@tillson
Last active June 8, 2025 02:14
Diff – Trump Administration's June 2025 amendments to EO 13694 AND EO 14144
Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities
By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, I, BARACK OBAMA, President of the United States of America, find that the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. I hereby declare a national emergency to deal with this threat.
Accordingly, I hereby order:
Section 1. (a) All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in:
(i) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:
(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) causing a significant disruption to the availability of a computer or network of computers; or
(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; or
(ii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State:
(A) to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
(B) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A) of this section or any person whose property and interests in property are blocked pursuant to this order;
(C) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order; or
(D) to have attempted to engage in any of the activities described in subsections (a)(i) and (a)(ii)(A)-(C) of this section.
(b) The prohibitions in subsection (a) of this section apply except to the extent provided by statutes, or in regulations, orders, directives, or licenses that may be issued pursuant to this order, and notwithstanding any contract entered into or any license or permit granted prior to the effective date of this order.
Sec. 2. I hereby determine that the making of donations of the type of articles specified in section 203(b)(2) of IEEPA (50 U.S.C. 1702(b)(2)) by, to, or for the benefit of any person whose property and interests in property are blocked pursuant to section 1 of this order would seriously impair my ability to deal with the national emergency declared in this order, and I hereby prohibit such donations as provided by section 1 of this order.
Sec. 3. The prohibitions in section 1 of this order include but are not limited to:
(a) the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any person whose property and interests in property are blocked pursuant to this order; and
(b) the receipt of any contribution or provision of funds, goods, or services from any such person.
Sec. 4. I hereby find that the unrestricted immigrant and nonimmigrant entry into the United States of aliens determined to meet one or more of the criteria in section 1(a) of this order would be detrimental to the interests of the United States, and I hereby suspend entry into the United States, as immigrants or nonimmigrants, of such persons. Such persons shall be treated as persons covered by section 1 of Proclamation 8693 of July 24, 2011 (Suspension of Entry of Aliens Subject to United Nations Security Council Travel Bans and International Emergency Economic Powers Act Sanctions).
Sec. 5. (a) Any transaction that evades or avoids, has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions set forth in this order is prohibited.
(b) Any conspiracy formed to violate any of the prohibitions set forth in this order is prohibited.
Sec. 6. For the purposes of this order:
(a) the term “person” means an individual or entity;
(b) the term “entity” means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization;
(c) the term “United States person” means any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States;
(d) the term “critical infrastructure sector” means any of the designated critical infrastructure sectors identified in Presidential Policy Directive 21; and
(e) the term “misappropriation” includes any taking or obtaining by improper means, without permission or consent, or under false pretenses.
Sec. 7. For those persons whose property and interests in property are blocked pursuant to this order who might have a constitutional presence in the United States, I find that because of the ability to transfer funds or other assets instantaneously, prior notice to such persons of measures to be taken pursuant to this order would render those measures ineffectual. I therefore determine that for these measures to be effective in addressing the national emergency declared in this order, there need be no prior notice of a listing or determination made pursuant to section 1 of this order.
Sec. 8. The Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, is hereby authorized to take such actions, including the promulgation of rules and regulations, and to employ all powers granted to the President by IEEPA as may be necessary to carry out the purposes of this order. The Secretary of the Treasury may redelegate any of these functions to other officers and agencies of the United States Government consistent with applicable law. All agencies of the United States Government are hereby directed to take all appropriate measures within their authority to carry out the provisions of this order.
Sec. 9. The Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, is hereby authorized to submit the recurring and final reports to the Congress on the national emergency declared in this order, consistent with section 401(c) of the NEA (50 U.S.C. 1641(c)) and section 204(c) of IEEPA (50 U.S.C. 1703(c)).
Sec. 10. This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered as follows:
Section 1. Policy. Foreign nations and criminals continue to conduct cyber campaigns targeting the United States and Americans. The People’s Republic of China presents the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks, but significant threats also emanate from Russia, Iran, North Korea, and others who undermine United States cybersecurity. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the Nation’s cybersecurity against these threats. I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats.
