The White House ordered federal agencies to shore up their cybersecurity after agencies have lagged in implementing a key executive order President Joe Biden issued in 2021, according to a memo first obtained by CNN.
Multiple federal departments and agencies have, as of the end of June, “failed to fully comply” with critical security practices prescribed by the executive order, “leaving the U.S. Government exposed to malicious cyber intrusions and undermining the example the Government must set for adequate cybersecurity practices,” national security adviser Jake Sullivan said in a memo to Cabinet secretaries this week.
Sullivan asked senior officials from across the departments to ensure they achieve “full compliance” with the executive order’s security requirements by the end of the year. His memo is addressed to agencies outside of the Pentagon.
“This morning the National Security Advisor shared a memo with federal departments and agencies to ensure their cyber infrastructure is compliant with the President’s Executive Order to improve the nation’s cybersecurity,” a National Security Council spokesperson told CNN. “As we’ve said, the Biden-Harris Administration has had a relentless focus on strengthening the cybersecurity of nation’s most critical sectors since day one, and will continue to work to secure our cyber defenses.”
Sullivan’s memo reflects frustration among senior US officials that the government hasn’t gone far enough in protecting itself from a barrage of state-backed and cybercriminal attacks.
Biden’s first months in office were shaped by multiple damaging hacks. The administration had to deal with the aftermath of the sprawling 2020 Russian intrusion into federal networks via software made by SolarWinds, as well as a ransomware attack that temporarily shut the nation’s largest fuel pipeline operator.
The administration responded with a sweeping May 2021 executive order that required agencies to implement a series of security practices that make it harder for hackers to break in. It also requires federal contractors to raise their cyber defenses to continue working with the government. The directive does not apply to the Pentagon.
While US officials say agencies have much better visibility into the cyber threats on their networks, the progress has been too slow for the White House. In the memo, Sullivan asked agencies to provide a “detailed plan” for implementing the executive order by the end of September.
The pace of cyberattacks targeting the US government has not let up. An alleged Chinese hacking campaign discovered in June breached the email accounts of the US ambassador to China and the secretary of commerce, US previously reported.
This story has been updated with additional details.