EO 14144
On January 16, 2025 (local time), former US President Biden signed Executive Order 14144, the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity (hereafter "EO 14144"). The order grew out of the Government's recognition that gaps in the nation's cyber defenses had left many exploitable weaknesses and made the country a target for cyber attacks. EO 14144 builds on the earlier EO 14028 (Improving the Nation's Cybersecurity) and aims to raise the level of protection by tightening security requirements, including promoting post-quantum cryptography, establishing privacy-preserving digital identity, hardening Federal systems, promoting the secure use of artificial intelligence, protecting Federal communications, improving software supply chain security (for example by setting requirements for software vendors), and combating cybercrime and fraud. EO 14144 names a number of departments and officials, including the Office of Management and Budget (OMB), the Secretary of Commerce, the National Institute of Standards and Technology (NIST), the Secretary of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Acquisition Regulatory Council (FAR Council) and the National Cyber Director, and directs how they are to cooperate and what mechanisms and implementation plans they are to establish.
Trump's amendments
On June 6, 2025 (local time), President Trump issued a series of amendments to EO 14144 (Executive Order 14306) that narrow its focus. The Trump administration said the revised order re-prioritises cybersecurity: it emphasises secure software development; requires departments and agencies to act on border gateway security to counter hijacking of network connections; promotes adoption of the latest encryption protocols; sets cybersecurity policy through technical measures, including machine-readable policy standards; and establishes a formal trust mark for Internet of Things products so that devices owned by US citizens meet basic security engineering principles. The revision also addresses threats posed by next-generation computing architectures.
Highlights of the amendments:
- Named adversary nations: the revision explicitly lists China, Russia, Iran and North Korea as cybersecurity threats, echoing other US measures such as EO 14117 and the Protecting Americans' Data from Foreign Adversaries Act.
- Fixed deadlines: each relevant department must act and establish the corresponding requirements by a specific calendar date.
Under the revised text, the relevant agencies start delivering on a rolling schedule from August 1, 2025, the earliest fixed date in the amended order. The concrete impact of EO 14144 on individual industries remains to be seen.
Details of the amendments:
原内容 | 修订内容 | 分析 |
Section 1 . Policy. Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People's Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans' security and privacy. More must be done to improve the Nation's cybersecurity against these threats.Building on the foundational steps I directed in Executive Order 14028 of May 12, 2021 (Improving the Nation's Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy, I am ordering additional actions to improve our Nation's cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People's Republic of China. Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector are especially critical to improvement of the Nation's cybersecurity. | 替换成:Section 1. Policy. Foreign nations and criminals continue to conduct cyber campaigns targeting the United States and Americans. The People’s Republic of China presents the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks, but significant threats also emanate from Russia, Iran, North Korea, and others who undermine United States cybersecurity. 
These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the Nation’s cybersecurity against these threats. I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats. | 原行政令第一章提供了该行政令立法的背景和铺垫,指出中国为美国的一大关注重点。新修订简化背景和铺垫,并指出具体的该行政命令所关注的国家为中国、俄罗斯、伊朗、北韩,以及其他侵害美国网络安全的国家。 |
Sec. 2 (a) The Federal Government and our Nation's critical infrastructure rely on software providers. Yet insecure software remains a challenge for both providers and users and makes Federal Government and critical infrastructure systems vulnerable to malicious cyber incidents. The Federal Government must continue to adopt secure software acquisition practices and take steps so that software providers use secure software development practices to reduce the number and severity of vulnerabilities in software they produce.(b) Executive Order 14028 directed actions to improve the security and integrity of software critical to the Federal Government's ability to function. Executive Order 14028 directed the development of guidance on secure software development practices and on generating and providing evidence in the form of artifacts—computer records or data that are generated manually or by automated means—that demonstrate compliance with those practices. Additionally, it directed the Director of the Office of Management and Budget (OMB) to require agencies to use only software from providers that attest to using those secure software development practices. In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise. 
