President Donald Trump has signed a new executive order that to a great extent reverses the cybersecurity policies put in place by the Biden administration, especially when it comes to software security requirements for federal contractors.
The new directive represents a dramatic change of focus, attempting to simplify and frame federal cyber policy to focus on more “concrete technical measures,” the White House says.
The Biden administration had imposed the strictest compliance requirements possible on software providers, as evidenced by the January 2025 Executive Order 14144.
Those included requiring federal contractors to make “secure software development attestations,” sometimes backed up by technical data that would support those claims.
The previous order also directed the Cybersecurity and Infrastructure Security Agency (CISA) to audit those attestations, and the Office of the National Cyber Director (ONCD) to issue the results of those audits.
The new Trump order largely disposes of those specific provisions. These changes, the White House contended, were necessitated by the fact that the Biden administration was “trying to sneak problematic and distracting issues into cybersecurity policy” and for “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
NIST will still work with industry to update its Secure Software Development Framework (SSDF), but Trump’s order nullifies the requirement that federal vendors meet those updated security requirements. Also scrapped were Biden-era directives instructing NIST to offer guidance on minimum cybersecurity practices for federal contractors.
Outside of software security, the new executive order also scales back efforts around AI for cyber defense and a push toward rapid adoption of post-quantum cryptography. Biden’s order promised to test whether AI could be harnessed to protect the nation’s critical infrastructure and to invest in secure AI systems.
Trump’s directive has effectively swept aside most such conditions, though it does instruct the Commerce Department to collaborate with industry to enhance software protections and requires that federal defense, intelligence and homeland security agencies treat AI software flaws like any other kind of cyber risk.
While these reversals are substantial, parts of the Biden administration’s broader cybersecurity push remain in place. A Federal Communications Commission (FCC) program, similar to the Energy Star program, that adds a government seal of approval to technology products tested for security survived relatively unscathed.
That effectively means IoT devices that are sold to the federal government will still be required to have gone through this FCC program by January 2027.
The new order reflects a different philosophy, one that emphasizes what the Trump administration regards as necessary technical measures and strips out what it sees as overly prescriptive or politically motivated mandates. How fully these changes are implemented in federal software procurement, and what they mean for the overall cybersecurity posture, will become clear in the months ahead.