Elevating Federal Cybersecurity: New Executive Order Prioritizes Phishing-Resistant Authentication for Federal Agencies

Written by Jing Gu
Published on Jan 16, 2025

President Biden's Executive Order on January 16, 2025, ushers in a significant shift in the cybersecurity landscape for Federal Civilian Executive Branch (FCEB) agencies. This comprehensive order recognizes the evolving sophistication of cyber threats, particularly from adversaries like China, and outlines a multi-pronged approach to fortifying federal systems.

The order's emphasis on robust authentication practices underscores a commitment to securing critical government functions. By mandating specific actions to improve authentication mechanisms, the executive order aims to create a more resilient and secure digital environment for FCEB agencies.

This blog focuses specifically on the order's guidelines as they relate to Section 3.

Phishing-Resistant Authentication: A New Standard for Federal Agencies

The executive order sets a clear directive for FCEB agencies: adopt phishing-resistant authentication.

This mandate signals a move away from traditional, vulnerable authentication methods, like passwords, towards more secure alternatives. Citing OMB and CISA guidelines, this executive order specifically calls out the need to prioritize investments in "innovative identity technologies and processes of the future and phishing-resistant authentication options."

Key takeaways:

• Pilot Deployments: Agencies are required to initiate pilot deployments of phishing-resistant technologies, such as WebAuthn. This technology leverages cryptographic keys and digital certificates to provide a more secure and robust alternative to traditional password-based authentication methods. These pilots will serve as valuable testing grounds, informing future federal identity and access management strategies.

• Prioritizing Innovation: The emphasis on modern, commercially available authentication solutions reflects a commitment to leveraging industry best practices and innovation to enhance federal cybersecurity.

Additional Section 3 Mandates

Enhanced Threat Detection and Response

The order recognizes the crucial role of the Cybersecurity and Infrastructure Security Agency (CISA) in safeguarding federal networks. To enhance CISA's capabilities, the order directs the agency to develop the technical means to access data from agency endpoint detection and response (EDR) solutions and security operations centers.

Secure Cloud Configurations

As federal agencies increasingly rely on cloud services, securing these environments becomes paramount. The order directs the Administrator of General Services, acting through the Federal Risk and Authorization Management Program (FedRAMP), to develop policies and practices that incentivize or require cloud service providers in the FedRAMP Marketplace to offer secure baselines and configurations for agency cloud systems. This measure aims to elevate the default security posture of cloud deployments and safeguard sensitive federal data in the cloud.

Conclusion

The Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity addresses the growing cyber threats the United States faces from adversarial countries and criminals. Section 3 of the order specifically emphasizes the need to hold software and cloud service providers accountable, strengthen the security of federal communications and identity management, and promote innovation in cybersecurity technologies, such as the use of phishing-resistant authentication to enhance identity and access management and protect against phishing attacks.