Sec. 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains.
(a) Secure software development practices are not sufficient to address the potential for cyber incidents from resourced and determined nation-state actors. To mitigate the risk of such incidents occurring, software providers must also address how software is delivered and the security of the software itself. The Federal Government must identify a coordinated set of practical and effective security practices to require when it procures software.
(i) Within 60 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218 (Secure Software Development Framework (SSDF)).
(ii) Within 90 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
(iii) Within 180 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.
(iv) Within 120 days of the final update to the SSDF described in subsection (c)(iii) of this section, the Director of OMB shall incorporate select practices for the secure development and delivery of software contained in NIST’s updated SSDF into the requirements of OMB Memorandum M-22-18 (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) or related requirements.
(v) Within 30 days of the issuance of OMB’s updated requirements described in subsection (c)(iv) of this section, the Director of CISA shall prepare any revisions to CISA’s common form for Secure Software Development Attestation to conform to OMB’s requirements and shall initiate any process required to obtain clearance of the revised form under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.
(b) As agencies have improved their cyber defenses, adversaries have targeted the weak links in agency supply chains and the products and services upon which the Federal Government relies. Agencies need to integrate cybersecurity supply chain risk management programs into enterprise-wide risk management activities. Within 90 days of the date of this order, the Director of OMB, in coordination with the Secretary of Commerce, acting through the Director of NIST, the Administrator of General Services, and the Federal Acquisition Security Council (FASC), shall take steps to require, as the Director deems appropriate, that agencies comply with the guidance in NIST Special Publication 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Revision 1)). OMB shall require agencies to provide annual updates to OMB as they complete implementation. Consistent with SP 800-161 Revision 1, OMB’s requirements shall address the integration of cybersecurity into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration, and performance evaluation.
(c) Relevant executive departments and agencies (agencies) shall take the following actions:
(i) By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
(ii) By September 2, 2025, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
(iii) By December 1, 2025, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This preliminary update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.”;
(c) striking from subsection 4(b) the phrase “The security of Internet traffic depends on data being correctly routed and delivered to the intended recipient network. Routing information originated and propagated across the Internet, utilizing the Border Gateway Protocol (BGP), is vulnerable to attack and misconfiguration.” and inserting, in lieu thereof, the following:
Sec. 3. Improving the Cybersecurity of Federal Systems.
(a) The Federal Government must maintain the ability to rapidly and effectively identify threats across the Federal enterprise. To enable identification of threat activity, CISA’s capability to hunt for and identify threats across FCEB agencies under 44 U.S.C. 3553(b)(7) must be strengthened.
(i) The Secretary of Homeland Security, acting through the Director of CISA, in coordination with the Federal Chief Information Officer (CIO) Council and Federal Chief Information Security Officer (CISO) Council, shall develop the technical capability to gain timely access to required data from FCEB agency endpoint detection and response (EDR) solutions and from FCEB agency security operation centers to enable:
(A) timely hunting and identification of cyber threats and vulnerabilities across the Federal civilian enterprise;
(B) identification of coordinated cyber campaigns that simultaneously target multiple agencies and move laterally across the Federal enterprise; and
(C) coordination of Government-wide efforts on information security policies and practices, including compilation and analysis of information about incidents that threaten information security.
