
Trump White House issues executive order on cybersecurity

Published June 16, 2025
On June 6, 2025, President Trump scaled back several Biden- and Obama-era cybersecurity initiatives by issuing a new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (the “Order”).


While the Order preserves significant portions of President Biden’s most recent cyber executive order—including provisions aimed at securing the software supply chain, federal government systems, and federal communications—other policies have been scrapped, in some cases for atypical reasons.

The more pointed changes include:

  • the elimination of a digital identity verification initiative out of concern that it “risked widespread abuse by enabling illegal immigrants to improperly access public benefits”
  • the discontinuation of certain government-led AI cybersecurity research initiatives, in order to refocus such efforts “towards identifying and managing vulnerabilities, rather than censorship”
  • limiting cyber sanctions to foreign actors to prevent “misuse against domestic political opponents” and to clarify that “sanctions do not apply to election-related activities.” Fact Sheet: President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America (June 6, 2025).

Other key changes include the removal of attestation requirements for federal software providers and the rollback of agency obligations to adopt post-quantum cryptography tools. The Order also revises implementation timelines for a range of federal agency actions. Taken together, these changes reflect a shift toward increased flexibility at the agency level and more modest federal cybersecurity mandates.

According to the White House Fact Sheet, the Order is intended to move away from what is described as the prior administration’s prioritization of “compliance checklists over genuine security investments” and “micromanaging” of technical cybersecurity decisions, instead empowering individual departments and agencies to evaluate and implement solutions that best align with their operational needs and budgetary constraints.

Changes to Executive Order 14144

Software supply chain security

The Order introduces several changes to President Biden’s Executive Order 14144 (“Strengthening and Promoting Innovation in the Nation’s Cybersecurity”) related to the security of government software supply chains. Under the previous order, software providers would have been required to submit machine-readable attestations that they follow secure development practices, along with supporting high-level artifacts to validate those attestations. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) was tasked with creating a centralized verification repository of these submissions and publicly reporting the results.

The new Order removes those directives but keeps others in place, with revised timelines. By August 1, 2025, the National Institute of Standards and Technology (NIST) must establish a consortium with industry at the National Cybersecurity Center of Excellence to develop implementation guidance on NIST SP 800-218, the Secure Software Development Framework (SSDF).

By September 2, 2025, NIST is also directed to update NIST SP 800-53 (“Security and Privacy Controls for Information Systems and Organizations”) to include guidance on the secure and reliable deployment of software patches and updates. In addition, NIST is required to publish a preliminary update to the SSDF by December 1, 2025, with a final version to follow within 120 days.

Digital identities

The Order eliminates a Biden Administration effort to promote the acceptance of digital identity documents for identity verification in public benefits programs, and to assist states in developing and issuing mobile driver’s licenses. The aim of that initiative was to combat the use of stolen and synthetic identities by criminal syndicates to defraud public benefits programs at scale. In ending it, the Trump Administration stated that the initiative risked widespread abuse by enabling illegal immigrants to improperly access public benefits.

Quantum computing

The Order also revises the post-quantum cryptography provisions of EO 14144. CISA is now directed to publish and maintain a list of product categories that support post-quantum cryptography (PQC) by December 1, 2025. In addition, the directors of the National Security Agency (NSA) (for national security systems) and the Office of Management and Budget (OMB) (for non-national security systems) are instructed to ensure agencies support the Transport Layer Security (TLS) protocol version 1.3 by January 2, 2030. TLS 1.3 is the baseline on which the hybrid PQC key-exchange groups being standardized for TLS are defined, so the requirement lays the groundwork for a later move to PQC key establishment without itself mandating one.

At the same time, the Order eliminates previous requirements for agencies to mandate PQC support for certain product categories, to implement PQC key establishment “as soon as practicable,” and to engage with foreign governments and industry groups to promote the adoption of PQC algorithms.

Artificial intelligence

The Order makes several notable changes regarding the use of AI in cybersecurity. It removes the directive for the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS) to launch a pilot program on the use of AI to enhance cyber defense of critical infrastructure in the energy sector. (See A&O Shearman’s previous analysis on cybersecurity and energy-sector critical infrastructure.) It also eliminates federal research priorities related to human-AI interaction for cyber defense, the security of AI-assisted coding, secure AI system design, and cyber incident response involving AI systems.

Some AI-related directives remain. By November 1, 2025, NIST, Department of Energy (DOE), DHS, and the National Science Foundation (NSF) are required to make existing datasets for cyber defense research accessible to the broader academic research community, to the maximum extent feasible and in consideration of business confidentiality and national security. Also, by November 1, the Department of Defense (DOD), DHS, and the Office of the Director of National Intelligence (ODNI) are directed to incorporate the management of AI software vulnerabilities and compromises into their agencies’ existing vulnerability management processes and interagency coordination mechanisms.

Federal government systems

The Order rescinds mandates for the deployment of commercial phishing-resistant authentication standards, such as WebAuthn, across Federal Civilian Executive Branch (FCEB) agencies. It also removes the requirement to expand the use of authenticated transport-layer encryption between FCEB agency email servers. Additionally, the Order withdraws the directive for NIST to issue updated guidance on the deployment of Border Gateway Protocol (BGP) security methods for federal networks and service providers.

Looking ahead, by June 6, 2028, OMB is instructed to issue guidance to address “critical risks and adapt modern practices and architectures across Federal information systems and networks,” including any necessary updates to OMB Circular A–130. By June 6, 2026, NIST, CISA, and OMB are to launch a pilot program for a rules-as-code approach for machine-readable versions of cybersecurity policy and guidance.

Federal contractors

As noted above, the Order removes the security attestation and verification requirements that would have applied to contractors providing software to the federal government. The Order also maintains a range of other measures relevant to federal contractors. The Federal Acquisition Regulatory Council (FAR Council) agencies are directed to continue the development of new, risk-based cybersecurity requirements for contractors of civil space systems. In addition, the FAR Council agencies are instructed to establish requirements mandating that contractors adopt and implement Internet routing security technologies related to BGP. Furthermore, by June 6, 2026, the FAR Council agencies are directed to amend the Federal Acquisition Regulation to require, by January 4, 2027, that vendors supplying consumer Internet-of-Things products to the federal government ensure those products carry United States Cyber Trust Mark labeling.

Changes to Executive Order 13694

The Order revises President Obama’s Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”) to clarify the application of cyber sanctions authorities to foreign, rather than domestic, persons. The 2015 order authorizes the U.S. government to sanction individuals or entities determined to be responsible for, complicit in, or benefitting from significant malicious cyber-enabled activities that threaten the national security, foreign policy, or economic health or financial stability of the United States. The Trump administration’s revision limits the application of these authorities from “any person” to “any foreign person” responsible for the malicious cyber activity in question.