The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest.(i) Within 30 days of the date of this order, the Director of OMB, in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall recommend to the Federal Acquisition Regulatory Council (FAR Council) contract language requiring software providers to submit to CISA through CISA's Repository for Software Attestation and Artifacts (RSAA):(A) machine-readable secure software development attestations;(B) high-level artifacts to validate those attestations; and(C) a list of the providers' Federal Civilian Executive Branch (FCEB) agency software customers.(ii) Within 120 days of the receipt of the recommendations described in subsection (b)(i) of this section, the FAR Council shall review the recommendations and, as appropriate and consistent with applicable law, the Secretary of Defense, the Administrator of General Services, and the Administrator of the National Aeronautics and Space Administration (the agency members of the FAR Council) shall jointly take steps to amend the Federal Acquisition Regulation (FAR) to implement those recommendations. 
The agency members of the FAR Council are strongly encouraged to consider issuing an interim final rule, as appropriate and consistent with applicable law.(iii) Within 60 days of the date of the issuance of the recommendations described in subsection (b)(i) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall evaluate emerging methods of generating, receiving, and verifying machine-readable secure software development attestations and artifacts and, as appropriate, shall provide guidance for software providers on submitting them to CISA's RSAA website, including a common data schema and format.(iv) Within 30 days of the date of any amendments to the FAR described in subsection (b)(ii) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall develop a program to centrally verify the completeness of all attestation forms. CISA shall continuously validate a sample of the complete attestations using high-level artifacts in the RSAA.(v) If CISA finds that attestations are incomplete or artifacts are insufficient for validating the attestations, the Director of CISA shall notify the software provider and the contracting agency. The Director of CISA shall provide a process for the software provider to respond to CISA's initial determination and shall duly consider the response.(vi) For attestations that undergo validation, the Director of CISA shall inform the National Cyber Director, who shall publicly post the results, identifying the software providers and software version. The National Cyber Director is encouraged to refer attestations that fail validation to the Attorney General for action as appropriate. | 删除该章节 | 原行政令第 14144 号第二章(a)和(b)节指出,联邦政府及关键基础设施高度依赖第三方软件提供商,但这些软件往往存在安全隐患,可能成为恶意网络攻击的入口。为此,联邦政府必须改进其软件采购策略,并推动软件提供商采用安全开发流程,以减少漏洞的数量和严重程度。该章节进一步要求第三方软件提供商进行验证,作为三方风险的管理的一环。修订版删除了相关内容,变相减轻了对第三方软件提供商的要求。 |
Sec. 2(c) Secure software development practices are not sufficient to address the potential for cyber incidents from resourced and determined nation-state actors. To mitigate the risk of such incidents occurring, software providers must also address how software is delivered and the security of the software itself. The Federal Government must identify a coordinated set of practical and effective security practices to require when it procures software.(i) Within 60 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218 ( Secure Software Development Framework (SSDF)).(ii) Within 90 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800-53 ( Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.(iii) Within 180 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. 
Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.(iv) Within 120 days of the final update to the SSDF described in subsection (c)(iii) of this section, the Director of OMB shall incorporate select practices for the secure development and delivery of software contained in NIST's updated SSDF into the requirements of OMB Memorandum M-22-18 ( Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) or related requirements.(v) Within 30 days of the issuance of OMB's updated requirements described in subsection (c)(iv) of this section, the Director of CISA shall prepare any revisions to CISA's common form for Secure Software Development Attestation to conform to OMB's requirements and shall initiate any process required to obtain clearance of the revised form under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq. | 替换成:(c) Relevant executive departments and agencies (agencies) shall take the following actions:(i) By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).(ii) By September 2, 2025, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.(iii) By December 1, 2025, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall 
develop and publish a preliminary update to the SSDF. This preliminary update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.(iv) Within 120 days of the final update to the SSDF described in subsection (c)(iii) of this section, the Director of OMB shall incorporate select practices for the secure development and delivery of software contained in NIST's updated SSDF into the requirements of OMB Memorandum M-22-18 ( Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) or related requirements.(v) Within 30 days of the issuance of OMB's updated requirements described in subsection (c)(iv) of this section, the Director of CISA shall prepare any revisions to CISA's common form for Secure Software Development Attestation to conform to OMB's requirements and shall initiate any process required to obtain clearance of the revised form under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq. | 修订后内容删除了背景信息相关内容。内容部分删除了对CISA和OMB的要求,但对商务部和NIST的要求不变。 |
Sec. 2 (e) Open source software plays a critical role in Federal information systems. To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software. Within 120 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, and the Director of OMB, in consultation with the Administrator of General Services and the heads of other agencies as appropriate, shall jointly issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects. | (e) Open source software plays a critical role in Federal information systems. To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software. Within 120 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, and the Director of OMB, in consultation with the Administrator of General Services and the heads of other agencies as appropriate, shall jointly issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects. | 修订后内容删除了背景信息。 |
Sec. 3 . Improving the Cybersecurity of Federal Systems. (a) The Federal Government must adopt proven security practices from industry—to include in identity and access management—in order to improve visibility of security threats across networks and strengthen cloud security.(b) To prioritize investments in the innovative identity technologies and processes of the future and phishing-resistant authentication options, FCEB agencies shall begin using, in pilot deployments or in larger deployments as appropriate, commercial phishing-resistant standards such as WebAuthn, building on the deployments that OMB and CISA have developed and established since the issuance of Executive Order 14028. These pilot deployments shall be used to inform future directions for Federal identity, credentialing, and access management strategies. | 删除该章节f | 原行政令第 14144 号第三章(a)和(b)节含有铺垫的内容和对OMB和CISA的要求,删除该内容把要求从由CISA和OMB中央管理减轻,相当于把要求下放到更底层的部门。 |
Sec.3 (c) The Federal Government must maintain the ability to rapidly and effectively identify threats across the Federal enterprise. In Executive Order 14028, I directed the Secretary of Defense and the Secretary of Homeland Security to establish procedures to immediately share threat information to strengthen the collective defense of Department of Defense and civilian networks. To enable identification of threat activity, CISA's capability to hunt for and identify threats across FCEB agencies under 44 U.S.C. 3553(b)(7) must be strengthened.(i) The Secretary of Homeland Security, acting through the Director of CISA, in coordination with the Federal Chief Information Officer (CIO) Council and Federal Chief Information Security Officer (CISO) Council, shall develop the technical capability to gain timely access to required data from FCEB agency endpoint detection and response (EDR) solutions and from FCEB agency security operation centers to enable:(A) timely hunting and identification of novel cyber threats and vulnerabilities across the Federal civilian enterprise;... | (c) The Federal Government must maintain the ability to rapidly and effectively identify threats across the Federal enterprise. In Executive Order 14028, I directed the Secretary of Defense and the Secretary of Homeland Security to establish procedures to immediately share threat information to strengthen the collective defense of Department of Defense and civilian networks. To enable identification of threat activity, CISA's capability to hunt for and identify threats across FCEB agencies under 44 U.S.C. 
