On March 6, President Trump signed Executive Order (EO) 14390, directing a coordinated federal response to cybercrime, fraud, and predatory schemes carried out by Transnational Criminal Organizations (TCOs). An accompanying White House Fact Sheet puts the problem in concrete terms: Americans reported losing more than $12.5 billion to cyber-enabled fraud in 2024 and 73% of U.S. adults have experienced some form of online scam or attack.

The new cybercrime EO is part of a broader cybersecurity push, with the Administration simultaneously releasing its updated National Cybersecurity Strategy (NCS), a six-pillar framework covering adversary deterrence, federal IT modernization, critical infrastructure protection, and AI-enabled defense.

Key Cybercrime EO Mandates and Agency Actions

In contrast to the broader NCS, the cybercrime EO is narrowly focused on law enforcement, TCO disruption, victim recovery, and State, local, Tribal, and territorial (SLTT) partners support. The EO directs agency actions and has other elements that are relevant to contractors and technology suppliers.

A Multi-Agency Review and Action Plan Are Required Within 120 Days

• State, Treasury, War/Defense, Justice, and Homeland Security — in consultation with the Office of the National Cyber Director (ONCD) — must review operational, technical, diplomatic, and regulatory frameworks within 60 days
• Within 120 days, those agencies must submit an Action Plan to the President that identifies the TCOs responsible for scam centers and cybercrime, and proposes solutions to prevent, disrupt, investigate, and dismantle their operations
• The Action Plan must establish a dedicated Operational Cell within the National Coordination Center (NCC) (See section 6(d) of Executive Order 14159), responsible for coordinating federal efforts to detect, disrupt, dismantle, and deter cyber-enabled criminal activity — with private sector involvement as appropriate
• The Action Plan must also describe how commercial cybersecurity firms' threat intelligence and technical capabilities will be used to enhance attribution, tracking, and disruption of malicious cyber actors

The Attorney General Has Two Distinct Directives

• The AG is directed to prioritize prosecutions of cyber-enabled fraud, scam center operations, and sextortion schemes, pursuing the most serious and provable offenses
• Separately, the AG must submit within 90 days a recommendation for a Victims Restoration Program designed to return seized, forfeited, or clawed-back TCO funds directly to fraud victims

CISA Is Directed to Expand Support for State and Local Partners

• The Cybersecurity and Infrastructure Security Agency (CISA), is directed to partner with the NCC to provide training, technical assistance, and resilience-building for State, Local, Tribal, and Territorial (SLTT) partners
• The EO specifies that this includes expanding defensive capacity, sharing threat intelligence, and hardening SLTT partners' critical infrastructure systems against cybercrime exploitation by TCOs

The State Department Is Directed to Pressure Foreign Governments

• The Secretary of State is directed to engage foreign governments and demand enforcement action against TCOs operating within their borders
• Nations that tolerate predatory activity face consequences including sanctions, visa restrictions, limits on foreign assistance, trade penalties, and expulsion of complicit officials
• State must coordinate these actions with U.S. allies and partners to enhance the consequences for non-compliant nations

Potential Contractor Opportunities

The EO establishes four concrete program mandates — commercial threat intelligence integration, NCC Operational Cell buildout, CISA SLTT expansion, and the Victims Restoration Program — each of which require new or expanded capabilities and therefore point to identifiable potential contracting activity. Further, the EO's Section 2(b) explicitly requires the AG and DHS to use commercial cybersecurity firm capabilities for attribution, tracking, and disruption activities. This language, combined with the four program mandates, may also create potential contracting opportunities.

• Commercial Threat Intelligence and TCO Attribution — The EO names commercial cybersecurity firms as a source of threat intelligence and technical capabilities for federal attribution and disruption operations. Suppliers with established threat intelligence platforms, dark web monitoring, or TCO network analysis tools are the most straightforwardly positioned, as their integration into NCC Operational Cell workflows is what the EO specifically envisions. Agencies will also need these capabilities to complete the TCO identification work required for the 120-day Action Plan. Supporting DOJ's prosecution mandate, digital forensics and malware analysis services may also be needed to build evidentiary cases against named TCOs, though the EO does not specify this directly.
• NCC Operational Cell Technology and Integration — The EO creates a new coordinating structure within the NCC and building it out will require technology support. The Operational Cell must connect and coordinate across DOJ, DHS, State, Treasury, and Department of War, which points to demand for secure collaboration environments and multi-agency data sharing platforms. The international engagement mandate — requiring State to coordinate with foreign law enforcement partners — may extend those requirements further, though how much of this flows to commercial contractors will depend on how agencies choose to implement it.
• SLTT Training, Technical Assistance, and Resilience Building — CISA's SLTT support role is explicitly scoped in the EO and covers training, technical assistance, and critical infrastructure hardening. This expands on existing CISA programs and represents an identifiable area of demand for curriculum developers, training delivery platforms, and resilience assessment services. Given the number of SLTT partners involved, agencies will likely need a scalable platform for threat intelligence sharing to meet the EO's requirements in this area, though that is an operational inference rather than a stated requirement. Federal contractors with these capabilities who are not already operating in the SLTT sector(s) may find market expansion opportunities.
• Victims Restoration Program — The Victims Restoration Program is a new DOJ initiative with no existing infrastructure, making it the most clearly defined new program opportunity in the EO. Once the AG's recommendation is accepted, DOJ will need technology to support victim identification, case documentation, adjudication, and fund disbursement. Notification systems and a public-facing portal are likely operational requirements, though the EO's current language only directs a recommendation — the program's final scope will become clearer after the 90-day submission. Because TCO proceeds are often cryptocurrency-denominated, blockchain analytics and wallet tracing capabilities may also be needed to support the underlying seizure and forfeiture workflows, though that too is an operational inference from the program's stated purpose.

Final Thoughts

The operational requirements discussed above are logical needs that agencies will likely encounter as they implement the EO’s mandates, but how they are scoped and funded will depend on decisions made during the 60- and 120-day review process. Contractors are best positioned by aligning their capabilities to the four explicit mandates first and monitoring the Action Plan for further requirements definition, as these may drive evolving or follow-on procurements.

Finally, anticipate and look for funding elements of these mandates to be included in the FY 2027 Budget Requests from DHS, DOJ and the other relevant agencies. Areas requiring significant investment or organizational changes may require congressional buy-in and budget appropriations, which could stretch out procurement timelines for some elements.