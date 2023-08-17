The White House is warning government agencies that they’re failing to meet the Biden administration’s expectations for protecting their computer systems from hackers.

“Multiple departments and agencies have … failed to fully comply” with a June 30 deadline for reaching vital cybersecurity milestones, “leaving the U.S. government exposed to malicious cyber intrusions and undermining the example the government must set for adequate cybersecurity practices,” National Security Adviser Jake Sullivan wrote in an Aug. 15 memo to department and agency leaders obtained by The Messenger.

President Joe Biden issued a cyber executive order in May 2021 that, among many other things, directed agencies to rapidly implement five critical security protections: encrypting federal data to prevent it from being deciphered if stolen; establishing well-trained cyber defense teams; requiring all logins to use multi-factor authentication, which adds an extra step on top of the traditional password; installing cyberattack monitoring software on all computers and enabling logging features, which record network activity for later review.

The National Security Council held a high-level meeting in March to emphasize the importance of encryption and multi-factor authentication in particular, Sullivan wrote, and at that meeting, agency leaders agreed to implement both of those technologies on 90 percent of their systems by June 30. But according to Sullivan, many agencies failed to achieve that goal.

“On behalf of the President, I ask that you convene your leadership teams” to push for implementation of the five-prong plan, Sullivan wrote in his memo.

A view of the West Wing of the White House in Washington, DC, on July 5, 2023 BRENDAN SMIALOWSKI/AFP via Getty Images

When Biden issued his executive order, he declared that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security,” and “the federal government must lead by example.” But agencies failed to fully or even mostly close several of the critical security gaps that he identified — nearly a year after Biden issued the order, encryption and MFA statistics remained lackluster.

Federal agencies likely have already implemented the changes required by the executive order on most of the computer systems where doing so is easy. The remaining systems are likely either so old or so bespoke that they don’t support modern protections, or perhaps they’re so critical they can’t be taken offline for upgrades.

Sullivan’s memo, first reported by CNN, suggests that the administration has lost patience with agencies’ plodding progress.

Sullivan asked agency chiefs to ensure their computer systems fully comply with the executive order’s requirements by December 31. He asked for a “detailed plan” to meet those requirements by Sept. 30. Around then, Sullivan and the director of the Office of Management and Budget will report to the president on individual departments and agencies’ progress, Sullivan wrote in the memo.

Asked about the memo, an NSC spokesperson told The Messenger that the Biden administration “has had a relentless focus on strengthening the cybersecurity of nation’s most critical sectors since day one and will continue to work to secure our cyber defenses.”