(ii) Within 180 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, in coordination with the Federal CIO and CISO Councils, shall develop and release a concept of operations that enables CISA to gain timely access to required data to achieve the objectives described in subsection (c)(i) of this section. The Director of OMB shall oversee the development of this concept of operations to account for agency perspectives and the objectives outlined in this section and shall approve the final concept of operations. This concept of operations shall include:
(A) requirements for FCEB agencies to provide CISA with data of sufficient completeness and on the timeline required to enable CISA to achieve the objectives described in subsection (c)(i) of this section;
(B) requirements for CISA to provide FCEB agencies with advanced notification when CISA directly accesses agency EDR solutions to obtain required telemetry;
(C) specific use cases for which agencies may provide telemetry data subject to the requirements in subsection (c)(ii)(A) of this section as opposed to direct access to EDR solutions by CISA;
(D) high-level technical and policy control requirements to govern CISA access to agency EDR solutions that conform with widely accepted cybersecurity principles, including role-based access controls, “least privilege,” and separation of duties;
(E) specific protections for highly sensitive agency data that is subject to statutory, regulatory, or judicial restrictions to protect confidentiality or integrity; and
(F) an appendix to the concept of operations that identifies and addresses certain types of specific use cases under subsection (c)(ii)(C) of this section that apply to the Department of Justice, including certain categories of information described in subsections (c)(vi) and (c)(vii) of this section, and requires the Department of Justice’s concurrence on the terms of the appendix prior to implementation of the concept of operations on the Department of Justice’s or its subcomponents’ networks.
(iii) In undertaking the activities described in subsection (c) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall only make a change to an agency network, system, or data when such change is required for threat hunting by CISA, including access to the EDR tools described in subsection (c)(ii) of this section, or in furtherance of its authority to conduct threat hunting as authorized under 44 U.S.C. 3553(b)(7), unless otherwise authorized by the agency.
(iv) Within 30 days of the release of the concept of operations described in subsection (c)(ii) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall establish working groups, open to all agencies, to develop and release specific technical controls that achieve the objectives set forth in subsection (c)(ii) of this section and to work with EDR solution providers to implement those controls in FCEB agency deployments of EDR solutions. The Secretary of Homeland Security, acting through the Director of CISA, shall, at a minimum, establish a working group for each EDR solution authorized by CISA for use in the CISA Continuous Diagnostic and Mitigation Program. Each working group shall be open to all agencies and include at least one representative from an FCEB agency employing the designated EDR solution.
(v) Within 180 days of the release of the technical controls described in subsection (c)(iv) of this section, the heads of FCEB agencies shall enroll endpoints using an EDR solution covered by those controls in the CISA Persistent Access Capability program.
(vi) Within 90 days of the date of this order, and periodically thereafter as needed, the heads of FCEB agencies shall provide to CISA a list of systems, endpoints, and data sets that require additional controls or periods of non-disruption to ensure that CISA’s threat-hunting activities do not disrupt mission-critical operations, along with an explanation of those operations.
(vii) In cases in which agency data is subject to statutory, regulatory, or judicial access restrictions, the Director of CISA shall comply with agency processes and procedures required to access such data or work with the agency to develop an appropriate administrative accommodation consistent with any such restrictions so that the data is not subject to unauthorized access or use.
(viii) Nothing in this order requires an agency to provide access to information that is protected from non-disclosure by court order or otherwise required to be kept confidential in connection with a judicial proceeding.
(b) The security of Federal information systems relies on the security of the Government’s cloud services. Within 90 days of the date of this order, the Administrator of General Services, acting through the Director of the Federal Risk and Authorization Management Program (FedRAMP), in coordination with the Secretary of Commerce, acting through the Director of NIST, and the Secretary of Homeland Security, acting through the Director of CISA, shall develop FedRAMP policies and practices to incentivize or require cloud service providers in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.
(c) As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments. In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that Federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation.
(i) Within 180 days of the date of this order, the Secretary of the Interior, acting through the Director of the United States Geological Survey; the Secretary of Commerce, acting through the Under Secretary of Commerce for Oceans and Atmosphere and the Administrator of the National Oceanic and Atmospheric Administration; and the Administrator of the National Aeronautics and Space Administration shall each review the civil space contract requirements in the FAR and recommend to the FAR Council and other appropriate agencies updates to civil space cybersecurity requirements and relevant contract language. The recommended cybersecurity requirements and contract language shall use a risk-based, tiered approach for all new civil space systems. Such requirements shall be designed to apply at minimum to the civil space systems’ on-orbit segments and link segments. The requirements shall address the following elements for the highest-risk tier and, as appropriate, other tiers:
(A) protection of command and control of the civil space system, including backup or failover systems, by:
(1) encrypting commands to protect the confidentiality of communications;
(2) ensuring commands are not modified in transit;
(3) ensuring an authorized party is the source of commands; and
(4) rejecting unauthorized command and control attempts;
(B) establishment of methods to detect, report, and recover from anomalous network or system activity; and
(C) use of secure software and hardware development practices, consistent with the NIST SSDF or any successor documents.