3553(b)(7) must be strengthened.(i) The Secretary of Homeland Security, acting through the Director of CISA, in coordination with the Federal Chief Information Officer (CIO) Council and Federal Chief Information Security Officer (CISO) Council, shall develop the technical capability to gain timely access to required data from FCEB agency endpoint detection and response (EDR) solutions and from FCEB agency security operation centers to enable:(A) timely hunting and identification of novel cyber threats and vulnerabilities across the Federal civilian enterprise;... | 修订版与原文差别不大,主要删减了一些背景信息和形容。 |
Sec. 4 .(b) The security of internet traffic depends on data being correctly routed and delivered to the intended recipient network. Routing information originated and propagated across the internet, utilizing the Border Gateway Protocol (BGP), is vulnerable to attack and misconfiguration.(i) Within 90 days of the date of this order, FCEB agencies shall take steps to ensure that all of their assigned internet number resources (internet Protocol (IP) address blocks and Autonomous System Numbers) are covered by a Registration Services Agreement with the American Registry for internet Numbers or another appropriate regional internet registry. Thereafter, FCEB agencies shall annually review and update in their regional internet registry accounts organizational identifiers related to assigned number resources such as organization names, points of contact, and associated email addresses.... | 替换成:Sec. 4 .(b) Relevant agencies shall take the following actions:(i) Within 90 days of the date of this order, FCEB agencies shall take steps to ensure that all of their assigned internet number resources (internet Protocol (IP) address blocks and Autonomous System Numbers) are covered by a Registration Services Agreement with the American Registry for internet Numbers or another appropriate regional internet registry. Thereafter, FCEB agencies shall annually review and update in their regional internet registry accounts organizational identifiers related to assigned number resources such as organization names, points of contact, and associated email addresses.... | 修订版与原文差别不大,主要删减了一些背景信息。 |
Sec. 4 . (b) (iv) Within 180 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall publish updated guidance to agencies on deployment of current, operationally viable BGP security methods for Federal Government networks and service providers. The Secretary of Commerce, acting through the Director of NIST, shall also provide updated guidance on other emerging technologies to improve internet routing security and resilience, such as route leak mitigation and source address validation. | 删除该章节 | 删除了对NIST出版指南的要求,减轻“中央化”管理。 |
Sec. 4 . (d)(ii) Within 180 days of the date of this order, the Director of OMB shall establish a requirement for expanded use of authenticated transport-layer encryption between email servers used by FCEB agencies to send and receive email.(iii) Within 90 days of the establishment of the requirement described in subsection (d)(ii) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall take appropriate steps to assist agencies in meeting that requirement, including by issuing implementing directives, as well as technical guidance to address any identified capability gaps. | 删除该章节 | 删除了对 OMB 和 CISA 的要求,减轻“中央化”管理。 |
Sec. 4 .(f) Alongside their benefits, quantum computers pose significant risk to the national security, including the economic security, of the United States. Most notably, a quantum computer of sufficient size and sophistication—also known as a cryptanalytically relevant quantum computer (CRQC)—will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world. In National Security Memorandum 10 of May 4, 2022 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems), I directed the Federal Government to prepare for a transition to cryptographic algorithms that would not be vulnerable to a CRQC.(i) Within 180 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.(ii) Within 90 days of a product category being placed on the list described in subsection (f)(i) of this section, agencies shall take steps to include in any solicitations for products in that category a requirement that products support PQC.(iii) Agencies shall implement PQC key establishment or hybrid key establishment including a PQC algorithm as soon as practicable upon support being provided by network security products and services already deployed in their network architectures.(iv) Within 90 days of the date of this order, the Secretary of State and the Secretary of Commerce, acting through the Director of NIST and the Under Secretary for International Trade, shall identify and engage foreign governments and industry groups in key countries to encourage their transition to PQC algorithms standardized by NIST.(v) Within 180 days of the date of this order, to prepare for transition to PQC, the Secretary of Defense with respect to National Security Systems (NSS), and the 
Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version. | 替换和删改成:Sec. 4 .(f) A quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer (CRQC) — will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world. National Security Memorandum 10 of May 4, 2022 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems), directed the Federal Government to prepare for a transition to cryptographic algorithms that would not be vulnerable to a CRQC.(i) By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the Director of the National Security Agency, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.(ii) By December 1, 2025, to prepare for transition to PQC, the Director of the National Security Agency with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version. | 修订版相当于删减了 (ii), (iii), 和(iv),以及修改了原有的内容,减去背景信息,并把实施时间变成了具体的日期。 |
