[House Document 119-13]
[From the U.S. Government Publishing Office]
119th Congress, 1st Session - - - - - - - - - - - House Document 119-13
TAKING ADDITIONAL STEPS WITH RESPECT TO SIGNIFICANT MALICIOUS
CYBER-ENABLED ACTIVITIES
__________
MESSAGE
from
THE PRESIDENT OF THE UNITED STATES
transmitting
AN EXECUTIVE ORDER TAKING ADDITIONAL STEPS TO DEAL WITH THE NATIONAL
EMERGENCY DECLARED IN EXECUTIVE ORDER 13694 OF APRIL 1, 2015, AS
AMENDED BY EXECUTIVE ORDER 13757 OF DECEMBER 28, 2016, AND FURTHER
AMENDED BY EXECUTIVE ORDER 13984 OF JANUARY 19, 2021, TAKING ADDITIONAL
STEPS TO ADDRESS THE NATIONAL EMERGENCY WITH RESPECT TO SIGNIFICANT
MALICIOUS CYBER-ENABLED ACTIVITIES, PURSUANT TO 50 U.S.C. 1703(b);
PUBLIC LAW 95-223, SEC. 204(b); (91 STAT. 1627)
January 16, 2025.--Message and accompanying papers referred to the
Committee on Foreign Affairs and ordered to be printed
_______
U.S. GOVERNMENT PUBLISHING OFFICE
59-011 WASHINGTON : 2025
To the Congress of the United States:
Pursuant to the International Emergency Economic Powers Act
(50 U.S.C. 1701 et seq.) (IEEPA), I hereby report that I have
issued an Executive Order that takes additional steps to deal
with the national emergency declared in Executive Order 13694
of April 1, 2015 (Blocking the Property of Certain Persons
Engaging in Significant Malicious Cyber-Enabled Activities), as
amended by Executive Order 13757 of December 28, 2016 (Taking
Additional Steps to Address the National Emergency With Respect
to Significant Malicious Cyber-Enabled Activities), and further
amended by Executive Order 13984 of January 19, 2021 (Taking
Additional Steps To Address the National Emergency With Respect
to Significant Malicious Cyber-Enabled Activities).
Significant malicious cyber-enabled activities continue to
pose an unusual and extraordinary threat to the national
security, foreign policy, and economy of the United States. To
address this continuing national emergency and protect against
the growing and evolving threat of malicious cyber-enabled
activities against the United States and United States allies
and partners, including the increasing threats by foreign
actors of unauthorized access to critical infrastructure,
ransomware, and cyber-enabled intrusions and sanctions evasion,
section 9 of the Executive Order I have issued updates the
criteria to be used by the Secretary of the Treasury in
designating a person for sanctions for engaging in specified
malicious cyber-enabled activities and related conduct.
I am enclosing a copy of the Executive Order I have issued.
Joseph R. Biden, Jr.
The White House, January 16, 2025.
Executive Order
----------
Strengthening and Promoting Innovation in the Nation's Cybersecurity
By the authority vested in me as President by the
Constitution and the laws of the United States of America
including the International Emergency Economic Powers Act (50
U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C.
1601 et seq.), section 212(f) of the Immigration and
Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of
title 3, United States Code, it is hereby ordered as follows:
Section 1. Policy. Adversarial countries and criminals
continue to conduct cyber campaigns targeting the United States
and Americans, with the People's Republic of China presenting
the most active and persistent cyber threat to United States
Government, private sector, and critical infrastructure
networks. These campaigns disrupt the delivery of critical
services across the Nation, cost billions of dollars, and
undermine Americans' security and privacy. More must be done to
improve the Nation's cybersecurity against these threats.
Building on the foundational steps I directed in Executive
Order 14028 of May 12, 2021 (Improving the Nation's
Cybersecurity), and the initiatives detailed in the National
Cybersecurity Strategy, I am ordering additional actions to
improve our Nation's cybersecurity, focusing on defending our
digital infrastructure, securing the services and capabilities
most vital to the digital domain, and building our capability
to address key threats, including those from the People's
Republic of China. Improving accountability for software and
cloud service providers, strengthening the security of Federal
communications and identity management systems, and promoting
innovative developments and the use of emerging technologies
for cybersecurity across executive departments and agencies
(agencies) and with the private sector are especially critical
to improvement of the Nation's cybersecurity.
Sec. 2. Operationalizing Transparency and Security in
Third-Party Software Supply Chains. (a) The Federal Government
and our Nation's critical infrastructure rely on software
providers. Yet insecure software remains a challenge for both
providers and users and makes Federal Government and critical
infrastructure systems vulnerable to malicious cyber incidents.
The Federal Government must continue to adopt secure software
acquisition practices and take steps so that software providers
use secure software development practices to reduce the number
and severity of vulnerabilities in software they produce.
(b) Executive Order 14028 directed actions to improve the
security and integrity of software critical to the Federal
Government's ability to function. Executive Order 14028
directed the development of guidance on secure software
development practices and on generating and providing evidence
in the form of artifacts--computer records or data that are
generated manually or by automated means--that demonstrate
compliance with those practices. Additionally, it directed the
Director of the Office of Management and Budget (OMB) to
require agencies to use only software from providers that
attest to using those secure software development practices. In
some instances, providers of software to the Federal Government
commit to following cybersecurity practices, yet do not fix
well-known exploitable vulnerabilities in their software, which
puts the Government at risk of compromise. The Federal
Government needs to adopt more rigorous third-party risk
management practices and greater assurance that software
providers that support critical Government services are
following the practices to which they attest.
(i) Within 30 days of the date of this order, the
Director of OMB, in consultation with the Secretary of
Commerce, acting through the Director of the National
Institute of Standards and Technology (NIST), and the
Secretary of Homeland Security, acting through the
Director of the Cybersecurity and Infrastructure
Security Agency (CISA), shall recommend to the Federal
Acquisition Regulatory Council (FAR Council) contract
language requiring software providers to submit to CISA
through CISA's Repository for Software Attestation and
Artifacts (RSAA):
(A) machine-readable secure software
development attestations;
(B) high-level artifacts to validate those
attestations; and
(C) a list of the provider's Federal Civilian
Executive Branch (FCEB) agency software
customers.
