On June 6, 2025, President Trump signed an Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (the “Trump Cyber EO”). The Trump Cyber EO rescinds and modifies select Biden administration guidance from EO 14144 covering several cybersecurity regimes, including digital identity verification, artificial intelligence, and secure software development practices, and it amends Obama administration guidance from EO 13694 authorizing sanctions on persons involved in malicious cyber activities. We have provided a summary of significant changes made by the Trump Cyber EO below.

Notable Trump Cyber EO Changes to EOs 14144 and 13694

  • CISA SSDF Attestation Requirements Are in Limbo. EO 14144 built on prior Biden Administration Cybersecurity and Infrastructure Security Agency (CISA) Secure Software Development Framework (SSDF) guidance in EO 14028 and OMB Memorandums M-22-18 and M-23-16—which require federal agencies to collect SSDF attestation forms from their software suppliers—by directing Federal Acquisition Regulation (FAR) amendments to standardize and enhance enforcement of the SSDF attestation process. The Trump Cyber EO removes the portions of EO 14144 requiring the SSDF FAR amendments but does not rescind EO 14028 or the relevant OMB Memorandums, leaving the future of SSDF attestation requirements unclear. The Trump Cyber EO does retain EO 14144 language requiring the National Institute of Standards and Technology (NIST) to update SSDF practices and relevant security standards, including NIST Special Publication 800-218, which may indicate that SSDF attestations are not being abolished entirely.
  • Post-Quantum Cryptography Requirements are Stripped Down. EO 14144 directed several activities to encourage federal government adoption of products that support post-quantum cryptography (PQC). The Trump Cyber EO preserves EO 14144 mandates requiring CISA to compile a list of PQC-enabled products and for agencies to support Transport Layer Security protocol 1.3 (or a successor version) by 2030, but the Trump Cyber EO eliminates provisions directing the inclusion of PQC requirements in solicitations for certain products, agency PQC key establishment, and efforts to encourage key foreign partners to adopt NIST-standardized PQC algorithms.
  • Cyber Trust Mark and Machine-Readable Cyber Standard Requirements Remain in Place. Trump’s Cyber EO leaves intact two key technical measures from EO 14144, including the requirement to amend the FAR so that, by January 4, 2027, federal vendors of consumer IoT products must display the U.S. Cyber Trust Mark—a certification program launched by the previous administration to improve cybersecurity transparency and build consumer confidence. The order also preserves the directive to develop, within one year, a pilot program for a rules-as-code approach to develop machine-readable versions of cybersecurity policy and guidance issued by OMB, NIST, and CISA.
  • Reduced AI Cyber Defense and Threat Response Activities. The Trump Cyber EO rescinds several provisions from Section 6 of EO 14144, aiming to refocus “AI cybersecurity efforts towards identifying and managing vulnerabilities, rather than censorship.” Revoked measures include a pilot program to explore AI applications for securing critical infrastructure in the energy sector, a mandate for the Department of Defense to adopt advanced AI models for cyber defense, and the prioritization of federal research into secure AI design, the security of AI-generated code, and AI-assisted incident response. Notably, two Biden-era directives remain in place, including the release of existing federal cyber defense datasets to the broader research community and the incorporation of AI vulnerability management into DHS, DoD, and the Director of National Intelligence agency cybersecurity frameworks.
  • Digital Identity Verification Efforts are Scrapped. Section 5 of EO 14144 proposed various measures to encourage adoption of and to standardize digital identity documentation to address “the use of stolen and synthetic identities by criminal syndicates to systemically defraud public benefits programs.” The Trump Cyber EO removes Section 5 in its entirety.
  • EO 13694 Sanctions for Malicious Cyber Activity are Limited to “foreign persons” Only. EO 13694 allowed the federal government to impose economic sanctions on “any person” it determined had engaged in cyber-enabled malicious activities, including misappropriation of trade secrets or other activities representing a serious threat to the United States’ national security or economic health. The Trump Cyber EO limits the scope of EO 13694 sanctions to “any foreign person.” The Trump Administration explained in a Fact Sheet that this change is intended to “prevent[] misuse against domestic political opponents and clarify[] that sanctions do not apply to election-related activities.”

Key Takeaways

The Trump Cyber EO rescinds or modifies portions of previous administrations’ EOs while leaving their overall frameworks mostly intact. As a result, it may take impacted federal agencies some time to parse which initiatives have been canceled and which remain in effect. Federal government software suppliers should pay close attention to updates from CISA and their customer agencies regarding the future of SSDF attestations, as the Trump Cyber EO rolls back select SSDF activities but does not appear to terminate the attestation process altogether.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.