During his last few days in office, on January 16, 2025, President Biden issued Executive Order 14144, "Strengthening and Promoting Innovation in the Nation's Cybersecurity" (EO 14144). Building heavily on the May 2021 Executive Order 14028, "Improving the Nation's Cybersecurity" (EO 14028), EO 14144 aimed to strengthen the cybersecurity posture of the federal government and nation through efforts including formalization of security attestation requirements for federal software providers, developments of and updates to key security guidance, initiatives to drive adoption of digital identity for federal programs, adoption of post-quantum cryptography, improvements of network and communications security, and research on AI for cyber defenses, among others. Notably, EO 14144 was not included on President Trump's Inauguration Day list of revoked executive orders, likely because the Biden Administration and prior Trump Administration agreed on many cybersecurity initiatives. We previously analyzed EO 14144 in detail in a prior post.

However, on June 6, 2025, less than six months after taking office, President Trump issued a new executive order titled "Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144" (Trump EO). While not revoking EO 14144, the Trump EO makes substantial amendments to EO 14144, reflecting a shift in federal cybersecurity strategy toward a somewhat more limited scope, decentralization, and fewer and simpler compliance mandates for federal agencies and their contractors. A White House factsheet accompanying the Trump EO (Factsheet) touts various improvements to EO 14144, including the reversal of directives "[m]icromanaging technical cybersecurity decisions" centrally rather than at the agency level.

At the same time, the Trump EO kept many of EO 14144's directives in place, indicating substantial overlap in cybersecurity priorities between the two administrations. The Trump EO also made small but crucial amendments to Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," issued by President Obama in 2015. 

EO 14144 directed numerous efforts to improve federal cybersecurity in several key areas. We discuss below the Trump EO's amendments to EO 14144 in each of those key areas and describe which directives from EO 14144 remain in place.

Elimination of Software Security Attestation Enhancements

Section 2 of EO 14144 sought to significantly enhance and formalize requirements for software vendors to federal agencies established in EO 14028. Under EO 14028, which we analyzed in a prior post, federal agencies were required to collect attestations from their software vendors certifying that the providers follow various secure software development practices. The burden of collecting these attestations was on agencies. There was no formal requirement on vendors in the Federal Acquisition Regulation (FAR) or elsewhere to provide these attestations. The attestation form that agencies had to use was published by CISA, but CISA had no official role in collecting or validating the completeness of vendors' attestations.

Citing concerns that federal software vendors still were failing to adequately secure their software post-EO 14028, EO 14144 directed several enhancements to the attestation regime for federal software suppliers. EO 14144 sought to formalize the attestation requirement and give CISA a more centralized role in collecting and validating vendors' attestations. Among other things, EO 14144 directed the development of contract language for the FAR requiring vendors to submit to CISA: (i) attestations in a machine-readable format; (ii) high-level artifacts (for example, a "software bill of materials" or "SBOM") to support their attestations; and (iii) a list of the vendor's federal agency customers. CISA was directed to "centrally verify the completeness of all attestation forms" and to inform the National Cyber Director of the results of its validations. The National Cyber Director would have publicly posted the results of CISA's validations and was "encouraged" to refer attestations that failed CISA validation to the U.S. Attorney General.

The Trump EO completely eliminates EO 14144's enhancements related to secure software attestations. As a result, EO 14028's regime requiring agencies to collect and validate attestations from their vendors based on the CISA form remains in place. The Factsheet touts the removal of "unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments."

Updates to Federal Cybersecurity and Supply Chain Security Guidance Mostly Retained

Some of EO 14144's most ambitious directives were aimed at developing new guidance for federal agencies and contractors setting forth requirements on "minimum cybersecurity practices." That guidance was to be developed by NIST, and new contract language for the FAR was to be developed to require federal contracts to comply with the NIST guidance. The Trump EO entirely removes EO 14144's directives to create these requirements and the follow-on FAR language.  