(ii) Within 120 days of the receipt of the
recommendations described in subsection (b)(i) of this
section, the FAR Council shall review the
recommendations and, as appropriate and consistent with
applicable law, the Secretary of Defense, the
Administrator of General Services, and the
Administrator of the National Aeronautics and Space
Administration (the agency members of the FAR Council)
shall jointly take steps to amend the Federal
Acquisition Regulation (FAR) to implement those
recommendations. The agency members of the FAR Council
are strongly encouraged to consider issuing an interim
final rule, as appropriate and consistent with
applicable law.
(iii) Within 60 days of the date of the issuance of
the recommendations described in subsection (b)(i) of
this section, the Secretary of Homeland Security,
acting through the Director of CISA, shall evaluate
emerging methods of generating, receiving, and
verifying machine-readable secure software development
attestations and artifacts and, as appropriate, shall
provide guidance for software providers on submitting
them to CISA's RSAA website, including a common data
schema and format.
(iv) Within 30 days of the date of any amendments to
the FAR described in subsection (b)(ii) of this
section, the Secretary of Homeland Security, acting
through the Director of CISA, shall develop a program
to centrally verify the completeness of all attestation
forms. CISA shall continuously validate a sample of the
complete attestations using high-level artifacts in the
RSAA.
(v) If CISA finds that attestations are incomplete or
artifacts are insufficient for validating the
attestations, the Director of CISA shall notify the
software provider and the contracting agency. The
Director of CISA shall provide a process for the
software provider to respond to CISA's initial
determination and shall duly consider the response.
(vi) For attestations that undergo validation, the
Director of CISA shall inform the National Cyber
Director, who shall publicly post the results,
identifying the software providers and software
version. The National Cyber Director is encouraged to
refer attestations that fail validation to the Attorney
General for action as appropriate.
(c) Secure software development practices are not
sufficient to address the potential for cyber incidents from
resourced and determined nation-state actors. To mitigate the
risk of such incidents occurring, software providers must also
address how software is delivered and the security of the
software itself. The Federal Government must identify a
coordinated set of practical and effective security practices
to require when it procures software.
(i) Within 60 days of the date of this order, the
Secretary of Commerce, acting through the Director of
NIST, shall establish a consortium with industry at the
National Cybersecurity Center of Excellence to develop
guidance, informed by the consortium as appropriate,
that demonstrates the implementation of secure software
development, security, and operations practices based
on NIST Special Publication 800-218 (Secure Software
Development Framework (SSDF)).
(ii) Within 90 days of the date of this order, the
Secretary of Commerce, acting through the Director of
NIST, shall update NIST Special Publication 800-53
(Security and Privacy Controls for Information Systems
and Organizations) to provide guidance on how to
securely and reliably deploy patches and updates.
(iii) Within 180 days of the date of this order, the
Secretary of Commerce, acting through the Director of
NIST, in consultation with the heads of such agencies as
the Director of NIST deems appropriate, shall develop
and publish a preliminary update to the SSDF. This
update shall include practices, procedures, controls,
and implementation examples regarding the secure and
reliable development and delivery of software as well
as the security of the software itself. Within 120 days
of publishing the preliminary update, the Secretary of
Commerce, acting through the Director of NIST, shall
publish a final version of the updated SSDF.
(iv) Within 120 days of the final update to the SSDF
described in subsection (c)(iii) of this section, the
Director of OMB shall incorporate select practices for
the secure development and delivery of software
contained in NIST's updated SSDF into the requirements
of OMB Memorandum M-22-18 (Enhancing the Security of
the Software Supply Chain through Secure Software
Development Practices) or related requirements.
(v) Within 30 days of the issuance of OMB's updated
requirements described in subsection (c)(iv) of this
section, the Director of CISA shall prepare any
revisions to CISA's common form for Secure Software
Development Attestation to conform to OMB's
requirements and shall initiate any process required to
obtain clearance of the revised form under the
Paperwork Reduction Act, 44 U.S.C. 3501 et seq.
(d) As agencies have improved their cyber defenses,
adversaries have targeted the weak links in agency supply
chains and the products and services upon which the Federal
Government relies. Agencies need to integrate cybersecurity
supply chain risk management programs into enterprise-wide risk
management activities. Within 90 days of the date of this
order, the Director of OMB, in coordination with the Secretary
of Commerce, acting through the Director of NIST, the
Administrator of General Services, and the Federal Acquisition
Security Council (FASC), shall take steps to require, as the
Director deems appropriate, that agencies comply with the
guidance in NIST Special Publication 800-161 (Cybersecurity
Supply Chain Risk Management Practices for Systems and
Organizations (SP 800-161 Revision 1)). OMB shall require
agencies to provide annual updates to OMB as they complete
implementation. Consistent with SP 800-161 Revision 1, OMB's
requirements shall address the integration of cybersecurity
into the acquisition lifecycle through acquisition planning,
source selection, responsibility determination, security
compliance evaluation, contract administration, and performance
evaluation.
(e) Open source software plays a critical role in Federal
information systems. To help the Federal Government continue to
reap the innovation and cost benefits of open source software
and contribute to the cybersecurity of the open source software
ecosystem, agencies must better manage their use of open source
software. Within 120 days of the date of this order, the
Secretary of Homeland Security, acting through the Director of
CISA, and the Director of OMB, in consultation with the
Administrator of General Services and the heads of other
agencies as appropriate, shall jointly issue recommendations to
agencies on the use of security assessments and patching of
open source software and best practices for contributing to
open source software projects.
Sec. 3. Improving the Cybersecurity of Federal Systems. (a)
The Federal Government must adopt proven security practices
from industry--to include in identity and access management--in
order to improve visibility of security threats across networks
and strengthen cloud security.
(b) To prioritize investments in the innovative identity
technologies and processes of the future and phishing-resistant
authentication options, FCEB agencies shall begin using, in
pilot deployments or in larger deployments as appropriate,
commercial phishing-resistant standards such as WebAuthn,
building on the deployments that OMB and CISA have developed
and established since the issuance of Executive Order 14028.
These pilot deployments shall be used to inform future
directions for Federal identity, credentialing, and access
management strategies.
(c) The Federal Government must maintain the ability to
rapidly and effectively identify threats across the Federal
enterprise. In Executive Order 14028, I directed the Secretary
of Defense and the Secretary of Homeland Security to establish
procedures to immediately share threat information to
strengthen the collective defense of Department of Defense and
civilian networks. To enable identification of threat activity,
CISA's capability to hunt for and identify threats across FCEB
agencies under 44 U.S.C. 3553(b)(7) must be strengthened.
