Following the Biden Administration's January 2025 Executive Order (EO) 14144, Strengthening and Promoting Innovation in the Nation's Cybersecurity, speculation arose regarding its future under a new administration. On June 6th, an answer was provided. 

While the Trump Administration’s new Executive Order on Sustaining Select Efforts to Strengthen the Nation's Cybersecurity introduces amendments that diverge from previous directives, it upholds the core messaging and mission for national security in cyberspace. The continuity between the new and old orders underscores a crucial point: cybersecurity isn't a partisan battle; it demands nonpartisan solutions to protect the nation's digital infrastructure.

Let's dive into the new order’s key shifts in language, which sections made the cut, and how timelines have changed. With the exception of digital identity policy, you'll quickly see that this new order is not a radical departure from past administrations' cyber efforts. 

What's Out? Notable Deletions from Previous EOs

The new order makes some strategic cuts, particularly from the Biden Administration's EO. Let's explore what's been removed from that previous directive:

  • Self-Attestation Artifact and Validation Requirements for Federal Software Providers: Requirements in Section 2 regarding artifacts and validation of self-attestation for federal software providers were removed. While the core self-attestation form from EO 14028 remains untouched, the deeper scrutiny by the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) that EO 14144 mandated has been eliminated. These changes revert contractors to the implementation that was in place before January 2025. Agencies will continue to require self-attestation for new critical software and major version updates. Enforcement will take place after an instance of fraud or non-compliance is identified.
  • Phishing-Resistant Authentication: Section 3’s directive for federal agencies to implement phishing-resistant authentication was deleted. However, the Federal Zero Trust Strategy (OMB M-22-09) remains in place, along with its focus on stronger identity and access controls, including its requirement for phishing-resistant multi-factor authentication (MFA) such as MFA based on the FIDO Web Authentication standard.
  • Email Encryption Feasibility Study: A requirement in Section 4 for the Office of Management and Budget (OMB) to assess the feasibility of encrypting emails between agencies was also removed. Additionally, the order eliminates two further requirements: that agencies adopt Post Quantum Cryptography (PQC) or hybrid key establishment as soon as the network security products and services in their architecture support it, and that federal agencies engage international partners in promoting adoption of NIST-standardized PQC.
  • Digital Identification Section: The entire Section 5, “Solutions to Combat Cybercrime and Fraud,” has been completely removed from the new order. That section focused on initiatives to combat the use of stolen and synthetic identities by driving enhancements to the tools used for remote digital identity verification. In addition to taking steps to get practical guidance to states on how to set a high bar for security and privacy when issuing new digital counterparts to physical IDs, like mobile driver’s licenses (mDLs), this section would have created a new “early warning system” to alert Americans if their identity data was being used to apply for a government benefit without their permission.
  • Certain AI Tasks: In Section 6, some AI-related tasks were deleted, though these were generally ongoing projects like the Defense Advanced Research Projects Agency (DARPA) AI Challenge, suggesting their removal from the EO side may not indicate a policy shift.

The new order also revises the Obama Administration's EO 13694 by amending the term "any person" to "any foreign person," focusing sanctions on external malicious actors.

What's In? Key Directives and Timelines

Beyond the deletions, the EO maintains clear directives for agencies, with updated timelines extending into the fall. Here are some of the critical tasks ahead:

Section 2: Operationalizing Transparency and Security in Third-Party Software Supply Chains 

This section underscores the increasing focus on securing the software supply chain throughout development, acquisition, and use. The overall goal is a more transparent, secure, and resilient software ecosystem. New deadlines for key directives include:

  • By August 1, 2025: The Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), is required to establish an industry consortium at the National Cybersecurity Center of Excellence (NCCoE). This consortium will guide the implementation of secure software development, security, and operations practices, referencing NIST SP 800–218, the Secure Software Development Framework (SSDF).
  • By September 2, 2025: The Secretary of Commerce, acting through the Director of NIST, must update NIST SP 800–53, Security and Privacy Controls for Information Systems and Organizations, to guide secure and reliable deployment of patches and updates.
  • By December 1, 2025: The Secretary of Commerce, acting through the Director of NIST, will publish a preliminary update to the SSDF. This update will detail practices, procedures, controls, and implementation examples for secure and reliable software development, delivery, and inherent security. A final updated SSDF will follow within 120 days of the preliminary version's publication.

