Biden Executive Order on Cybersecurity
Coverage: Wired, NPR, Forbes, White House
CISA (Secretary of Homeland Security through Director of CISA)
Within 30 Days: In the Software Supply Chain category, CISA will evaluate emerging methods and provide guidance for software providers on submitting attestations to CISA's RSAA website.
Within 60 Days: In the Software Supply Chain category, CISA will evaluate emerging methods for submitting attestations to CISA's RSAA website.
Within 90 Days: In the Federal Communications category, CISA will publish template contract language requiring DNS resolvers to support encrypted DNS.
Within 90 days of the email requirement: In the Federal Communications category, CISA shall take appropriate steps to assist agencies in meeting that requirement, including by issuing implementing directives, as well as technical guidance to address any identified capability gaps.
Within 180 Days: In the Federal Systems Cybersecurity category, CISA will develop a concept of operations for CISA to gain access to data from agency endpoint detection and response solutions.
Within 180 Days: In the Federal Communications category, CISA will release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.
CNSS
Within 210 Days: In the NSS & Impact Systems category, CNSS will review and update policies on space system cybersecurity.
Director of OMB
Within 90 days of the study: In the Federal Systems Cybersecurity category, the Director of OMB will take appropriate steps to help ensure that space ground systems owned, managed, or operated by FCEB agencies comply with relevant cybersecurity requirements issued by OMB.
Within 120 days of final SSDF: In the Software Supply Chain category, the Director of OMB shall incorporate select practices for the secure development and delivery of software contained in NIST's updated SSDF into the requirements of OMB Memorandum M-22-18 or related requirements.
Within 180 Days: In the Federal Communications category, the Director of OMB shall establish a requirement for expanded use of authenticated transport-layer encryption between email servers used by FCEB agencies to send and receive email.
Within 90 Days: In the NSS & Impact Systems category, the Director of OMB will issue guidance requiring agencies to inventory all major information systems.
Within 3 Years: In the Aligning Policy to Practice category, the Director of OMB will issue guidance on modernizing IT and adapting practices to reduce cyber risks.
Within 60 Days of the guidelines: In the Federal Communications category, the Director of OMB, in consultation with the Secretaries of Commerce and Homeland Security, will take steps to require FCEB agencies to follow best practices concerning the protection and management of hardware security modules and trusted execution environments.
FAR Council
Within 120 Days: In the Software Supply Chain category, the FAR Council will review/amend regulations to implement software supply chain security recommendations.
Within 180 days of the recommendations: In the Federal Systems Cybersecurity category, the FAR Council will review/amend regulations to implement updated civil space contract cybersecurity requirements.
FCEB Agencies
Within 90 Days: In the Federal Systems Cybersecurity category, FCEB Agencies will provide CISA a list of systems requiring additional controls to prevent disruption.
Within 90 Days: In the Federal Communications category, FCEB Agencies will ensure all assigned Internet number resources are covered by an agreement with a regional Internet registry.
Within 120 Days: In the Federal Communications category, FCEB Agencies will create and publish Route Origin Authorizations for IP address blocks.
Within 120 Days: In the Federal Communications category, each FCEB agency will technically enforce encrypted and authenticated transport for all connections between the agency's email clients and their associated email servers.
Within 180 Days: In the Federal Communications category, FCEB Agencies will enable encrypted DNS protocols wherever supported.
Within 180 Days after controls: In the Federal Systems Cybersecurity category, the heads of FCEB agencies shall enroll endpoints using an EDR solution covered by those controls in the CISA Persistent Access Capability program.
By January 2, 2030: In the Federal Communications category, FCEB Agencies will implement PQC, including support of Transport Layer Security (TLS) protocol version 1.3 or a successor version for NSS.
Within 90 days of the list: In the Federal Communications category, FCEB Agencies will take steps to include in any solicitations for products in that category a requirement that products support PQC.
General Services Administration (GSA)
Within 90 Days: In the Federal Systems Cybersecurity category, GSA will develop FedRAMP policies and practices to incentivize cloud providers to produce secure configuration baselines.
