What Does Biden's New Executive Order Mean for Cybersecurity?

In his final days in office, President Biden issued a sweeping executive order to strengthen cybersecurity.

Carrie Pallardy, Contributing Reporter

January 16, 2025

President Joe Biden meets with White House staff in the Oval Office, 2022, to review remarks he will give at an executive order signing. (Official White House Photo by Adam Schultz) American Photo Archive via Alamy Stock Photo

On Jan. 16, just days before leaving office, President Biden issued an executive order on improving the nation’s cybersecurity. The extensive order comes on the heels of the breaches of US Treasury and US telecommunications providers perpetrated by China state-sponsored threat actors.

“Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks,” the order states.  

This new executive order, building on the one Biden issued in 2021, is extensive. It addresses issues ranging from third-party supply chain risks and AI to cybersecurity in space and the risks of quantum computers.  

Could this executive order shape the federal government’s approach to cybersecurity? And how uncertain is its impact under the incoming Trump administration?  

The Executive Order 

The executive order outlines a broad set of initiatives to address nation state threats, improve defense of the nation’s digital infrastructure, drive accountability for software and cloud providers, and promote innovation in cybersecurity. 

Like the 2021 executive order, the newly released order emphasizes the importance of collaboration with the private sector.  

“Since it's an executive order, it's mainly aimed at the federal government. It doesn't directly regulate the private sector,” Jim Dempsey, managing director of the Cybersecurity Law Center at nonprofit International Association of Privacy Professionals (IAPP), tells information. “It indirectly aims to impact private sector cybersecurity by using the government's procurement power.” 

For example, the order directs software vendors working with the federal government to submit machine-readable secure software development attestations through the Cybersecurity and Infrastructure Security Agency (CISA) Repository for Software Attestation and Artifacts (RSAA).  

“If CISA finds that attestations are incomplete or artifacts are insufficient for validating the attestations, the Director of CISA shall notify the software provider and the contracting agency,” according to the order.  

The order also calls for the development of guidelines relating to the secure management of cloud service providers’ access tokens and cryptographic keys. In 2023, a China-backed threat actor stole a cryptographic key, which led to the breach of several government agency Outlook email systems, Wired reports. A stolen key was behind the compromise of BeyondTrust that led to the recent US Treasury breach.

AI, unsurprisingly, doesn’t go untouched by the order. It delves into establishing a program for leveraging AI models for cyber defense.   

The Biden administration also uses the executive order to call attention to cybersecurity threats that may loom larger in the future. The order points to the risks posed by quantum computers and space system cybersecurity concerns.  

Biden’s Cyber Legacy 

The Biden Administration made cybersecurity a priority. In addition to the 2021 executive order on cybersecurity, the administration released a National Cybersecurity Strategy and an implementation plan in 2023.    

The current administration also took sector-specific actions to bolster cybersecurity. For example, Biden issued an executive order focused on maritime cybersecurity.  

Kevin Orr, president of RSA Federal at RSA Security, a network security company, saw a positive response to the Biden Administration’s efforts to improve cybersecurity within the government.  

“I was surprised at how many agencies … have leaned in the last 18 months, especially within the intelligence community, have really adopted basic identity proofing, coming forward with multifactor authentication, and really strengthening their defenses,” Orr shares.  

While the Biden Administration has worked to further cybersecurity, there are questions about adoption of new policies and best practices. Some stakeholders call for more regulatory enforcement.   

“Much like any regulation, people are only going to follow it if there's some type of regulatory teeth to it,” Joe Nicastro, field CTO at software security firm Legit Security, argues.  

Others argue that incentives are more likely to drive adoption of cybersecurity measures.

Cybersecurity is an ongoing national security concern, and the Biden administration is soon passing the torch.  

“I think this administration can leave extremely, extremely proud,” says Dempsey. “Certainly, they are handing over the nation’s cybersecurity to the incoming Trump administration in far better shape than it was four years ago.” 

A New Administration  

While the order could mean big changes in the federal government’s approach to cybersecurity, the timing makes its ultimate impact uncertain. Many of its directives for federal agencies have a long runway, months or years, for compliance. Will the Trump administration enforce the executive order? 

Cybersecurity has largely been painted as a bipartisan issue. And there has been some continuity between the first Trump Administration and the Biden Administration when it comes to cyber policies.  

For example, the Justice Department recently issued a final rule on Biden’s Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” That order charges the Justice Department with establishing a regulatory program to prevent the sale of Americans’ sensitive data to China, Russia, Iran, and other foreign adversaries. That order and subsequent ruling stem from an executive order signed by Trump in 2019.  

Biden’s 2025 cybersecurity executive order puts a spotlight on cyber threats from China, and President-Elect Trump has been vocal about his intention to crack down on those threats. But that does not preclude changes to or dismissal of provisions in Biden’s final cybersecurity executive order.  

“There may be some things that the incoming administration will ignore or deprioritize. I'd be a little surprised if they repealed the order,” says Dempsey.  

CISA was a major player in the Biden administration’s approach to cybersecurity, and it will continue to play a big role if this new executive order rolls out as outlined. But the federal agency has been criticized by several Republican lawmakers. Some have called to limit its power or even shut it down, AP News reports.  

The incoming Trump administration is also expected to take a more hands-off approach to regulation in many areas. Critical infrastructure is consistently at the heart of national cybersecurity conversations, and the majority of critical infrastructure is owned by the private sector.  

“In terms of new regulation aimed at the private sector, I think we probably will not see anything out of the Trump administration,” Dempsey predicts.  

Cybersecurity policy could look different under the Trump administration, but it is likely it will remain at the forefront of national security discussions.  

“I'm hoping that threat of what China is doing with their cybersecurity programs and how they're facilitating attacks against BeyondTrust and US Treasury et cetera, will help continue the progress that we've made within cybersecurity,” says Nicastro.

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.