
President Donald Trump issued an order late Friday that makes modest changes to two cybersecurity executive orders issued by the Biden and Obama administrations, creating new urgency for action on several existing and developing cybersecurity challenges.
New amendments to the two existing executive orders (EO) take aim at several discrete issues rather than up-end longstanding core Federal cybersecurity policies.
The amendments aim to hurry along the government’s ongoing press for secure software development – which has been underway since 2022. They also place more urgency on post-quantum cryptography preparations and seek to elevate the use of AI technologies in cybersecurity by government agencies.
The new Trump order amends EO 14144, which President Biden issued in January 2025. That order aimed to build on the landmark EO 14028 issued by the Biden administration in May 2021, titled “Executive Order on Improving the Nation’s Cybersecurity.”
While the 2021 order features a long list of provisions, two of the most significant push Federal agencies to adopt cloud services and order them to move to zero trust security architectures. Neither of those provisions is altered by the new Trump order issued on June 6.
The new Trump order also amends EO 13694 issued by President Obama in 2015. That order declared a national emergency to deal with the threat of “malicious cyber-enabled activities” from outside the U.S. by blocking access to U.S.-located assets of anyone conspiring with overseas cyber adversaries.
In amending the January 2025 Biden cybersecurity order, the new Trump order states that China is the “most active and persistent cyber threat” to the U.S. and critical infrastructure networks and that Russia, Iran, and North Korea also remain threats.
“More must be done to improve the Nation’s cybersecurity against these threats,” the new Trump order says. “I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats.”
Secure Software Development
Under the secure software development heading, the new order gives the Commerce Department and its National Institute of Standards and Technology (NIST) until Aug. 1 to “establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).”
By Sept. 2, Commerce and NIST will update NIST’s Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
By Dec. 1, Commerce and NIST will develop and publish a preliminary update to the SSDF, including “practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.”
NIST is tasked with publishing a final update four months after that, around the end of March 2026.
Post-Quantum Crypto
The new order cites the capability of quantum computing to eventually break much of the public-key cryptography now used in the United States and around the world. It notes the Biden administration’s May 2022 National Security Memorandum directing the Federal government to prepare for a transition to cryptographic algorithms that would not be vulnerable to a cryptanalytically relevant quantum computer (CRQC).
The new order gives the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) component until Dec. 1 to “release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.”
Also by Dec. 1 and in preparation for the transition to PQC, the National Security Agency (NSA) and the Office of Management and Budget (OMB) will issue “requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version,” the new order says.
AI for Cybersecurity
On the artificial intelligence front, the new order says that AI “has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.”
The order tasks the Commerce Department – with help from NIST, DHS, the Energy Department, and the National Science Foundation – to ensure by Nov. 1 that “existing datasets for cyber defense research have been made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security.”
By the same date, DHS, the Defense Department, and the Director of National Intelligence “shall incorporate management of AI software vulnerabilities and compromises into their respective agencies’ existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems,” the new order says.
IT Modernization, FAR Provisions
The new order gives a much longer leash – three years – for OMB to issue formal guidance that addresses risk and puts “modern practices” in technology to work at Federal agencies.
In a section called “aligning policy to practice,” the order states that agencies’ “policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks.”
The order states that OMB will have three years to “issue guidance, including any necessary revision to OMB Circular A–130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks.”
The new order also gives Commerce, NIST, DHS, CISA, and OMB one year to “establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity.”
The order further says that members of the Federal Acquisition Regulatory (FAR) Council will have one year to amend the FAR to “adopt requirements for agencies to, by January 4, 2027, require vendors to the Federal Government of consumer Internet-of-Things products … to carry United States Cyber Trust Mark labeling for those products.”
The White House noted that most of the new sections of the order do not apply to “Federal information systems that are NSS [national security systems] or are otherwise identified by the Department of Defense or the Intelligence Community as debilitating impact systems.”
Obama Order Change
The Trump White House’s new order amends the 2015 Obama White House order only by replacing the previous specification of “person” with “foreign person” in two subsections of the order.
In a “fact sheet” accompanying the new order, the White House said that this change “limits the application of cyber sanctions only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”
Speaking more broadly, the fact sheet also says that the new order “strips away inappropriate measures outside of core cybersecurity focus, including removing a mandate for U.S. government issued digital IDs for illegal aliens that would have facilitated entitlement fraud and other abuse.”