The administration has signaled a potential softening of cyber regulation for domestic entities, with increasing focus on national security priorities and preparing for the future.
The Trump administration’s focus on reshaping the cyber regulatory environment continues with Executive Order 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO 14306), which was released on June 6, 2025, and issues sweeping amendments to “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” under President Biden (EO 14144)1 and “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” as previously amended, under President Obama (EO 13694).2
EO 14306 and its accompanying Fact Sheet highlight the Trump administration’s priorities around protecting domestic digital infrastructure against foreign cyber threats and enhancing secure software development and technology practices, including those involving artificial intelligence (AI) and quantum cryptography.
In this blog post, we explore related recent developments, EO 14306’s main themes, and key changes made to the Biden administration’s cyber orders.
Recent Developments
- On March 18, 2025, President Trump issued an executive order titled “Achieving Efficiency Through State and Local Preparedness” (EO 14239),3 directing the creation of a “national resilience strategy” that shifts more of the burden for cyber preparedness to state and local governments while reducing federal government responsibilities. This approach stands in stark contrast to the Biden administration’s efforts to centralize cyber risk management. For more on EO 14239, see this Latham blog post.
- On April 8, 2025, the Department of Justice’s “Data Security Program” (DSP) final rule took effect.4 In a rare showing of continuity across administrations, the DSP is the implementing regulation enacted pursuant to the executive order titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (EO 14117),5 which was issued in the final days of the Biden administration. We covered the DSP in detail in this Client Alert and on-demand webcast series.
- On May 2, 2025, the administration proposed a 17% budget cut to the Cybersecurity and Infrastructure Security Agency (CISA), which imperiled more than $490 million in funding and over 1,000 jobs at the agency. Explicitly targeting the agency’s work on “misinformation and propaganda,” as well as “external engagement offices such as international affairs,” the administration sought to restore CISA to its “core mission” of “protecting the Nation’s critical systems.”6 The House eventually set a more modest budget reduction of $135 million.
- On June 12, 2025, the Securities and Exchange Commission (SEC) withdrew proposed rules requiring registered investment advisers and investment companies to adopt and implement written cyber policies and procedures, disclose information about cyber risks/incidents, and report certain incidents to the SEC.7 While no explanation was provided for the withdrawal, it is consistent with the tenor of EO 14306 in rolling back many of what EO 14306 alleges are “problematic” features of Biden-era cyber orders.
Continued Focus on Secure Software Development, Less on Acquisition
Although EO 14306 strikes provisions in EO 14144 directing federal agencies to adopt and improve secure software acquisition practices, it retains requirements for the Department of Commerce’s National Institute of Standards and Technology (NIST) regarding secure software development, security, and operations practices, with updates to the corresponding timeline. These directives are summarized as follows:
- By August 1, 2025: Establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance for implementing secure software development, security, and operations practices.
- By September 2, 2025: Update NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
- By December 1, 2025: Develop a preliminary update to NIST Special Publication 800-218 (Secure Software Development Framework (SSDF)).
- Within 120 days of publishing the preliminary update to the SSDF (or no later than March 31, 2026): Publish a final version of the updated SSDF.
Notably, other EO 14144 mandates related to federal agencies’ software acquisition practices did not survive. EO 14306 strikes from EO 14144 requirements imposed on the Federal Acquisition Regulatory Council (FAR Council), including proposals for required contract language and validated attestations and artifacts for software providers, and ultimately related amendments to the Federal Acquisition Regulation (FAR). As a result, software providers that serve as federal contractors and vendors must still comply with the FAR, but will not have to implement changes to their federal contracting practices or engage in what the EO 14306 Fact Sheet describes as “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
Impact on the Cybersecurity of Federal Communications and Systems
EO 14306 does not alter many of EO 14144’s directives in Section 4 concerning the implementation of strong identity authentication and encryption methods to improve the security of federal government communications. However, EO 14306 does remove requirements imposed on (i) the Secretary of Commerce, acting through the Director of NIST, to publish updated guidelines on the deployment of Border Gateway Protocol (BGP) security methods and other emerging technologies, (ii) the Director of the Office of Management and Budget (OMB) to require expanded use of authenticated transport-layer encryption between email servers used by Federal Civilian Executive Branch (FCEB) agencies, and (iii) the Secretary of Homeland Security, acting through the Director of CISA, to assist agencies in meeting that authenticated transport-layer encryption requirement.
