Trump Administration’s New Executive Order: Key Changes to Federal Cybersecurity Policy
Trump Administration Overhauls Federal Cybersecurity Policy With New Executive Order
The Trump Administration has issued a new executive order that significantly modifies existing federal cybersecurity policies, removing several Obama and Biden-era security requirements and introducing new guidelines for comprehensive enterprise cybersecurity strategy and implementation.
The order marks a substantial shift in U.S. cybersecurity strategy, eliminating mandatory software security attestations and narrowing the scope of who can be sanctioned for cyber attacks. These changes come as cyber threats continue to evolve globally, a trend that requires organizations to adopt zero trust network access principles for enhanced security.
Changes to Existing Policy Framework
The executive order specifically targets Executive Orders 14144 and 13694, making several key modifications:
- Removes the requirement for software developers to submit attestations validating secure development practices
- Restricts sanctions to only "foreign persons" involved in hacking operations, rather than "any person"
- Eliminates mandates for U.S. government-issued digital IDs for undocumented immigrants
- Establishes new collaboration with industry through the National Cybersecurity Center of Excellence (NCCoE)
Industry Response and Implications
Security experts have expressed mixed reactions to the policy changes. Dave Gerry, CEO at Bugcrowd, warns that rolling back secure software attestations could be problematic. "This order walks away from important lessons," Gerry states. "Narrowing sanctions to only apply to foreign actors leaves a clear gap, especially when we've seen domestic enablers working in lockstep with foreign adversaries."
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, offers a technical perspective: "With this new executive order, the current administration reverses the software attestation requirements established in OMB memo M23-16 which was authorized under EO14028."
Future Focus on Standards and Innovation
The administration is expected to release more prescriptive guidance through NIST in 2025. Organizations, particularly small and medium businesses implementing cybersecurity measures, should prepare for significant changes. The order emphasizes:
- Collaboration with industry through NCCoE
- Focus on NIST publications SP 800-218 and SP 800-53
- Recognition of open-source technologies' role in American innovation
- Attention to unique risks posed by open-source software
This policy shift represents a significant change in how the federal government approaches cybersecurity, with implications for both public and private sector organizations. As these changes take effect, businesses and security professionals will need to adapt their compliance and security strategies accordingly.