Executive Order 14144
Executive Order 14144 of January 16, 2025
Strengthening and Promoting Innovation in the Nation’s Cybersecurity
By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered as follows:
Section 1. Policy. Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the Nation’s cybersecurity against these threats.
Building on the foundational steps I directed in Executive Order 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy, I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China. Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector are especially critical to improvement of the Nation’s cybersecurity.
Sec. 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains. (a) The Federal Government and our Nation’s critical infrastructure rely on software providers. Yet insecure software remains a challenge for both providers and users and makes Federal Government and critical infrastructure systems vulnerable to malicious cyber incidents. The Federal Government must continue to adopt secure software acquisition practices and take steps so that software providers use secure software development practices to reduce the number and severity of vulnerabilities in software they produce.
(b) Executive Order 14028 directed actions to improve the security and integrity of software critical to the Federal Government’s ability to function. Executive Order 14028 directed the development of guidance on secure software development practices and on generating and providing evidence in the form of artifacts—computer records or data that are generated manually or by automated means—that demonstrate compliance with those practices. Additionally, it directed the Director of the Office of Management and Budget (OMB) to require agencies to use only software from providers that attest to using those secure software development practices. In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise. The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest.
(c) Secure software development practices are not sufficient to address the potential for cyber incidents from resourced and determined nation-state actors. To mitigate the risk of such incidents occurring, software providers must also address how software is delivered and the security of the software itself. The Federal Government must identify a coordinated set of practical and effective security practices to require when it procures software.
(i) Within 60 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
(ii) Within 90 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
(iii) Within 180 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.
(iv) Within 120 days of the final update to the SSDF described in subsection (c)(iii) of this section, the Director of OMB shall incorporate select practices for the secure development and delivery of software contained in NIST’s updated SSDF into the requirements of OMB Memorandum M–22–18 (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) or related requirements.
(v) Within 30 days of the issuance of OMB’s updated requirements described in subsection (c)(iv) of this section, the Director of CISA shall prepare any revisions to CISA’s common form for Secure Software Development Attestation to conform to OMB’s requirements and shall initiate any process required to obtain clearance of the revised form under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.
(d) As agencies have improved their cyber defenses, adversaries have targeted the weak links in agency supply chains and the products and services upon which the Federal Government relies. Agencies need to integrate cybersecurity supply chain risk management programs into enterprisewide risk management activities. Within 90 days of the date of this order, the Director of OMB, in coordination with the Secretary of Commerce, acting through the Director of NIST, the Administrator of General Services, and the Federal Acquisition Security Council (FASC), shall take steps to require, as the Director deems appropriate, that agencies comply with the guidance in NIST Special Publication 800–161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800–161 Revision 1)). OMB shall require agencies to provide annual updates to OMB as they complete implementation. Consistent with SP 800–161 Revision 1, OMB’s requirements shall address the integration of cybersecurity into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration, and performance evaluation.
(e) Open source software plays a critical role in Federal information systems. To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software. Within 120 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, and the Director of OMB, in consultation with the Administrator of General Services and the heads of other agencies as appropriate, shall jointly issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.
Sec. 3. Improving the Cybersecurity of Federal Systems. (a) The Federal Government must adopt proven security practices from industry—to include
- (C) causing a disruption to the availability of a computer or network of computers or compromising the integrity of the information stored on a computer or network of computers;
- (D) causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
- (E) tampering with, altering, or causing a misappropriation of information with the purpose of or that involves interfering with or undermining election processes or institutions; or
- (F) engaging in a ransomware attack, such as extortion through malicious use of code, encryption, or other activity to affect the confidentiality, integrity, or availability of data or a computer or network of computers, against a United States person, the United States, a United States ally or partner or a citizen, national, or entity organized under the laws thereof; or
- (iii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State:
- (A) to be responsible for or complicit in, or to have engaged in, directly or indirectly, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information is reasonably likely to result in, or has materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States;
- (B) to be responsible for or complicit in, or to have engaged in, directly or indirectly, activities related to gaining or attempting to gain unauthorized access to a computer or network of computers of a United States person, the United States, a United States ally or partner or a citizen, national, or entity organized under the laws thereof, where such efforts originate from or are directed by persons located, in whole or substantial part, outside the United States and are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
- (C) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activity described in subsections (a)(ii) or (a)(iii)(A) or (B) of this section or any person whose property and interests in property are blocked pursuant to this order;
- (D) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order or that has engaged in any activity described in subsections (a)(ii) or (a)(iii)(A)–(C) of this section;
- (E) to have attempted to engage in any of the activities described in subsections (a)(ii) and (a)(iii)(A)–(D) of this section; or
- (F) to be or have been a leader, official, senior executive officer, or member of the board of directors of any person whose property and interests in property are blocked pursuant to this order or that has engaged in any activity described in subsections (a)(ii) or (a)(iii)(A) – (E) of this section.’’
