Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 6 June, the U.S. Trump administration issued its first cybersecurity-focused executive order and a Fact Sheet summarizing associated key policies and directives.
According to Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, the Trump Administration intends to focus cybersecurity efforts on defending digital infrastructure, combatting foreign cyber threats, reducing fraud and abuse, promoting private sector innovation of artificial intelligence and effectively securing services and capabilities within the digital domain.
In recognition of the increased sophistication and proliferation of cyber threats, the executive order calls for federal agencies to revamp incident response protocols, conduct routine cybersecurity drills and enhance transparency around cyber incidents affecting federal operations. In addition, it directs federal agencies to revise their cybersecurity frameworks with a focus on prioritizing zero-trust architectures and deploying advanced threat-detection systems.
Overview of the executive order's directives
The executive order contains several new and revised directives impacting multiple federal agencies and departments, including: the Cybersecurity and Infrastructure Security Agency, Department of Defense, Department of Energy, Department of Homeland Security, National Institute of Standards and Technology, National Security Agency, National Science Foundation, Office of the National Cyber Director, Office of the Director of National Intelligence, Office of Management and Budget and Office of Science and Technology Policy.
The chart below provides an overview of the cybersecurity executive order's key directives and their corresponding deadlines.
| Agency / Agencies | Directive | Deadline |
| --- | --- | --- |
| NIST | Publish guidance demonstrating implementation of secure software development, security and operations practices based on NIST's Secure Software Development Framework. | 8/1/2025 |
| NIST | Revise NIST's Security and Privacy Controls for Information Systems and Organizations with new guidance on how to securely and reliably deploy patches and security updates. | 9/2/2025 |
| DOD, ODNI, DHS, OMB, ONCD and OSTP | Integrate management of AI software vulnerabilities and compromises into existing processes and interagency coordination mechanisms for vulnerability management. | 11/1/2025 |
| DHS, DOE, NSF and NIST | Take steps to ensure existing datasets for cyber defense research are accessible to the academic research community to the maximum extent feasible, in consideration of business confidentiality and national security. | 11/1/2025 |
| NSA and OMB | Establish new requirements for federal agencies to support Transport Layer Security protocol version 1.3, or a successor version that will aid in the transition to post-quantum cryptography. | 12/1/2025 |
| CISA and NSA | Publish an updated list of product categories that support post-quantum cryptography and take steps to ensure those products are made widely available and accessible. | 12/1/2025 |
| NIST | Issue a preliminary update to the Secure Software Development Framework. | 12/1/2025 |
| NIST | Issue a finalized version of the Secure Software Development Framework. | 3/31/2026 |
| Federal Acquisition Regulatory Council | Amend the Federal Acquisition Regulation to require federal vendors to use a U.S. Cyber Trust Mark label for consumer products in the Internet-of-Things sector. | 6/6/2026 |
Amending, revising prior executive orders
In addition to the directives above, the executive order amends and revises prior cybersecurity-related executive orders, including the Biden administration's Executive Order 14144, Strengthening and Promoting Innovation in the Nation's Cybersecurity; Executive Order 14028, Improving the Nation's Cybersecurity; and the Obama administration's Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.
Some notable amendments and revisions to Executive Orders 14144, 14028 and 13694 are contained within the new executive order.
Narrowed scope of cyber threat actors. Executive Order 13694 called on federal agencies to take action against "any person" operating outside the U.S. who was engaged in certain activities that posed a cybersecurity threat. The new executive order replaced the "any person" language with "any foreign person," thereby limiting the class of individuals the federal government can target as a cyber threat.
Revisions to the use of AI tools and applications in cybersecurity. Executive Order 14144 called for collaboration and cooperation across industries in the utilization of AI tools and applications. It also directed federal agencies to analyze different ways AI could be deployed for cyber defense. The new cybersecurity order amends Executive Order 14144 to effectively refocus AI policy around innovation within the private sector and further the adoption and integration of AI within federal agencies. For example, the cybersecurity order calls for the use of AI applications and tools that aid in efforts to identify and manage vulnerabilities while "automating cyber defense."
Revisions to secure software attestations. Executive Order 14028 required federal agencies to obtain attestations from their software vendors that certify they complied with various secure software development practices. Subsequently, Executive Order 14144 called for enhancements to the vendor attestation process, including new obligations and additional regulatory oversight in collection and validation. The new cybersecurity order eliminates Executive Order 14144's enhancements related to secure software attestations. This means that only the requirement under Executive Order 14028 for federal agencies to collect and validate attestations from vendors remains in place.
Elimination of mandatory minimum cybersecurity practices. The cybersecurity executive order eliminates Executive Order 14144's directive calling on NIST to develop new guidance on "minimum cybersecurity practices." Relatedly, the new executive order eliminates a prior directive in Executive Order 14144 that called for the development of FAR language requiring certain federal contractors to comply with that NIST guidance.
Elimination of digital identity directives. Executive Order 14144 contained an initiative focused on encouraging federal agencies to accept digital identities submitted by applicants seeking access to various public benefit programs. The new executive order entirely eliminates this initiative.
Certain prior directives remain despite changes
Though the new executive order revises and modifies prior executive orders, it is important to highlight that broader cybersecurity principles and frameworks from Executive Orders 14144, 14028 and 13694 remain intact. For example, the new cybersecurity executive order:
- Preserves a portion of Executive Order 14144 that empowers the CISA with oversight authority in identifying and defending against cyber threats to federal agency systems.
- Retains Executive Order 14144's directive that the OMB require federal agencies to comply with the NIST Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. For context, the NIST practices obligate federal agencies to implement measures related to software and technology acquisition, security testing and compliance, and associated activities.
- Retains the requirement for the OMB to issue guidance for updates to the OMB Circular Managing Information as a Strategic Resource. For context, the OMB circular provides guidance on information governance, acquisitions, records management, open data, workforce, security and privacy.
- Retains a prior directive calling on the Department of Commerce to establish a pilot program of a rules-as-code approach for machine-readable versions of federal cybersecurity policy and guidance.
- Retains Executive Order 14144's directive that DHS and DNI incorporate management of AI software vulnerabilities and compromises into their respective interagency vulnerability management protocols.
Key takeaways
The Trump administration's cybersecurity executive order signals a strategy shift in federal cybersecurity that could be described as narrower in scope with an emphasis on decentralization and a streamlined compliance framework for federal agencies and defense contractors.
Nevertheless, there is also notable overlap and consistency in terms of broader cybersecurity principles and priorities between administrations.
Patrick J. Austin, CIPM, CIPP/E, CIPP/US, FIP, PLS, is an attorney in the cybersecurity and data privacy practice group of Woods Rogers.