JANUARY 16, 2025
Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity.
By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered as follows:
Section 1. Policy. Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the Nation’s cybersecurity against these threats.
Building on the foundational steps I directed in Executive Order 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy, I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China. Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector are especially critical to improvement of the Nation’s cybersecurity.
[…]
Sec. 9. Additional Steps to Combat Significant Malicious Cyber-Enabled Activities. Because I find that additional steps must be taken to deal with the national emergency with respect to significant malicious cyber-enabled activities declared in Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended by Executive Order 13757 of December 28, 2016 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), and further amended by Executive Order 13984 of January 19, 2021 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), to protect against the growing and evolving threat of malicious cyber-enabled activities against the United States and United States allies and partners, including the increasing threats by foreign actors of unauthorized access to critical infrastructure, ransomware, and cyber-enabled intrusions and sanctions evasion, I hereby order that section 1(a) of Executive Order 13694 is further amended to read as follows:
“Section 1. (a) All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in:
(i) the persons listed in the Annex to this order;
(ii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve:
(A) harming, or otherwise compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) causing a disruption to the availability of a computer or network of computers or compromising the integrity of the information stored on a computer or network of computers;
(D) causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
(E) tampering with, altering, or causing a misappropriation of information with the purpose of or that involves interfering with or undermining election processes or institutions; or
(F) engaging in a ransomware attack, such as extortion through malicious use of code, encryption, or other activity to affect the confidentiality, integrity, or availability of data or a computer or network of computers, against a United States person, the United States, a United States ally or partner or a citizen, national, or entity organized under the laws thereof; or
(iii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State:
(A) to be responsible for or complicit in, or to have engaged in, directly or indirectly, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information is reasonably likely to result in, or has materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States;
(B) to be responsible for or complicit in, or to have engaged in, directly or indirectly, activities related to gaining or attempting to gain unauthorized access to a computer or network of computers of a United States person, the United States, a United States ally or partner or a citizen, national, or entity organized under the laws thereof, where such efforts originate from or are directed by persons located, in whole or substantial part, outside the United States and are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
(C) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activity described in subsections (a)(ii) or (a)(iii)(A) or (B) of this section or any person whose property and interests in property are blocked pursuant to this order;
(D) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order or that has engaged in any activity described in subsections (a)(ii) or (a)(iii)(A) – (C) of this section;
(E) to have attempted to engage in any of the activities described in subsections (a)(ii) and (a)(iii)(A)-(D) of this section; or
(F) to be or have been a leader, official, senior executive officer, or member of the board of directors of any person whose property and interests in property are blocked pursuant to this order or that has engaged in any activity described in subsections (a)(ii) or (a)(iii)(A) – (E) of this section.”
Sec. 10. Definitions. For purposes of this order:
(a) The term “agency” has the meaning ascribed to it under 44 U.S.C. 3502(1), except for the independent regulatory agencies described in 44 U.S.C. 3502(5).
(b) The term “artifact” means a record or data that is generated manually or by automated means and may be used to demonstrate compliance with defined practices, including for secure software development.
(c) The term “artificial intelligence” or “AI” has the meaning set forth in 15 U.S.C. 9401(3).
(d) The term “AI system” means any data system, software, hardware, application, tool, or utility that operates in whole or in part using AI.
(e) The term “authentication” means the process of determining the validity of one or more authenticators, such as a password, used to claim a digital identity.
(f) The term “Border Gateway Protocol” or “BGP” means the control protocol used to distribute and compute paths between the tens of thousands of autonomous networks that constitute the Internet.
(g) The term “consumer Internet-of-Things products” means Internet-of-Things products intended primarily for consumer use, rather than enterprise or industrial use. Consumer Internet-of-Things products do not include medical devices regulated by the United States Food and Drug Administration or motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration.
(h) The term “cyber incident” has the meaning given to the term “incident” under 44 U.S.C. 3552(b)(2).
(i) The term “debilitating impact systems” means systems as described by 44 U.S.C. 3553(e)(2) and 3553(e)(3) for Department of Defense and Intelligence Community purposes, respectively.
(j) The term “digital identity document” means an electronic, reusable, cryptographically verifiable identity credential issued by a Government source, such as a State-issued mobile driver’s license or an electronic passport.
(k) The term “digital identity verification” means identity verification that a user performs online.
(l) The term “endpoint” means any device that can be connected to a computer network creating an entry or exit point for data communications. Examples of endpoints include desktop and laptop computers, smartphones, tablets, servers, workstations, virtual machines, and consumer Internet-of-Things products.
(m) The term “endpoint detection and response” means cybersecurity tools and capabilities that combine real-time continuous monitoring and collection of endpoint data (for example, networked computing device such as workstations, mobile phones, servers) with rules-based automated response and analysis capabilities.
(n) The term “Federal Civilian Executive Branch agencies” or “FCEB agencies” includes all agencies except for the agencies and other components in the Department of Defense and agencies in the Intelligence Community.
(o) The term “Federal information system” means an information system used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency.
(p) The term “Government-operated identity verification system” means a system owned and operated by a Federal, State, local, Tribal, or territorial Government entity that performs identity verification, including single-agency systems and shared services that provide service to multiple agencies.
(q) The term “hardware root of trust” means an inherently trusted combination of hardware and firmware that helps to maintain the integrity of information.
(r) The term “hybrid key establishment” means a key establishment scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes.
(s) The term “identity verification” means the process of collecting identity information or evidence, validating its legitimacy, and confirming that it is associated with the real person providing it.
(t) The term “Intelligence Community” has the meaning given to it under 50 U.S.C. 3003(4).
(u) The term “key establishment” means the process by which a cryptographic key is securely shared between two or more entities.
(v) The term “least privilege” means the principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
(w) The term “machine-readable” means that the product output is in a structured format that can be consumed by another program using consistent processing logic.
(x) The term “national security systems” or “NSS” has the meaning given to it under 44 U.S.C. 3552(b)(6).
(y) The term “patch” means a software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.
(z) The term “rules-as-code approach” means a coded version of rules (for example, those contained in legislation, regulation, or policy) that can be understood and used by a computer.
(aa) The term “secure booting” means a security feature that prevents malicious software from running when a computer system starts up. The security feature performs a series of checks during the boot sequence that helps ensure only trusted software is loaded.
(bb) The term “security control outcome” means the results of the performance or non-performance of safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
(cc) The term “zero trust architecture” has the meaning given to it in Executive Order 14028.
Sec. 11. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented in a manner consistent with applicable law and subject to the availability of appropriations.
(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
JOSEPH R. BIDEN JR.
THE WHITE HOUSE,
January 16, 2025.
1) On 1-16-25, President Biden's second-to-last business day in office, this EO was issued to amend EO 13694 to add certain designation criteria to the pre-existing EO. In particular, designation criteria for "