Sec. 10. Definitions. For purposes of this order: (a) The term ‘‘agency’’ has the meaning ascribed to it under 44 U.S.C. 3502(1), except for the independent regulatory agencies described in 44 U.S.C. 3502(5).
(b) The term ‘‘artifact’’ means a record or data that is generated manually or by automated means and may be used to demonstrate compliance with defined practices, including for secure software development.
(c) The term ‘‘artificial intelligence’’ or ‘‘AI’’ has the meaning set forth in 15 U.S.C. 9401(3).
(d) The term ‘‘AI system’’ means any data system, software, hardware, application, tool, or utility that operates in whole or in part using AI.
(e) The term ‘‘authentication’’ means the process of determining the validity of one or more authenticators, such as a password, used to claim a digital identity.
(f) The term ‘‘Border Gateway Protocol’’ or ‘‘BGP’’ means the control protocol used to distribute and compute paths between the tens of thousands of autonomous networks that constitute the internet.
(g) The term ‘‘consumer internet-of-Things products’’ means internet-of-Things products intended primarily for consumer use, rather than enterprise or industrial use. Consumer internet-of-Things products do not include medical devices regulated by the United States Food and Drug Administration or motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration.
(h) The term ‘‘cyber incident’’ has the meaning given to the term ‘‘incident’’ under 44 U.S.C. 3552(b)(2).
(i) The term ‘‘debilitating impact systems’’ means systems as described by 44 U.S.C. 3553(e)(2) and 3553(e)(3) for Department of Defense and Intelligence Community purposes, respectively.
(j) The term ‘‘digital identity document’’ means an electronic, reusable, cryptographically verifiable identity credential issued by a Government source, such as a State-issued mobile driver’s license or an electronic passport.
(k) The term ‘‘digital identity verification’’ means identity verification that a user performs online.
(l) The term ‘‘endpoint’’ means any device that can be connected to a computer network creating an entry or exit point for data communications. Examples of endpoints include desktop and laptop computers, smartphones, tablets, servers, workstations, virtual machines, and consumer internet-of-Things products.
(m) The term ‘‘endpoint detection and response’’ means cybersecurity tools and capabilities that combine real-time continuous monitoring and collection of endpoint data (for example, networked computing devices such as workstations, mobile phones, servers) with rules-based automated response and analysis capabilities.
(n) The term ‘‘Federal Civilian Executive Branch agencies’’ or ‘‘FCEB agencies’’ includes all agencies except for the agencies and other components in the Department of Defense and agencies in the Intelligence Community.
(o) The term ‘‘Federal information system’’ means an information system used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency.
(p) The term ‘‘Government-operated identity verification system’’ means a system owned and operated by a Federal, State, local, Tribal, or territorial Government entity that performs identity verification, including single-agency systems and shared services that provide service to multiple agencies.
(q) The term ‘‘hardware root of trust’’ means an inherently trusted combination of hardware and firmware that helps to maintain the integrity of information.
(r) The term ‘‘hybrid key establishment’’ means a key establishment scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes.
(s) The term ‘‘identity verification’’ means the process of collecting identity information or evidence, validating its legitimacy, and confirming that it is associated with the real person providing it.
(t) The term ‘‘Intelligence Community’’ has the meaning given to it under 50 U.S.C. 3003(4).
(u) The term ‘‘key establishment’’ means the process by which a cryptographic key is securely shared between two or more entities.
(v) The term ‘‘least privilege’’ means the principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
(w) The term ‘‘machine-readable’’ means that the product output is in a structured format that can be consumed by another program using consistent processing logic.
(x) The term ‘‘national security systems’’ or ‘‘NSS’’ has the meaning given to it under 44 U.S.C. 3552(b)(6).
(y) The term ‘‘patch’’ means a software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.
(z) The term ‘‘rules-as-code approach’’ means a coded version of rules (for example, those contained in legislation, regulation, or policy) that can be understood and used by a computer.
(aa) The term ‘‘secure booting’’ means a security feature that prevents malicious software from running when a computer system starts up. The security feature performs a series of checks during the boot sequence that helps ensure only trusted software is loaded.
(bb) The term ‘‘security control outcome’’ means the results of the performance or non-performance of safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
(cc) The term ‘‘zero trust architecture’’ has the meaning given to it in Executive Order 14028.
Sec. 11. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(b) This order shall be implemented in a manner consistent with applicable law and subject to the availability of appropriations.
(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

THE WHITE HOUSE,
January 16, 2025.
This work is in the public domain in the United States because it is a work of the United States federal government (see 17 U.S.C. 105).