Taking an editor’s pen to EO 14144
On Friday afternoon, the Trump White House issued its first major executive action on cybersecurity, making changes to Executive Orders 13694 (released by the Obama administration in April 2015) and 14144 (released by the Biden administration in January 2025). Given that EO 14144 came out with but three days left in the Biden administration, it’s unsurprising that President Trump and his team made changes. My three key takeaways:
- Meet the New Boss… – The 2023 National Cybersecurity Strategy explicitly built on the Trump administration’s 2018 National Cyber Strategy. At least with respect to this executive action, that pattern largely stays true: the sentiments of the 2023 Strategy and associated Biden-era executive actions remain largely intact after the Trump team’s edits. Despite nips and tucks here and there, key components—such as a commitment to secure software development, the use of procurement power to drive change, and even a focus on space system cybersecurity—remain.
- Shuffling Responsibilities – Across the board, I note a consistent reduction in specific requirements from the White House to departments and agencies. As the Trump administration says in its fact sheet, the new EO aims to shift away from “[m]icromanaging technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.” This is a shift from the Biden administration, which had a more involved White House that believed specific measures were critical for accountability. Observers will do well to track how pushing decisions back to agencies affects their behavior. In another shuffle of responsibilities, the new EO gives ONCD a stronger coordinating role than the Biden EO did, perhaps an indication of the expanded vision for the office that Sean Cairncross highlighted during his confirmation hearing last week.
- Identity Wipe Out – The biggest loser from the Biden version of EO 14144 was the identity section, which was excised completely. Digital identity issues were on shaky ground throughout the Biden Administration: a forthcoming digital identity executive order was first announced as part of the 2022 State of the Union. The digital identity language in EO 14144 was some of the weakest in the document, merely directing that agencies “consider” ways to accept digital identities or “seek to ensure” they are interoperable. Such vague mandates were unlikely to meaningfully alter the identity ecosystem; nonetheless, it remains to be seen what the Trump White House plans to do instead—especially as identity spoofing is a real driver of government fraud.[1]
Of course, underlying implementation of the revised EO is the question: who will actually carry out the tasks contained therein? NIST, which is featured prominently as a tasked agency, is facing a 22 percent proposed budget cut, the details of which have yet to be released. CISA is also facing substantial proposed cuts, even as its responsibilities increase under the revised EO. The revised EO 14144 has the potential to significantly improve the United States’ cybersecurity posture, but only if it is actually implemented.
Section by Section Analysis
Section 1 – Unwinding Changes to the Identity Ecosystem and Scaling Back Secure Software Verification
As noted above, the new Trump EO eliminates Section 5 of EO 14144, “Solutions to Combat Cybercrime and Fraud.” This identity-focused section is the only part of EO 14144 that is eliminated entirely.
Beyond identity, the biggest changes in this portion have to do with Section 2 of EO 14144. EO 14144 built upon the secure software development lifecycle policies of EO 14028 (Biden, May 2021). While implementation of EO 14028 is incomplete—three Federal Acquisition Regulation changes to solidify requirements around secure development remain pending[2]—EO 14144 sought to address perceived weaknesses in the self-attestation model relied upon in the prior scheme. In the statement of policy from EO 14144, President Biden explicitly referenced improving accountability for software vendors and cloud service providers. Friday’s EO struck down that statement, as well as the requirement that vendors submit their attestations, and the artifacts supporting them, to CISA for evaluation.
The implications of this change are unclear, as EO 14144 was adding to a process that has not yet been fully implemented. One could argue that a return to the EO 14028 self-attestation model lowers the pressure on software vendors. While that may prove to be the case, the most significant feature in my view is that the new EO does not amend EO 14028. If the Trump Administration carries through with implementing the currently pending FAR changes, that would still significantly change the way the federal government procures software. In Section 2, the Trump EO also updates requirements from EO 14144 that the NIST secure software development lifecycle guidance be revised, which can be read as a commitment to keep some of the Biden-era policies intact.[3]
Other changes include:
- 1(b) – strikes a line about open-source software (“Open source software plays a critical role in Federal information systems.”). This is a bit puzzling, as open source software does underlie almost all software, including federal systems; however, removing it does not alter policy in any way.
- 1(c) – removes a requirement related to the deployment of phishing-resistant multi-factor authentication on federal systems. The requirement for pilot programs on MFA did not come with a specific date, so this is not a major change.
- 1(d) – strikes a line referencing EO 14028. Importantly, the EO retains the requirement that CISA finally implement the authorities for “no-knock” threat hunting given to it by Congress in the Fiscal Year 2021 National Defense Authorization Act,[4] which the Biden Administration failed to carry out. The Trump EO also retains language relating to the cybersecurity of civil space systems.
