Page:Executive Order 14144.pdf/1

This page has been proofread, but needs to be validated.
Federal Register / Vol. 90, No. 11 / Friday, January 17, 2025 / Presidential Documents
6755

Presidential Documents

Executive Order 14144 of January 16, 2025

Strengthening and Promoting Innovation in the Nation’s Cybersecurity

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered as follows:

Section 1. Policy. Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the Nation’s cybersecurity against these threats.

Building on the foundational steps I directed in Executive Order 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy, I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China. Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector are especially critical to improvement of the Nation’s cybersecurity.

Sec. 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains. (a) The Federal Government and our Nation’s critical infrastructure rely on software providers. Yet insecure software remains a challenge for both providers and users and makes Federal Government and critical infrastructure systems vulnerable to malicious cyber incidents. The Federal Government must continue to adopt secure software acquisition practices and take steps so that software providers use secure software development practices to reduce the number and severity of vulnerabilities in software they produce.

(b) Executive Order 14028 directed actions to improve the security and integrity of software critical to the Federal Government’s ability to function. Executive Order 14028 directed the development of guidance on secure software development practices and on generating and providing evidence in the form of artifacts—computer records or data that are generated manually or by automated means—that demonstrate compliance with those practices. Additionally, it directed the Director of the Office of Management and Budget (OMB) to require agencies to use only software from providers that attest to using those secure software development practices. In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise. The

This article is issued from Wikisource. The text is available under Creative Commons Attribution-Share Alike 4.0 unless otherwise noted. Additional terms may apply for the media files.