(i) The Secretary of Homeland Security, acting
through the Director of CISA, in coordination with the
Federal Chief Information Officer (CIO) Council and
Federal Chief Information Security Officer (CISO)
Council, shall develop the technical capability to gain
timely access to required data from FCEB agency
endpoint detection and response (EDR) solutions and
from FCEB agency security operation centers to enable:
(A) timely hunting and identification of
novel cyber threats and vulnerabilities across
the Federal civilian enterprise;
(B) identification of coordinated cyber
campaigns that simultaneously target multiple
agencies and move laterally across the Federal
enterprise; and
(C) coordination of Government-wide efforts
on information security policies and practices,
including compilation and analysis of
information about incidents that threaten
information security.
(ii) Within 180 days of the date of this order, the
Secretary of Homeland Security, acting through the
Director of CISA, in coordination with the Federal CIO
and CISO Councils, shall develop and release a concept
of operations that enables CISA to gain timely access
to required data to achieve the objectives described in
subsection (c)(i) of this section. The Director of OMB
shall oversee the development of this concept of
operations to account for agency perspectives and the
objectives outlined in this section and shall approve
the final concept of operations. This concept of
operations shall include:
(A) requirements for FCEB agencies to provide
CISA with data of sufficient completeness and
on the timeline required to enable CISA to
achieve the objectives described in subsection
(c)(i) of this section;
(B) requirements for CISA to provide FCEB
agencies with advanced notification when CISA
directly accesses agency EDR solutions to
obtain required telemetry;
(C) specific use cases for which agencies may
provide telemetry data subject to the
requirements in subsection (c)(ii)(A) of this
section as opposed to direct access to EDR
solutions by CISA;
(D) high-level technical and policy control
requirements to govern CISA access to agency
EDR solutions that conform with widely accepted
cybersecurity principles, including role-based
access controls, ``least privilege,'' and
separation of duties;
(E) specific protections for highly sensitive
agency data that is subject to statutory,
regulatory, or judicial restrictions to protect
confidentiality or integrity; and
(F) an appendix to the concept of operations
that identifies and addresses certain types of
specific use cases under subsection (c)(ii)(C)
of this section that apply to the Department of
Justice, including certain categories of
information described in subsections (c)(vi)
and (c)(vii) of this section, and requires the
Department of Justice's concurrence on the
terms of the appendix prior to implementation
of the concept of operations on the Department
of Justice's or its subcomponents' networks.
(iii) In undertaking the activities described in
subsection (c) of this section, the Secretary of
Homeland Security, acting through the Director of CISA,
shall only make a change to an agency network, system,
or data when such change is required for threat hunting
by CISA, including access to the EDR tools described in
subsection (c)(ii) of this section, or in furtherance
of its authority to conduct threat hunting as
authorized under 44 U.S.C. 3553(b)(7), unless
otherwise authorized by the agency.
(iv) Within 30 days of the release of the concept of
operations described in subsection (c)(ii) of this
section, the Secretary of Homeland Security, acting
through the Director of CISA, shall establish working
groups, open to all agencies, to develop and release
specific technical controls that achieve the objectives
set forth in subsection (c)(ii) of this section and to
work with EDR solution providers to implement those
controls in FCEB agency deployments of EDR solutions.
The Secretary of Homeland Security, acting through the
Director of CISA, shall, at a minimum, establish a
working group for each EDR solution authorized by CISA
for use in the CISA Continuous Diagnostic and
Mitigation Program. Each working group shall be open to
all agencies and include at least one representative
from an FCEB agency employing the designated EDR
solution.
(v) Within 180 days of the release of the technical
controls described in subsection (c)(iv) of this
section, the heads of FCEB agencies shall enroll
endpoints using an EDR solution covered by those
controls in the CISA Persistent Access Capability
program.
(vi) Within 90 days of the date of this order, and
periodically thereafter as needed, the heads of FCEB
agencies shall provide to CISA a list of systems,
endpoints, and data sets that require additional
controls or periods of non-disruption to ensure that
CISA's threat-hunting activities do not disrupt
mission-critical operations, along with an explanation
of those operations.
(vii) In cases in which agency data is subject to
statutory, regulatory, or judicial access restrictions,
the Director of CISA shall comply with agency processes
and procedures required to access such data or work
with the agency to develop an appropriate
administrative accommodation consistent with any such
restrictions so that the data is not subject to
unauthorized access or use.
(viii) Nothing in this order requires an agency to
provide access to information that is protected from
non-disclosure by court order or otherwise required to
be kept confidential in connection with a judicial
proceeding.
(d) The security of Federal information systems relies on
the security of the Government's cloud services. Within 90 days
of the date of this order, the Administrator of General
Services, acting through the Director of the Federal Risk and
Authorization Management Program (FedRAMP), in coordination
with the Secretary of Commerce, acting through the Director of
NIST, and the Secretary of Homeland Security, acting through
the Director of CISA, shall develop FedRAMP policies and
practices to incentivize or require cloud service providers in
the FedRAMP Marketplace to produce baselines with
specifications and recommendations for agency configuration of
agency cloud-based systems in order to secure Federal data
based on agency requirements.
(e) As cybersecurity threats to space systems increase,
these systems and their supporting digital infrastructure must
be designed to adapt to evolving cybersecurity threats and
operate in contested environments. In light of the pivotal role
space systems play in global critical infrastructure and
communications resilience, and to further protect space systems
and the supporting digital infrastructure vital to our national
security, including our economic security, agencies shall take
steps to continually verify that Federal space systems have the
requisite cybersecurity capabilities through actions including
continuous assessments, testing, exercises, and modeling and
simulation.
(i) Within 180 days of the date of this order, the
Secretary of the Interior, acting through the Director
of the United States Geological Survey; the Secretary
of Commerce, acting through the Under Secretary of
Commerce for Oceans and Atmosphere and the
Administrator of the National Oceanic and Atmospheric
Administration; and the Administrator of the National
Aeronautics and Space Administration shall each review
the civil space contract requirements in the FAR and
recommend to the FAR Council and other appropriate
agencies updates to civil space cybersecurity
requirements and relevant contract language. The
recommended cybersecurity requirements and contract
language shall use a risk-based, tiered approach for
all new civil space systems. Such requirements shall be
designed to apply at minimum to the civil space
systems' on-orbit segments and link segments. The
requirements shall address the following elements for
the highest-risk tier and, as appropriate, other tiers:
(A) protection of command and control of the
civil space system, including backup or
failover systems, by:
(1) encrypting commands to protect
the confidentiality of communications;
(2) ensuring commands are not
modified in transit;
(3) ensuring an authorized party is
the source of commands; and
(4) rejecting unauthorized command
and control attempts;
(B) establishment of methods to detect,
report, and recover from anomalous network or
system activity; and
(C) use of secure software and hardware
development practices, consistent with the NIST
SSDF or any successor documents.
