Industry Reactions to Trump Cybersecurity Executive Order: Feedback Friday

Industry professionals comment on the Trump administration’s new executive order on cybersecurity. 


President Donald Trump has signed a new cybersecurity executive order that, according to the White House, amends problematic elements of executive orders from the Biden and Obama administrations.

Executive Order 14306 aims to improve software development, Border Gateway Protocol (BGP) security, post-quantum cryptography (PQC), AI security, IoT security, encryption, and sanctions, as well as to prevent the abuse of digital identities.

It targets EO 14144 — signed by Biden in January 2025 — removing a section that encourages the acceptance of digital identity documents, over fraud concerns. 

For software security, the Biden EO mandated attestations for federal contractors, which the new EO removes. In the case of PQC, the Trump EO simplifies the implementation roadmap.

The new executive order also targets EO 13694, which Obama signed back in 2015 to enable authorities to sanction entities that conduct cyberattacks against the US. Trump and Biden had extended that order, but the president has now changed the phrasing to allow sanctions only against foreign persons rather than any person.  

Some professionals have pointed to changes they see as good for the industry, while others say they disagree with the modifications or have highlighted important aspects that need to be considered.

Dave Gerry, CEO, Bugcrowd: 

“This order walks away from important lessons. Rolling back secure by design software attestations and limiting sanctions to only foreign actors sends the wrong message at the wrong time. Those were put in place to reduce risk across the supply chain. Also, narrowing sanctions to only apply to foreign actors leaves a clear gap, especially when we’ve seen domestic enablers working in lockstep with foreign adversaries. 

The shift toward voluntary guidance sounds nice, however, in practice it often means slower adoption and fewer safeguards. It’s hard to see how this makes us safer. Cybersecurity should be a nonpartisan commitment to national resilience – not a political bargaining chip.”


Tim Mackey, Head of Software Supply Chain Risk Strategy, Black Duck:

“With the executive actions that took place early in the current administration, it was notable that the cybersecurity executive orders from the previous administration were left untouched. With EO 14306, the current administration reverses the software attestation requirements established in OMB memo M-23-16, which was authorized under EO 14028. By modifying EO 14144, which was an extension of EO 14028 and built upon lessons learnt in industry, this effectively limits the impact of EO 14028.

What we should expect to see is a more prescriptive set of guidance documents from NIST in 2025; including updated secure software development framework (SSDF). By establishing a consortium with industry at the NCCoE, this executive order signals a desire by the administration to collaborate with industry on advancing the nation’s cybersecurity skills and competencies. With a focus on NIST publications SP800-218 and SP800-53, the administration recognizes that deploying secure software starts during development following secure by design principles, and ultimately cybersecurity success is based on securely deploying that software following a secure by default model. Lastly, EO 14306 recognizes both the contributions open-source technologies bring to American innovation, but also the unique risks they pose.”

Dustin Lehr, Application Security Advocate, Security Journey:

“President Trump’s executive order marks a pivotal shift in national cybersecurity strategy as it places secure software development front and center. By directing NIST to update the Secure Software Development Framework (SSDF) and tasking a new industry consortium with implementation guidance, the order acknowledges a hard truth: secure software must be a foundational design principle, not an afterthought. Long-term, this policy could reshape federal procurement expectations, inspire stronger software liability norms, and send a clear signal that provable secure development practices are now table stakes, not differentiators.

Innovation, whether it’s a new product feature or a breakthrough technology like AI, only succeeds when people trust that the systems behind it are built with quality and security in mind from the start. That trust isn’t just a safeguard against business risk; it’s also a smart investment that drives productivity. Fixing flaws late in the development cycle is significantly more expensive than addressing them early, which is why regular, practical education in engineering best practices and secure coding are essential to meeting the intent of this executive order. When quality is treated as a proactive part of development, and not a last-minute checkbox, it strengthens resilience, reduces breach-related costs, and accelerates the pace of safe, sustainable innovation.”

