Strengthening and Promoting Innovation in the Nation’s Cybersecurity 

In the final months of 2024, hackers associated with the Chinese government carried out a major breach known as “Salt Typhoon.” This campaign penetrated U.S. internet service providers to gather sensitive information, exposing major weaknesses in national broadband networks. Soon after, additional incidents—such as attacks on the Treasury Department—confirmed how vulnerable many federal systems remain when confronted by determined and well-resourced adversaries. 

Amid this wave of cyber threats, Executive Order (EO) 14144 was issued during the final days of the Biden administration. The order addresses security gaps by strengthening third-party supply chain requirements, improving defenses for cloud services and federal networks, and encouraging wider adoption of secure communication practices. The hope is that, by making it harder and more expensive to mount similar cyberattacks, the United States can protect both public services and private industry from further large-scale disruptions. 

A lingering question, however, is whether the order will maintain momentum under the new administration, which could refine EO 14144, sideline it, or pivot to other policy priorities. For OT/ICS organizations—even those only indirectly tied to federal systems—this uncertainty underscores the need for flexible strategies. EO 14144 signals heightened scrutiny around software supply chains, quantum-ready encryption, zero trust architectures, and identity verification, as well as expanded sanctions against foreign cyber actors. Such developments reflect the government’s growing willingness to penalize malicious entities and remind us that cyber policy remains in flux.

Does EO 14144 Affect Organizations Not Working Directly With Federal Systems? 

Yes—while federal agencies and their contractors are on the front lines of compliance, this Executive Order influences cybersecurity practices across a much wider landscape. Many private sector firms, including OT/ICS operators, will likely see new expectations for secure software, zero-trust architectures, and quantum-resistant encryption. These changes often trickle down from government-focused suppliers into everyday commercial offerings, raising the overall security bar for businesses of all kinds. 

How It Shapes the Broader Cybersecurity Ecosystem 

1. Stricter Software Security and SBOMs

Even if you don’t serve federal clients, you may receive Software Bills of Materials (SBOMs) by default as vendors adapt to government standards. This shift provides deeper insight into potential vulnerabilities in the software your organization relies on. 

2. Tighter Third-Party Oversight

Partners or service providers who must comply with EO 14144 may expect the same level of diligence from you. If they need evidence of secure coding or risk management, that requirement can extend throughout the supply chain. 

3. Zero-Trust and Encryption 

As cloud providers and equipment makers embrace zero-trust security or upgrade to quantum-ready encryption for federal customers, these enhancements will often become standard options for everyone else.

4. Supply Chain Pressure 

Critical infrastructure suppliers may already operate under stricter government guidelines. These rules can easily migrate into broader industry contracts and procurement processes, driving higher baseline security expectations for OT environments. 

Ultimately, EO 14144 sets a cybersecurity benchmark that’s likely to touch many corners of the private sector—not just federal agencies. Whether or not your organization contracts with the government, you’ll probably see changes in software procurement, cloud configurations, and incident response practices.

Breaking Down the Key Provisions of EO 14144

Below is a closer look at the order’s key provisions and why OT/ICS professionals in both public and private sectors should pay attention. 

1. Strengthening Software Supply Chain Security

What’s New: 
  • Machine-Readable Attestations: Software vendors must prove they follow secure development practices by submitting digital attestations to CISA’s Repository for Software Attestation and Artifacts (RSAA). 
  • FAR Updates: The Federal Acquisition Regulatory Council will update contract rules, requiring these attestations for anyone selling software to federal agencies or critical infrastructure entities. 
Why It Matters for OT/ICS: 
  • Vendor Accountability: If you buy software for ICS or SCADA systems from a vendor that also serves federal customers, that vendor must show verifiable proof of secure coding. You can request the same proof for your own peace of mind. 
  • Tighter Timelines: Once the government finalizes the contract language, suppliers will have strict deadlines to fix vulnerabilities and provide security documentation. This means improved quality in OT/ICS software—but also a potential need to review your own supplier agreements. 
  • Consortium on Secure Software Practices: NIST will create an industry consortium under the National Cybersecurity Center of Excellence. This group will issue standardized guidance on safe software delivery and patching. OT operators, who often have limited patch windows, should monitor these guidelines to help reduce downtime. 
Key Takeaway

Expect vendors to move more quickly on patches and to provide detailed security documentation. If they do not, you can hold them accountable—ultimately reducing risks in your operational environment. 