(ii) Within 180 days of receiving the recommended
contract language described in subsection (e)(i) of
this section, the FAR Council shall review the proposal
and, as appropriate and consistent with applicable law,
the agency members of the FAR Council shall jointly
take steps to amend the FAR.
(iii) Within 120 days of the date of this order, the
National Cyber Director shall submit to OMB a study of
space ground systems owned, managed, or operated by
FCEB agencies. This study shall include:
(A) an inventory of space ground systems;
(B) whether each space ground system is
classified as a major information system under
44 U.S.C. 3505(c), labeled ``Inventory of major
information systems''; and
(C) recommendations to improve the cyber
defenses and oversight of such space ground
systems.
(iv) Within 90 days of the submission of the study
described in subsection (e)(iii) of this section, the
Director of OMB shall take appropriate steps to help
ensure that space ground systems owned, managed, or
operated by FCEB agencies comply with relevant
cybersecurity requirements issued by OMB.
Sec. 4. Securing Federal Communications. (a) To improve the
security of Federal Government communications against
adversarial nations and criminals, the Federal Government must
implement, to the extent practicable and consistent with
mission needs, strong identity authentication and encryption
using modern, standardized, and commercially available
algorithms and protocols.
(b) The security of Internet traffic depends on data being
correctly routed and delivered to the intended recipient
network. Routing information originated and propagated across
the Internet, utilizing the Border Gateway Protocol (BGP), is
vulnerable to attack and misconfiguration.
(i) Within 90 days of the date of this order, FCEB
agencies shall take steps to ensure that all of their
assigned Internet number resources (Internet Protocol
(IP) address blocks and Autonomous System Numbers) are
covered by a Registration Services Agreement with the
American Registry for Internet Numbers or another
appropriate regional Internet registry. Thereafter,
FCEB agencies shall annually review and update in their
regional Internet registry accounts organizational
identifiers related to assigned number resources such
as organization names, points of contact, and
associated email addresses.
(ii) Within 120 days of the date of this order, all
FCEB agencies that hold IP address blocks shall create
and publish Route Origin Authorizations in the public
Resource Public Key Infrastructure repository hosted or
delegated by the American Registry for Internet Numbers
or the appropriate regional Internet registry for the
IP address blocks they hold.
(iii) Within 120 days of the date of this order, the
National Cyber Director, in coordination with the heads
of other agencies as appropriate, shall recommend
contract language to the FAR Council to require
contracted providers of Internet services to agencies
to adopt and deploy Internet routing security
technologies, including publishing Route Origin
Authorizations and performing Route Origin Validation
filtering. The recommended language shall include
requirements or exceptions, as appropriate, for agency
contracts regarding overseas operations and overseas
local service providers. Within 270 days of receiving
these recommendations, the FAR Council shall review the
recommended contract language and, as appropriate and
consistent with applicable law, the agency members of
the FAR Council shall jointly take steps to amend the
FAR. Pending any such amendments to the FAR, individual
agencies are encouraged to include such requirements in
future contracts, consistent with applicable law.
(iv) Within 180 days of the date of this order, the
Secretary of Commerce, acting through the Director of
NIST, shall publish updated guidance to agencies on
deployment of current, operationally viable BGP
security methods for Federal Government networks and
service providers. The Secretary of Commerce, acting
through the Director of NIST, shall also provide
updated guidance on other emerging technologies to
improve Internet routing security and resilience, such
as route leak mitigation and source address validation.
(c) Encrypting Domain Name System (DNS) traffic in transit
is a critical step to protecting both the confidentiality of
the information being transmitted to, and the integrity of the
communication with, the DNS resolver.
(i) Within 90 days of the date of this order, the
Secretary of Homeland Security, acting through the
Director of CISA, shall publish template contract
language requiring that any product that acts as a DNS
resolver (whether client or server) for the Federal
Government support encrypted DNS and shall recommend
that language to the FAR Council. Within 120 days of
receiving the recommended language, the FAR Council
shall review it, and, as appropriate and consistent
with applicable law, the agency members of the FAR
Council shall jointly take steps to amend the FAR.
(ii) Within 180 days of the date of this order, FCEB
agencies shall enable encrypted DNS protocols wherever
their existing clients and servers support those
protocols. FCEB agencies shall also enable such
protocols within 180 days of any additional clients and
servers supporting such protocols.
(d) The Federal Government must encrypt email messages in
transport and, where practical, use end-to-end encryption in
order to protect messages from compromise.
(i) Within 120 days of the date of this order, each
FCEB agency shall technically enforce encrypted and
authenticated transport for all connections between the
agency's email clients and their associated email
servers.
(ii) Within 180 days of the date of this order, the
Director of OMB shall establish a requirement for
expanded use of authenticated transport-layer
encryption between email servers used by FCEB agencies
to send and receive email.
(iii) Within 90 days of the establishment of the
requirement described in subsection (d)(ii) of this
section, the Secretary of Homeland Security, acting
through the Director of CISA, shall take appropriate
steps to assist agencies in meeting that requirement,
including by issuing implementing directives, as well
as technical guidance to address any identified
capability gaps.
(e) Modern communications such as voice and video
conferencing and instant messaging are usually encrypted at the
link level but often are not encrypted end-to-end. Within 180
days of the date of this order, to advance the security of
Internet-based voice and video conferencing and instant
messaging, the Director of OMB, in coordination with the
Secretary of Homeland Security, acting through the Director of
CISA; the Secretary of Defense, acting through the Director of
the National Security Agency (NSA); the Secretary of Commerce,
acting through the Director of NIST; the Archivist of the
United States, acting through the Chief Records Officer for the
United States Government; and the Administrator of General
Services shall take appropriate steps to require agencies to:
(i) enable transport encryption by default; and
(ii) where technically supported, use end-to-end
encryption by default while maintaining logging and
archival capabilities that allow agencies to fulfill
records management and accountability requirements.