Sec. 5 . Solutions to Combat Cybercrime and Fraud. (a) The use of stolen and synthetic identities by criminal syndicates to systemically defraud public benefits programs costs taxpayers and wastes Federal Government funds. To help address these crimes it is the policy of the executive branch to strongly encourage the acceptance of digital identity documents to access public benefits programs that require identity verification, so long as it is done in a manner that preserves broad program access for vulnerable populations and supports the principles of privacy, data minimization, and interoperability.(i) Within 90 days of the date of this order, agencies with grantmaking authority are encouraged to consider, in coordination with OMB and the National Security Council staff, whether Federal grant funding is available to assist States in developing and issuing mobile driver's licenses that achieve the policies and principles described in this section.(ii) Within 270 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall issue practical implementation guidance, in collaboration with relevant agencies and other stakeholders through the National Cybersecurity Center of Excellence, to support remote digital identity verification using digital identity documents that will help issuers and verifiers of digital identity documents advance the policies and principles described in this section.(iii) Agencies should consider accepting digital identity documents as digital identity verification evidence to access public benefits programs, but only if the use of these documents is consistent with the policies and principles described in this section.(iv) Agencies should, consistent with applicable law, seek to ensure that digital identity documents accepted as digital identity verification evidence to access public benefits programs:(A) are interoperable with relevant standards and trust frameworks, so that the public can use any 
standards-compliant hardware or software containing an official Government-issued digital identity document, regardless of manufacturer or developer;(B) do not enable authorities that issue digital identity documents, device manufacturers, or any other third party to surveil or track presentation of the digital identity document, including user device location at the time of presentation; and(C) support user privacy and data minimization by ensuring only the minimum information required for a transaction—often a “yes” or “no” response to a question, such as whether an individual is older than a specific age—is requested from the holder of the digital identity document.(b) The use of “Yes/No” validation services, also referred to as attribute validation services, can enable more privacy-preserving means to reduce identity fraud. These services allow programs to confirm, via a privacy-preserving “yes” or “no” response, that applicant-provided identity information is consistent with information already contained in official records, without needing to share the contents of those official records. To support the use of such services, the Commissioner of Social Security, and the head of any other agency designated by the Director of OMB, shall, as appropriate and consistent with applicable law, consider taking steps to develop or modify services—including through, as appropriate, the initiation of a proposed rulemaking or the publication of a notice of a new or significantly modified routine use of records—related to Government-operated identity verification systems and public benefits programs, with consideration given to having such systems and programs submit applicant-provided identity information to the agency providing the service and receive a “yes” or “no” response as to whether the applicant-provided identity information is consistent with the information on file with the agency providing the service. 
In doing so, the heads of these agencies shall specifically consider seeking to ensure, consistent with applicable law, that:(i) any applicant-provided identity information submitted to the services and any “yes” or “no” response provided by the services are used only to assist with identity verification, program administration, anti-fraud operations, or investigation and prosecution of fraud related to the public benefits program for which the identity information was submitted;(ii) the services are made available, to the maximum extent permissible and as appropriate, to public benefits programs; Government-operated identity verification systems, including shared-service providers; payment integrity programs; and United States-regulated financial institutions; and(iii) the agencies, public benefits programs, or institutions using the services provide reimbursement to appropriately cover costs and support the ongoing maintenance, improvement, and broad accessibility of the services.(c) The Secretary of the Treasury, in consultation with the Administrator of General Services, shall research, develop, and conduct a pilot program for technology that notifies individuals and entities when their identity information is used to request a payment from a public benefits program, gives individuals and entities the option to stop potentially fraudulent transactions before they occur, and reports fraudulent transactions to law enforcement entities. | 删除该章节 | 原文要求政府部门加强政策力度,打击网犯罪和诈骗。修订版直接把该章节删除。 |