2. Mandatory Cloud Security Baselines

What’s New: 
  • FedRAMP Role: The FedRAMP program must ensure cloud providers adopt secure configuration baselines. 
  • Plugging Misconfiguration Gaps: The EO specifically addresses one of the leading causes of breaches—poorly configured cloud assets. 
Why It Matters for OT/ICS: 
  • Cloud in OT: Many OT environments rely on cloud services for remote monitoring, analytics, or vendor support. If your ICS data streams into a cloud platform, that provider will soon have to follow stricter rules. 
  • Shared Responsibility: You can use these new baselines as a checklist to configure your cloud instances securely. Even if you don’t deal with federal agencies, major cloud providers usually roll out uniform security across all clients. 
Key Takeaway

Well-defined cloud baselines can help you close configuration gaps that attackers often exploit. Monitoring whether your cloud partners meet these standards will become an essential part of OT/ICS security strategy. 

3. Quantum-Resistant Encryption & Internet Protocol Safeguards 

What’s New: 
  • Quantum-Ready Encryption: Federal agencies must start transitioning to algorithms designed to withstand future quantum computing attacks. 
  • Internet Routing Security: The EO mandates improved Border Gateway Protocol (BGP) safeguards and encrypted DNS to prevent hijacking and eavesdropping. 
Why It Matters for OT/ICS: 
  • Quantum Threats: Although quantum computing seems futuristic, attackers can intercept encrypted data today and decrypt it later. If your OT systems have a long shelf life (often 10+ years), you need to plan ahead. 
  • Routing Integrity: Many ICS devices communicate via the open internet, whether for vendor support or real-time data sharing. Better BGP security and route origin validation will help keep that data from being diverted or intercepted. 
Key Takeaway

Even if you run private networks, planning for quantum-resistant cryptography and adopting secure routing practices are becoming industry best practices. Upgrades made now can prevent major headaches in the coming years.

4. Identity Verification and Zero Trust Acceleration

What’s New: 
  • Phishing-Resistant Authentication: Federal systems must adopt modern solutions (e.g., tokens, mobile driver’s licenses) to reduce credential theft. 
  • Data Minimization & Privacy: The EO stresses limiting the data collected for authentication and verification. 
Why It Matters for OT/ICS: 
  • Credential-Based Attacks: One of the biggest vulnerabilities in OT is stolen or weak credentials. This EO’s push for better identity proofing will likely trickle into ICS software and processes. 
  • Zero-Trust Principles: Networks that adopt “least privilege” limit how far an attacker can go if they do break in. OT operators might see new offerings—like identity-aware NAC (Network Access Control) and advanced EDR (Endpoint Detection and Response)—that integrate seamlessly with ICS. 
Key Takeaway

Better identity tools will make it harder for attackers to breach ICS networks in the first place. Multi-factor authentication, user segmentation, and robust identity verification will quickly become table stakes in OT environments.

5. Advanced Tools and AI for Cyber Defense 

What’s New: 
  • AI Pilot Programs: Federal agencies, in partnership with DARPA, will test AI-driven threat detection and automated patching—especially in energy infrastructures. 
Why It Matters for OT/ICS: 
  • Early Warning Systems: AI can spot unusual patterns or anomalies in ICS traffic faster than manual monitoring. This may prevent or limit the damage from an intrusion. 
  • Legacy Integration: While older ICS devices aren’t always AI-ready, the EO’s focus on pilot programs could lead to solutions that work even with outdated protocols or hardware. 
Key Takeaway

AI-based cybersecurity tools could be a game-changer for OT networks. They can reduce detection times, correlate events in complex industrial environments, and ultimately lower the risk of catastrophic disruptions. 

6. Expanded Sanctions for Malicious Cyber Actors 

What’s New: 
  • Wider Treasury Authority: The EO broadens the ability to sanction individuals or groups that hack or disrupt U.S. infrastructure, including ransomware crews. 
  • Global Reach: Foreign financial institutions facilitating malicious cyber activities may also be penalized. 
Why It Matters for OT/ICS: 
  • Potential Deterrent: Although sanctions won’t stop every criminal, raising their costs can reduce the frequency and duration of attacks. 
  • Compliance Challenges: If you’re hit by ransomware or uncover a foreign-sponsored cyber intrusion, you must ensure you don’t accidentally violate sanctions by paying or transacting with sanctioned parties. 
Key Takeaway

This EO signals that the U.S. will aggressively prosecute and sanction attackers targeting critical infrastructure. Keep legal counsel informed if you’re dealing with a major cyber event to avoid unintended sanctions violations. 