EO 14306 also retains provisions from EO 14144 on preparing the federal government’s transition to cryptographic algorithms that protect against the capabilities of cryptanalytically relevant quantum computers (CRQC), which EO 14306 notes are “capable of breaking much of the public-key cryptography used on digital systems across the United States.” For instance, EO 14306 does not alter the requirement that CISA, in consultation with the Director of the National Security Agency (NSA), release and maintain a list of “product categories in which products that support post-quantum cryptography (PQC) are widely available,” other than providing a new deadline of December 1, 2025, for the list to be released.
EO 14306 does, however, remove requirements that solicitations for products in relevant categories include a requirement that products support PQC. It maintains the EO 14144 provision that instructs the Directors of the NSA and OMB to issue requirements for agencies to support Transport Layer Security (TLS) protocol version 1.3 or a successor version, again updating the deadline to December 1, 2025.
Digital Identity Documents No Longer Covered
The only section of EO 14144 that EO 14306 strikes completely and does not replace with related or modified content is Section 5 (Solutions to Combat Cybercrime and Fraud), which primarily concerned the development and use of digital identity documents, such as mobile driver’s licenses. Under EO 14144, this section “strongly encourage[d] the acceptance of digital identity documents to access public benefits programs that require identity verification” as a means of combatting cybercrime perpetrated through the use of stolen and synthetic identities.
In support of this change, the EO 14306 Fact Sheet cites concerns about digital identity documents potentially “enabling illegal immigrants to improperly access public benefits,” along with a desire to manage technical cybersecurity decision-making at department and agency levels.
Identifying and Managing Vulnerabilities in AI Cybersecurity
In lockstep with other AI-related actions the Trump administration has taken — including the executive order titled “Removing Barriers to American Leadership in Artificial Intelligence” (EO 14179),8 summarized in this blog post — EO 14306 eliminates the Biden directives to various federal agencies to establish programs governing the use and development of AI programs for cyber defense. For example, EO 14306 cancels the mandate for a pilot program that would have partnered federal agencies such as the Defense Advanced Research Projects Agency with private sector critical infrastructure entities to enhance cyber defense of critical infrastructure in the energy sector.
EO 14306 retains certain directives for Directors of several agencies, but sets new deadlines. Specifically, it sets forth requirements to: (i) make sure that existing datasets for cyber defense research are made accessible to the broader academic research community, and (ii) incorporate management of AI software vulnerabilities and compromises into their respective agencies’ existing processes and interagency coordination mechanisms for vulnerability management.
These AI-related directives, and more specifically the elimination of several prescriptive Biden-era directives imposed on federal agencies, follow the Trump administration’s push to “sustain and enhance America’s global AI dominance” by deregulating AI development and encouraging accelerated innovation.
Aligning Policy to Practice
Although Section 7 (now renamed Section 6) of EO 14144 provides new details and requirements, it remains focused on modernizing the IT infrastructure and networks that support agencies’ critical missions. EO 14306 directs that:
- Within three years: The Director of OMB must issue guidance, including potential revisions to OMB Circular A-130, to address critical risks and adapt modern practices and architectures across federal information systems and networks.
- Within one year: The Directors of NIST, CISA, and OMB must establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that NIST, CISA, and OMB publish and manage regarding cybersecurity.
- Within one year: Members of the FAR Council must jointly take steps to amend the FAR to adopt requirements for agencies to require vendors to the federal government of consumer Internet of Things products to carry United States Cyber Trust Mark labeling.
Amendment to EO 13694
In addition to the sweeping changes made to EO 14144, EO 14306 also modifies EO 13694, which was previously amended by President Trump’s executive order “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities” (EO 13984).9 EO 13694, issued by President Obama in April 2015, declared a national emergency due to malicious cyber-enabled threats and authorized sanctions on individuals and entities responsible for or complicit in certain malicious cyber-enabled activities.
While the substance of EO 13694 and the sanctions it authorizes remain unchanged, EO 14306 adds the modifier “foreign” in certain places to emphasize that only foreign persons determined to be responsible for or complicit in certain malicious cyber-enabled activities should be subject to such sanctions. According to the Fact Sheet, the impetus for this modification is “preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”
Takeaways
EO 14306 aligns with several themes revealed in the early days of the Trump administration. First, the administration is seeking to shift cybersecurity (like many other regulatory areas) to a more decentralized posture away from the federal government. Second, the administration is looking for ways to potentially soften compliance and enforcement burdens on domestic entities while ramping up the scrutiny and emphasis placed on protecting against foreign threats and threat actors. Third, the administration’s focus on AI, quantum computing, and cryptography acknowledges that technological innovations are critical to ensuring a sound national cybersecurity strategy going forward.