Sec. 8 . (c) To help protect space NSS with cybersecurity measures that keep pace with emerging threats, within 210 days of the date of this order, the CNSS shall review and update, as appropriate, relevant policies and guidance regarding space system cybersecurity. In addition to appropriate updates, the CNSS shall identify and address appropriate requirements to implement cyber defenses on Federal Government-procured space NSS in the areas of intrusion detection, use of hardware roots of trust for secure booting, and development and deployment of security patches. | Sec. 8 . (c) To help protect space NSS with cybersecurity measures that keep pace with emerging threats, within 210 days of the date of this order, the CNSS shall review and update, as appropriate, relevant policies and guidance regarding space system cybersecurity. In addition to appropriate updates, the CNSS shall identify and address appropriate requirements to implement cyber defenses on Federal Government-procured space NSS in the areas of intrusion detection, use of hardware roots of trust for secure booting, and development and deployment of security patches. | 修订版放宽了网络防御的范围。 |
Sec. 6. Promoting Security with and in Artificial Intelligence. Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity. (a) Within 180 days of the date of the completion of the Defense Advanced Research Projects Agency's 2025 Artificial Intelligence Cyber Challenge, the Secretary of Energy, in coordination with the Secretary of Defense, acting through the Director of the Defense Advanced Research Projects Agency, and the Secretary of Homeland Security, shall launch a pilot program, involving collaboration with private sector critical infrastructure entities as appropriate and consistent with applicable law, on the use of AI to enhance cyber defense of critical infrastructure in the energy sector, and conduct an assessment of the pilot program upon its completion. This pilot program, and accompanying assessment, may include vulnerability detection, automatic patch management, and the identification and categorization of anomalous and malicious activity across information technology (IT) or operational technology systems. (b) Within 270 days of the date of this order, the Secretary of Defense shall establish a program to use advanced AI models for cyber defense. (c) Within 150 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the National Science Foundation (NSF) shall each prioritize funding for their respective programs that encourage the development of large-scale, labeled datasets needed to make progress on cyber defense research, and ensure that existing datasets for cyber defense research have been made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security. (d) Within 150 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the NSF shall prioritize research on the following topics: (i) human-AI interaction methods to assist defensive cyber analysis; (ii) security of AI coding assistance, including security of AI-generated code; (iii) methods for designing secure AI systems; and (iv) methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems. (e) Within 150 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with the Director of OMB, shall incorporate management of AI software vulnerabilities and compromises into their respective agencies' existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems. | Replaced with: Promoting Security with and in Artificial Intelligence. Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. (a) By November 1, 2025, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the National Science Foundation shall ensure that existing datasets for cyber defense research have been made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security. (b) By November 1, 2025, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with appropriate officials within the Executive Office of the President, to include officials within the Office of Science and Technology Policy, the Office of the National Cyber Director, and the Director of OMB, shall incorporate management of AI software vulnerabilities and compromises into their respective agencies' existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems. | The revision effectively deletes the original (a) (the energy-sector AI cyber defense pilot), (b) (the DoD program for advanced AI models in cyber defense) and (d) (the prioritized research topics, including security of AI-generated code and secure AI system design), and drops the policy sentence directing the Federal Government to accelerate AI development and deployment. Of the original (c), only the requirement to make existing cyber defense datasets accessible to the research community survives; the funding priority for building new large-scale labeled datasets is gone. The original (e) is retained as the new (b), with the coordination list widened to the Office of Science and Technology Policy and the Office of the National Cyber Director. The relative 150-day deadlines of the retained items are replaced by a fixed date, November 1, 2025. |