Many of EO 14144's directives on federal cybersecurity guidance were retained, however. EO 14144 directed the federal government to update several key cybersecurity guidance documents to include software considerations related to software supply chain security. The Trump EO largely retained these directives but extended several due dates. Accordingly, NIST now must: (i) by August 1, 2025, lead the development of guidance on the implementation of secure software development, security, and operations practices based on its Secure Software Development Framework (SSDF); (ii) by September 2, 2025, update its Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations," (NIST 800-53) to provide guidance on securely deploying patches and updates; and (iii) by December 1, 2025, update its SSDF, which is provided in NIST Special Publication 800-218 (NIST 800-218), to address "secure and reliable development and delivery of software as well as the security of the software itself." NIST first developed the SSDF in response to EO 14028. At the same time, the Trump EO eliminates a follow-on requirement that the Office of Management and Budget (OMB) revise its Memorandum M-22-18, which directs federal agencies on securing their software supply chains, based on NIST's updates to the SSDF.

The Trump EO also retains but substantially reduces a directive to OMB to issue cybersecurity guidance, including "any necessary revision to OMB Circular A-130," to federal agencies. EO 14144 directed that such guidance touch upon various cybersecurity best practices, including zero-trust architecture, endpoint detection and response (EDR) capabilities, encryption, and IT vendor concentration (a repeat concern of the Biden Administration). The revised directive now simply directs OMB to issue guidance "to address critical risks and adapt modern practices and architectures across Federal information systems and networks." The removal of EO 14144's directive for OMB to update Memorandum M-22-18 and the simplification of this directive to issue cybersecurity guidance to agencies may reflect the Trump Administration's prerogative to give agencies more discretion over their security practices, as stated in the Factsheet.

The Trump EO retains EO 14144's directive that OMB require federal agencies to comply with NIST Special Publication 800-161, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations" (NIST 800-161). Agencies' implementation of NIST 800-161 will impact software vendors and other federal technology contractors directly; NIST 800-161 requires agencies to take numerous steps related to software and technology acquisition, security testing and compliance, and other activities. Additionally, CISA and OMB remain directed to jointly issue recommendations to federal agencies on the use of security assessments and patching of open-source software and best practices for contributing to open-source software projects.

Despite the substantial amount of material retained from EO 14144 in this area, the Trump EO eliminates an EO 14144 directive that NIST develop new guidance on "minimum cybersecurity practices." The Trump EO likewise eliminates a directive for the development of FAR language that would have required certain federal contractors to comply with that NIST guidance. These now-removed directives were some of EO 14144's most ambitious prescriptions.

FedRAMP Developments Retained

The Trump EO retains key developments to the Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity authorization and oversight program for cloud service providers (CSPs) to federal agencies. Among other things, EO 14144 directed FedRAMP to "incentivize or require" CSPs to issue security specifications and recommendations for federal agencies when configuring cloud services and to develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers. As we discussed in a recent post, FedRAMP is currently undergoing a significant overhaul to simplify, automate, and decentralize the program.

Digital Identity Directives Eliminated Entirely

Section 5 of EO 14144 directed NIST to lead an initiative to encourage the acceptance of digital identities to grant access to public benefits programs. EO 14144 touted this initiative as a way to combat digital fraud against those programs and their participants. The Trump EO eliminates section 5 in its entirety. The Factsheet accompanying the Trump EO explained this removal by stating that EO 14144's digital identity initiatives "risked widespread abuse by enabling illegal immigrants to improperly access public benefits."

Certain Directives Related To Hardening Federal Systems and Communications Infrastructure Removed, But Most Retained

The Trump EO eliminates several directives of EO 14144 intended to improve the security of federal systems and communications infrastructure. Among other things, the Trump EO removes directives that NIST issue guidance for use of the border gateway protocol (BGP) and that OMB require agencies to expand their use of Transport Layer Security (TLS) for sending and receiving email. The Trump EO also removes a directive to agencies to pilot uses of commercial phishing-resistant authentication standards such as WebAuthn.

The Trump EO also dials back some of EO 14144's directives related to the adoption of post-quantum cryptography (PQC). While the Trump EO retains an EO 14144 directive that CISA regularly publish a list of technology product categories in which products that support PQC are readily available, it eliminates EO 14144's directives that agencies include PQC requirements in their technology solicitations and that the Departments of State and Commerce encourage countries to adopt PQC standards issued by NIST.