(f) Alongside their benefits, quantum computers pose
significant risk to the national security, including the
economic security, of the United States. Most notably, a
quantum computer of sufficient size and sophistication--also
known as a cryptanalytically relevant quantum computer (CRQC)--
will be capable of breaking much of the public-key cryptography
used on digital systems across the United States and around the
world. In National Security Memorandum 10 of May 4, 2022
(Promoting United States Leadership in Quantum Computing While
Mitigating Risks to Vulnerable Cryptographic Systems), I
directed the Federal Government to prepare for a transition to
cryptographic algorithms that would not be vulnerable to a
CRQC.
(i) Within 180 days of the date of this order, the
Secretary of Homeland Security, acting through the
Director of CISA, shall release and thereafter
regularly update a list of product categories in which
products that support post-quantum cryptography (PQC)
are widely available.
(ii) Within 90 days of a product category being placed
on the list described in subsection (f)(i) of this
section, agencies shall take steps to include in any
solicitations for products in that category a
requirement that products support PQC.
(iii) Agencies shall implement PQC key establishment
or hybrid key establishment including a PQC algorithm
as soon as practicable upon support being provided by
network security products and services already deployed
in their network architectures.
(iv) Within 90 days of the date of this order, the
Secretary of State and the Secretary of Commerce,
acting through the Director of NIST and the Under
Secretary for International Trade, shall identify and
engage foreign governments and industry groups in key
countries to encourage their transition to PQC
algorithms standardized by NIST.
(v) Within 180 days of the date of this order, to
prepare for transition to PQC, the Secretary of Defense
with respect to National Security Systems (NSS), and
the Director of OMB with respect to non-NSS, shall each
issue requirements for agencies to support, as soon as
practicable, but not later than January 2, 2030,
Transport Layer Security protocol version 1.3 or a
successor version.
(g) The Federal Government should take advantage of
commercial security technologies and architectures, such as
hardware security modules, trusted execution environments, and
other isolation technologies, to protect and audit access to
cryptographic keys with extended lifecycles.
(i) Within 270 days of the date of this order, the
Secretary of Commerce, acting through the Director of
NIST, in consultation with the Secretary of Homeland
Security, acting through the Director of CISA, and the
Administrator of General Services shall develop
guidelines for the secure management of access tokens
and cryptographic keys used by cloud service providers.
(ii) Within 60 days of the publication of the
guidelines described in subsection (g)(i) of this
section, the Administrator of General Services, acting
through the FedRAMP Director, in consultation with the
Secretary of Commerce, acting through the Director of
NIST, and the Secretary of Homeland Security, acting
through the Director of CISA, shall develop updated
FedRAMP requirements, incorporating the guidelines
described in subsection (g)(i) of this section, as
appropriate and consistent with guidance issued by the
Director of OMB, concerning cryptographic key
management security practices.
(iii) Within 60 days of the publication of the
guidelines described in subsection (g)(i) of this
section, the Director of OMB, in consultation with the
Secretary of Commerce, acting through the Director of
NIST; the Secretary of Homeland Security, acting
through the Director of CISA; and the Administrator of
General Services shall take appropriate steps to
require FCEB agencies to follow best practices
concerning the protection and management of hardware
security modules, trusted execution environments, or
other isolation technologies for access tokens and
cryptographic keys used by cloud service providers in
the provision of services to agencies.
Sec. 5. Solutions to Combat Cybercrime and Fraud. (a) The
use of stolen and synthetic identities by criminal syndicates
to systemically defraud public benefits programs costs
taxpayers and wastes Federal Government funds. To help address
these crimes it is the policy of the executive branch to
strongly encourage the acceptance of digital identity documents
to access public benefits programs that require identity
verification, so long as it is done in a manner that preserves
broad program access for vulnerable populations and supports
the principles of privacy, data minimization, and
interoperability.
(i) Within 90 days of the date of this order, agencies
with grantmaking authority are encouraged to consider,
in coordination with OMB and the National Security
Council staff, whether Federal grant funding is
available to assist States in developing and issuing
mobile driver's licenses that achieve the policies and
principles described in this section.
(ii) Within 270 days of the date of this order, the
Secretary of Commerce, acting through the Director of
NIST, shall issue practical implementation guidance, in
collaboration with relevant agencies and other
stakeholders through the National Cybersecurity Center
of Excellence, to support remote digital identity
verification using digital identity documents that will
help issuers and verifiers of digital identity
documents advance the policies and principles described
in this section.
(iii) Agencies should consider accepting digital
identity documents as digital identity verification
evidence to access public benefits programs, but only
if the use of these documents is consistent with the
policies and principles described in this section.
(iv) Agencies should, consistent with applicable law,
seek to ensure that digital identity documents accepted
as digital identity verification evidence to access
public benefits programs:
(A) are interoperable with relevant standards
and trust frameworks, so that the public can
use any standards-compliant hardware or
software containing an official Government-
issued digital identity document, regardless of
manufacturer or developer;
(B) do not enable authorities that issue
digital identity documents, device
manufacturers, or any other third party to
surveil or track presentation of the digital
identity document, including user device
location at the time of presentation; and
(C) support user privacy and data minimization
by ensuring only the minimum information
required for a transaction--often a ``yes'' or
``no'' response to a question, such as whether
an individual is older than a specific age--is
requested from the holder of the digital
identity document.
(b) The use of ``Yes/No'' validation services, also
referred to as attribute validation services, can enable more
privacy-preserving means to reduce identity fraud. These
services allow programs to confirm, via a privacy-preserving
``yes'' or ``no'' response, that applicant-provided identity
information is consistent with information already contained in
official records, without needing to share the contents of
those official records. To support the use of such services,
the Commissioner of Social Security, and the head of any other
agency designated by the Director of OMB, shall, as appropriate
and consistent with applicable law, consider taking steps to
develop or modify services--including through, as appropriate,
the initiation of a proposed rulemaking or the publication of a
notice of a new or significantly modified routine use of
records--related to Government-operated identity verification
systems and public benefits programs, with consideration given
to having such systems and programs submit applicant-provided
identity information to the agency providing the service and
receive a ``yes'' or ``no'' response as to whether the
applicant-provided identity information is consistent with the
information on file with the agency providing the service. In
doing so, the heads of these agencies shall specifically
consider seeking to ensure, consistent with applicable law,
that:
(i) any applicant-provided identity information
submitted to the services and any ``yes'' or ``no''
response provided by the services are used only to
assist with identity verification, program
administration, anti-fraud operations, or investigation
and prosecution of fraud related to the public benefits
program for which the identity information was
submitted;
(ii) the services are made available, to the maximum
extent permissible and as appropriate, to public
benefits programs; Government-operated identity
verification systems, including shared-service
providers; payment integrity programs; and United
States-regulated financial institutions; and
(iii) the agencies, public benefits programs, or
institutions using the services provide reimbursement
to appropriately cover costs and support the ongoing
maintenance, improvement, and broad accessibility of
the services.
