{"id":3501,"date":"2025-06-09T21:32:40","date_gmt":"2025-06-09T21:32:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3501"},"modified":"2025-06-09T21:32:40","modified_gmt":"2025-06-09T21:32:40","slug":"trump-takes-aim-at-bidens-cyber-executive-order-but-leaves-it-largely-untouched","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3501","title":{"rendered":"Trump takes aim at Biden\u2019s cyber executive order but leaves it largely untouched"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

The Trump administration issued an executive order<\/a> entitled \u201cSustaining Select Efforts to Strengthen the Nation\u2019s Cybersecurity and Amending Executive Order 13694 <\/a>and Executive Order 14144.\u201d<\/p>\n

A fact sheet<\/a> accompanying the order says that President Trump\u2019s EO modifies \u201cproblematic and distracting issues\u201d of Obama- and Biden-era cybersecurity EOs, particularly \u201cdigital identity mandates that risked widespread abuse by enabling illegal immigrants to improperly access public benefits.\u201d<\/p>\n

Virtually all of the changes implemented by the Trump administration address a wide-ranging executive order<\/a> that the Biden administration issued on Jan. 15 ahead of Trump\u2019s inauguration. That order contained nine sections mandating dozens of agency actions across the federal government, including supporting digital identities, improving supply chain risk management, addressing threats from nation-state actors, particularly China, and more.<\/p>\n

Although Trump\u2019s order eliminates a crucial component of Biden\u2019s EO, the digital identity sections, and rolls back the EO\u2019s required attestations for secure software development, it otherwise maintains the central provisions of the January order. Moreover, unlike the unusual and partisan fact sheet, the EO itself is a straightforward policy document devoid of political sniping.<\/p>\n

\u201cI\u2019m pleased to see that there\u2019s a lot of consistency between what was in the last administration\u2019s order and what they\u2019re going forward with,\u201d Caitlin Clarke<\/a>, a former senior cyber leader on the National Security Council and now a senior director for cybersecurity services at Venable LLP, told CSO. \u201cFor the most part, it\u2019s fairly consistent in its view that cybersecurity is critical for federal networks and critical infrastructure networks, while driving forward some key actions that will help protect both federal and critical infrastructure networks.\u201d<\/p>\n

Rescinding Biden EO\u2019s digital identity development section<\/h2>\n

Exploiting digital identities<\/a> has become an increasingly popular way for threat actors to gain unauthorized access to otherwise highly protected networks and assets. Cybercriminals and nation-states can frequently penetrate systems undetected by posing as insiders or stealing legitimate credentials.<\/p>\n

To address this trend, Biden\u2019s January EO directed the National Institute of Standards and Technology (NIST) to support remote digital identity verification using digital identity documents to help issuers and verifiers of digital identity documents. The EO also urged federal agencies to consider accepting digital identity documents and to implement guardrails to protect the privacy of digital identities.<\/p>\n

Trump\u2019s EO, on the other hand, has eliminated what the fact sheet calls digital identity \u201cmandates,\u201d saying US government-issued IDs for \u201cillegal aliens\u201d would have facilitated \u201centitlement fraud and other abuse.\u201d<\/p>\n

\u201cWe\u2019re disappointed to see the administration repeal the digital identity section of January\u2019s cybersecurity executive order \u2014 especially given that this language had strong bipartisan support and was praised by cybersecurity and fraud experts,\u201d Jeremy Grant<\/a>, coordinator of the Better Identity Coalition, said in a statement.<\/p>\n

\u201cThe core of the identity section focused on having NIST create guidance that agencies at all levels of government could use to make digital identity tools more secure, as well as encouraging federal agencies to start accepting these secure credentials to help prevent fraud in public benefits programs.\u201d<\/p>\n

Grant added, \u201cNothing in January\u2019s EO included a mandate for the US government to issue digital IDs to anybody \u2014 immigrants, or otherwise.\u201d<\/p>\n

Rolling back secure software attestations<\/h2>\n

Biden\u2019s EO did mandate<\/a> that software vendors supplying the federal government attest to their adherence to secure software development practices as part of a broad push to secure the software supply chain<\/a>.<\/p>\n

Those mandates followed Biden\u2019s first cyber executive order<\/a>, issued in May 2021, which required agencies to comply with several software security guidelines issued by NIST. The Office of Management and Budget later issued guidance<\/a> on how to comply with the 2021 order.<\/p>\n

Biden\u2019s second cyber EO in January aimed to give the OMB guidance teeth by mandating attestations, or formal, evidence-backed declarations of artifacts, which are computer records or data generated manually or by automated means that demonstrate compliance with those practices.\u00a0<\/p>\n

\u201cTowards the end of the Biden-Harris administration, we thought there needed to be more emphasis beyond just a checklist, and therefore, we sought some additional evidence that people were following the principles of secure software development as put out by NIST,\u201d Venable\u2019s Clarke said.<\/p>\n

Trump\u2019s cyber order eliminates the attestations, saying in the fact sheet they were \u201cimposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.\u201d However, Trump\u2019s EO also directs NIST to establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance to better demonstrate secure software development practices.<\/p>\n

Using AI to tackle vulnerabilities, setting post-quantum deadlines<\/h2>\n

Trump\u2019s EO aligns with Biden\u2019s order regarding the importance of artificial intelligence, stating that AI has the \u201cpotential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.\u201d<\/p>\n

Tim Miller<\/a>, field CTO and public sector cyber lead at Dataminr, told CSO that the EO recognizes that \u201cAI is not about replacing humans, but about empowering them with the ability to leverage AI in looking at their defenses, whether it\u2019s around vulnerability risks and threat actors becoming more efficient in operationalizing that or zero days and how quickly they break.\u201d<\/p>\n

Trump\u2019s order also directs various government agencies to make AI data sets accessible to the broader academic research community and to establish proper management of AI software vulnerabilities.<\/p>\n

Another area of agreement between the two orders is pushing agencies toward more secure post-quantum cryptography postures<\/a>. Trump\u2019s EO directs the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency (NSA) to develop product categories by Dec. 1, 2025, in which products that support post-quantum cryptography (PQC)<\/a> are widely available.<\/p>\n

It also gives NSA and OMB a Dec. 1, 2025, deadline to get ready for a PQC world by requiring agencies to support Transport Layer Security protocol version 1.3 or a successor by Jan. 2, 2030.<\/p>\n

The only real change Trump made to Obama\u2019s policy was to tinker with the language in Executive Order 13694<\/a>, which imposed sanctions on \u201cpersons\u201d who had launched malicious cyber activities against the United States. The Trump EO modifies this language to clarify that the sanctions apply to \u201cforeign persons.\u201d<\/p>\n

Regarding what she considers mostly minor revocations of Trump\u2019s predecessor\u2019s cyber policies, Clarke said, \u201cIt\u2019s a good thing that there is more of a through line [from Obama to Biden to Trump], which is something we\u2019ve always said: Cybersecurity is nonpartisan. Trump\u2019s EO reflects that when you really read it.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

The Trump administration issued an executive order entitled \u201cSustaining Select Efforts to Strengthen the Nation\u2019s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.\u201d A fact sheet accompanying the order says that President Trump\u2019s EO modifies \u201cproblematic and distracting issues\u201d of Obama- and Biden-era cybersecurity EOs, particularly \u201cdigital identity mandates that risked widespread abuse […]<\/p>\n","protected":false},"author":0,"featured_media":3500,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3501"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3501"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3500"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}