That said, the Trump EO largely keeps in place EO 14144's numerous directives in these areas (contained in Sections 3 and 4 of EO 14144), including that: Federal civilian agencies take certain steps to secure their use of BGP; the National Cyber Director develop contract language for the FAR to require that providers of internet services to agencies adopt and deploy internet routing security technologies; CISA propose template contract language for the FAR requiring any product that acts as a Domain Name System (DNS) host resolver to support encrypted DNS; the Director of the National Security Agency (NSA) and the Committee on National Security Systems (CNSS) develop cybersecurity requirements for National Security Systems (NSS); federal civil agencies encrypt email messages in transit; and that federal civil agencies support use of TLS version 1.3 (the latest version of TLS, which allows for easier integration of PQC algorithms) by 2030.

The Trump EO largely preserves CISA's centralized role in identifying and defending against cyber threats to federal agencies' systems as directed in Section 3 of EO 14144. In fact, the Trump EO strikes the word "novel" from EO 14144's directive that CISA develop the technical capacity to gain timely access to federal agencies' cyber threat detection tools to enable "timely hunting and identification of novel cyber threats and vulnerabilities…." (emphasis added). The removal of that word seemingly expands the scope of the types of cyber threats and vulnerabilities that CISA must help federal agencies identify and defend against. CISA may not be well-positioned to take on greater mandates, however, given that its workforce has been cut by nearly one third in the last few months and that the agency faces significant budget cuts.

Internet-of-Things (IoT) Security Initiatives Retained

The Trump EO retains EO 14144's directive that FAR amendments be developed to require vendors of IoT products to federal agencies to carry the U.S. Cyber Trust Mark label. The U.S. Cyber Trust Mark program is administered by the Federal Communications Commission (FCC) and has been likened to an Energy Star program for IoT cybersecurity.

Research on AI for Cyber Defense Scaled Back

EO 14144 directed various initiatives to explore the use of AI for cyber defenses. The Trump EO eliminates several of these directives, including a pilot program involving the Department of Defense (DOD), Department of Energy (DOE), and Department of Homeland Security (DHS) "on the use of AI to enhance cyber defense of critical infrastructure in the energy sector." The Trump EO also eliminates a directive that various federal agencies prioritize research on topics including human-AI interaction to assist in defensive cyber analysis, security of AI-generated code, and the security of AI systems. The Trump EO maintains several of EO 14144's directives on AI and cybersecurity, including a directive that DHS and the Director of National Intelligence incorporate management of AI software vulnerabilities and compromises into their interagency vulnerability management processes. However, the Trump EO expressly requires involvement of the Office of the President in that effort.

Amendments to EO 13694

The Trump EO also amends Executive Order 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," (EO 13694), which President Obama issued in 2015. EO 14144 made numerous amendments to expand EO 13694, such as by removing various qualifiers (e.g., those limiting the government's ability to act against only "significant" malicious activities) and adding new grounds on which the Department of the Treasury may impose sanctions under EO 13694.

Prior to the Trump EO, EO 13694 empowered the government to act against "any person" operating outside of the United States engaged in certain activities. The Trump EO replaces "any person" with "any foreign person" (emphasis added), thereby limiting the class of persons the government may target under EO 13694. The Factsheet states that this change "prevent[s] misuse against domestic political opponents and clarif[ies] that sanctions do not apply to election-related activities."

Conclusion

The Trump EO reverses many of President Biden's directives in EO 14144, including by removing various mandates for federal contractors, eliminating a push to develop digital identities for federal benefits programs, and decentralizing certain responsibilities for federal cybersecurity. Even so, the Trump EO preserves many of EO 14144's directives, including numerous initiatives to update federal security guidance and for federal agencies to adopt next-generation security technologies.

DWT's information security team will continue to monitor implementation of the Executive Order and other initiatives to improve federal cybersecurity—particularly those with implications for federal cloud service providers and other federal contractors. 