(ii) Within 180 days of receiving the recommended contract language described in subsection (e)(i) of this section, the FAR Council shall review the proposal and, as appropriate and consistent with applicable law, the agency members of the FAR Council shall jointly take steps to amend the FAR.
(iii) Within 120 days of the date of this order, the National Cyber Director shall submit to OMB a study of space ground systems owned, managed, or operated by FCEB agencies. This study shall include:
(A) an inventory of space ground systems;
(B) whether each space ground system is classified as a major information system under 44 U.S.C. 3505(c), labeled “Inventory of major information systems”; and
(C) recommendations to improve the cyber defenses and oversight of such space ground systems.
(iv) Within 90 days of the submission of the study described in subsection (e)(iii) of this section, the Director of OMB shall take appropriate steps to help ensure that space ground systems owned, managed, or operated by FCEB agencies comply with relevant cybersecurity requirements issued by OMB.
Sec. 4. Securing Federal Communications. (a) To improve the security of Federal Government communications against adversarial nations and criminals, the Federal Government must implement, to the extent practicable and consistent with mission needs, strong identity authentication and encryption using modern, standardized, and commercially available algorithms and protocols.
(b) The security of Internet traffic depends on data being correctly routed and delivered to the intended recipient network. Routing information originated and propagated across the Internet, utilizing the Border Gateway Protocol (BGP), is vulnerable to attack and misconfiguration.
(i) Within 90 days of the date of this order, FCEB agencies shall take steps to ensure that all of their assigned Internet number resources (Internet Protocol (IP) address blocks and Autonomous System Numbers) are covered by a Registration Services Agreement with the American Registry for Internet Numbers or another appropriate regional Internet registry. Thereafter, FCEB agencies shall annually review and update in their regional Internet registry accounts organizational identifiers related to assigned number resources such as organization names, points of contact, and associated email addresses.
(ii) Within 120 days of the date of this order, all FCEB agencies that hold IP address blocks shall create and publish Route Origin Authorizations in the public Resource Public Key Infrastructure repository hosted or delegated by the American Registry for Internet Numbers or the appropriate regional Internet registry for the IP address blocks they hold.
(iii) Within 120 days of the date of this order, the National Cyber Director, in coordination with the heads of other agencies as appropriate, shall recommend contract language to the FAR Council to require contracted providers of Internet services to agencies to adopt and deploy Internet routing security technologies, including publishing Route Origin Authorizations and performing Route Origin Validation filtering. The recommended language shall include requirements or exceptions, as appropriate, for agency contracts regarding overseas operations and overseas local service providers. Within 270 days of receiving these recommendations, the FAR Council shall review the recommended contract language and, as appropriate and consistent with applicable law, the agency members of the FAR Council shall jointly take steps to amend the FAR. Pending any such amendments to the FAR, individual agencies are encouraged to include such requirements in future contracts, consistent with applicable law.
(c) Encrypting Domain Name System (DNS) traffic in transit is a critical step to protecting both the confidentiality of the information being transmitted to, and the integrity of the communication with, the DNS resolver.
(i) Within 90 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, shall publish template contract language requiring that any product that acts as a DNS resolver (whether client or server) for the Federal Government support encrypted DNS and shall recommend that language to the FAR Council. Within 120 days of receiving the recommended language, the FAR Council shall review it, and, as appropriate and consistent with applicable law, the agency members of the FAR Council shall jointly take steps to amend the FAR.
