The Trump administration issued an executive order entitled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.”
A fact sheet accompanying the order says that President Trump’s EO modifies “problematic and distracting issues” of Obama- and Biden-era cybersecurity EOs, particularly “digital identity mandates that risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”
Virtually all of the changes implemented by the Trump administration address a wide-ranging executive order that the Biden administration issued on Jan. 15 ahead of Trump’s inauguration. That order contained nine sections mandating dozens of agency actions across the federal government, including supporting digital identities, improving supply chain risk management, addressing threats from nation-state actors, particularly China, and more.
Although Trump’s order eliminates a crucial component of Biden’s EO, the digital identity sections, and rolls back the EO’s required attestations for secure software development, it otherwise maintains the central provisions of the January order. Moreover, unlike the unusual and partisan fact sheet, the EO itself is a straightforward policy document devoid of political sniping.
“I’m pleased to see that there’s a lot of consistency between what was in the last administration’s order and what they’re going forward with,” Caitlin Clarke, a former senior cyber leader on the National Security Council and now a senior director for cybersecurity services at Venable LLP, told CSO. “For the most part, it’s fairly consistent in its view that cybersecurity is critical for federal networks and critical infrastructure networks, while driving forward some key actions that will help protect both federal and critical infrastructure networks.”
Rescinding Biden EO’s digital identity development section
Exploiting digital identities has become an increasingly popular way for threat actors to gain unauthorized access to otherwise highly protected networks and assets. Cybercriminals and nation-states can frequently penetrate systems undetected by posing as insiders or stealing legitimate credentials.
To address this trend, Biden’s January EO directed the National Institute of Standards and Technology (NIST) to support remote digital identity verification using digital identity documents, with the aim of helping both the issuers and the verifiers of those documents. The EO also urged federal agencies to consider accepting digital identity documents and to implement guardrails to protect the privacy of digital identities.
Trump’s EO, on the other hand, has eliminated what the fact sheet calls digital identity “mandates,” saying US government-issued IDs for “illegal aliens” would have facilitated “entitlement fraud and other abuse.”
“We’re disappointed to see the administration repeal the digital identity section of January’s cybersecurity executive order — especially given that this language had strong bipartisan support and was praised by cybersecurity and fraud experts,” Jeremy Grant, coordinator of the Better Identity Coalition, said in a statement.
“The core of the identity section focused on having NIST create guidance that agencies at all levels of government could use to make digital identity tools more secure, as well as encouraging federal agencies to start accepting these secure credentials to help prevent fraud in public benefits programs.”
Grant added, “Nothing in January’s EO included a mandate for the US government to issue digital IDs to anybody — immigrants, or otherwise.”
Rolling back secure software attestations
Biden’s EO did mandate that software vendors supplying the federal government attest to their adherence to secure software development practices as part of a broad push to secure the software supply chain.
Those mandates followed Biden’s first cyber executive order, issued in May 2021, which required agencies to comply with several software security guidelines issued by NIST. The Office of Management and Budget later issued guidance on how to comply with the 2021 order.
Biden’s second cyber EO in January aimed to give the OMB guidance teeth by mandating attestations, that is, formal declarations backed by artifacts: computer records or data, generated manually or by automated means, that demonstrate compliance with those practices.
“Towards the end of the Biden-Harris administration, we thought there needed to be more emphasis beyond just a checklist, and therefore, we sought some additional evidence that people were following the principles of secure software development as put out by NIST,” Venable’s Clarke said.
Trump’s cyber order eliminates the attestations, saying in the fact sheet they were “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.” However, Trump’s EO also directs NIST to establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance to better demonstrate secure software development practices.
Using AI to tackle vulnerabilities, setting post-quantum deadlines
Trump’s EO aligns with Biden’s order regarding the importance of artificial intelligence, stating that AI has the “potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.”
Tim Miller, field CTO and public sector cyber lead at Dataminr, told CSO that the EO recognizes that “AI is not about replacing humans, but about empowering them with the ability to leverage AI in looking at their defenses, whether it’s around vulnerability risks and threat actors becoming more efficient in operationalizing that or zero days and how quickly they break.”
Trump’s order also directs various government agencies to make AI data sets accessible to the broader academic research community and to establish proper management of AI software vulnerabilities.
Another area of agreement between the two orders is pushing agencies toward more secure post-quantum cryptography postures. Trump’s EO directs the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency (NSA) to develop product categories by Dec. 1, 2025, in which products that support post-quantum cryptography (PQC) are widely available.
It also sets a Dec. 1, 2025, deadline for NSA and OMB to prepare for a PQC world by requiring agencies to support Transport Layer Security (TLS) protocol version 1.3 or a successor by Jan. 2, 2030.
The only real change Trump made to Obama’s policy was to tinker with the language in Executive Order 13694, which imposed sanctions on “persons” who had launched malicious cyber activities against the United States. The Trump EO modifies this language to clarify that the sanctions apply to “foreign persons.”
Regarding what she considers mostly minor revocations of Trump’s predecessor’s cyber policies, Clarke said, “It’s a good thing that there is more of a through line [from Obama to Biden to Trump], which is something we’ve always said: Cybersecurity is nonpartisan. Trump’s EO reflects that when you really read it.”