Cybersecurity practitioners to transition from policy theory to practical application due to new executive order
In a significant move, President Trump's Executive Order (EO) 14306, issued on June 6, 2025, has introduced several key changes and implications for federal cybersecurity. The amendment to Executive Orders 14144 (Biden) and 13694 (Obama) focuses on software supply chain security, AI security, post-quantum cryptography, IoT security, and framework revisions.
- Narrowed Cyber Threat Actor Scope: The amendment now targets only "foreign persons" in cybersecurity-related sanctions and actions, refining the focus on foreign cyber threats specifically. Notably, China, Russia, Iran, and North Korea have been identified as significant cyber threat actors[3][5].
- Secure Software Development and Delivery: The EO emphasises secure software development and delivery as a priority. The Secretary of Commerce is directed to lead industry consortia for developing updated guidance on secure software development, following NIST Special Publication 800-218 (Secure Software Development Framework, SSDF)[1][5].
- Shift in AI Security: The amendments to EO 14144 refocus AI policy to encourage innovation primarily within the private sector, while also promoting greater AI adoption and integration within federal agencies. AI tools are highlighted as means to automate cyber defense, identify and manage vulnerabilities, and enhance proactive cybersecurity capabilities[2][3].
- Post-Quantum Cryptography (PQC): The EO calls for preparation and adoption of quantum-resistant technologies by 2025-2030. This strategic move aims to accelerate the development and deployment of post-quantum cryptographic standards to secure systems against emerging quantum computing threats[1].
- IoT Security: The order explicitly highlights the need to secure Internet of Things (IoT) devices as part of federal cybersecurity priorities, aligning federal policy to tackle growing risks in IoT device security, which are integral to critical infrastructure and government operations[2].
- Reduction in Federal Oversight and Attestations: The amendments remove certain federal requirements such as CISA attestations, signaling a strategic pivot to reduce federal mandates and oversight, expecting organisations to independently enhance cybersecurity capabilities[1][5].
In addition, because of the updated guidance on software security, vendors will no longer be able to fulfil their responsibilities with vague security claims. The National Institute of Standards and Technology is being directed to update and enforce secure software development guidance (SP 800-218 and SP 800-53) with hard deadlines starting August 2023.
For a lasting impact, there is a need to channel this momentum into more durable directives, regulatory frameworks, and legislation. The EO opens the door for the community, which includes practitioners, policymakers, and vendors, to walk through and lock in the changes.
- Reimagined Federal Workforce: The updated software security guidelines, backed by hard deadlines starting in August 2023, necessitate a reimagined federal workforce that is adept at handling data, cloud-computing and other technology-related cybersecurity challenges.
- Secured Federal Cybersecurity Ecosystem: The federal workforce, under the new directives, will work towards securing the entire cybersecurity ecosystem, including software delivery, AI security, post-quantum cryptography, IoT security, and other revised frameworks, outlined in President Trump's Executive Order 14306.