NIST’s Responsibilities Under the January 2025 Executive Order

While NIST frameworks are typically not mandatory for most organizations, they are still being called on to do some heavy lifting to bolster the nation’s cybersecurity defenses.
Under the January 2025 Executive Order (EO) on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, the National Institute of Standards and Technology (NIST) was charged, along with several other agencies, with the following tasks:
- Enhancing security accountability for software and cloud service providers.
- Improving the security of Federal communications and identity management systems.
- Encouraging new and innovative uses of emerging technologies in cybersecurity.
This blog will outline some of the major duties for which the agency is directly accountable under the EO, and what these changes mean for US cybersecurity and critical national infrastructure (CNI).
Making Supply Chains More Transparent
Supply chain security has long been the subject of high-level debate, especially given the significant impact of recent third-party attacks on critical infrastructure. From the landmark 2021 attack on Colonial Pipeline, which caused far-reaching fuel disruptions across the East Coast, to the 2024 compromise of Change Healthcare, the payments processor for UnitedHealth, the single largest healthcare group in the US, supply chain attacks have critically affected the wellbeing of the nation’s critical sectors (“Healthcare and Public Health” was elevated to CNI status last year).
The January Executive Order requires NIST to update NIST SP 800-53, a framework with strong third-party requirements (mandatory for federal agencies), to include guidance on securely deploying patches. It also requires the agency to update its Secure Software Development Framework (SSDF), a set of best practices for building security-by-design principles into the software development life cycle. Both updates are integral to reducing third-party risk, in the broader supply chain and in the software supply chain alike.
Boosting AI Security – and the Secure Use of AI
Under this requirement (“Promoting Security with and in Artificial Intelligence”), NIST is tasked with finding ways to improve the use of artificial intelligence (AI) in bolstering cyber defense. That directive is broken down into a few specific requirements. NIST is to prioritize research on:
- “Human-AI interaction methods,” in other words prompt engineering, that can assist defensive cyber analysis.
- Making AI coding assistance more secure.
- Designing more secure AI systems generally.
- Incident response methods for cyberattacks involving AI systems.
Additionally, the agency must put at the forefront of its funding priorities the development of large-scale datasets required to do this research. It must also make any existing datasets (created for the purpose of cyber defense research) available to the academic community to the furthest extent possible.
It is estimated that 40% of all cyberattacks are now AI-driven, an astronomical leap from the pre-ChatGPT days of less than three years ago. AI is attackers’ weapon of choice, and many cybersecurity vendors have been quick to add AI to their own technology arsenals.
Last year, the Department of Homeland Security (DHS) released a “groundbreaking framework for the safe and secure deployment of AI in critical infrastructure,” expressing the need to fight fire with fire. As stated by former US Secretary of Homeland Security Alejandro N. Mayorkas, “AI offers a once-in-a-generation opportunity to improve the strength and resilience of U.S. critical infrastructure, and we must seize it while minimizing its potential harms.”
These mandates underscore not only the need to limit the dangers of insecure AI in development, but to use its powerful capabilities to fight today’s international cybercrime on equal footing.
Secure Federal Communications
Another major responsibility assigned to NIST in the coming year is to update the standard of security used to transmit federal communications. Surprisingly, Signal isn’t on the list.
Under this directive, NIST is to provide updated guidance on the Border Gateway Protocol (BGP) security methods currently in use by Federal Government service providers and networks, along with additional recommendations for other emerging technologies that could further improve the security of Internet routing for sensitive intelligence.
The agency is also to encourage a massive shift by international governments and key sectors to the latest Post-Quantum Cryptography (PQC) algorithms, which have been standardized by NIST. And finally, it is to establish guidelines to be used by cloud service providers for the secure management of cryptographic keys and access tokens.
A November 2025 Deadline
NIST’s deadlines for complying with the EO began in March and continue until November of this year. As AI, nation-state actors, supply chain threats and insecure federal communication practices continue to make the news, these NIST requirements couldn’t come at a better time.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.