Last week, the Trump administration made its priorities clear for the nation’s cybersecurity posture in the form of the newly issued executive order entitled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (the “Order”). The Order, issued on June 6, was accompanied by a fact sheet that explained the intentions behind the Order and included rationales for certain departures from the January 2025 cybersecurity executive order issued by President Biden at the end of his administration (Executive Order 14144) and from an earlier Obama-era executive order on cyber sanctions (Executive Order 13694).
Below we summarize key provisions with general applicability and expand upon the impacts to federal agencies and government contractors, in particular.
Important Policy Updates and General Initiatives
As set forth on the fact sheet, the Order aims to strengthen, reprioritize, and advance U.S. cybersecurity efforts by amending and removing measures from prior administrations that were “outside of core cybersecurity focus” and introducing new cyber directives.
- Cyber Threats by Foreign Adversaries: The Order quickly sets the stage for the policy drivers behind it by expressly characterizing China as “the most active and persistent cyber threat.” It further highlights Russia, Iran, and North Korea as posing “significant threats” that undermine Americans’ security and privacy. The spotlight on those regimes is consistent with recent U.S. efforts to protect Americans’ data from access by foreign adversaries: the Order comes on the heels of the groundbreaking U.S. Department of Justice Data Security Program, which came into force in April and restricts, and in some cases prohibits, U.S. companies from making sensitive data accessible to those same countries named in the Order, among others.
- Domestic Exclusion from Cyber Sanctions: Notably, the Order narrows the application of cyber sanctions, which will now only apply to “foreign” persons. According to the administration’s accompanying fact sheet, this limitation is aimed at “preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.” While the cyber threat landscape has seen a recent increase in cyber threats believed to originate from U.S. actors, the landscape is still heavily dominated by foreign cyber criminals and state-sponsored actors.
- Prioritizing Post-Quantum Cryptography (PQC): While both the Biden and Trump administrations seemingly agree on the risks associated with quantum computing—including the eventual capability to break much of the public-key cryptography leveraged around the globe—the Order sets forth streamlined directives for federal departments and agencies to address those threats. These efforts are in line with global concerns, including those expressed by the National Institute of Standards and Technology (NIST), about effective security in a post-quantum world. (See our MoFo Minute addressing this issue.) Specifically, the Order requires that, by December 1, 2025: (i) the Secretary of Homeland Security (acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA)) must release and thereafter update a list of product categories that support PQC, and (ii) the National Security Agency (NSA) Director (for national security systems) and the Office of Management and Budget (OMB) Director (for civilian systems) must issue requirements for agencies to support the Transport Layer Security (TLS) v. 1.3 protocol or a successor version no later than January 2, 2030. The TLS directive belongs in the PQC item for a practical reason: the hybrid post-quantum key exchanges now being deployed in browsers and servers are defined for TLS 1.3, so systems still limited to TLS 1.2 cannot adopt them.
- Deletion of Digital Identity Verification: Citing risks of entitlement fraud and other abuse, the Order fully repeals an initiative from the Biden executive order that pushed for U.S. government acceptance of digital identity documents in connection with public benefits programs.
- Shifting Focus to Artificial Intelligence (AI) Vulnerability Management: The Order “refocuses” AI cybersecurity efforts around vulnerability identification and management “rather than censorship” by mandating that existing cyber defense research datasets be made accessible to the research community, either securely or publicly, while balancing business confidentiality and national security. In addition, as detailed below, the Order requires agencies to manage AI software vulnerabilities by incorporating them into existing vulnerability management programs, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.
Impact on Federal Agencies and Contractors
In addition to the general initiatives discussed above, the Order sets forth a number of provisions that directly impact federal agencies and contractors.
- Secure Software Development: Perhaps most notably for federal contractors, the Order, at least in the short term, alters prior obligations concerning secure software development attestations. Under the Biden executive order and prior OMB memoranda, agencies were required to use only software from providers that had attested that their software complies with specified secure software development practices. These attestations, together with supporting artifacts, were to be compiled in a centralized, government-managed repository, and the Federal Acquisition Regulation (FAR) was to be amended to require compliance with the attestation requirements. The Order strikes these requirements as previously formulated but leaves intact general statements about the need for secure software development practices in federal procurement.
The Order further directs NIST to establish a consortium with industry to develop guidance based on its Secure Software Development Framework (Special Publication 800-218) (SSDF), to update the SSDF, and to modify Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, to provide additional guidance on deploying patches and updates. Special Publication 800-53 is the control catalog on which the Federal Risk and Authorization Management Program (“FedRAMP”), which authorizes cloud-based services for federal government use, is based. After these NIST updates are completed (by March/April 2026 according to the Order’s timeline), the Order directs OMB and CISA to update CISA’s common form for secure software development attestation in line with the revised requirements.
- Risk Assessments and Procurement Processes: The Order maintains prior requirements that agencies integrate cybersecurity risk assessment into their procurement processes and better manage their use of open-source software. The Order also does not change the recommendations that FedRAMP cloud service providers be required “to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems” and to incorporate new guidelines for the secure management of access tokens and cryptographic keys.
- Enhanced Security Measures: The Order also directs agencies to implement measures, including through the use of endpoint detection and response tools, to prevent the hijacking of network interconnections and to strengthen gateway security in government IT systems.
As noted above, agencies must support TLS v. 1.3 or a successor version for secure communications no later than January 2, 2030, which means that contractors’ products and services must be able to negotiate TLS 1.3 (and, as a practical matter, should be able to refuse older versions where an agency’s configuration requires it) by that date.
- IoT Cyber Trust Mark: The FAR Council is directed to implement, by no later than January 4, 2027, requirements that those who sell consumer Internet-of-Things (IoT) products to the federal government carry U.S. Cyber Trust Mark labeling for those products.
- National Security Systems: National Security Systems are subject to their own unique requirements, to be further implemented by the appropriate authorities. These systems are used or operated by an agency or contractor in connection with intelligence activities, cryptologic activities, command and control of military forces, operation of equipment that is integral to weapons systems, and the like, or are otherwise protected under classification authority.
- AI Systems: Finally, as noted above, the Order maintains and elaborates on federal agencies’ obligation to manage AI software vulnerabilities by incorporating them into their existing vulnerability management frameworks, and to coordinate on developing mechanisms to address vulnerability management in AI systems. As a result, agencies will likely be able to meet these obligations only by imposing vulnerability and incident reporting requirements on companies that provide AI tools and systems to the federal government.
The Order establishes new priorities around U.S. cybersecurity strategy, emphasizing efficient implementation of enhanced technical controls and processes, and incorporating collaboration with industry stakeholders while moving away from comprehensive compliance requirements. Given the administration’s focus on cyber resilience against threats by foreign adversaries to Americans’ security and privacy, additional executive actions expanding upon the Order’s initiatives may be on the horizon.