(c) The Secretary of the Treasury, in consultation with the
Administrator of General Services, shall research, develop, and
conduct a pilot program for technology that notifies
individuals and entities when their identity information is
used to request a payment from a public benefits program, gives
individuals and entities the option to stop potentially
fraudulent transactions before they occur, and reports
fraudulent transactions to law enforcement entities.
Sec. 6. Promoting Security with and in Artificial
Intelligence. Artificial intelligence (AI) has the potential to
transform cyber defense by rapidly identifying new
vulnerabilities, increasing the scale of threat detection
techniques, and automating cyber defense. The Federal
Government must accelerate the development and deployment of
AI, explore ways to improve the cybersecurity of critical
infrastructure using AI, and accelerate research at the
intersection of AI and cybersecurity.
(a) Within 180 days of the date of the completion of the
Defense Advanced Research Projects Agency's 2025 Artificial
Intelligence Cyber Challenge, the Secretary of Energy, in
coordination with the Secretary of Defense, acting through the
Director of the Defense Advanced Research Projects Agency, and
the Secretary of Homeland Security, shall launch a pilot
program, involving collaboration with private sector critical
infrastructure entities as appropriate and consistent with
applicable law, on the use of AI to enhance cyber defense of
critical infrastructure in the energy sector, and conduct an
assessment of the pilot program upon its completion. This pilot
program, and accompanying assessment, may include vulnerability
detection, automatic patch management, and the identification
and categorization of anomalous and malicious activity across
information technology (IT) or operational technology systems.
(b) Within 270 days of the date of this order, the
Secretary of Defense shall establish a program to use advanced
AI models for cyber defense.
(c) Within 150 days of the date of this order, the
Secretary of Commerce, acting through the Director of NIST; the
Secretary of Energy; the Secretary of Homeland Security, acting
through the Under Secretary for Science and Technology; and the
Director of the National Science Foundation (NSF) shall each
prioritize funding for their respective programs that encourage
the development of large-scale, labeled datasets needed to make
progress on cyber defense research, and ensure that existing
datasets for cyber defense research have been made accessible
to the broader academic research community (either securely or
publicly) to the maximum extent feasible, in consideration of
business confidentiality and national security.
(d) Within 150 days of the date of this order, the
Secretary of Commerce, acting through the Director of NIST; the
Secretary of Energy; the Secretary of Homeland Security, acting
through the Under Secretary for Science and Technology; and the
Director of the NSF shall prioritize research on the following
topics:
(i) human-AI interaction methods to assist defensive
cyber analysis;
(ii) security of AI coding assistance, including
security of AI-generated code;
(iii) methods for designing secure AI systems; and
(iv) methods for prevention, response, remediation,
and recovery of cyber incidents involving AI systems.
(e) Within 150 days of the date of this order, the
Secretary of Defense, the Secretary of Homeland Security, and
the Director of National Intelligence, in coordination with the
Director of OMB, shall incorporate management of AI software
vulnerabilities and compromises into their respective agencies'
existing processes and interagency coordination mechanisms for
vulnerability management, including through incident tracking,
response, and reporting, and by sharing indicators of
compromise for AI systems.
Sec. 7. Aligning Policy to Practice. (a) IT infrastructure
and networks that support agencies' critical missions need to
be modernized. Agencies' policies must align investments and
priorities to improve network visibility and security controls
to reduce cyber risks.
(i) Within 3 years of the date of this order, the
Director of OMB shall issue guidance, including any
necessary revision to OMB Circular A-130, to address
critical risks and adapt modern practices and
architectures across Federal information systems and
networks. This guidance shall, at a minimum:
(A) outline expectations for agency
cybersecurity information sharing and exchange,
enterprise visibility, and accountability for
enterprise-wide cybersecurity programs by
agency CISOs;
(B) revise OMB Circular A-130 to be less
technically prescriptive in key areas, where
appropriate, to more clearly promote the
adoption of evolving cybersecurity best
practices across Federal systems, and to
include migration to zero trust architectures
and implementation of critical elements such as
EDR capabilities, encryption, network
segmentation, and phishing-resistant multi-
factor authentication; and
(C) address how agencies should identify,
assess, respond to, and mitigate risks to
mission essential functions presented by
concentration of IT vendors and services.
(ii) The Secretary of Commerce, acting through the
Director of NIST; the Secretary of Homeland Security,
acting through the Director of CISA; and the Director
of OMB shall establish a pilot program of a rules-as-
code approach for machine-readable versions of policy
and guidance that OMB, NIST, and CISA publish and
manage regarding cybersecurity.
(b) Managing cybersecurity risks is now a part of everyday
industry practice and should be expected for all types of
businesses. Minimum cybersecurity requirements can make it
costlier and harder for threat actors to compromise networks.
Within 240 days of the date of this order, the Secretary of
Commerce, acting through the Director of NIST, shall evaluate
common cybersecurity practices and security control outcomes
that are commonly used or recommended across industry sectors,
international standards bodies, and other risk management
programs, and based on that evaluation issue guidance
identifying minimum cybersecurity practices. In developing this
guidance, the Secretary of Commerce, acting through the
Director of NIST, shall solicit input from the Federal
Government, the private sector, academia, and other appropriate
actors.
(c) Agencies face multiple cybersecurity risks when
purchasing products and services. While agencies have already
made significant advances to improve their supply chain risk
management, additional actions are needed to keep pace with the
evolving threat landscape. Within 180 days of the issuance of
the guidance described in subsection (b) of this section, the
FAR Council shall review the guidance and, as appropriate and
consistent with applicable law, the agency members of the FAR
Council shall jointly take steps to amend the FAR to:
(i) require that contractors with the Federal
Government follow applicable minimum cybersecurity
practices identified in NIST's guidance pursuant to
subsection (b) of this section with respect to work
performed under agency contracts or when developing,
maintaining, or supporting IT services or products that
are provided to the Federal Government; and
(ii) adopt requirements for agencies to, by January 4,
2027, require vendors to the Federal Government of
consumer Internet-of-Things products, as defined by 47
C.F.R. 8.203(b), to carry United States Cyber Trust
Mark labeling for those products.