(ii) Within 180 days of the date of this order, FCEB agencies shall enable encrypted DNS protocols wherever their existing clients and servers support those protocols. FCEB agencies shall also enable such protocols within 180 days of any additional clients and servers supporting such protocols.
(d) The Federal Government must encrypt email messages in transport and, where practical, use end-to-end encryption in order to protect messages from compromise.
(i) Within 120 days of the date of this order, each FCEB agency shall technically enforce encrypted and authenticated transport for all connections between the agency’s email clients and their associated email servers.
(e) Modern communications such as voice and video conferencing and instant messaging are usually encrypted at the link level but often are not encrypted end-to-end. Within 180 days of the date of this order, to advance the security of Internet-based voice and video conferencing and instant messaging, the Director of OMB, in coordination with the Secretary of Homeland Security, acting through the Director of CISA; the Secretary of Defense, acting through the Director of the National Security Agency (NSA); the Secretary of Commerce, acting through the Director of NIST; the Archivist of the United States, acting through the Chief Records Officer for the United States Government; and the Administrator of General Services shall take appropriate steps to require agencies to:
(i) enable transport encryption by default; and
(ii) where technically supported, use end-to-end encryption by default while maintaining logging and archival capabilities that allow agencies to fulfill records management and accountability requirements.
(f) Alongside their benefits, quantum computers pose significant risk to the national security, including the economic security, of the United States. Most notably, a quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer (CRQC) — will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world. In National Security Memorandum 10 of May 4, 2022 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems), I directed the Federal Government to prepare for a transition to cryptographic algorithms that would not be vulnerable to a CRQC.
(i) Within 180 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.
(ii) Within 90 days of a product category being placed on the list described in subsection (f)(i) of this section, agencies shall take steps to include in any solicitations for products in that category a requirement that products support PQC.
(iii) Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support being provided by network security products and services already deployed in their network architectures.
(iv) Within 90 days of the date of this order, the Secretary of State and the Secretary of Commerce, acting through the Director of NIST and the Under Secretary for International Trade, shall identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST.
(v) Within 180 days of the date of this order, to prepare for transition to PQC, the Secretary of Defense with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.
(g) The Federal Government should take advantage of commercial security technologies and architectures, such as hardware security modules, trusted execution environments, and other isolation technologies, to protect and audit access to cryptographic keys with extended lifecycles.
(i) Within 270 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Homeland Security, acting through the Director of CISA, and the Administrator of General Services shall develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers.
(ii) Within 60 days of the publication of the guidelines described in subsection (g)(i) of this section, the Administrator of General Services, acting through the FedRAMP Director, in consultation with the Secretary of Commerce, acting through the Director of NIST, and the Secretary of Homeland Security, acting through the Director of CISA, shall develop updated FedRAMP requirements, incorporating the guidelines described in subsection (g)(i) of this section, as appropriate and consistent with guidance issued by the Director of OMB, concerning cryptographic key management security practices.
(iii) Within 60 days of the publication of the guidelines described in subsection (g)(i) of this section, the Director of OMB, in consultation with the Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Administrator of General Services shall take appropriate steps to require FCEB agencies to follow best practices concerning the protection and management of hardware security modules, trusted execution environments, or other isolation technologies for access tokens and cryptographic keys used by cloud service providers in the provision of services to agencies.
Sec. 5. Promoting Security with and in Artificial Intelligence. Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.
(a) Within 180 days of the date of the completion of the Defense Advanced Research Projects Agency’s 2025 Artificial Intelligence Cyber Challenge, the Secretary of Energy, in coordination with the Secretary of Defense, acting through the Director of the Defense Advanced Research Projects Agency, and the Secretary of Homeland Security, shall launch a pilot program, involving collaboration with private sector critical infrastructure entities as appropriate and consistent with applicable law, on the use of AI to enhance cyber defense of critical infrastructure in the energy sector, and conduct an assessment of the pilot program upon its completion. This pilot program, and accompanying assessment, may include vulnerability detection, automatic patch management, and the identification and categorization of anomalous and malicious activity across information technology (IT) or operational technology systems.
