
U.S. President Donald J. Trump signed a sweeping Executive Order that reorients U.S. cybersecurity strategy by focusing on critical protections against foreign cyber threats and enhancing secure technology practices. The move amends ‘problematic elements’ of Executive Orders (14144 and 13694), issued by former Presidents Joe Biden and Barack Obama. In their place, the Trump move seeks to lay out a technical agenda built around securing infrastructure, cleaning up federal practices, and confronting next-generation threats.
President Trump has directed the federal government to prioritize the advancement of secure software development across all systems and platforms. The Executive Order instructs federal departments and agencies to take action on securing border gateway protocols in order to prevent the hijacking of network interconnections. It also calls for agency-level efforts to adopt post-quantum cryptographic standards, ensuring long-term protection against threats that could emerge from future computing architectures.
The executive order identified that foreign nations and criminals continue to conduct cyber campaigns targeting the U.S. The People’s Republic of China (PRC) presents the most active and persistent cyber threat to the U.S. government, private sector, and critical infrastructure networks, but significant threats also emanate from Russia, Iran, North Korea, and others who undermine U.S. cybersecurity. These campaigns disrupt the delivery of critical services across the nation, cost billions of dollars, and undermine Americans’ security and privacy. Clearly, more must be done to improve the nation’s cybersecurity against these threats.
According to a Fact Sheet published Friday by the White House, the Order mandates the implementation of the latest encryption protocols across government systems. The directive refocuses artificial intelligence (AI) cybersecurity efforts towards identifying and managing vulnerabilities, rather than censorship. The Order also directs technical measures to promulgate cybersecurity policy, including machine-readable policy standards and formal trust designations for ‘Internet of Things,’ as a way to ensure that Americans can know that their personal and home devices meet basic security engineering principles.
The Order also limits the application of cyber sanctions only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities. It also strips away inappropriate measures outside of core cybersecurity focus, including removing a mandate for U.S. government-issued digital IDs for illegal aliens that would have facilitated entitlement fraud and other abuse.
The White House said it is taking decisive action to address real technical challenges and enduring cybersecurity threats. It recognized that advancing national cybersecurity is necessary to protect the safety and privacy of all Americans and will do what it takes to make America cyber secure, including focusing relentlessly on technical and organizational professionalism to improve the security and resilience of the nation’s information systems and networks.
The White House also noted that President Trump has, since the first day he entered office, been steadfast in his commitment to eliminate fraud and abuse across the Federal Government. Moreover, President Trump has already taken action to remove barriers to AI innovation, ensuring that the nation’s technology sector remains competitive at the cutting edge of new developments and free from ideological bias.
The Executive Order prescribes that by August 1, this year, the Secretary of Commerce, acting through the director of the National Institute of Standards and Technology (NIST), shall establish a consortium with industry at the National Cybersecurity Center of Excellence (NCCoE) to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
Also, by September 2, the Secretary of Commerce, acting through the director of NIST, shall update NIST Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
President Trump also stipulated that by December, the Secretary of Commerce, acting through the director of NIST, in consultation with the heads of such agencies as the director of NIST deems appropriate, shall develop and publish a preliminary update to the Secure Software Development Framework (SSDF). This preliminary update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software, as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the director of NIST, shall publish a final version of the updated SSDF.
Addressing post-quantum cryptography, President Trump has directed that by December 1, 2025, the Secretary of Homeland Security, acting through the director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the director of the National Security Agency (NSA), shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.
Additionally, he said that by December, to prepare for the transition to PQC, the director of the NSA, concerning National Security Systems (NSS), and the director of the Office of Management and Budget (OMB), for non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.
President Trump also said that by November 1, this year, the Secretaries of Commerce, Energy, and Homeland Security, along with the Director of the National Science Foundation, must ensure that existing datasets related to cyber defense research are made accessible to the broader academic community. This access should be granted either publicly or through secure channels, depending on the sensitivity of the data, and must take into account national security concerns and business confidentiality. The goal is to support wider research efforts without compromising critical protections.
By the same deadline, the Secretaries of Defense and Homeland Security, together with the Director of National Intelligence, are required to integrate the management of AI software vulnerabilities into their existing vulnerability management and incident response processes. The effort, coordinated with the Executive Office of the President, including the Office of Science and Technology Policy, the Office of the National Cyber Director (ONCD), and the OMB, must include tracking, responding to, and reporting AI-related incidents. It also requires sharing indicators of compromise for AI systems across agencies to improve federal readiness against emerging threats.
President Trump has directed that federal agencies align their cybersecurity investments and priorities to improve network visibility and strengthen security controls in order to reduce cyber risks. This strategic alignment must be developed in consultation with the National Cyber Director and executed through specific agency-level actions.
Within three years of the date of the order, the director of the OMB is required to issue updated guidance, potentially including revisions to OMB Circular A–130, that addresses critical risks and incorporates modern security practices and architectures across federal information systems and networks.
Within one year, the Secretary of Commerce, acting through the director of the NIST, the Secretary of Homeland Security, acting through the director of the CISA, and the director of OMB must launch a pilot program to implement a ‘rules-as-code’ approach. The initiative will produce machine-readable versions of federal cybersecurity policy and guidance published by OMB, NIST, and CISA to enhance automation, clarity, and accessibility.
Also, within one year, agency members of the Federal Acquisition Regulatory (FAR) Council must begin steps, consistent with applicable law, to amend the FAR. The goal is to establish a requirement that, by January 4, 2027, vendors providing consumer IoT products to the federal government ensure those products carry the U.S. Cyber Trust Mark label.
In March, President Trump extended in a Presidential document the national emergency concerning ongoing malicious cyber activities against the country for another year. The national emergency was first issued in April 2015 to deal with the unusual and extraordinary threat to the national security, foreign policy, and economy of the U.S., constituted by the increasing prevalence and severity of malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the country.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.