Section 4: Securing Federal Communications

This section focuses on the foundational technologies and protocols used to secure online communication, including internet routing security, PQC implementation, and secure management of access tokens. To support this transition, the order directs the following actions by a new deadline of December 1, 2025:

  • The Secretary of Homeland Security, acting through the Director of CISA, and in consultation with the Director of the National Security Agency (NSA), will release and regularly update a list of product categories where post-quantum cryptography (PQC) supporting products are widely available.
  • The Director of the NSA with respect to National Security Systems (NSS), and the Director of OMB, will issue requirements for agencies to support Transport Layer Security protocol version 1.3 or a successor version by January 2, 2030, in preparation for the PQC transition.

Section 6: Promoting Security with and in Artificial Intelligence

The new order cautions that quantum computers will soon be able to breach most of the digital security protecting U.S. government systems. It also highlights the transformative potential of AI in cybersecurity, particularly in identifying vulnerabilities, scaling threat detection, and automating defenses. To harness AI for enhanced security, the order sets the following directives by a new deadline of November 1, 2025:

  • The Secretaries of Commerce, Energy, and Homeland Security, alongside the National Science Foundation Director, must ensure existing cyber defense research datasets are accessible to the academic research community, balancing national security and business confidentiality with supporting wider research efforts.
  • The Secretaries of Defense and Homeland Security, with the Director of National Intelligence, must integrate AI software vulnerability management into their existing processes. This coordinated effort, involving the Executive Office of the President, requires tracking, responding to, and reporting AI-related incidents, along with sharing indicators of compromise for AI systems across agencies to enhance federal readiness against emerging threats.

Section 7: Aligning Policy to Practice

This section focuses on implementing cybersecurity policy through practical measures. It calls for modernizing federal IT infrastructure, and also establishes a pilot program to develop machine-readable policies using a “rules-as-code” approach. The order outlines a phased approach to implementing modern cybersecurity practices across federal agencies.

A subtle yet significant change is the new requirement for agencies to consult with the National Cyber Director when developing guidance and updating the Federal Acquisition Regulation (FAR). By formally involving ONCD in the policy process, the EO aims to better connect high-level strategy with implementation. This aligns with recent statements by Sean Cairncross, currently nominated to be National Cyber Director, indicating a need for stronger leadership and coordination in federal cybersecurity, and for a more unified, responsive approach to reducing cyber risks across federal networks. Key directives include:

  • Within one year of the order (extended from the original 180-day timeline):  
    • NIST, CISA, and OMB must launch a "rules-as-code" pilot program. This initiative will create machine-readable versions of federal cybersecurity policy and guidance from OMB, NIST, and CISA, enhancing automation, clarity, and accessibility.
    • The FAR Council must, where appropriate and consistent with law, begin amending the FAR to require that, by January 4, 2027, vendors providing consumer Internet-of-Things (IoT) products to the federal government carry the U.S. Cyber Trust Mark labeling.
  • Within three years of the order: The OMB Director must issue updated guidance, potentially revising OMB Circular A-130, to address critical risks and integrate modern security practices and architectures across all federal information systems and networks.

What becomes clear upon reviewing this latest order is a reassuring sense of continuity. This outcome firmly solidifies the understanding that cybersecurity stands as a paramount bipartisan concern, demonstrating a shared commitment that extends well beyond sides of an aisle. It's a powerful testament to the idea that protecting our digital frontier is, and must always be, a unified national imperative. 

Caitlin Clarke & Grace O’Neill
