Trump reshapes U.S. cybersecurity by amending Biden, Obama-era policies to prioritize technical standards
Trump’s June 2025 executive order rewires U.S. cybersecurity strategy. Find out what it means for vendors, sanctions, and federal tech standards.
In a sweeping overhaul of federal cybersecurity policy, President Donald J. Trump signed an executive order on Friday that amends key provisions of Executive Orders 14144 and 13694. The new presidential order signals a shift away from identity-focused and election-related cybersecurity safeguards toward a more technically defined approach centered on artificial intelligence, post-quantum cryptography, and secure software development.
The new order, titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” eliminates or rewrites multiple components of the Biden-era EO 14144, while further narrowing the scope of Obama’s 2015 EO 13694—particularly with regard to cyber sanctions enforcement. Instead of reinforcing expansive government mandates, the revised directives prioritize standards development via the National Institute of Standards and Technology (NIST), enhanced federal procurement rules for consumer Internet-of-Things (IoT) security, and the advancement of cryptographic readiness for a post-quantum era.

What amendments were made to EO 14144 and EO 13694?
The June 6 executive order eliminates several sections of Executive Order 14144, including mandates on federal digital identity frameworks, specific references to Border Gateway Protocol (BGP) integrity, and early-stage experimental hardware-based threat detection mechanisms. It also rescinds Section 5 of EO 14144, which previously framed cybersecurity as a public safety initiative that extended into entitlement services and digital identification systems.
In tandem, EO 13694 has been revised to narrow the definition of actionable cyber threats. The amended language now restricts sanctionable offenses to “foreign persons” only—removing the previous blanket category of “any person.” This change, while legally specific, has drawn concern from election cybersecurity experts who fear that it creates a policy blind spot for hybrid or domestic cyber actors targeting critical infrastructure, including electoral systems.
What technical standards are now prioritized by the federal government?
In place of the rescinded mandates, the Trump administration’s order introduces an aggressive calendar of technical benchmarks for agencies. By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, is tasked with forming a public-private consortium at the National Cybersecurity Center of Excellence to develop updated guidance based on NIST Special Publication 800-218, also known as the Secure Software Development Framework (SSDF).
A separate update to NIST SP 800-53 must be completed by September 2 to improve guidelines on software patching and deployment. A preliminary revision to the SSDF is also due by December 1, 2025, with the final version required within 120 days thereafter. These publications will guide how agencies—and eventually federal vendors—design, test, and distribute secure software.
Post-quantum encryption also receives institutional support in the order. By December 1, 2025, both the National Security Agency and the Office of Management and Budget (OMB) must issue timelines for federal agencies to adopt Transport Layer Security (TLS) version 1.3 or a successor and implement cryptographic systems resistant to quantum computing attacks. The ultimate compliance deadline is set for January 2, 2030.
How is AI addressed in federal cybersecurity under this new order?
One of the most forward-looking provisions in the order is its treatment of artificial intelligence in cybersecurity. The Secretary of Defense, Secretary of Homeland Security, and Director of National Intelligence are now required to integrate AI software vulnerabilities into their agencies’ cyber incident response frameworks by November 1, 2025.
Additionally, the Department of Commerce, Department of Energy, Department of Homeland Security, and the National Science Foundation must ensure that existing federal datasets useful for AI-enabled cyber defense research are accessible to academic researchers. This move aims to create broader public-private collaboration without compromising national security or commercial confidentiality.
Why were digital identity provisions and election-related sanctions rolled back?
The executive order’s removal of digital identity systems—particularly those linked to mobile driver’s licenses or public benefit verification—reflects a broader ideological pivot. According to the White House, these systems present a “significant entitlement fraud risk,” especially in the context of undocumented immigrants accessing federal services.
While this rationale aligns with longstanding conservative critiques, cybersecurity researchers and some former federal officials argue that eliminating secure digital identity requirements weakens the integrity of authentication systems critical to secure transactions and citizen services.
Election-related cybersecurity also appears to be de-prioritized. By removing the applicability of cyber sanctions to non-foreign actors, the order eliminates a mechanism that had previously enabled the federal government to act against hybrid or domestic sources of disinformation or interference. Legal scholars note that this could lead to regulatory paralysis in scenarios involving proxy cyber actors operating within U.S. borders.
What is the reaction from industry and policy experts?
The response to the June 6 order has been mixed. Mark Montgomery of the Foundation for Defense of Democracies, a prominent voice on national cyber defense, criticized the decision to revoke digital ID mandates, noting that these were “instrumental in reducing phishing and fraud across federal systems.”
On the other hand, industry stakeholders with ties to the cybersecurity vendor ecosystem expressed guarded optimism. Analysts at CyberArk and Palo Alto Networks interpreted the order’s new focus on secure software pipelines and quantum-resistant algorithms as “a rational refocusing” on high-priority threat domains. Several praised the move to integrate AI compromise detection mechanisms into formal federal frameworks as a long-overdue modernization step.
How will these changes impact federal IT vendors and cybersecurity contractors?
While the policy changes are administrative in nature, they will likely have downstream implications for technology vendors serving federal contracts. Companies working in post-quantum cryptography—particularly those aligned with NIST’s recent PQC standard selections such as CRYSTALS-Kyber—may benefit from increased demand as agencies accelerate cryptographic transitions before the 2030 deadline.
Likewise, the emergence of secure software mandates through NIST’s SSDF and SP 800-53 updates will create immediate opportunities for secure DevOps platform providers. Firms specializing in code signing, threat detection, and patch orchestration may see stronger engagement from both defense and civilian agencies.
IoT manufacturers will also face new regulatory expectations. By January 4, 2027, vendors offering consumer-grade Internet-of-Things products to the federal government must adhere to new Cyber Trust Mark labeling standards, as established via forthcoming revisions to the Federal Acquisition Regulation (FAR).
What comes next for implementation and oversight?
The Office of Management and Budget is expected to issue implementation guidance for the order by mid-2026, including revisions to OMB Circular A-130 to align cybersecurity budgets and policies with the revised strategy. Meanwhile, NIST and CISA will likely take the lead in operationalizing pilot programs using “rules-as-code” frameworks for machine-readable versions of cybersecurity guidance.
Analysts also expect broader procurement shifts as agency compliance timelines begin to mature. If fully enacted, these changes could signal a market realignment in cybersecurity contracting, especially in sectors tied to AI security, software assurance, and federal IoT infrastructure.