On June 6, 2025, the Trump Administration issued a new Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (the EO) that contains new cybersecurity policies and revises specific initiatives in cybersecurity Executive Orders issued by prior administrations. The new EO directs existing federal cybersecurity policies to be revised in five key areas:
- Securing third-party software supply chains
- Quantum cryptography[1]
- Artificial intelligence (AI)
- Internet of Things (IoT) devices
- Cybersecurity-related sanctions authorities on “foreign” actors
The federal agencies and departments tasked with new directives include the Department of Commerce (DOC), Department of Defense (DOD), Department of Energy (DOE), and Department of Homeland Security (DHS), along with the Cybersecurity and Infrastructure Security Agency (CISA), the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), the National Science Foundation (NSF), the Office of Science and Technology Policy (OSTP), and the Office of the National Cyber Director (ONCD).
Overview of New Cybersecurity Directives and Initiatives
The EO directs the agencies and departments listed above to take the following actions within varying timeframes. The time horizon for many of these actions is fairly aggressive, with agencies and departments being tasked with developing new guidance and processes by the end of the year.
- August 1, 2025: NIST is directed to develop guidance that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218, the Secure Software Development Framework (SSDF).
- September 2, 2025: NIST is directed to update NIST SP 800-53 with guidance on how to securely and reliably deploy patches and updates.
- November 1, 2025: DHS, DOE, NSF, and NIST are directed to ensure that existing datasets for cyber defense research are made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security.
- November 1, 2025: DOD, ODNI, DHS, OMB, ONCD, and OSTP are directed to incorporate management of AI software vulnerabilities and compromises into existing processes and interagency coordination mechanisms for vulnerability management. This includes managing AI software vulnerabilities via incident tracking, response, and reporting.
- December 1, 2025: NIST is directed to develop and publish a preliminary update to the SSDF, with a final version of the SSDF due by March 31, 2026 (120 days from the publication of the preliminary update).
- December 1, 2025: CISA and NSA are directed to release and regularly update a list of product categories in which products that support post-quantum cryptography are made widely available and accessible.
- December 1, 2025: NSA and OMB are directed to issue new requirements for federal agencies to support Transport Layer Security protocol version 1.3, or a successor version, to prepare for the transition to post-quantum cryptography.
- June 6, 2026: Agency members of the Federal Acquisition Regulatory (FAR) Council are directed to take steps to amend the FAR to obligate federal vendors to use a U.S. Cyber Trust Mark label for consumer Internet-of-Things products.
- June 6, 2026: CISA, NIST, ONCD, and OMB are directed to establish a pilot program of an approach for machine-readable versions of the policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity.
- June 6, 2028: OMB and ONCD are directed to issue guidance, including any necessary revision to OMB Circular A-130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks.
Amendments to Prior Cybersecurity-Related Executive Orders
As mentioned, the EO amends cybersecurity Executive Orders issued by prior administrations, specifically Executive Order 14144 and Executive Order 13694. Notable amendments to these Executive Orders include:
- Use of AI in Cybersecurity: The EO amends Executive Order 14144, which encouraged AI-driven collaboration across industries and tasked federal agencies with assessing ways to use AI for cybersecurity defense. The new EO requires federal agencies to make existing datasets for cyber defense research accessible to the academic community to the extent feasible and for agencies to incorporate AI software vulnerabilities and compromises into existing processes for vulnerability management and disclosure.
- Targeting “Foreign” Cyber Threat Actors: The EO amends existing cybersecurity-related sanctions authorities for malicious actors engaged in cyber-enabled activities that pose a threat to U.S. national security, foreign policy, economic health, or financial stability, including those targeting U.S. critical infrastructure. Specifically, the EO limits these authorities to “foreign malicious actors” and effectively excludes domestic individuals or activities from the scope of these authorities.
- Secure Software Attestations: The EO removes certain requirements relating to secure software attestations that federal government contractors must submit to contracting agencies. This includes elimination of the requirement that attestations must be in a machine-readable format. This also includes elimination of the directive for centralized validation of software attestations by CISA.
- Restrictions on Digital Identity Documentation: The EO removes prior directives for federal agencies to accept digital identity documentation (e.g., digital licenses) for individuals to access certain public benefit programs.
- Federal Identification Technologies: The EO removes requirements for the Federal Civilian Executive Branch (FCEB) to deploy commercial phishing-resistant standards (e.g., WebAuthn).
- Email Encryption Requirements: The EO removes a directive to OMB requiring the expanded use of authenticated transport-layer encryption (TLS) between email servers used by FCEB agencies to send and receive emails.
- Quantum Computing: The EO scales back prior quantum computing initiatives that were part of National Security Memorandum 10 and implemented through OMB Memorandum M-23-02. The prior initiatives required federal agencies to adopt post-quantum cryptography as quickly as feasible and encouraged technology vendors to do the same. The EO retains only a requirement for CISA to maintain a list of product categories where PQC-enabled tools are widely available.
It is worth noting that the EO does not outright repeal or rescind the cybersecurity frameworks contained in Executive Orders 14144 and 13694. In addition, the EO does not amend or rescind other cybersecurity-related Executive Orders. This is an indicator that, despite the EO containing new approaches to specific cybersecurity issues, it also generally aligns with prior administrations on key cybersecurity principles.
[1] Quantum cryptography involves the use of quantum mechanics to help secure communication and data. It leverages the inherent properties of quantum particles, like photons, to ensure the security of cryptographic keys and prevent eavesdropping.