credible information to the DNI so the assessment reflects current risk.
4. Procurement and due diligence: Before procuring commercial spyware for any purpose other than an exempted criminal investigation, agencies must review the DNI assessment, request additional information from the DNI as needed, and apply the defined risk factors and vendor due-diligence standards in the procurement decision.
5. Reporting and oversight: Agencies that procure or use commercial spyware must report their findings, ongoing reviews, and any termination steps to the APNSA, including timelines for completing reviews and any changes in procurement or usage. The order also requires reports at 6 months and 1 year on actions taken to implement it and on current operational uses.
6. Definitions and scope: The order defines terms such as commercial spyware, operational use, foreign entity, foreign government, foreign person, furnishing, and relevant officials. It also specifies which bodies count as an "agency," describes the testing and countermeasures exemptions, and clarifies that the order creates no new legal rights.
7. Waivers and emergency exceptions: A non-delegable waiver authority exists for up to one year in extraordinary circumstances, with required notice to the President and the DNI. Waivers may be revoked, and both the grant and any revocation must be reported within 72 hours.
8. Exceptions for non-operational activities: The prohibition does not apply to testing, research, cybersecurity work, the development of countermeasures, or certain criminal investigations arising from the sale or use of spyware.
9. General provisions: The order preserves existing legal authorities, creates no new rights, and must be implemented consistent with applicable law and procurement regulations.