(b) Within 270 days of the date of this order, the Secretary of Defense shall establish a program to use advanced AI models for cyber defense.
(c) Within 150 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the National Science Foundation (NSF) shall each prioritize funding for their respective programs that encourage the development of large-scale, labeled datasets needed to make progress on cyber defense research, and ensure that existing datasets for cyber defense research have been made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security.
(d) Within 150 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the NSF shall prioritize research on the following topics:
(i) human-AI interaction methods to assist defensive cyber analysis;
(ii) security of AI coding assistance, including security of AI-generated code;
(iii) methods for designing secure AI systems; and
(iv) methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems.
(e) Within 150 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with the Director of OMB, shall incorporate management of AI software vulnerabilities and compromises into their respective agencies’ existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.
Sec. 6. Aligning Policy to Practice. (a) IT infrastructure and networks that support agencies’ critical missions need to be modernized. Agencies’ policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks.
(i) Within 3 years of the date of this order, the Director of OMB shall issue guidance, including any necessary revision to OMB Circular A-130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks. This guidance shall, at a minimum:
(A) outline expectations for agency cybersecurity information sharing and exchange, enterprise visibility, and accountability for enterprise-wide cybersecurity programs by agency CISOs;
(B) revise OMB Circular A-130 to be less technically prescriptive in key areas, where appropriate, to more clearly promote the adoption of evolving cybersecurity best practices across Federal systems, and to include migration to zero trust architectures and implementation of critical elements such as EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication; and
(C) address how agencies should identify, assess, respond to, and mitigate risks to mission essential functions presented by concentration of IT vendors and services.
(ii) The Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Director of OMB shall establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity.
(b) Managing cybersecurity risks is now a part of everyday industry practice and should be expected for all types of businesses. Minimum cybersecurity requirements can make it costlier and harder for threat actors to compromise networks. Within 240 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall evaluate common cybersecurity practices and security control outcomes that are commonly used or recommended across industry sectors, international standards bodies, and other risk management programs, and based on that evaluation issue guidance identifying minimum cybersecurity practices. In developing this guidance, the Secretary of Commerce, acting through the Director of NIST, shall solicit input from the Federal Government, the private sector, academia, and other appropriate actors.
(c) Agencies face multiple cybersecurity risks when purchasing products and services. While agencies have already made significant advances to improve their supply chain risk management, additional actions are needed to keep pace with the evolving threat landscape. Within 180 days of the issuance of the guidance described in subsection (b) of this section, the FAR Council shall review the guidance and, as appropriate and consistent with applicable law, the agency members of the FAR Council shall jointly take steps to amend the FAR to:
(i) require that contractors with the Federal Government follow applicable minimum cybersecurity practices identified in NIST’s guidance pursuant to subsection (b) of this section with respect to work performed under agency contracts or when developing, maintaining, or supporting IT services or products that are provided to the Federal Government; and
(ii) adopt requirements for agencies to, by January 4, 2027, require vendors to the Federal Government of consumer Internet-of-Things products, as defined by 47 C.F.R. 8.203(b), to carry United States Cyber Trust Mark labeling for those products.
Sec. 7. National Security Systems and Debilitating Impact Systems. (a) Except as specifically provided for in section 4(f)(v) of this order, sections 1 through 7 of this order shall not apply to Federal information systems that are NSS or are otherwise identified by the Department of Defense or the Intelligence Community as debilitating impact systems.
(b) Within 90 days of the date of this order, to help ensure that NSS and debilitating impact systems are protected with the most advanced security measures, the Secretary of Defense, acting through the Director of NSA as the National Manager for National Security Systems (National Manager), in coordination with the Director of National Intelligence and the Committee on National Security Systems (CNSS), and in consultation with the Director of OMB and the Assistant to the President for National Security Affairs (APNSA), shall develop requirements for NSS and debilitating impact systems that are consistent with the requirements set forth in this order, as appropriate and consistent with applicable law. The Secretary of Defense may grant exceptions to such requirements in circumstances necessitated by unique mission needs. Such requirements shall be incorporated into a proposed National Security Memorandum, to be submitted to the President through the APNSA.
