Trump Signs Executive Order Overhauling Federal Cybersecurity Policy, Refocusing on Technical Defense and Threat Mitigation
President Donald Trump has signed a new Executive Order aimed at reinforcing the country’s defenses against foreign cyber threats.
The order strips away what the administration describes as “political distractions” from previous directives, prioritizing hands-on technical safeguards over bureaucratic mandates.
The new order amends and replaces key elements of two Obama- and Biden-era Executive Orders (14144 and 13694) declaring a return to cybersecurity fundamentals: protecting digital infrastructure, defending against state-backed cyber campaigns, and preparing the U.S. for next-generation threats like quantum computing.
A Return to Technical Rigor
Key technical initiatives outlined in the order include:
- Advancing Secure Software Development: By August, the National Institute of Standards and Technology (NIST) will partner with industry to update the Secure Software Development Framework (SSDF) and establish a consortium at the National Cybersecurity Center of Excellence. A final version of the revised SSDF will be published early next year.
- Protecting Internet Infrastructure: The order directs agencies to harden border gateway protocol (BGP) routing, an area frequently exploited for traffic hijacking and espionage.
- Preparing for the Quantum Future: Recognizing the disruptive potential of quantum computers, the order sets deadlines for agencies to transition to post-quantum cryptography (PQC). PQC-capable product categories will be identified by December 1, 2025, and protocols like TLS 1.3 will become mandatory across federal systems by 2030.
- Upgrading Encryption Across the Board: The directive mandates the adoption of the latest encryption standards in all federal systems, reducing exposure to known cryptographic weaknesses.
A New Focus on AI in Cybersecurity
In contrast to earlier directives that emphasized regulating AI content, Trump’s order refocuses AI policy on technical vulnerability management.
By November, agencies including the Department of Defense and the Department of Homeland Security must begin tracking and responding to vulnerabilities specific to AI systems, including sharing compromise indicators and incident data. Public and academic access to cybersecurity datasets will also be expanded to accelerate research.
Simplifying and Securing the Internet of Things
The order also launches a new machine-readable policy initiative designed to bring transparency and automation to federal cybersecurity rules. NIST, CISA, and the Office of Management and Budget (OMB) will jointly establish a pilot program to encode cybersecurity policy into “rules-as-code” format.
And in a notable consumer-focused move, by 2027, all Internet-of-Things (IoT) products sold to the government must display a “U.S. Cyber Trust Mark”, a formal security assurance label under the Federal Acquisition Regulation (FAR).
Stripping Away the Bloat
The order doesn’t just add, it removes. Several provisions from the previous EO 14144 were struck down or rewritten, including:
- Digital ID requirements for undocumented immigrants, which the administration said could have facilitated entitlement fraud.
- Broad software inventory mandates that critics said created more red tape than security value.
- Provisions that centralized technical decisions in the White House rather than empowering agency-level innovation and risk assessment.
Geopolitical Context: Eyes on China
The revised EO doesn’t mince words about foreign threats. The People’s Republic of China is named as “the most active and persistent cyber threat” to the United States, followed by Russia, Iran, and North Korea. These adversaries are blamed for ongoing campaigns targeting federal systems, critical infrastructure, and the private sector.
The updated national policy now explicitly prioritizes defenses against these adversaries’ known tactics, aligning cybersecurity posture more closely with national security concerns.
With deadlines as early as August, agencies now face a tight window to align with the new direction. But for a government under relentless cyber pressure, urgency may not be a bad thing.
Walking Away From Important Lessons
Dave Gerry, CEO at Bugcrowd says: “This order walks away from important lessons. Rolling back secure by design software attestations and limiting sanctions to only foreign actors sends the wrong message at the wrong time. Those were put in place to reduce risk across the supply chain. Also, narrowing sanctions to only apply to foreign actors leaves a clear gap, especially when we’ve seen domestic enablers working in lockstep with foreign adversaries.”
Gerry adds that while the shift toward voluntary guidance sounds nice, in practice it often means slower adoption and fewer safeguards. “It’s hard to see how this makes us safer. Cybersecurity should be a nonpartisan commitment to national resilience, not a political bargaining chip.”
Mike McGuire, Senior Security Solutions Manager at Black Duck, comments that with the executive actions that took place early in the current administration, it was notable that the cybersecurity executive orders from the previous administration were left untouched.
“With this new executive order, the current administration reverses the software attestation requirements established in OMB memo M23-16 which was authorized under EO14028. By modifying EO14144, which was an extension of EO14028 and built upon lessons learnt in industry, EO14028 is practically rescinded.”
What we should expect to see is a more prescriptive set of guidance documents from NIST in 2025, says McGuire. “By establishing a consortium with industry at the NCCoE, this executive order signals a desire by the administration to collaborate with industry on advancing the nation’s cybersecurity skills and competencies. With a focus on NIST publications SP800-218 and SP800-53, the administration recognizes that deploying secure software starts at development, and ultimately, cybersecurity success is based on securely deploying that software. Lastly, this order recognizes both the contributions open-source technologies bring to American innovation, but also the unique risks they pose.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.