A new cybersecurity executive order (EO) issued by President Trump in early June 2025 rescinds an entire section on digital identity and softens several detailed requirements set forth in former President Joe Biden’s last-minute Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity (Biden EO 14144) from January. Yet, the EO retains many of Biden’s directives for agencies and businesses that work with them.
“The Trump administration is not veering so much from established policy objectives, except with a couple of exceptions,” said Holland & Knight partner Bart Huffman. In many areas, “it is same policy, same objective, but fewer actual requirements,” he told the Cybersecurity Law Report.
The EO, with the two-part title, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” sets 2025 deadlines for actions in several cyber policy areas, including those addressing patching, the management of AI vulnerabilities, secure software development and post-quantum cryptography.
The EO’s one major rollback is gutting an entire section in the Biden EO 14144 that sought to strengthen protection of individuals’ digital identities. The accompanying White House fact sheet (Fact Sheet) warned of potential abuse of those provisions by illegal immigrants, though the warning has been criticized as misleading.
This article highlights the EO’s key changes, the areas where it could influence private sector cybersecurity through government procurement practices and the administration’s cyber policy priorities that businesses should heed, with insights from cyber practitioners at Goodwin, Holland & Knight, the Linux Foundation and Venable.
See “Implications of the Trump AI Executive Order” (Mar. 26, 2025).
EO Covers a Large Set of Issues
The six-page EO addresses a wide range of cyber policies and standards, ranging from leading-edge challenges (like AI vulnerabilities and the quantum computing threat to encryption) to third-party cyber risk mitigation (like secure software development and supply-chain transparency) to policymaking aspects (like business-government collaboration and the federal line of command for cyber issues).
The Fact Sheet criticizes some of the prior administration’s actions as “micromanaging technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.” The EO removes obligations on providers to use phishing-resistant authentication and post-quantum cryptography (PQC), and to provide evidence to validate that software is securely developed.
The power of some eliminations is tempered by remaining requirements from earlier EOs, federal guidance or law, noted below. The dominant effect in several policy areas is that the administration will issue “guidance, and then department and agency CIOs will make the risk management decisions to implement as they see appropriate,” Venable cyber services director Caitlin Clarke told the Cybersecurity Law Report.
See “Reference Guide to 2025 Executive Orders for Compliance Professionals” (Apr. 9, 2025).
Digital Identification Section Entirely Cut
Actions to secure digital identity fell victim to a West Wing political agenda, cyber professionals have commented. The EO revokes the Biden EO 14144’s entire Section 5, “Solutions to Combat Cybercrime and Fraud,” which sought to reduce billions of dollars of identity theft by expanding use of digital identification. The EO ends the obligation for federal benefit programs to accept digital IDs, which the Biden EO 14144 asserted would limit “use of stolen and synthetic identities by criminal syndicates to systematically defraud public benefits programs.”
The Fact Sheet claims that the Biden EO 14144’s anti-fraud measure “risked widespread abuse by enabling illegal immigrants to improperly access public benefits.” A Better Identity Coalition (Coalition) statement expressed disappointment over this section’s repeal, clarifying that “nothing in January’s EO included a mandate for the U.S. government to issue digital IDs to anybody – immigrants or otherwise.”
Section 5 of the Biden EO 14144 “had strong bipartisan support and was praised by cybersecurity and fraud experts,” the Coalition said. The U.S. lags many other countries in adoption of mobile driver’s licenses or government IDs. This repeal also halts development of an “early warning system” to alert Americans if their identity data is used to apply for a government benefit (such identity fraud cost over $100 billion in unemployment benefits during the COVID-19 pandemic).
The administration has declined to explain the cuts to at least two news organizations, and did not provide replacement provisions addressing digital identity fraud. Given the benefits of digital IDs for national security and for individuals, Huffman noted, “it’d be interesting to know if there are specific risks that they’re concerned about.”
The EO removes the deadline by which the National Institute of Standards and Technology (NIST) must provide voluntary guidance to states to secure use of digital IDs and protect privacy, but “we don’t see any reason that any of that work should be suspended, [as it] was specifically authorized by Congress in the 2022 CHIPS and Science Act,” Coalition coordinator Jeremy Grant, a Venable managing director of cybersecurity, told the Cybersecurity Law Report.
See our two-part series on legal and ethical issues in the use of biometrics: “Modality Selection, Implementation and State Laws” (Feb. 21, 2024), and “FIDO, Identity-Proofing and Other Options” (Feb. 28, 2024).
