A new US Executive Order is set to reshape cybersecurity compliance. Learn how it affects the software supply chain, Zero Trust, AI and more, including its key provisions, business impact and compliance steps.
In an era of increasing cyber threats, proactive and innovative defence strategies are more crucial than ever. To address these challenges, the US government has recently taken a significant step by issuing a new Executive Order focused on strengthening and promoting innovation in the nation’s cybersecurity. This order is set to reshape cybersecurity compliance and drive substantial advancements in protecting digital infrastructure.
With the increase in cyberattacks targeting software vendors, the Executive Order introduces stricter measures to secure software supply chains. These include adherence to established NIST frameworks and guidelines, and a significant increase in transparency and accountability for software providers working with the Federal Government.
Operationalising Transparency and Security in Third-Party Software Supply Chains
This section of the Executive Order focuses on enhancing the security of software used by the Federal Government and critical infrastructure by requiring more rigorous third-party risk management practices. Key aspects include:
Attestation and Artifact Submission (RSAA): Within 30 days of the order, OMB, in consultation with NIST and CISA, will recommend contract language requiring software providers to submit their secure software development attestations, together with the high-level artifacts that support them, to CISA's Repository for Software Attestation and Artifacts (RSAA).
The FAR Council will then review these recommendations and amend the Federal Acquisition Regulation (FAR) within 120 days of receiving them. CISA will also provide guidance on submitting these attestations and artifacts, including a common data schema and format, within 60 days of the initial recommendations.
Attestation Verification and Validation: CISA will develop a programme to centrally verify the completeness of attestation forms within 30 days of the FAR amendments. CISA will also continuously validate a sample of these attestations against the high-level artifacts in the RSAA. If attestations are incomplete or artifacts are insufficient, CISA will notify the software provider and the contracting agency, and provide a process for the provider to respond. The National Cyber Director is encouraged to post the results of unsuccessful validations publicly and may refer them to the Attorney General where appropriate.
Secure Software Development, Security, and Operations Practices: Recognising that secure coding practices alone are not enough, the Executive Order directs further updates to federal secure software development guidance so that it also covers the secure delivery and operation of software, not only how it is written.
Cybersecurity Supply Chain Risk Management (C-SCRM): Within 90 days, OMB, in coordination with NIST, the Administrator of General Services, and the Federal Acquisition Security Council (FASC), will require agencies to comply with NIST SP 800-161 Revision 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations). Agencies will provide annual updates to OMB on their implementation progress, and OMB's requirements will address integrating cybersecurity into the acquisition lifecycle.
Open Source Software: Within 120 days, CISA and OMB, in consultation with the Administrator of General Services and other agency heads, will jointly issue recommendations to agencies on security assessments and patching of open source software and best practices for contributing to open source software projects.
To support businesses in achieving compliance and securing their software supply chains, Risk Associates offers essential services such as Source Code Reviews, Risk Assessments, and Application Security Assessments. These services are designed to help businesses evaluate and strengthen the security of their software, ensuring that their development practices align with industry standards and remain resilient to potential cyber threats.
A major focus of the Executive Order is mitigating risks arising from third-party vendors, who often act as gateways for cyber threats. To that end, the order requires federal agencies to comply with the NIST SP 800-161 supply chain risk management (SCRM) practices, a requirement that in practice flows down to the organisations that sell software and services to those agencies.
For businesses, this means conducting ongoing risk evaluations of vendors, ensuring trust, transparency, and accountability at every stage of the vendor lifecycle. It’s no longer enough to assess risks once; organisations must maintain continuous vigilance.
Risk Associates simplifies this process with its extensive expertise in SWIFT Assessments, Threat Intelligence, PCI DSS Compliance, and PCI ASV Scans. These services help businesses safeguard their supply chains, ensuring they remain resilient against evolving cyber threats and vulnerabilities, while maintaining compliance with the latest industry standards.
AI is more than just a buzzword; it represents the future of threat detection and mitigation. Recognising its potential, the Executive Order encourages the use of AI-driven tools in cyber defence, including a pilot programme on AI for the cyber defence of critical infrastructure in the energy sector.
AI empowers organisations to detect threats in real time, automate repetitive tasks, and proactively identify vulnerabilities before they can be exploited. However, to harness AI securely and effectively, compliance with established standards is crucial.
Risk Associates helps businesses unlock the potential of AI while ensuring compliance with industry standards through its Threat Intelligence Services and ISO/IEC 42001 compliance assessments. These services provide clients with actionable insights, automated solutions, and a structured framework to manage AI risks, enabling them to stay one step ahead of adversaries with confidence.
The traditional approach of trusting anything or anyone within a network perimeter is no longer viable. Zero Trust Architecture (ZTA) has become the gold standard for securing network access, requiring organisations to continuously verify user identities, enforce least-privilege policies, and deploy advanced threat detection measures.
For businesses, this means embedding phishing-resistant multi-factor authentication (MFA), endpoint detection and response (EDR), and robust identity verification across every layer of their infrastructure to stay ahead of evolving threats.
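The "never trust, always verify" principle is easiest to see as a policy decision. The following is an added example, not code from the Executive Order or from Risk Associates: a toy policy decision point that judges every request on identity (phishing-resistant MFA and a fresh authentication), device posture (as an EDR/MDM feed might report it) and least privilege, while deliberately ignoring where on the network the request comes from. Role names, resource names, posture fields and the sample requests are assumptions constructed for illustration.

```python
"""Toy Zero Trust policy decision point (added example, not from the order or Risk Associates).

Every request is judged on who is asking, how they authenticated, the posture of
their device and whether their role actually needs the resource. Network location
is carried on the request but never consulted. Role names, resource names and the
posture fields are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Authenticators that bind the credential to the site's origin and so cannot be
# relayed through a phishing proxy. OTP codes and push prompts can be.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv"}
WEAK_MFA = {"totp", "sms", "push"}

# Least-privilege map (assumed): role -> resources it is allowed to reach.
ROLE_PERMISSIONS = {
    "developer": {"git", "ci"},
    "finance": {"erp"},
    "admin": {"git", "ci", "erp", "iam"},
}

@dataclass
class Device:
    device_id: str
    managed: bool           # enrolled in device management
    edr_healthy: bool       # EDR agent reporting, no active detections
    disk_encrypted: bool

@dataclass
class AccessRequest:
    user: str
    roles: set
    authenticator: str      # "fido2", "totp", "password", ...
    auth_age_s: int         # seconds since the user last authenticated
    device: Optional[Device]
    resource: str
    network: str = "any"    # present, but never consulted by the policy

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every failed check

def evaluate(req: AccessRequest, max_auth_age_s: int = 3600) -> Decision:
    """Deny by default; allow only when every check passes.

    Failures are collected rather than short-circuited so the audit log
    shows everything that was wrong with the request."""
    reasons = []

    # 1. Identity: phishing-resistant MFA and a fresh authentication.
    if req.authenticator not in PHISHING_RESISTANT:
        kind = "weak MFA" if req.authenticator in WEAK_MFA else "no MFA"
        reasons.append(f"{kind}: {req.authenticator!r} is not phishing-resistant")
    if req.auth_age_s > max_auth_age_s:
        reasons.append(f"stale authentication: {req.auth_age_s}s old")

    # 2. Device posture: an unknown or unhealthy device is denied even when
    #    the right user presents the right credential.
    if req.device is None:
        reasons.append("unknown device: no posture data")
    else:
        if not req.device.managed:
            reasons.append("device not managed")
        if not req.device.edr_healthy:
            reasons.append("EDR unhealthy or active detection on device")
        if not req.device.disk_encrypted:
            reasons.append("disk not encrypted")

    # 3. Least privilege: the user's roles must grant this specific resource.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.resource not in granted:
        reasons.append(f"{req.resource!r} not granted by roles {sorted(req.roles)}")

    return Decision(allow=not reasons, reasons=reasons)

def demo() -> list:
    """Constructed requests; returns (user, resource, network, decision) tuples."""
    healthy = Device("lap-01", managed=True, edr_healthy=True, disk_encrypted=True)
    infected = Device("lap-02", managed=True, edr_healthy=False, disk_encrypted=True)
    requests = [
        # On the corporate LAN but only TOTP: location earns no trust.
        AccessRequest("alice", {"developer"}, "totp", 120, healthy, "git", network="corp-lan"),
        # FIDO2, healthy device, in-scope resource, from public Wi-Fi: allowed.
        AccessRequest("alice", {"developer"}, "fido2", 120, healthy, "git", network="public-wifi"),
        # Same user and credential, but EDR reports a detection: denied.
        AccessRequest("alice", {"developer"}, "fido2", 120, infected, "git"),
        # Strong authentication, but finance has no business in IAM: denied.
        AccessRequest("bob", {"finance"}, "fido2", 60, healthy, "iam"),
    ]
    return [(r.user, r.resource, r.network, evaluate(r)) for r in requests]

if __name__ == "__main__":
    for user, resource, network, d in demo():
        verdict = "ALLOW" if d.allow else "DENY "
        print(f"{verdict} {user}->{resource} via {network}: {'; '.join(d.reasons) or 'all checks passed'}")
```

The point of the sample requests is the contrast between the first two: the request from the corporate LAN is denied because TOTP is not phishing-resistant, while the request from public Wi-Fi is allowed because identity, device and privilege all check out. Collecting every failed check, rather than stopping at the first, is what makes the decision auditable.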
Risk Associates plays a crucial role in helping organisations achieve and maintain Zero Trust security principles. Through Penetration Testing, Firewall Configuration Reviews, and Application Security Assessments, Risk Associates helps businesses identify and close the gaps in their defences.
The Executive Order highlights the growing need for stronger cybersecurity standards among cloud service providers, ensuring that cloud services used by federal agencies and critical infrastructure remain secure and resilient. It emphasises adherence to FedRAMP baselines, particularly for organisations handling sensitive federal data, to safeguard the integrity and resilience of their cloud environments.
For businesses relying on cloud services, ensuring that their providers comply with these enhanced cybersecurity standards is essential to protect data and operations. In this evolving landscape, Risk Associates provides services such as CSA STAR Assessments and PCI ASV Scans, designed to help organisations assess and strengthen the security of their cloud services, ensuring they meet the necessary standards while enhancing operational efficiency and resilience.
Organisations that invest in proactive measures such as Penetration Testing and Vulnerability Assessments are better positioned to identify and mitigate risks before they escalate.
By simulating real-world attack scenarios, businesses gain valuable insights into potential weaknesses, aligning with the executive order’s emphasis on resilience and innovation in cybersecurity.
Risk Associates offers a comprehensive suite of offensive security services, including Compromise Assessments, Penetration Testing, and Social Engineering Evaluations, enabling organisations to strengthen their defences and ensure operational continuity in an increasingly complex threat landscape.
The executive order highlights the evolving cybersecurity landscape, recognising the threat that emerging technologies such as quantum computing pose to today's cryptography. Established control frameworks such as the Center for Internet Security (CIS) Controls give organisations a practical way to manage these and other risks.
Quantum computing presents a significant challenge to the public-key algorithms in use today (RSA, Diffie-Hellman and elliptic-curve schemes), and recorded traffic can be decrypted retroactively once a sufficiently capable quantum computer exists. NIST finalised its first post-quantum standards in August 2024 (ML-KEM for key establishment, ML-DSA and SLH-DSA for signatures), and the order directs agencies to begin the transition. Organisations must proactively inventory their cryptography, assess it, and update their encryption strategies to ensure resilience in the quantum era. At the same time, adopting established frameworks such as the CIS Controls helps organisations build a solid foundation for identifying, managing, and mitigating risks related to ransomware, insider threats, and supply chain vulnerabilities.
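The first step of any post-quantum transition is a cryptographic inventory with a sensible ordering of what to fix first. The following is an added example, not code from the Executive Order or from Risk Associates: it takes a constructed inventory of TLS endpoints, splits each IANA cipher suite name into key exchange, authentication, symmetric cipher and hash, and rates each component, treating classical key exchange on long-lived data as the most urgent item because of the "harvest now, decrypt later" risk. The endpoint names, the inventory fields and the five-year threshold for "long-lived" data are assumptions; the migration targets named are the NIST standards finalised in August 2024 (ML-KEM in FIPS 203, ML-DSA in FIPS 204, SLH-DSA in FIPS 205).

```python
"""Toy cryptographic inventory triage for post-quantum migration planning.

Added example, not from the Executive Order or Risk Associates. Endpoint names,
inventory fields and the 5-year "long-lived data" threshold are assumptions.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}
# Substrings identifying post-quantum or hybrid algorithms/groups (the IANA
# TLS group name X25519MLKEM768, for instance, embeds its ML-KEM part).
PQ_MARKERS = ("MLKEM", "ML-KEM", "MLDSA", "ML-DSA", "SLHDSA", "SLH-DSA")
# Symmetric primitives already broken or deprecated classically: fix these first.
BROKEN_CIPHERS = ("RC4", "RC2", "3DES", "DES_", "NULL", "EXPORT")

@dataclass
class Finding:
    component: str   # kex | auth | cipher | hash
    algorithm: str
    severity: str    # info | medium | high | critical
    note: str

@dataclass
class Endpoint:
    name: str
    cipher_suite: str
    kex_group: str = ""    # TLS 1.3 suite names omit key exchange; supply the group here
    cert_key: str = ""     # certificate algorithm, e.g. "RSA-2048", "ECDSA-P256", "ML-DSA-65"
    data_lifetime_years: int = 1   # how long the protected data must stay confidential

def split_suite(suite: str):
    """Split an IANA cipher suite name into (kex, auth, cipher, hash).

    TLS 1.2 names read TLS_<KEX>_<AUTH>_WITH_<CIPHER>_<HASH>; TLS 1.3 names
    (TLS_<CIPHER>_<HASH>) carry neither key exchange nor authentication."""
    s = suite.upper()
    if not s.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {suite}")
    body = s[4:]
    if "_WITH_" in body:
        kexauth, rest = body.split("_WITH_", 1)
        parts = kexauth.split("_")
        kex, auth = parts[0], parts[-1]     # TLS_RSA_WITH_... gives RSA for both
    else:
        kex, auth, rest = "", "", body
    m = re.match(r"^(.+?)_(SHA\d*|MD5)$", rest)
    cipher, hsh = (m.group(1), m.group(2)) if m else (rest, "")
    return kex, auth, cipher, hsh

def is_pq(alg: str) -> bool:
    return any(marker in alg.upper() for marker in PQ_MARKERS)

def assess(ep: Endpoint) -> list:
    """Return the findings for one endpoint, most severe first."""
    kex, auth, cipher, hsh = split_suite(ep.cipher_suite)
    kex = ep.kex_group.upper() or kex
    auth = ep.cert_key.upper() or auth
    long_lived = ep.data_lifetime_years >= 5
    out = []
    # Key exchange is the urgent item: sessions recorded today can be decrypted
    # later, so urgency scales with how long the data must stay secret.
    if not kex:
        out.append(Finding("kex", "?", "medium", "key exchange unknown; record the negotiated group"))
    elif is_pq(kex):
        out.append(Finding("kex", kex, "info", "post-quantum or hybrid key exchange in place"))
    else:
        out.append(Finding("kex", kex, "critical" if long_lived else "high",
                           "classical key exchange; move to an ML-KEM hybrid (FIPS 203)"))
    # Authentication only fails when a signature can be forged in the future;
    # nothing recorded today is exposed retroactively, hence lower urgency.
    if auth and not is_pq(auth):
        out.append(Finding("auth", auth, "medium",
                           "classical signature; plan for ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) certificates"))
    # Symmetric cipher: classically broken suites outrank any quantum concern;
    # Grover's algorithm halves the effective strength of a 128-bit key.
    if any(b in cipher for b in BROKEN_CIPHERS):
        out.append(Finding("cipher", cipher, "critical", "classically broken or deprecated cipher"))
    elif "_128_" in f"_{cipher}_":
        out.append(Finding("cipher", cipher, "medium" if long_lived else "info",
                           "128-bit key; prefer AES_256 for data that must stay secret for years"))
    # Hash: a bare SHA token means SHA-1; SHA-1 and MD5 suites are deprecated.
    if hsh in ("SHA", "MD5"):
        out.append(Finding("hash", hsh, "medium", "SHA-1/MD5 suite; prefer SHA256 or stronger"))
    return sorted(out, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)

def triage(inventory: list) -> list:
    """Rank endpoints by their worst finding so the migration backlog is ordered."""
    rows = []
    for ep in inventory:
        findings = assess(ep)
        worst = max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="info")
        rows.append((ep.name, worst, findings))
    return sorted(rows, key=lambda r: SEVERITY_RANK[r[1]], reverse=True)

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Endpoint("hr-records", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", cert_key="RSA-2048", data_lifetime_years=25),
    Endpoint("legacy-portal", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", cert_key="RSA-2048"),
    Endpoint("public-site", "TLS_AES_256_GCM_SHA384", kex_group="X25519", cert_key="ECDSA-P256"),
    Endpoint("backup-link", "TLS_AES_256_GCM_SHA384", kex_group="X25519MLKEM768", cert_key="ML-DSA-65", data_lifetime_years=10),
]

if __name__ == "__main__":
    for name, worst, findings in triage(SAMPLE_INVENTORY):
        print(f"{name:14s} {worst}")
        for f in findings:
            print(f"    [{f.severity:8s}] {f.component}: {f.algorithm} - {f.note}")
```

Run on the sample inventory, the HR system with 25-year data retention and the legacy portal with 3DES both come out as critical, ahead of the public site whose only problem is classical X25519 key exchange, while the hybrid ML-KEM link needs no action. Separating key exchange from authentication in the scoring is the design choice that matters: a classical certificate signature carries no retroactive exposure, so it can follow the key exchange migration rather than block it.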
Risk Associates offers comprehensive solutions to address these challenges, including Risk Assessments to evaluate current encryption practices and formulate transition strategies for quantum-resistant solutions. Additionally, Risk Associates provides Compromise Assessments, Threat Intelligence, and Incident Response Readiness services, equipping organisations with the tools needed to detect, respond to, and recover from evolving cyber threats with confidence.
The cybersecurity landscape is evolving rapidly, and the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity, signed on 16 January 2025, is a testament to this transformation. This directive focuses on enhancing innovation, collaboration, and resilience in response to emerging threats.
From Zero Trust Architecture (ZTA) to Artificial Intelligence (AI), the order places a strategic emphasis on adaptability and forward-thinking security measures. For businesses, aligning with these initiatives is not merely about compliance—it is about staying ahead in an era where cyber threats are becoming increasingly sophisticated.
Let us explore how this executive order impacts key cybersecurity areas and how Risk Associates can assist your organisation’s journey towards compliance and resilience.
The primary goal is to strengthen national cybersecurity by promoting innovation, enhancing collaboration between the public and private sectors, and improving resilience in critical areas like software supply chain security, AI-powered threat detection, and Zero Trust Architectures (ZTA).
The order mandates stricter controls for software vendors, requiring them to submit attestations and artifacts to the CISA Repository for Software Attestation and Artifacts (RSAA) to demonstrate compliance with secure development frameworks.
Zero Trust is a security framework that operates on the principle of "never trust, always verify." It requires continuous authentication and authorization for every user and device, regardless of their location within the network. The order emphasizes ZTA as a crucial strategy for strengthening digital resilience.
The order encourages the adoption of AI-driven tools for threat detection, vulnerability management, and automated response capabilities, particularly within critical infrastructure sectors.
The order binds federal agencies directly, and it reaches businesses through the contract clauses and Federal Acquisition Regulation amendments it directs. If you operate in the USA and want to work with the Federal Government, you should expect to comply with its provisions.
Risk Associates offers a range of services, including penetration testing, vulnerability assessments, source code reviews, risk assessments, compliance assessments (PCI DSS, NIST frameworks, SOC 2, CSA STAR), and threat intelligence, to help organizations align with the order's requirements.
To comply with the Executive Order, your business must align with the new cybersecurity requirements, especially if you hold or bid for federal government contracts; the concrete obligations will arrive through the FAR amendments and agency contract language the order directs.