Sec. 8. National Security Systems and Debilitating Impact
Systems. (a) Except as specifically provided for in section
4(f)(v) of this order, sections 1 through 7 of this order shall
not apply to Federal information systems that are NSS or are
otherwise identified by the Department of Defense or the
Intelligence Community as debilitating impact systems.
(b) Within 90 days of the date of this order, to help
ensure that NSS and debilitating impact systems are protected
with the most advanced security measures, the Secretary of
Defense, acting through the Director of NSA as the National
Manager for National Security Systems (National Manager), in
coordination with the Director of National Intelligence and the
Committee on National Security Systems (CNSS), and in
consultation with the Director of OMB and the Assistant to the
President for National Security Affairs (APNSA), shall develop
requirements for NSS and debilitating impact systems that are
consistent with the requirements set forth in this order, as
appropriate and consistent with applicable law. The Secretary
of Defense may grant exceptions to such requirements in
circumstances necessitated by unique mission needs. Such
requirements shall be incorporated into a proposed National
Security Memorandum, to be submitted to the President through
the APNSA.
(c) To help protect space NSS with cybersecurity measures
that keep pace with emerging threats, within 210 days of the
date of this order, the CNSS shall review and update, as
appropriate, relevant policies and guidance regarding space
system cybersecurity. In addition to appropriate updates, the
CNSS shall identify and address appropriate requirements to
implement cyber defenses on Federal Government-procured space
NSS in the areas of intrusion detection, use of hardware roots
of trust for secure booting, and development and deployment of
security patches.
(d) To enhance the effective governance and oversight of
Federal information systems, within 90 days of the date of this
order, the Director of OMB shall issue guidance as appropriate
requiring agencies to inventory all major information systems
and provide the inventory to CISA, the Department of Defense,
or the National Manager, as applicable, which shall each
maintain a registry of agency inventories within their purview.
CISA, the Department of Defense CIO, and the National Manager
will share their inventories as appropriate to identify gaps or
overlaps in oversight coverage. This guidance shall not apply
to elements of the Intelligence Community.
(e) Nothing in this order alters the authorities and
responsibilities granted in law or policy to the Director of
National Intelligence, the Secretary of Defense, and the
National Manager over applicable systems pursuant to the
National Security Act of 1947 (Public Law 80-253), the Federal
Information Security Modernization Act of 2014 (Public Law 113-
283), National Security Directive 42 of July 5, 1990 (National
Policy for the Security of National Security Telecommunications
and Information Systems), or National Security Memorandum 8 of
January 19, 2022 (Improving the Cybersecurity of National
Security, Department of Defense, and Intelligence Community
Systems).
Sec. 9. Additional Steps to Combat Significant Malicious
Cyber-Enabled Activities. Because I find that additional steps
must be taken to deal with the national emergency with respect
to significant malicious cyber-enabled activities declared in
Executive Order 13694 of April 1, 2015 (Blocking the Property
of Certain Persons Engaging in Significant Malicious Cyber-
Enabled Activities), as amended by Executive Order 13757 of
December 28, 2016 (Taking Additional Steps to Address the
National Emergency With Respect to Significant Malicious Cyber-
Enabled Activities), and further amended by Executive Order
13984 of January 19, 2021 (Taking Additional Steps to Address
the National Emergency With Respect to Significant Malicious
Cyber-Enabled Activities), to protect against the growing and
evolving threat of malicious cyber-enabled activities against
the United States and United States allies and partners,
including the increasing threats by foreign actors of
unauthorized access to critical infrastructure, ransomware, and
cyber-enabled intrusions and sanctions evasion, I hereby order
that section 1(a) of Executive Order 13694 is further amended
to read as follows:
``Section 1. (a) All property and interests in property that
are in the United States, that hereafter come within the United
States, or that are or hereafter come within the possession or
control of any United States person of the following persons
are blocked and may not be transferred, paid, exported,
withdrawn, or otherwise dealt in:
(i) the persons listed in the Annex to this order;
(ii) any person determined by the Secretary of the
Treasury, in consultation with the Attorney General and
the Secretary of State, to be responsible for or
complicit in, or to have engaged in, directly or
indirectly, cyber-enabled activities originating from,
or directed by persons located, in whole or in
substantial part, outside the United States that are
reasonably likely to result in, or have materially
contributed to, a threat to the national security,
foreign policy, or economic health or financial
stability of the United States, and that have the
purpose of or involve:
(A) harming, or otherwise compromising the
provision of services by, a computer or network
of computers that support one or more entities
in a critical infrastructure sector;
(B) compromising the provision of services by
one or more entities in a critical
infrastructure sector;
(C) causing a disruption to the availability
of a computer or network of computers or
compromising the integrity of the information
stored on a computer or network of computers;
(D) causing a misappropriation of funds or
economic resources, intellectual property,
proprietary or business confidential
information, personal identifiers, or financial
information for commercial or competitive
advantage or private financial gain;
(E) tampering with, altering, or causing a
misappropriation of information with the
purpose of or that involves interfering with or
undermining election processes or institutions;
or
(F) engaging in a ransomware attack, such as
extortion through malicious use of code,
encryption, or other activity to affect the
confidentiality, integrity, or availability of
data or a computer or network of computers,
against a United States person, the United
States, a United States ally or partner or a
citizen, national, or entity organized under
the laws thereof; or
(iii) any person determined by the Secretary of the
Treasury, in consultation with the Attorney General and
the Secretary of State:
(A) to be responsible for or complicit in, or
to have engaged in, directly or indirectly, the
receipt or use for commercial or competitive
advantage or private financial gain, or by a
commercial entity, outside the United States of
funds or economic resources, intellectual
property, proprietary or business confidential
information, personal identifiers, or financial
information misappropriated through cyber-
enabled means, knowing they have been
misappropriated, where the misappropriation of
such funds or economic resources, intellectual
property, proprietary or business confidential
information, personal identifiers, or financial
information is reasonably likely to result in,
or has materially contributed to, a threat to
the national security, foreign policy, or
economic health or financial stability of the
United States;
(B) to be responsible for or complicit in, or
to have engaged in, directly or indirectly,
activities related to gaining or attempting to
gain unauthorized access to a computer or
network of computers of a United States person,
the United States, a United States ally or
partner or a citizen, national, or entity
organized under the laws thereof, where such
efforts originate from or are directed by
persons located, in whole or substantial part,
outside the United States and are reasonably
likely to result in, or have materially
contributed to, a significant threat to the
national security, foreign policy, or economic
health or financial stability of the United
States;
(C) to have materially assisted, sponsored,
or provided financial, material, or
technological support for, or goods or services
to or in support of, any activity described in
subsections (a)(ii) or (a)(iii)(A) or (B) of
this section or any person whose property and
interests in property are blocked pursuant to
this order;
(D) to be owned or controlled by, or to have
acted or purported to act for or on behalf of,
directly or indirectly, any person whose
property and interests in property are blocked
pursuant to this order or that has engaged in
any activity described in subsections (a)(ii)
or (a)(iii)(A)-(C) of this section;
(E) to have attempted to engage in any of the
activities described in subsections (a)(ii) and
(a)(iii)(A)-(D) of this section; or
(F) to be or have been a leader, official,
senior executive officer, or member of the
board of directors of any person whose property
and interests in property are blocked pursuant
to this order or that has engaged in any
activity described in subsections (a)(ii) or
(a)(iii)(A)-(E) of this section.''