7. Tailored Requirements for National Security Systems—and Potential Spillover 

What’s New: 
  • Separate Deadlines: The Department of Defense, the Intelligence Community, and the National Security Agency must meet more stringent security mandates. 
  • Space System Security: This includes continuous assessments for space-based assets, hardware root of trust, and strict patching procedures. 
Why It Matters for OT/ICS: 
  • Influence on Industry: Historically, what happens in national security quickly becomes a guiding principle for critical infrastructure. If NSS invests heavily in new security measures, these could soon appear in federal contracts or industry standards for ICS. 
  • Space Systems Considerations: While not all OT environments have space assets, satellite communications do power some remote operations. The EO’s push for secure command channels and continuous assessments may set future benchmarks for ICS data links. 
Key Takeaway

National security requirements often become best practices for the broader industrial sector. Keeping an eye on NSS and defense-related security standards can help your OT team anticipate future regulations or procurement mandates. 

Timelines to Track 

Federal agencies now operate under firm deadlines for adopting secure software attestation, advanced authentication methods, quantum-ready encryption, BGP routing security, and more. For OT/ICS leaders, here’s a short horizon scan: 

Within 30 to 120 Days: 
  • Revised FAR language requiring software providers to submit software attestation to CISA’s RSAA. 
  • Guidance from NIST on secure software supply chain practices and patching processes. 
  • Initial direction for digital identity documents and stronger DNS and email traffic encryption. 
Within 180 Days to 3 Years: 
  • Final updates to NIST Special Publication 800-218 (Secure Software Development Framework). 
  • Potential FedRAMP changes requiring secure key management for cloud services. 
  • Agency-wide modernization aligned with zero trust principles, including advanced EDR and persistent threat-hunting capabilities. 
  • Guidance that compels quantum-ready cryptography in new solicitations, with a 2030 target for universal compliance. 

What OT/ICS Leaders Should Do Now 

Review Vendor Contracts for Software Attestations

Federal contractors must produce verifiable, machine-readable attestations of their security posture. Insisting on the same documentation gives you early protection and ensures your supply chain meets evolving federal standards. 

Push for Secure Cloud Baselines 

As FedRAMP compels providers to adopt standardized, secure configurations, tap those same configurations for your ICS environments, cutting down on common misconfiguration risks. 

Update Encryption and Key Management Strategies 

Don’t wait for quantum threats to become mainstream. Research or begin implementing quantum-resistant protocols—especially in systems that store data long-term or that adversaries might exfiltrate for later decryption. 

Adopt Zero Trust and Advanced Identity Tools 

Strong multi-factor authentication and micro-segmentation go a long way in ICS, particularly for remote maintenance or real-time control. The EO’s emphasis on user privacy and data minimization also offers a blueprint for limiting the data you expose on ICS networks. 

Anticipate AI-Driven Threat Detection 

The EO encourages federal pilot programs for automated, AI-based anomaly detection. ICS leaders who invest in these tools early may see a significant drop in mean time to detect and respond. 

Follow the Sanctions Rules

With expanded authority to designate malicious cyber actors, you risk legal trouble if you inadvertently transact with newly sanctioned parties, including paying ransom in some instances. Keep legal counsel in the loop on any major incidents or threat intelligence gleaned from questionable sources. 

Conclusion 


Executive Order 14144 aims to strengthen cybersecurity at the federal level, but its influence clearly extends well beyond government agencies. For OT/ICS professionals, these new standards and requirements—ranging from secure software attestations to quantum-resistant encryption—are poised to reshape industry expectations and procurement practices. Even if you don’t contract directly with the federal government, your vendors and partners may adopt similar measures to meet compliance obligations, which can lead to tighter controls and more robust defenses throughout your industrial environment. 

Embracing these changes early can help your organization stay ahead of potential regulatory pressures, protect critical operations, and align with evolving best practices. By monitoring developments in areas like software security, cloud baselines, zero trust, AI-driven defense, and sanctions compliance, OT/ICS leaders can position their systems to withstand the threats of today—while also preparing for the quantum and AI-driven threats of tomorrow.