Within 60 Days of the guidelines: In the Federal Communications category, GSA will develop updated FedRAMP requirements, incorporating the guidelines for cryptographic key management.
NIST
Within 90 Days: In the Software Supply Chain category, NIST will update Special Publication 800-53 to provide guidance on secure patch deployment.
Within 180 Days: In the Software Supply Chain category, NIST will publish a preliminary update to the Secure Software Development Framework (SSDF).
Within 180 Days: In the Federal Communications category, NIST will publish updated guidance on BGP security and emerging technologies to improve internet routing security.
Within 270 Days: In the Federal Communications category, NIST will develop guidelines for the secure management of cryptographic keys by cloud service providers.
National Cyber Director (with other agencies)
Within 120 Days: In the Federal Communications category, the National Cyber Director will recommend contract language to the FAR Council requiring internet service providers to adopt and deploy Internet routing security technologies.
OMB (with Commerce & Homeland Security)
Within 30 Days: In the Software Supply Chain category, OMB, with Commerce & Homeland Security, will recommend contract language for software provider attestations, artifacts, and customer lists.
Within 90 Days: In the Software Supply Chain category, OMB will require agencies to comply with the guidance in NIST Special Publication 800-161.
OMB, with CISA, Defense, NIST, and others
Within 180 Days: In the Federal Communications category, the Director of OMB, in coordination with other agencies, shall take steps to require agencies to use encryption for voice, video conferencing, and messaging.
Within 60 Days of the guidelines: In the Federal Communications category, the Director of OMB, in consultation with other agencies, shall take steps to require FCEB agencies to follow best practices concerning the protection and management of hardware security modules and trusted execution environments.
Secretary of Commerce
Within 60 Days: In the Software Supply Chain category, the Secretary of Commerce will establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance that demonstrates the implementation of secure software development.
Within 270 Days: In the Combat Cybercrime & Fraud category, the Secretary of Commerce will issue practical guidance to support remote digital identity verification.
Secretary of Defense (through Director of NSA)
Within 90 Days: In the NSS & Impact Systems category, the Secretary of Defense (through the Director of NSA) will develop requirements for NSS and debilitating impact systems.
Secretary of Defense
Within 270 Days: In the Federal Systems Cybersecurity category, the Secretary of Defense will establish a program to use advanced AI models for cyber defense.
Secretary of Homeland Security and OMB
Within 120 Days: In the Software Supply Chain category, the Secretary of Homeland Security and OMB will issue recommendations to agencies on the use of security assessments and patching of open-source software.
Secretary of Interior, Secretary of Commerce, and Administrator of NASA
Within 180 Days: In the Federal Systems Cybersecurity category, these agencies will recommend updates to civil space system cybersecurity requirements.
Secretary of Energy
Within 180 Days after DARPA Challenge: In the Promoting Security with AI category, the Secretary of Energy will launch a pilot program, involving collaboration with private sector critical infrastructure entities as appropriate, on the use of AI to enhance cyber defense of critical infrastructure in the energy sector.
Agencies with grantmaking authority
Within 90 Days: In the Combat Cybercrime & Fraud category, agencies with grantmaking authority will consider funding for mobile driver's licenses.
Agencies
By January 4, 2027: In the Aligning Policy to Practice category, agencies must require vendors of consumer IoT products to carry the Cyber Trust Mark.
National Cyber Director
Within 270 Days: In the Federal Systems Cybersecurity category, the National Cyber Director will submit a study of FCEB space ground systems.
Various Agencies
Within 150 Days: In the Promoting Security with AI category, various agencies will prioritize research on topics related to human-AI interaction methods to assist defensive cyber analysis and other cybersecurity-related topics.
Within 150 Days: In the Promoting Security with AI category, various agencies will incorporate management of AI software vulnerabilities and compromises into their agencies' existing processes and interagency coordination mechanisms.
CISA
Within 30 days of the above*: In the Software Supply Chain category, CISA shall prepare any revisions to CISA's common form for Secure Software Development Attestation to conform to OMB's requirements.