Slak.me

Independent Executive Order Analysis

Executive Order—Strengthening and Promoting Innovation in the Nation's Cybersecurity

Honest Title:

Cyber EO: Expanding Surveillance Powers

Document Details
Constitutional Risk: 6/10 (Elevated Risk)
Signed by: Joseph R. Biden, Jr.
Signed: 1/16/2025
Last Updated: 3/11/2026
Executive Order
Summary

This order strengthens US cyber defenses via new standards for software, systems, and communications. It mandates secure practices, improves threat detection, enhances encryption, and promotes AI. It also targets cybercrime and fraud, updating sanctions for malicious cyber activity.

Updates

Recent Updates and Developments: Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity

This timeline tracks the implementation of the January 15, 2025, Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. As the order is recent, these entries reflect mandated deadlines and anticipated milestones.

  • January 15, 2025:

    • The Executive Order—Strengthening and Promoting Innovation in the Nation's Cybersecurity was signed.
    • This order focuses on enhancing national cybersecurity through several key areas: supply chain security for software, improvements to federal systems, securing federal communications, and combating cybercrime.
  • Anticipated by March 16, 2025 (Within 60 days of the order):

    • The Secretary of Commerce, through NIST, will establish a consortium with industry to develop guidance for secure software development practices, based on NIST Special Publication 800-218 (Secure Software Development Framework (SSDF)).
    • CISA is tasked with evaluating methods for secure software development attestations and providing guidance to software providers on submission to CISA's RSAA website.
  • Anticipated by April 15, 2025 (Within 90 days of the order):

    • NIST will update Special Publication 800-53 (Security and Privacy Controls) to include guidance on secure patch and update deployment.
    • Federal Civilian Executive Branch (FCEB) agencies must begin ensuring the security of their Internet number resources (IP addresses and Autonomous System Numbers) through the implementation of routing security protocols, such as Resource Public Key Infrastructure (RPKI), to prevent BGP hijacking.
    • The goal is for FedRAMP, in coordination with NIST and CISA, to develop policies that incentivize or require cloud service providers in the FedRAMP Marketplace to produce secure configuration baselines for agency cloud systems.
    • OMB, coordinating with NIST, GSA, and the Federal Acquisition Security Council (FASC), will take steps to require agencies to comply with NIST Special Publication 800-161 (Cybersecurity Supply Chain Risk Management Practices) and mandate annual implementation updates.
    • The Department of Defense, through the NSA, is directed to develop cybersecurity requirements for National Security Systems (NSS) and debilitating impact systems (systems where a cyber incident would result in debilitating effects on national security, the economy, or public health).
    • The Department of Justice, in coordination with the Department of State, will establish a joint task force and international engagement framework dedicated to combating transnational cybercrime.
  • Anticipated by May 15, 2025 (Within 120 days of the order):

    • CISA and OMB plan to jointly issue recommendations to agencies regarding security assessments and patching of open-source software, alongside best practices for contributing to open-source projects.
    • The National Cyber Director will submit a study of space ground systems owned or managed by FCEB agencies to OMB.
  • Anticipated by June 14, 2025 (Within 150 days of the order):

    • The Departments of Commerce, Energy, and Homeland Security, along with the NSF, are directed to prioritize funding for programs that develop large-scale datasets for cyber defense research and ensure the accessibility of existing datasets to the research community.
    • The Departments of Defense and Homeland Security, and the Director of National Intelligence, will integrate AI software vulnerability management into their existing processes.
  • Anticipated by July 14, 2025 (Within 180 days of the order):

    • NIST is scheduled to develop and publish a preliminary update to the SSDF.
    • The Departments of the Interior and Commerce, along with NASA, will review civil space contract requirements and recommend updates to civil space cybersecurity requirements to the FAR Council.
    • CISA, coordinating with the Federal CIO and CISO Councils, is tasked with releasing a concept of operations enabling CISA to access data from FCEB agency endpoint detection and response (EDR) solutions and security operation centers.
    • The Department of Energy, alongside the Departments of Defense and Homeland Security, will launch a pilot program utilizing AI to enhance the cyber defense of critical infrastructure in the energy sector.
    • The FAR Council will review guidance and potentially amend the Federal Acquisition Regulation (FAR) based on the Executive Order.

These first six months represent the foundational phase of the Executive Order's multi-year implementation strategy.

Ongoing Monitoring:

Because the Executive Order is new, formal implementation reports and legal analyses are still developing. Key areas to monitor include agency plans, NIST publication updates, and expert feedback. Specific developments to watch include:

  • Agency implementation plans and guidance documents.
  • Updates to NIST Special Publications related to cybersecurity.
  • Any legal challenges or court decisions related to the order.
  • Feedback and analysis from industry and cybersecurity experts.