Trump’s Cybersecurity Order Adjusts Requirements for Software, AI and Other Technologies
Published: June 20, 2025
The latest White House cybersecurity directive adjusts federal cyber priorities around the products agencies purchase from suppliers.
Recently, President Trump issued an Executive Order (EO), Sustaining Select Efforts To Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, focused on the cybersecurity practices at federal agencies and secure technology practices by agencies and technology suppliers. As the title indicates, the new directive maintains certain federal cybersecurity efforts as well as modifies some previous EOs issued by the Biden and Obama Administrations.
Below are the key provisions in the EO that impact federal agencies and the contractors that support or supply them.
Secure Software Development Framework
The new Trump EO sustains Biden-era requirements for government contractors to submit self-attestation forms stating that their software complies with security standards based on the National Institute of Standards and Technology's (NIST) Secure Software Development Framework (SSDF). However, the latest Trump EO strips out the requirement in Biden's January 2025 EO directing the development of a new Federal Acquisition Regulation (FAR) provision that would have required software vendors to submit development artifacts as proof that they comply with the NIST SSDF.
In lieu of using the FAR, Trump has directed NIST to establish a consortium with industry “that demonstrates the implementation of secure software development, security, and operations practices” based on the SSDF. The new EO also requires NIST to publish a preliminary update to the SSDF by Dec. 1, 2025, with a reviewed and final version to come within 120 days afterward.
The accompanying fact sheet noted the EO, in part, is seeking to address “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.” This may be referring to the previously directed SSDF FAR provision.
Preparing for Post-Quantum Cryptography (PQC)
The new EO directs agencies to adopt the latest encryption protocols and to take steps to prepare for post-quantum cryptography (PQC).
By December 1, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) are to release and regularly update "a list of product categories in which products that support post-quantum cryptography (PQC) are widely available."
Also by December 1, the NSA (for National Security Systems (NSS)) and the Office of Management and Budget (OMB) (for non-NSS) are to issue requirements for agencies to support Transport Layer Security (TLS) protocol version 1.3 or a successor version no later than January 2, 2030.
The new EO supports and simplifies the May 4, 2022 National Security Memorandum 10, Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.
Artificial Intelligence (AI) Vulnerability Management
The new EO streamlines the AI elements of Biden's January 2025 cyber EO by directing the agencies leading federal AI policy to "incorporate management of AI software vulnerabilities and compromises into their respective agencies' existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems." The EO also requires agencies to ensure that existing cyber defense research datasets are made accessible to the academic research community, either securely or publicly, while accounting for business confidentiality and national security. Both requirements are due by November 1, 2025. The new Trump EO eliminates the elements of the January EO that launched a public/private partnership to use AI for cyber defense of critical infrastructure in the energy sector, that directed research and development of AI-based cybersecurity tools and techniques (including in vulnerability discovery, threat detection, and patch management), and that called for enabling AI security incident and vulnerability reporting.
IoT Cyber Trust Mark Contract Requirements
The new EO directs the FAR Council to amend the FAR to, by January 4, 2027, require vendors to federal agencies of consumer Internet-of-Things (IoT) products to carry U.S. Cyber Trust Mark labeling for those products.
Cyber Policy Updates
The latest EO includes additional provisions to advance cybersecurity policy and guidance across the landscape. The EO gives NIST, CISA and OMB one year to establish a pilot program of a "rules-as-code approach for machine-readable versions of policy and guidance" regarding cybersecurity.
The EO also directs OMB to update its Circular A-130, “Managing Information as a Strategic Resource,” within the next three years to “address critical risks and adapt modern practices and architectures across Federal information systems and networks.”
Contractor Implications
Many, if not most, of the provisions of this latest order adjust ongoing federal cybersecurity priorities and initiatives rather than initiating large-scale changes. From some perspectives, the latest changes buy additional time on efforts to codify cyber regulations in federal acquisition rules or to impose reporting requirements on suppliers (e.g., SSDF artifacts) while certain standards continue to evolve.
Regardless of the pace of adoption, many of the cybersecurity requirements placed on agencies, e.g., vulnerability management and reporting, will likely continue to flow down to contractors and suppliers, which requires companies to stay in sync with these evolving federal policies and practices.