Sec. 7. Aligning Policy to Practice. (a) IT infrastructure and networks that support agencies' critical missions need to be modernized. Agencies' policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks. (i) Within 3 years of the date of this order, the Director of OMB shall issue guidance, including any necessary revision to OMB Circular A-130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks. This guidance shall, at a minimum: (A) outline expectations for agency cybersecurity information sharing and exchange, enterprise visibility, and accountability for enterprise-wide cybersecurity programs by agency CISOs; (B) revise OMB Circular A-130 to be less technically prescriptive in key areas, where appropriate, to more clearly promote the adoption of evolving cybersecurity best practices across Federal systems, and to include migration to zero trust architectures and implementation of critical elements such as EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication; and (C) address how agencies should identify, assess, respond to, and mitigate risks to mission essential functions presented by concentration of IT vendors and services. (ii) The Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Director of OMB shall establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity. (b) Managing cybersecurity risks is now a part of everyday industry practice and should be expected for all types of businesses. Minimum cybersecurity requirements can make it costlier and harder for threat actors to compromise networks. Within 240 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall evaluate common cybersecurity practices and security control outcomes that are commonly used or recommended across industry sectors, international standards bodies, and other risk management programs, and based on that evaluation issue guidance identifying minimum cybersecurity practices. In developing this guidance, the Secretary of Commerce, acting through the Director of NIST, shall solicit input from the Federal Government, the private sector, academia, and other appropriate actors. (c) Agencies face multiple cybersecurity risks when purchasing products and services. While agencies have already made significant advances to improve their supply chain risk management, additional actions are needed to keep pace with the evolving threat landscape. Within 180 days of the issuance of the guidance described in subsection (b) of this section, the FAR Council shall review the guidance and, as appropriate and consistent with applicable law, the agency members of the FAR Council shall jointly take steps to amend the FAR to: (i) require that contractors with the Federal Government follow applicable minimum cybersecurity practices identified in NIST's guidance pursuant to subsection (b) of this section with respect to work performed under agency contracts or when developing, maintaining, or supporting IT services or products that are provided to the Federal Government; and (ii) adopt requirements for agencies to, by January 4, 2027, require vendors to the Federal Government of consumer Internet-of-Things products, as defined by 47 CFR 8.203(b), to carry United States Cyber Trust Mark labeling for those products. | Replaced with: Sec. 7. Aligning Policy to Practice. Agencies' policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks. In consultation with the National Cyber Director, agencies shall take the following actions: (a) Within 3 years of the date of this order, the Director of OMB shall issue guidance, including any necessary revision to OMB Circular A-130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks. (b) Within 1 year of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Director of OMB shall establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity. (c) Within 1 year of the date of this order, agency members of the FAR Council shall, as appropriate and consistent with applicable law, jointly take steps to amend the FAR to adopt requirements for agencies to, by January 4, 2027, require vendors to the Federal Government of consumer Internet-of-Things products, as defined by 47 CFR 8.203(b), to carry United States Cyber Trust Mark labeling for those products. | The revision strips the background framing and adds that all actions are taken in consultation with the National Cyber Director. Of the original (a), only the general requirement to revise OMB Circular A-130 within 3 years remains; sub-items (A) to (C) (information sharing and CISO accountability; zero trust architecture, EDR, encryption, network segmentation and phishing-resistant multi-factor authentication; IT vendor concentration risk) are deleted. The rules-as-code pilot of the original (a)(ii) is kept in substance as the new (b), now with a 1-year completion deadline. Of the original (c), only the requirement that consumer Internet-of-Things products sold to the Federal Government carry the United States Cyber Trust Mark survives: the January 4, 2027 labeling date is unchanged, but the FAR amendment is now due within 1 year of the order rather than 180 days after NIST guidance. The broader contractor cybersecurity obligations of the original (c)(i) are deleted, as is the requirement in the original (b) for NIST to evaluate and publish cross-sector minimum cybersecurity practices on which that contractor obligation depended. |
Sec. 8. National Security Systems and Debilitating Impact Systems. (a) Except as specifically provided for in section 4(f)(v) of this order, sections 1 through 7 of this order shall not apply to Federal information systems that are NSS or are otherwise identified by the Department of Defense or the Intelligence Community as debilitating impact systems. | Replaced with: (a) Except as specifically provided for in subsection 4(f) of this order, sections 1 through 7 of this order shall not apply to Federal information systems that are NSS or are otherwise identified by the Department of Defense or the Intelligence Community as debilitating impact systems. | In the original, the only carve-out from the NSS exemption was section 4(f)(v), i.e. the TLS 1.3 transition requirement. The revision widens the carve-out to the whole of subsection 4(f), so NSS are covered not only by the TLS 1.3 requirement but by the entire post-quantum cryptography (PQC) transition and its technical roadmap in 4(f). |
EO 14144 original text: https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity
Trump amendment: https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/