Biden’s 11th-hour Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity (the “Order”) provides significant detail on the thinking of cybersecurity experts in the Biden Administration concerning what still needs to be done in the Federal Government to secure networks. Considering that the Department of Homeland Security disbanded the Cyber Safety Review Board that was investigating Salt Typhoon, that may explain why, despite Trump’s flurry of Executive Orders rescinding many Biden-era policies, this one appears to have survived. This may have major implications regarding cybersecurity for private companies and the Executive Branch.
As adversarial nations like China and criminal networks increase the scale and sophistication of their attacks, the Order provides a framework for strengthening the nation’s digital infrastructure. It expands upon prior directives, such as the 2021 Executive Order on Improving the Nation’s Cybersecurity, by introducing new, stringent measures that target supply chain vulnerabilities and, in particular, mandate transparency about compliance with the 2021 EO’s requirements.
The cornerstone of the Order is its emphasis on supply chain security. Transparency measures, including the Software Bill of Materials (SBOM), aim to expose and eliminate vulnerabilities in third-party and open-source software, and actually hold contractors accountable for software integrity and security by imposing required disclosures. Notably, this approach addresses some of the gaps observed in the 2021 EO, particularly concerning enforceability and contractor accountability.
A key aspect of the Order is its directive that various Executive agencies, in timelines ranging from 30 days to three years, coordinate their information-sharing and communications systems, while improving the broader software ecosystem by raising standards for commercial products the government procures. This initiative aims to create a standardized and resilient cybersecurity posture across the Federal government and its contractors.
Requirements for Contractors
One of the most transformative provisions of the 2025 Executive Order is the introduction of the SBOM, a comprehensive inventory of software components, akin to a “food label.” The SBOM ensures that every software component, including dependencies and open-source libraries, is accounted for and assessed for security risks. Contractors are now required to submit SBOMs for all systems interacting with Federal networks, creating visibility into potential vulnerabilities. The gap being addressed is that, while the 2021 Executive Order introduced guidelines for cybersecurity, contractors were not actually required to show compliance with them. The new Order requires documentation and transparency of which requirements have been met, so that if software is compromised, it will be clear what steps a contractor did and did not take.
For contractors, this requirement is both a challenge and an opportunity. Maintaining an accurate SBOM demonstrates a commitment to security, positioning companies as reliable partners.
In addition, contractors must undergo regular risk assessments to ensure that third-party software complies with Federal security standards and aligns with guidelines issued by NIST, including encryption protocols and secure software development practices.
Contractors must also implement systems to detect and report breaches within 24 hours; these systems must be operational within 180 days. Staff must be trained to recognize and respond to cyber incidents effectively.
Requirements for Federal Agencies
The Executive Order imposes stringent measures on Federal agencies, demanding modernization and collaboration. Agencies must transition to zero-trust architecture within 180 days, requiring continuous validation of user access and strict segmentation of network systems. Advanced identity management systems must be implemented to prevent unauthorized access, including multi-factor authentication (MFA) and biometric verification. Agencies are required to report cyber incidents within 24 hours, ensuring swift containment and coordinated responses. These protocols are supposed to be operational within 120 days and standardized across all departments. Additionally, an initial audit is expected to be completed within 6 months, followed by biannual reviews to identify and mitigate emerging risks. Agencies are also tasked with sharing threat intelligence with contractors and other agencies, creating a unified defense against common threats.
Why Did Trump Retain Biden’s Executive Order?
While President Trump rescinded many Biden-era policies on the first day of his presidency, it is perhaps notable that this Executive Order remains in place. This decision may suggest a recognition of the Order’s critical importance to national security. By retaining this directive, Trump may be acknowledging the escalating threats posed by adversaries and the necessity of a robust cybersecurity framework. Additionally, the bipartisan appeal of strengthening the nation’s digital defenses likely played a role in preserving the Order. This continuity also means that, for now, the deadlines and requirements outlined in the Order remain in effect.
Given President Trump’s history of rapidly shifting positions and policies, the future of this Executive Order remains uncertain. It is possible that it could be rescinded in the coming days or weeks. As the situation develops, stay tuned for updates on its status and the potential implications for cybersecurity policy.