Nathan Jones, VP of Public Sector, Sonar:

“Even with new compliance requirements from the Executive Order, the fundamental threat landscape remains the same. Agencies still bear the unchanged responsibility of safeguarding their mission and data. The smartest federal CIOs and CISOs will, and must, continue to demand a high standard from their software partners.

Specifically, there should be a continued demand for transparency from vendors. Ask for SBOMs; ask them to attest to their secure development practices. The most responsible vendors will have no problem providing this. SBOMs and SSDF processes are still tools and important for agencies to get ATOs (Authorization to Operate) for COTS (Commercial Off-The-Shelf) proprietary software, third-party open source, or their own created application code.

It’s also important to focus inward — you can’t control policy, but you can control your own development culture. Embed security directly into your development process with a focus on quality, and don’t let it be an afterthought. True security of software is a continuous practice; artifacts and things are changing but the main goal is to get everyone focused on it being a normal part of processes.”

Karl Holmqvist, Founder and CEO, Lastwall:

“The Trump administration’s executive order, with its seemingly bureaucratic acceleration of post-quantum cryptography timelines, represents far more than administrative efficiency. It is a controlled detonation of our current security paradigm.

The mathematics are unforgiving: every encrypted transaction, every secure communication, every protected database becomes as vulnerable as a diary left open on a park bench once a cryptographically relevant quantum computer emerges. The executive order’s timeline, requiring new security protocols by 2030, reflects a sobering reality that intelligence communities understand but rarely say publicly: the emergence of a cryptographically-relevant quantum computer (CRQC) is not a question of if, but when. And the “when” appears closer than most technology leaders want to admit. The 2030 deadline isn’t arbitrary; it’s a countdown clock.

[…]

The challenge facing organizations today requires maintaining current security while replacing its very foundations at the same time. The ability to rapidly update cryptographic systems—what we call crypto-agility—becomes not just a technical requirement but an existential necessity.

The executive order’s seemingly modest administrative adjustments mask a profound acknowledgment: the quantum era of cybersecurity has begun in earnest—not in laboratories or academic papers, but in policy and procurement requirements.”

Ofer Friedman, Digital ID and Identity Fraud Expert, AU10TIX:

“The debate around this executive order centers on the intersection of politics, legislative language, and technology, with a major concern being the potential for government-supported entitlement fraud.

From a technology standpoint, mobile device-based, encrypted digital identity credentials represent the current gold standard. Breaking such encryption is considered nearly impossible without substantial computing power and specialized expertise.

However, the transition to mobile encrypted identity credentials could open new avenues for fraud. Millions of people will need to migrate from physical documents (plastic cards and paper IDs) to digital ones. One major concern is that sophisticated fraudulent physical documents could slip through verification processes, resulting in compromised digital identities. Another critical issue is data completeness. What happens to individuals whose records are missing or outdated? These exceptions could represent a substantial challenge.

In short, mobile IDs are technically the most secure option available today, but the issuance process requires careful planning and safeguards.

On the technical front, tools for multi-layered forgery detection are robust, particularly when case-level analytics are combined with velocity-based risk detection. So, the hope is that a well-designed, end-to-end process can help mitigate these legitimate concerns.”

Michael Smith, Field CTO, DigiCert:

“While much attention has been paid to the rollback of software security attestation and validation requirements in the updated Executive Order, it’s important to recognize that the EO also reinforces critical components of the NIST Secure Software Development Framework (SSDF). 

The SSDF continues to emphasize foundational best practices—such as software provenance through code signing and risk transparency through Software Bills of Materials (SBOMs). We are encouraged by the continued relevance and support of these practices, which are vital to national and global cybersecurity resilience.

Additionally, the updated EO reflects a positive shift in tone on BGP security—from philosophical encouragement to pragmatic guidance. This move signals meaningful progress toward improving the resilience of internet infrastructure by providing clearer expectations and actionable direction for implementation.”


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