Sec. 10. Definitions. For purposes of this order:
(a) The term ``agency'' has the meaning ascribed to it
under 44 U.S.C. 3502(1), except for the independent regulatory
agencies described in 44 U.S.C. 3502(5).
(b) The term ``artifact'' means a record or data that is
generated manually or by automated means and may be used to
demonstrate compliance with defined practices, including for
secure software development.
(c) The term ``artificial intelligence'' or ``AI'' has the
meaning set forth in 15 U.S.C. 9401(3).
(d) The term ``AI system'' means any data system, software,
hardware, application, tool, or utility that operates in whole
or in part using AI.
(e) The term ``authentication'' means the process of
determining the validity of one or more authenticators, such as
a password, used to claim a digital identity.
(f) The term ``Border Gateway Protocol'' or ``BGP'' means
the control protocol used to distribute and compute paths
between the tens of thousands of autonomous networks that
constitute the Internet.
(g) The term ``consumer Internet-of-Things products'' means
Internet-of-Things products intended primarily for consumer
use, rather than enterprise or industrial use. Consumer
Internet-of-Things products do not include medical devices
regulated by the United States Food and Drug Administration or
motor vehicles and motor vehicle equipment regulated by the
National Highway Traffic Safety Administration.
(h) The term ``cyber incident'' has the meaning given to
the term ``incident'' under 44 U.S.C. 3552(b)(2).
(i) The term ``debilitating impact systems'' means systems
as described by 44 U.S.C. 3553(e)(2) and 3553(e)(3) for
Department of Defense and Intelligence Community purposes,
respectively.
(j) The term ``digital identity document'' means an
electronic, reusable, cryptographically verifiable identity
credential issued by a Government source, such as a State-
issued mobile driver's license or an electronic passport.
(k) The term ``digital identity verification'' means
identity verification that a user performs online.
(l) The term ``endpoint'' means any device that can be
connected to a computer network creating an entry or exit point
for data communications. Examples of endpoints include desktop
and laptop computers, smartphones, tablets, servers,
workstations, virtual machines, and consumer Internet-of-Things
products.
(m) The term ``endpoint detection and response'' means
cybersecurity tools and capabilities that combine real-time
continuous monitoring and collection of endpoint data (for
example, networked computing device such as workstations,
mobile phones, servers) with rules-based automated response and
analysis capabilities.
(n) The term ``Federal Civilian Executive Branch agencies''
or ``FCEB agencies'' includes all agencies except for the
agencies and other components in the Department of Defense and
agencies in the Intelligence Community.
(o) The term ``Federal information system'' means an
information system used or operated by an agency, a contractor
of an agency, or another organization on behalf of an agency.
(p) The term ``Government-operated identity verification
system'' means a system owned and operated by a Federal, State,
local, Tribal, or territorial Government entity that performs
identity verification, including single-agency systems and
shared services that provide service to multiple agencies.
(q) The term ``hardware root of trust'' means an inherently
trusted combination of hardware and firmware that helps to
maintain the integrity of information.
(r) The term ``hybrid key establishment'' means a key
establishment scheme that is a combination of two or more
components that are themselves cryptographic key-establishment
schemes.
(s) The term ``identity verification'' means the process of
collecting identity information or evidence, validating its
legitimacy, and confirming that it is associated with the real
person providing it.
(t) The term ``Intelligence Community'' has the meaning
given to it under 50 U.S.C. 3003(4).
(u) The term ``key establishment'' means the process by
which a cryptographic key is securely shared between two or
more entities.
(v) The term ``least privilege'' means the principle that a
security architecture is designed so that each entity is
granted the minimum system resources and authorizations that
the entity needs to perform its function.
(w) The term ``machine-readable'' means that the product
output is in a structured format that can be consumed by
another program using consistent processing logic.
(x) The term ``national security systems'' or ``NSS'' has
the meaning given to it under 44 U.S.C. 3552(b)(6).
(y) The term ``patch'' means a software component that,
when installed, directly modifies files or device settings
related to a different software component without changing the
version number or release details for the related software
component.
(z) The term ``rules-as-code approach'' means a coded
version of rules (for example, those contained in legislation,
regulation, or policy) that can be understood and used by a
computer.
(aa) The term ``secure booting'' means a security feature
that prevents malicious software from running when a computer
system starts up. The security feature performs a series of
checks during the boot sequence that helps ensure only trusted
software is loaded.
(bb) The term ``security control outcome'' means the
results of the performance or non-performance of safeguards or
countermeasures prescribed for an information system or an
organization to protect the confidentiality, integrity, and
availability of the system and its information.
(cc) The term ``zero trust architecture'' has the meaning
given to it in Executive Order 14028.
Sec. 11. General Provisions. (a) Nothing in this order
shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive
department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of
Management and Budget relating to budgetary,
administrative, or legislative proposals.
(b) This order shall be implemented in a manner consistent
with applicable law and subject to the availability of
appropriations.
(c) This order is not intended to, and does not, create any
right or benefit, substantive or procedural, enforceable at law
or in equity by any party against the United States, its
departments, agencies, or entities, its officers, employees, or
agents, or any other person.
Joseph R. Biden, Jr.
The White House, January 16, 2025.