Executive Order on Improving the Nation’s
Cybersecurity
whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nationscybersecurity
May 12, 2021
By the authority vested in me as President by the Constitution and the laws of the United
States of America, it is hereby ordered as follows:
Section 1. Policy. The United States faces persistent and increasingly sophisticated
malicious cyber campaigns that threaten the public sector, the private sector, and
ultimately the American people’s security and privacy. The Federal Government must
improve its efforts to identify, deter, protect against, detect, and respond to these actions
and actors. The Federal Government must also carefully examine what occurred during
any major cyber incident and apply lessons learned. But cybersecurity requires more than
government action. Protecting our Nation from malicious cyber actors requires the
Federal Government to partner with the private sector. The private sector must adapt to
the continuously changing threat environment, ensure its products are built and operate
securely, and partner with the Federal Government to foster a more secure cyberspace. In
the end, the trust we place in our digital infrastructure should be proportional to how
trustworthy and transparent that infrastructure is, and to the consequences we will incur
if that trust is misplaced.
Incremental improvements will not give us the security we need; instead, the Federal
Government needs to make bold changes and significant investments in order to defend
the vital institutions that underpin the American way of life. The Federal Government
must bring to bear the full scope of its authorities and resources to protect and secure its
computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of
protection and security must include systems that process data (information technology
(IT)) and those that run the vital machinery that ensures our safety (operational
technology (OT)).
It is the policy of my Administration that the prevention, detection, assessment, and
remediation of cyber incidents is a top priority and essential to national and economic
security. The Federal Government must lead by example. All Federal Information
Systems should meet or exceed the standards and requirements for cybersecurity set forth
in and issued pursuant to this order.
Sec. 2. Removing Barriers to Sharing Threat Information.
(a) The Federal Government contracts with IT and OT service providers to conduct an
array of day-to-day functions on Federal Information Systems. These service providers,
including cloud service providers, have unique access to and insight into cyber threat and
incident information on Federal Information Systems. At the same time, current contract
terms or restrictions may limit the sharing of such threat or incident information with
1/18