Biden’s Comprehensive IT Security Directive for Federal Agencies

US President Joe Biden has issued a directive to enhance IT security across federal agencies. The directive includes a wide range of measures that will impact nearly all government ICT systems. This comprehensive plan took years to prepare and was released just days before the end of Biden’s term.

The directive sets requirements not only for federal agencies but also for their suppliers and service providers, since the agencies' security depends on them. For example, if purchased software doesn't support DNS encryption, the requirement to encrypt DNS traffic cannot be met. Similarly, if a network operator's BGP routers don't validate route origins, the security of data transmission is undermined. And if hardware is compromised before it is installed, later defensive efforts are weakened.

These measures contrast with the deregulation approach of Biden’s successor, Donald Trump, who aims for significant cuts in public services. The directive emphasizes the need to defend against adversaries and criminals, particularly highlighting China as a persistent IT threat to US agencies, the private sector, and critical infrastructure.

“More must be done to protect the nation’s IT security against these threats,” Biden states, continuing previous directives from Barack Obama, Donald Trump, and himself. The strategy aims to hold software and cloud service providers accountable, strengthen communication and identity management systems, and leverage innovative technologies like AI for IT security.

Suppliers will undergo more rigorous monitoring. Biden’s directive outlines steps for various stakeholders, though it primarily affects federal agencies and their contractors. National security systems and critical military facilities are largely exempt, though similar measures are recommended.

Open-source software, which often lacks a formal contract partner, will have guidelines for security assessments, update management, and public sector contributions to projects.

Software suppliers must follow specific security rules during development but often neglect to patch known vulnerabilities. Therefore, agencies will scrutinize their suppliers more closely. New contractual terms and supplier confirmations of compliance with security requirements are mandated. Suppliers must upload data proving compliance, subject to random checks, with results made public to hold negligent providers accountable.

Improved programming methods alone aren’t sufficient. Software deployment and updates, and the security of the final product, must also be addressed. Recommendations from the National Institute of Standards and Technology (NIST) will be updated and made mandatory. This includes the Secure Software Development Framework (SSDF) and Cybersecurity Supply Chain Risk Management Practices.

Agencies must also address their internal practices. Effective management of digital identities and access rights is necessary. Biden specifically mentions enhancing phishing protection through WebAuthn and passkeys. Cloud systems will have predefined security settings.

Previously, Biden mandated that federal agencies share threat information. Now, endpoint detection and response systems will be deployed, with oversight by the IT security agency CISA, except where privacy or security concerns limit information sharing.

For space-related matters, Biden’s directive requires basic security measures: encrypting data transmission, securing against tampering, certifying sources, and rejecting unauthorized commands. Methods to detect and respond to anomalies and secure development practices for hardware and software are also required.

Ground stations must first be inventoried to identify critical assets needing protection. Recommendations for enhanced security and monitoring will be developed for these facilities.