(c) To help protect space NSS with cybersecurity measures that keep pace with emerging threats, within 210 days of the date of this order, the CNSS shall review and update, as appropriate, relevant policies and guidance regarding space system cybersecurity. In addition to appropriate updates, the CNSS shall identify and address appropriate requirements to implement cyber defenses on Federal Government-procured space NSS.
(d) To enhance the effective governance and oversight of Federal information systems, within 90 days of the date of this order, the Director of OMB shall issue guidance as appropriate requiring agencies to inventory all major information systems and provide the inventory to CISA, the Department of Defense, or the National Manager, as applicable, which shall each maintain a registry of agency inventories within their purview. CISA, the Department of Defense CIO, and the National Manager will share their inventories as appropriate to identify gaps or overlaps in oversight coverage. This guidance shall not apply to elements of the Intelligence Community.
(e) Nothing in this order alters the authorities and responsibilities granted in law or policy to the Director of National Intelligence, the Secretary of Defense, and the National Manager over applicable systems pursuant to the National Security Act of 1947 (Public Law 80-253), the Federal Information Security Modernization Act of 2014 (Public Law 113-283), National Security Directive 42 of July 5, 1990 (National Policy for the Security of National Security Telecommunications and Information Systems), or National Security Memorandum 8 of January 19, 2022 (Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems).
Sec. 8. Additional Steps to Combat Significant Malicious Cyber-Enabled Activities. Because I find that additional steps must be taken to deal with the national emergency with respect to significant malicious cyber-enabled activities declared in Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended by Executive Order 13757 of December 28, 2016 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), and further amended by Executive Order 13984 of January 19, 2021 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), to protect against the growing and evolving threat of malicious cyber-enabled activities against the United States and United States allies and partners, including the increasing threats by foreign actors of unauthorized access to critical infrastructure, ransomware, and cyber-enabled intrusions and sanctions evasion, I hereby order that section 1(a) of Executive Order 13694 is further amended to read as follows:
“Section 1. (a) All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in:
(i) the persons listed in the Annex to this order;
(ii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve:
(A) harming, or otherwise compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) causing a disruption to the availability of a computer or network of computers or compromising the integrity of the information stored on a computer or network of computers;
(D) causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
(E) tampering with, altering, or causing a misappropriation of information with the purpose of or that involves interfering with or undermining election processes or institutions; or
(F) engaging in a ransomware attack, such as extortion through malicious use of code, encryption, or other activity to affect the confidentiality, integrity, or availability of data or a computer or network of computers, against a United States person, the United States, a United States ally or partner or a citizen, national, or entity organized under the laws thereof; or
(iii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State:
(A) to be responsible for or complicit in, or to have engaged in, directly or indirectly, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information is reasonably likely to result in, or has materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States;
(B) to be responsible for or complicit in, or to have engaged in, directly or indirectly, activities related to gaining or attempting to gain unauthorized access to a computer or network of computers of a United States person, the United States, a United States ally or partner or a citizen, national, or entity organized under the laws thereof, where such efforts originate from or are directed by persons located, in whole or substantial part, outside the United States and are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
(C) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activity described in subsections (a)(ii) or (a)(iii)(A) or (B) of this section or any person whose property and interests in property are blocked pursuant to this order;
(D) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order or that has engaged in any activity described in subsections (a)(ii) or (a)(iii)(A)-(C) of this section;
(E) to have attempted to engage in any of the activities described in subsections (a)(ii) and (a)(iii)(A)-(D) of this section; or
(F) to be or have been a leader, official, senior executive officer, or member of the board of directors of any person whose property and interests in property are blocked pursuant to this order or that has engaged in any activity described in subsections (a)(ii) or (a)(iii)(A)-(E) of this section.”
