Trump Reverses Key Biden-Era Cyber Directives: Important Updates to Federal Cybersecurity Priorities

Quarles & Brady LLP

Earlier this month, President Trump issued an Executive Order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO), which amends both Biden- and Obama-era cyber-related executive orders. This EO is intended to strengthen cybersecurity measures by focusing on protecting against foreign cyber threats and enhancing secure technology practices. However, the EO also removes key obligations, highlighting the balancing act between effective cybersecurity measures and varying levels of oversight. In this client alert, we provide an overview of the updates presented by the EO and highlight key aspects of the cybersecurity landscape that remain unchanged.

Key Takeaways

As a general matter, this EO sheds light on the Trump administration’s priorities and goals for cybersecurity, including fewer mandates, reduction in fraud and abuse, and encouragement of artificial intelligence innovation. These priorities should be of particular note to entities that provide products or services to government agencies, especially those that provide digital products. Such entities should familiarize themselves with the updates as federal agencies work through their cyber-related risk and vendor management of such products and services.

A Fact Sheet on the EO provides additional insight into the background and intent of the EO. For those interested in the details of the EO, we provide an overview of the substantive content of the EO below.

Overview of Existing Cybersecurity EO Landscape

The EO amends both Executive Order 14144 and Executive Order 13694. While most of these directives remain in place, the amendments set forth in the EO are significant.

As background, Executive Order 14144, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” (EO 14144) was issued by President Biden in January 2025 during his last few days in office. EO 14144 aimed to address cybersecurity issues, defend the nation’s digital infrastructure, secure online services and capabilities, and build the capability to address key threats. Such measures included improving accountability for software and cloud service providers, strengthening the security of federal communications and identity management systems, and promoting innovation and the use of emerging technologies for cybersecurity in both the government and private sector. Notably, EO 14144 was not among the Executive Orders revoked by the Trump Administration, unlike President Biden’s Executive Order on AI, which was revoked on the third day of Trump’s presidency (see our client alert on such revocation here). This omission created questions around the Trump administration’s approach to cybersecurity governance. EO 14144 built on a prior Biden Executive Order 14028, “Improving the Nation’s Cybersecurity” (EO 14028), which was issued by President Biden in 2021. EO 14028 set deadlines for specific action items for Federal agencies to enhance cybersecurity and software supply chain integrity.

Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” (EO 13694) was issued in April 2015 by President Obama. EO 13694 declared a national emergency to deal with cyberthreats and authorized sanctions related to malicious cyber activities.  

Key Changes

The June 2025 EO makes the following key changes:

  • Software: The EO removes requirements for federal contractors to submit software development attestations and related data.

EO 14144 had amended EO 14028 on this matter and, as a result, attestations are now subject to the obligations set forth in EO 14028. Per the EO Fact Sheet, the additional attestation requirements set forth in EO 14144 were “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”

  • Removal of Cybersecurity Measures: While the EO retained the requirement for federal agencies to encrypt email messages in transit, it removed certain requirements in EO 14144 related to the enforcement and expansion of the federal government’s use of email encryption (such as establishing a requirement for certain agencies to expand the use of authenticated transport-layer encryption between email servers). EO 14144 additionally set forth the directive for the issuance of implementing directives and technical guidance based on such expansion of technical measures, which also was removed.1
  • Removal of Forthcoming Cybersecurity Guidance: The EO removes the directive set forth in EO 14144 for the Secretary of Commerce and NIST to publish guidance for federal agencies on the deployment of Border Gateway Protocol (BGP) security methods for federal government networks and service providers.

The EO also removes the directive for the Secretary of Commerce and NIST to provide updated guidance on other emerging technologies to improve internet routing security and resilience, such as route leak mitigation and source address validation.

  • Digital IDs and Identity Technologies: In a move that reverses efforts for digital identification, the EO completely removes Section 5 of EO 14144 on solutions to combat cybercrime and fraud. Specifically, EO 14144 set forth directives for the acceptance of digital identification for public benefit programs, which the Fact Sheet characterizes as a risk of “widespread abuse by enabling illegal immigrants to improperly access public benefits.”
  • Quantum Computing and Cryptography: EO 14144 contained several requirements regarding the use of cryptanalytically relevant quantum computers (CRQC). This EO maintains the requirement that CISA and NSA must release and regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available. The EO removed the directive for agencies to require, in their solicitations for products in those categories, that those products support PQC.
  • Artificial Intelligence (AI): The EO removes certain AI directives from EO 14144, including a pilot program on the use of AI to enhance cyber defense of critical infrastructure in the energy sector as well as a directive for AI research on topics including methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems.

The EO instead focuses on private sector innovation as a driving force for AI and encourages federal government use of AI for actions such as vulnerability tracking.

The EO amends EO 13694 by narrowing the scope of cyber sanctions to “any foreign person,” whereas it previously permitted sanctions against any person. Per the EO Fact Sheet, this decision to exclude US persons from cyber sanctions is intended to prevent “misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”

Key Maintained Directives

In addition to the amendments, we note several key directives that are maintained by this EO. Of note, the EO maintains the requirement for FAR to adopt requirements for vendors of federal agencies to carry the FCC United States Cyber Trust Mark labels for certain consumer internet-of-things (IoT) products.2 The purpose of the Cyber Trust Mark is to provide consumers with a clear and recognizable label that indicates that the product meets certain basic minimum cybersecurity requirements, as such label requires testing by an accredited and recognized lab to demonstrate compliance with the FCC’s Cyber Trust Mark requirements.

In addition, the EO largely maintained certain directives for certain federal departments and agencies set forth in EO 14144, many with extended deadlines. Additional key retentions include:

  • Retention of the requirement for OMB to issue guidance and any required revisions to OMB Circular A-130, which provides federal agencies guidance on information governance, acquisitions, records management, open data, workforce, security, and privacy. Such guidance and updates should address critical risks and adopt certain practices and architectures across federal information systems and networks, though certain requirements were removed.
  • Retention of the directive for the Secretary of Commerce to establish and publish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance regarding cybersecurity.
  • Retention of the directive for Homeland Security (via CISA and OMB) to issue recommendations on federal agencies’ use of security assessments and patching of open-source software as well as best practices for contributing to open-source software projects.
  • Retention of the development of NIST guidance, including establishing guidance that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218 (Secure Software Development Framework) as well as updates to NIST Special Publication 800-218, and a directive for updating NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.

END NOTES


1 The technical measures that were removed and the corresponding guidance applied to “Federal Civilian Executive Branch (FCEB) agencies,” which are all agencies except for the agencies and other components in the Department of Defense and agencies in the Intelligence Community.

2 47 CFR § 8.203 defines “Consumer IoT products” as IoT products intended primarily for consumer use, rather than enterprise or industrial use. Consumer IoT products exclude medical devices regulated by the FDA and motor vehicles and motor vehicle equipment regulated by the NHTSA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Quarles & Brady LLP
