An executive order issued Friday by President Donald Trump rolls back rules for federal software acquisition and sets strict deadlines for government agencies to create new rules about quantum and AI-related cybersecurity measures.

The directive amends previously issued cybersecurity executive orders from former presidents Joe Biden and Barack Obama.

Adjustment to Biden order

The Biden order, issued in January just days before he left office, included sanctions threats targeting “any person” who engaged in a variety of attacks on U.S.-based systems — including those accused of “tampering with, altering, or causing a misappropriation of information … undermining election processes or institutions.”

The Trump administration, in the executive order and in a statement, changed the term “any person” to “any foreign person” and said its goal is to limit “the application of cyber sanctions only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”

Since taking office in January, Trump administration officials have repeatedly criticized U.S. agencies for their past attempts to limit or stop Russian and Chinese disinformation campaigns, claiming the effort also censored conservative voices.

The Trump administration statement says cybersecurity is “too important to be reduced to a mere political football” but then criticizes the Biden administration for attempting to “sneak problematic and distracting issues into cybersecurity policy.”

Rolling back software security rules

The order makes sweeping removals of Biden administration rules that said agencies could only use software from providers that attest to using secure development practices. The Trump administration said these rules were “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”

Trump officials said Biden was “micromanaging technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.”

Quantum and AI

Trump’s order warns that quantum computers will soon be able to breach most of the digital systems used by the U.S. government and demands that the Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) “release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available” by December 1. 

The same deadline is set for the director of the NSA to issue requirements for agencies to implement Transport Layer Security (TLS) protocol version 1.3 or a successor version. TLS is a cryptographic protocol that provides secure communication over a computer network and is typically used to protect sensitive data in transit.

Agencies will have until January 2, 2030, to implement any quantum-resistant requirements issued by the NSA. 

Artificial intelligence features prominently in the executive order. By November 1, the director of the National Institute of Standards and Technology (NIST) has to work with other senior government leaders to “incorporate management of AI software vulnerabilities and compromises into their respective agencies’ existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”

November 1 is also the deadline set for a number of other AI-related initiatives, including the sharing of cyber defense research data sets with “the broader academic research community.” 

Several Biden-era initiatives around using AI and post-quantum cryptography to defend critical infrastructure, military systems and more were also removed in Trump’s executive order. 

Secure government systems and devices

Several other deadlines are set for federal agencies to be provided with cybersecurity guidelines or security standards that need to be implemented. 

The Federal Acquisition Regulatory Council (FAR Council), which coordinates government-wide procurement policy, is ordered to mandate that all consumer internet of things (IoT) products purchased carry the U.S. Cyber Trust Mark — a key Biden initiative that verifies a product complies with cybersecurity standards created by NIST. 

NIST is also ordered to establish a consortium that by August 1 will develop guidance on implementing secure software development, security, and operations practices. In September, NIST will have to update rules on how agencies need to securely and reliably deploy patches and updates.

NIST will be tasked with updating the Secure Software Development Framework by December 1 so that it includes “practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.”

Some of the directives are more vague, ordering the Office of the National Cyber Director and others to make any “necessary revisions” to federal government rules that may “address critical risks and adapt modern practices and architectures across federal information systems and networks.”

In one year, NIST has to work with CISA and other agencies to “establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance.”

Other changes

Several parts of Trump’s executive order simply remove parts of the original Biden guidance issued in January. The White House claimed it was amending “problematic elements of Obama and Biden-era Executive Orders.”

The Trump administration removed a line that ordered the secretary of Defense and secretary of Homeland Security to “establish procedures to immediately share threat information.”

The new order also amends a key policy paragraph about cyberthreats from the government of China to include that “significant threats also emanate from Russia, Iran, North Korea, and others who undermine United States cybersecurity.”

“These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy,” both the Trump and Biden versions of the executive order say.