Sec. 9. Definitions. For purposes of this order:
(a) The term “agency” has the meaning ascribed to it under 44 U.S.C. 3502(1), except for the independent regulatory agencies described in 44 U.S.C. 3502(5).
(b) The term “artifact” means a record or data that is generated manually or by automated means and may be used to demonstrate compliance with defined practices, including for secure software development.
(c) The term “artificial intelligence” or “AI” has the meaning set forth in 15 U.S.C. 9401(3).
(d) The term “AI system” means any data system, software, hardware, application, tool, or utility that operates in whole or in part using AI.
(e) The term “authentication” means the process of determining the validity of one or more authenticators, such as a password, used to claim a digital identity.
(f) The term “Border Gateway Protocol” or “BGP” means the control protocol used to distribute and compute paths between the tens of thousands of autonomous networks that constitute the Internet.
(g) The term “consumer Internet-of-Things products” means Internet-of-Things products intended primarily for consumer use, rather than enterprise or industrial use. Consumer Internet-of-Things products do not include medical devices regulated by the United States Food and Drug Administration or motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration.
(h) The term “cyber incident” has the meaning given to the term “incident” under 44 U.S.C. 3552(b)(2).
(i) The term “debilitating impact systems” means systems as described by 44 U.S.C. 3553(e)(2) and 3553(e)(3) for Department of Defense and Intelligence Community purposes, respectively.
(j) The term “digital identity document” means an electronic, reusable, cryptographically verifiable identity credential issued by a Government source, such as a State-issued mobile driver’s license or an electronic passport.
(k) The term “digital identity verification” means identity verification that a user performs online.
(l) The term “endpoint” means any device that can be connected to a computer network creating an entry or exit point for data communications. Examples of endpoints include desktop and laptop computers, smartphones, tablets, servers, workstations, virtual machines, and consumer Internet-of-Things products.
(m) The term “endpoint detection and response” means cybersecurity tools and capabilities that combine real-time continuous monitoring and collection of endpoint data (for example, networked computing devices such as workstations, mobile phones, servers) with rules-based automated response and analysis capabilities.
(n) The term “Federal Civilian Executive Branch agencies” or “FCEB agencies” includes all agencies except for the agencies and other components in the Department of Defense and agencies in the Intelligence Community.
(o) The term “Federal information system” means an information system used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency.
(p) The term “Government-operated identity verification system” means a system owned and operated by a Federal, State, local, Tribal, or territorial Government entity that performs identity verification, including single-agency systems and shared services that provide service to multiple agencies.
(q) The term “hardware root of trust” means an inherently trusted combination of hardware and firmware that helps to maintain the integrity of information.
(r) The term “hybrid key establishment” means a key establishment scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes.
(s) The term “identity verification” means the process of collecting identity information or evidence, validating its legitimacy, and confirming that it is associated with the real person providing it.
(t) The term “Intelligence Community” has the meaning given to it under 50 U.S.C. 3003(4).
(u) The term “key establishment” means the process by which a cryptographic key is securely shared between two or more entities.
(v) The term “least privilege” means the principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
(w) The term “machine-readable” means that the product output is in a structured format that can be consumed by another program using consistent processing logic.
(x) The term “national security systems” or “NSS” has the meaning given to it under 44 U.S.C. 3552(b)(6).
(y) The term “patch” means a software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.
(z) The term “rules-as-code approach” means a coded version of rules (for example, those contained in legislation, regulation, or policy) that can be understood and used by a computer.
(aa) The term “secure booting” means a security feature that prevents malicious software from running when a computer system starts up. The security feature performs a series of checks during the boot sequence that helps ensure only trusted software is loaded.
(bb) The term “security control outcome” means the results of the performance or non-performance of safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
(cc) The term “zero trust architecture” has the meaning given to it in Executive Order 14028.
Sec. 10. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented in a manner consistent with applicable law and subject to the availability of appropriations.
(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
JOSEPH R. BIDEN JR.
THE WHITE HOUSE,
January 16, 2025.