Four EO Priority Areas Focus on Procurement
In four federal cyber policy areas, the EO highlights procurement practices to boost wider security precautions, establishing deadlines for each between August and the end of 2025.
See “How the 2025 Cybersecurity Executive Order Affects Business” (Feb. 5, 2025).
1) Attestation of Secure Software Development
Since 2024, federal agencies have had to collect attestation forms from their software suppliers verifying that they comply with the Secure Software Development Framework (SSDF). Reinforcing this obligation, the EO directs NIST to establish by August 1, 2025, an industry consortium at the National Cybersecurity Center of Excellence to update the SSDF before 2026. That measure shows “the Administration’s understanding that supply chain security and secure software development remain areas needing more guidance,” Clarke said.
What the EO jettisons as “micromanaging” is the Biden EO 14144 measure requiring software companies to submit compliance artifacts to the Cybersecurity and Infrastructure Security Agency (CISA) along with their attestation. Under the Biden EO 14144, CISA was required to sample the submissions and verify whether the evidence reflected the software provider’s attestation.
“That would have made CISA a quasi-regulator because it would make a finding” about the attestation’s accuracy, Clarke observed. The Fact Sheet said the artifact submissions to CISA were “burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
However, the accountability step of CISA submissions addressed the fact that only some government contractors are conscientious enough “to seriously analyze their processes and improve them as necessary,” noted Linux Foundation director of open-source supply chain security David A. Wheeler. “Contractors will all say they take something like this seriously because they must, but that isn’t always borne out in reality,” he told the Cybersecurity Law Report.
Federal pressure on software companies to adhere to the SSDF remains important for the broader swath of private companies, said Huffman, because business supplier contracts often lack terms on software development. “Companies say ‘thou shalt not engage subcontractors without my approval, shalt not ship data to jurisdictions without my approval,’” but only rarely demand verification that “this software was built in a responsible and secure manner,” he reported.
The imperative for SSDF compliance recordkeeping is unlikely to fade despite the EO’s rollback, Goodwin partner Kaitlin Betancourt told the Cybersecurity Law Report. “Other factors are at play, like the False Claims Act, like third-party [due diligence] pressure,” she said.
2) Post-Quantum Cryptography Adoption
The EO includes directives to prepare software providers for the risk that quantum computing, sooner or later, will be able to break the current generation of encryption keys. By December 1, 2025, CISA must update a list of products that support PQC. The list will help companies because “it can be daunting to switch out all their public key cryptography,” Clarke observed.
Also retained was a deadline to issue requirements for agencies to use Transport Layer Security protocol version 1.3 or a successor version, Betancourt noted. “That is critical to making sure that organizations will have the ability to adopt post-quantum cryptography,” she said.
The EO, however, ends the need for all agency technology solicitations to request PQC capabilities. Being less prescriptive about “post-quantum cryptography makes sense because of the fast-evolving nature of the technology,” Betancourt opined.
“The EO also removes efforts to encourage foreign partners to adopt NIST-standardized PQC algorithms,” Wheeler pointed out. The “issue will be if other countries consider U.S.-recommended algorithms as subverted” and spurn them, he said.
A Biden national security memorandum also remains in effect to push vendors and agencies to upgrade to PQC, Clarke noted.
See “Six Steps to Address the SEC’s Trump Era Cyber Enforcement Priorities” (Apr. 9, 2025).
3) IoT Cyber Trust Mark
One widely applicable regulation that the EO surprisingly keeps is “the requirement to amend the Federal Acquisition Regulation so that, by January 4, 2027, federal vendors of consumer [IoT] products must display the U.S. Cyber Trust Mark,” Wheeler observed.
See “A Guided Tour of Enterprise IoT Device Hazards” (Nov. 4, 2020).
4) AI Integration Into Vulnerability Management
The EO gives federal agencies until November 1, 2025, to incorporate management of their AI operations into their overall vulnerability management programs, “including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”
“It is a very critical issue because it affects the supply chain,” Betancourt highlighted. The administration’s attention to AI vulnerabilities harmonizes with other regulators’ actions, like guidance from the New York Department of Financial Services, she added.
The EO’s retention of a wide mandate around AI vulnerabilities and compromises is appropriate – as is the flexibility the EO gives companies on how to tackle the challenge, Huffman offered. Generally, “AI and vulnerability management is front and center in terms of reasonable security practices these days,” he said. Yet, how to continuously monitor for AI vulnerabilities “requires a lot of thought,” he noted. The proliferation of non-human users in companies’ clouds and AI identities across the internet are key security risks drawing attention but lacking easy remedies.