- 1(e) – ensures that CISA’s threat hunting can be carried out with respect to cyber activities that aren’t “novel.” In practice, this should have minimal effect.
- 1(f) – removes a requirement for NIST to provide updated Border Gateway Protocol (BGP) guidance. Given resource limitations at NIST, it seems unlikely that this guidance would have been produced in a timely manner. The Trump EO does retain provisions requiring agencies to implement route origin security to protect against certain BGP attacks.
- 1(g) – rolls back requirements related to email encryption. The requirements in EO 14144—and the associated timelines—were ambitious, extending beyond server-to-client interactions to include server-to-server sessions. As more federal email traffic becomes cloud-based, it’s also unclear what proportion of traffic the previous requirement would have applied to.
- 1(i) – removes specific guidance to the Committee on National Security Systems about what controls to consider in updates to their space system cybersecurity requirements (specifically, “in the areas of intrusion detection, use of hardware roots of trust for secure booting, and development and deployment of security patches”). This change signals a step backwards from the previous EO, which dictated priority areas for cyber defense in space, despite significant effort from the National Space Council, ONCD, and NSC during the last administration. Notably, these changes are not present in the civil space section.
Section 2 – Putting the Administration’s Spin on Things
Section 2 contains several updates to taskings in EO 14144, presumably to align them with the new Administration’s agenda. In several cases, the edits make the overall document more prescriptive with respect to timelines while kicking some of the more specific elements of taskings back to individual agencies.
- 2(a) – removes reference to EO 14028 in the statement of policy and explicitly includes reference to threats from “Russia, Iran, North Korea, and others who undermine United States cybersecurity.” In contrast, EO 14144 only referenced the People’s Republic of China explicitly.
- 2(b) – updates timelines with regard to the publication of a new version of NIST Special Publication 800-218 (Secure Software Development Framework (SSDF)). Per the new EO, NIST is now required to establish a consortium with industry by August 1 and then publish a new version of the SSDF no later than March 31, 2026. The guidance will focus in particular on the secure and reliable deployment of patches, precipitated by the CrowdStrike incident last July. Beyond changes to the timing, the requirements from EO 14144 with regard to the NIST publication remain the same.
- 2(c) – removes statements about the centrality of BGP to internet security, but does not change associated taskings for agencies.
- 2(d) – strikes requirements related to post-quantum cryptographic (PQC) algorithm deployment. Notably, the EO removes a requirement that NIST work with international partners to encourage adoption of PQC algorithms and that agencies prioritize procurement of products with PQC once they are widely available. These are both relatively soft requirements, however, and the more concrete tasks, particularly those requiring the transition of federal systems to TLS 1.3, remain in place.
- 2(e) – trims down requirements related to AI and cybersecurity. It maintains EO 14144’s task for scientific agencies to make data available to cyber defenders. The new EO also strikes requirements related to two pilot projects, including the DARPA AI Grand Challenge and removes reference to agencies’ research agendas. Finally, it designates additional Executive Office of the President components, the Office of Science and Technology Policy and ONCD, to review AI vulnerability handling. This de-emphasis on federal research aligns with the Administration’s budget request.
- 2(f) – alters tasks related to ensuring consistency across government policies. In the front matter, the EO adds ONCD as coordinator of the entire section of tasks, a notable change. The EO maintains the previous requirement for OMB to update Circular A-130, albeit without specific guidance from the President. It puts a one-year timeline on a pilot for a rules-as-code approach for machine-readable versions of policy and guidance (the previous EO had no established timeline for this program). Most importantly, it eliminates a very broad task that NIST identify minimum cybersecurity practices. Finally, the EO maintains a direction to the FAR Council that agencies only procure items that have the Cyber Trust Mark label. This last is particularly interesting, as it indicates that the White House plans to continue the FCC’s program.
- 2(g) – makes a conforming change based on other edits to the EO.
Section 3 – Tweaking Cyber Sanctions
Section 3 further alters the thrice-amended cyber sanctions executive order by limiting its application to foreign persons. While the cyber sanctions EO has never been used to target U.S. persons, Section 203 of the International Emergency Economic Powers Act (IEEPA) does not limit the President’s sanctions authority to foreign persons. While an interesting bit of signaling from the Trump Administration, it would take Congressional action to alter the scope of IEEPA in a way that would bind future administrations.
[1] In the White House fact sheet, the Administration claims that the identity section would have allowed “illegal immigrants to improperly access public benefits.” That rhetoric appears completely divorced from the actual language of EO 14144, which does not mention immigrants at all.
[2] This includes some requirements for artifacts, such as software bills of materials (SBOM), the requirement for which is in FAR Case 2021-017.
[3] Whether NIST will have the funding to carry out this work remains an open question.
[4] Section 1705, Public Law 116-283, 116th Congress.