On June 6, 2025, President Trump issued an Executive Order (EO) on Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity, amending certain prior directives established by the Biden and Obama administrations. Importantly, the administration’s new directive maintains continuity of the cybersecurity goals of prior administrations and demonstrates that cybersecurity remains a bipartisan priority. However, the new EO narrows the scope of the federal government’s role and introduces a new strategy for achieving said goals.
Key changes include:
- Secure Software Development Attestations: The new EO strikes the requirement, established in the Biden-era EO 14144, that federal agencies collect Secure Software Development Framework (SSDF) attestation forms from software suppliers. With that said, the attestation form requirements contained in EO 14028 remain untouched. Additionally, the EO does not rescind the prior language requiring the National Institute of Standards and Technology (NIST) to update SSDF practices and the corresponding security standards. The EO requires NIST to establish a consortium with industry to develop updated guidance on SSDF, including guidance on deploying patches and updates. At the very least, SSDF remains a focus of the administration, and the attestation requirement may persist in some manner.
- Digital Identity Verification: The EO eliminates prior measures encouraging the U.S. government to use standardized digital IDs. According to the fact sheet that accompanied the EO, such policy would lead to “entitlement fraud and other abuse.”
- Cyber Sanctions: Cyber sanctions under the new EO apply only to “foreign” persons, revising the Obama-era directive that allowed the federal government to impose sanctions on “any person” that it determined engaged in cyber-enabled malicious activities. This is a notable change amid the recent increase in threat actors believed to operate within the U.S.
- AI Cyber Defense: Although the EO reinforces the need for the Department of Homeland Security and Department of Defense to incorporate protection against AI software vulnerabilities into their vulnerability management programs (requirements that could flow down to government contractors), several other AI-related directives are removed. For example, the new EO scraps a pilot program to assess the use of AI to secure critical infrastructure in the energy sector, as well as a mandate for the Department of Defense to adopt advanced AI models for cyber defense.
- Post-Quantum Cryptography (PQC): The new EO eliminates the requirements that agencies establish PQC keys and that certain contract solicitations contain products that support PQC.
In general, the overarching frameworks of previous administrations’ cybersecurity policy remain untouched by the new cyber EO. Some of the more prescriptive mandates of the Biden administration have been stricken, establishing the new priorities of the current administration without dramatically shifting national cybersecurity policy.