
The recent amendment to executive orders 14144 and 13694 marks a pivotal moment for the cybersecurity community. For years, we’ve discussed best practices, frameworks and the evolving threat landscape, but this latest EO from the White House sends a clear message: The time for theory is over. It’s time to operationalize.

It sends a signal that the federal government is aligning its muscles, mandates and timelines around what security practitioners have been asking for: real-world execution, standards with teeth and a shared defense posture that keeps pace with modern threats.

That said, it’s also a reminder of how much more progress we need to lock in. EOs, while powerful in setting direction, are not permanent. They reflect a strong signal of intent, but for lasting change, we need to follow through with durable regulations, binding mandates and legislative action. This EO sets the aspiration. Now it’s on us, across the public and private sectors, to carry it forward.

Software supply chain: An actionable response

For years, securing the software supply chain has been a major challenge. Now, the National Institute of Standards and Technology is being directed to partner with industry to update and enforce secure software development guidance (SP 800-218 and SP 800-53), with hard deadlines starting this August.

This is huge. It means vendors can no longer fulfill their responsibilities with vague security claims. It also means practitioners in government and the private sector will finally have standardized, practical guidance they can point to and require in contracts, audits and assessments. If you build, buy or manage software, this will affect you.

AI security isn’t optional anymore

AI is revolutionizing everything, from threat detection to social engineering. But until now, AI security has been largely undefined, with few frameworks for managing vulnerabilities in AI systems.

This EO changes that. It directs that AI software vulnerabilities, prompt injection, data poisoning and model theft must be folded into existing vulnerability management and incident response workflows. It’s a formal recognition that AI systems need to be treated like any other critical software asset, which includes risk tracking, patching and the sharing of indicators of compromise.

Hackers have been using AI to launch attacks for some time now, and this is a formal call to ensure that the AI being used in products is defensible and intelligent.

Post-quantum cryptography gets a real deadline

We’ve all been hearing about quantum computing and the coming crypto-apocalypse, but this order sets a firm milestone: Federal agencies must support TLS 1.3 or a post-quantum successor by January 2, 2030.

That might sound far off, but anyone managing cryptographic infrastructure knows what a lift that is. Between key management, legacy hardware and software dependencies, this change will take years of planning. The implication? Start now.

And with the Department of Homeland Security and the National Security Agency directed to publish lists of commercially available post-quantum cryptography-ready products by the end of this year, the pressure will cascade down to vendors to quantum-harden their offerings fast.

Compliance will get more automated (and less painful!)

One of the most forward-thinking aspects of this EO is the pilot of “rules-as-code” or machine-readable cybersecurity policies published by NIST, the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget.

While this might not make headlines, it could revolutionize compliance. Instead of trying to interpret dozens of static documents, imagine being able to automatically validate that your configurations meet government mandates. As someone who has dealt with the time and effort that manual audits demand, I see this as the kind of innovation that increases speed to decision, promotes organizational efficiency and allows teams to focus on actual defense.

IoT vendors face a new security mandate

Starting in 2027, federal agencies will only be allowed to procure IoT products that carry the U.S. Cyber Trust Mark. This creates a clear baseline for device security and could extend beyond government procurement into broader market expectations.

Security practitioners should be ready to demand more transparency and assurance from IoT vendors, especially in healthcare, manufacturing and smart infrastructure, where connected devices are foundational.

So, what does it all mean?

In a word: momentum.

This EO tells the cybersecurity community that the federal government is not going to let perfection get in the way of progress. It’s leaning into practical standards, accountable timelines and enforceable outcomes. It’s asking vendors to step up. It’s treating AI and quantum computing threats seriously. And it’s starting to give us the tools and frameworks to do our jobs better with less friction and more clarity.

But as practitioners, we must also recognize the temporary nature of EOs. They’re powerful signals but not permanent safeguards. If we want lasting impact, we need to channel this momentum into more durable directives, regulatory frameworks and, ultimately, legislation. The EO opens the door. It’s up to the community, which includes practitioners, policymakers and vendors, to walk through it and lock it in.

Tom Guarente is vice president of external and government affairs at Armis Federal.

© 2025 Federal News Network. All rights reserved.