
On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.

Overview

The Executive Order includes a new policy statement (replacing Section 1 in EO 14144) setting forth the Government’s current priorities, which include defending digital infrastructure, securing services and capabilities vital to the digital domain, and building capability to address key threats. China continues to be identified as the greatest cyber threat to the United States, with Russia, Iran, and North Korea also named.

New language incorporated into EO 14144 via amendments relates to software supply chain security, artificial intelligence, quantum computing, Internet-of-Things products, and updates to key federal guidance documents. With respect to EO 13694, the lone update is to specify that sanctions will apply to “any foreign person” rather than “any person.” Per the Fact Sheet accompanying the new Executive Order, this change “limits the application of cyber sanctions only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”

While the Executive Order strikes language in nearly every section of EO 14144, sections on improving cybersecurity of federal systems, securing federal communications, and National Security Systems are largely untouched. The Executive Order strikes completely the section in EO 14144 on “Solutions to Combat Cybercrime and Fraud” (former Section 5), which included considerations for Federal grant funding to assist States in developing and issuing mobile driver’s licenses, and developing digital identity verification.

Software Supply Chain Security

The Executive Order strikes certain provisions regarding the Biden Administration’s approach to secure software development requirements, including provisions directing updates to the Federal Acquisition Regulation (“FAR”) to require software providers to submit secure software attestations, artifacts, and other information to the Cybersecurity and Infrastructure Security Agency (“CISA”). While these and several other changes seem to be aimed at limiting CISA’s role in this area (not surprising given recent events and the debate about the proper role of CISA), it appears the current administration will continue to rely heavily on the National Institute of Standards and Technology (“NIST”) and its guidance with respect to secure software development.

Relating to third-party software supply chain security, the amendments call for several updates from NIST:

  • Establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance relating to NIST’s Publication 800-218, Secure Software Development Framework (SSDF) (by August 1, 2025).
  • Update NIST Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, with guidance on “how to securely and reliably deploy patches and updates” (by September 2, 2025).
  • Develop a preliminary update to NIST Publication 800-218, Secure Software Development Framework (SSDF), with practices, procedures, and examples on secure development and delivery of software (preliminary update by December 1, 2025; final update by March 31, 2026).

Those of you who have been following along know there is still an open FAR case on supply chain software security (Case No. 2023-002). This FAR Case stems from a different Biden Administration Executive Order (EO 14028, Improving the Nation’s Cybersecurity; not rescinded) and calls for FAR updates to require suppliers of software to agencies to comply, and provide attestations of compliance, with secure software development requirements. Presumably, these requirements will align with NIST Publication 800-218 (the Secure Software Development Framework), but attestations may no longer be collected and managed by CISA. As a reminder, there are two other cyber-related open FAR cases from EO 14028, both in the post-comment stage: (1) Cyber Threat and Incident Reporting and Information Sharing (Case No. 2021-017); and (2) Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (Case No. 2021-019) (we wrote about these here).