The EO preserves existing directives for the sharing of datasets for cyber defense research into AI, and interagency coordination on AI software vulnerabilities. Yet, it eliminates four other AI-related programs, including an energy sector initiative to use AI to drive cyber defense, and research into the security of AI coding and AI system design.
Cumulatively, the changes straddle prioritizing AI risk management and “letting the departments and agencies determine their own way ahead” in how to protect their AI use, Clarke said.
See “Restricting Super Users and Zombie IDs to Increase Cloud Security” (Jul. 31, 2024).
Other Administration Cyber Priorities
In multiple areas, the EO modifies existing obligations but dials back or alters specific expectations or programs.
See “Checklist for Building an Identity-Centric Cybersecurity Framework” (Nov. 3, 2021).
Patching
The NIST Director faces one early EO deadline of September 2, 2025, for updating Special Publication 800-53. The directive for “guidance on how to securely and reliably deploy patches and updates to software was a specific response to the CrowdStrike outage of a year ago,” Clarke explained, and companies have been seeking more guidance on what is reasonable for this operationally demanding task.
“The EO’s continuation of that effort shows that patching’s still a priority for this administration,” to help shrink supply chain risks, Clarke observed.
Multi-Factor Authentication
The EO eliminates investments in “innovative identity technologies” pilots to expand use of commercial phishing-resistant standards such as FIDO Web Authentication.
However, the Federal Zero Trust Strategy remains in effect, so agency staff, contractors and partners must all move to using phishing-resistant multi-factor authentication.
See “Amendment to NYDFS Cyber Regulation Brings New Mandates: Governance Provisions” (Dec. 13, 2023).
Securing Federal Communications
Beyond encouraging PQC implementation, the EO preserves several measures to better protect the government’s online environment by promoting federal agencies’ and vendors’ use of internet routing security technologies across different layers of architecture and hardware.
See “Cloud Attacks and Six Other Cybersecurity Dangers for 2023 and 2024” (Apr. 26, 2023).
Developing Regulations Downloadable As Code
The EO gives NIST, CISA and the Office of Management and Budget a year to launch a pilot program creating a machine-readable version of cyber regulations and guidance, called “rules as code,” that organizations can download and load into their own systems.
This is helpful, Huffman offered. Compliance processes for employees are essential, but with AI and other technology developing, embedding compliance into companies’ software and systems “is at least equally important,” he said.
National Cyber Director and Policy Leadership
The business community “should pay attention to the section about aligning policy to practice,” which directs the Office of National Cyber Director (ONCD) to consult on EO actions, Clarke advised. “The EO positions ONCD to take a leadership role in cyber policy,” which shifts “the center of gravity on cyber policy within the Executive Office of the President,” she added.
In the Biden-Harris administration, the National Security Council and Deputy National Security Adviser often led cyber policymaking, blurring ONCD’s role. The EO offers “more clarity,” making it known to those who work in this space that they can go to ONCD with questions or to engage on cyber policy, Clarke pointed out.
Foreign and Election Policy Messages
The EO includes three foreign policy messages and one note concerning criticism of elections.
First, the EO expressly names the People’s Republic of China as the “most active and persistent threat to United States Government, private sector, and critical infrastructure networks,” and warns of “Russia, Iran, North Korea, and others who undermine United States cybersecurity.”
Second, the EO rescinds NIST’s requirement to evaluate international standards bodies’ guidelines when issuing guidance on minimum cybersecurity practices for contractors and subcontractors.
Third, it amends the sanctions policy for malicious cyber-related activities set forth in Executive Order 13694, issued in 2015. The Secretary of the Treasury previously could block any person qualifying as a threat actor, but the EO restricts sanctions to “any foreign person.” The Fact Sheet describes the change as “preventing misuse against domestic political opponents.” However, it does not rule out treating permanent legal residents or naturalized citizens as “foreign.”
Additionally, in a nod to election-denial supporters, the Fact Sheet also clarifies that “sanctions do not apply to election-related activities.”
The EO does not address other measures in the Biden EO 14144 regarding ransomware, cloud security, outer space-related cybersecurity and government-wide threat visibility, among other topics.
The EO indicates that the Trump administration is likely to take more action to adjust cybersecurity policy. It provides that its directives are meant to defend digital infrastructure, secure “the services and capabilities most vital to the digital domain,” and build the national capability to address key threats – all of which are evolving tasks.
See “How Designating TCOs As Terrorist Organizations Creates Risks for Financial Institutions and Beyond” (Jun. 4, 2025).