ARTICLE
12 June 2025

President Trump Signs Cybersecurity Executive Order

Mayer Brown

Contributor


OVERVIEW

On June 6, 2025, President Donald Trump issued a new Executive Order (EO), "Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144," which both amends and supersedes portions of President Biden's January 2025 EO 14144 (which we discussed in a January Legal Update) and revises President Obama's 2015 EO 13694.

The new directive preserves many of the strategic aims of the previous Administration, such as the focus on secure software development, federal network visibility, and combating malicious cyber-enabled activities. However, it alters the federal government's approach, including by narrowing the scope of the prior EO's directives, removing some of the most prescriptive requirements imposed by the Biden EO, and ending certain digital identity initiatives.

The EO also places a renewed emphasis on the use of artificial intelligence (AI) to enhance cybersecurity, asserting that AI "has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense."

Companies that develop or provide software, hardware, cloud services, or other digital products and services to US federal agencies may particularly benefit from familiarizing themselves with the updated EO and considering its implications for cybersecurity risk management as well as government engagement.

KEY THEMES AND STRATEGIC SHIFTS

Less Prescription, More Flexibility: The EO eliminates many of the detailed directives and deadlines imposed on agencies by the prior EO.

Continued Emphasis on Modernization: The EO reaffirms federal cyber priorities, such as improved cloud security, threat hunting, space systems protection, and preparation for post-quantum computing (PQC), albeit with more discretion left to agencies on implementation.

Targeted AI Security Focus: The EO narrows contemplated federal government activities on artificial intelligence cybersecurity, concentrating on vulnerability tracking and mitigation rather than broader research or sector-specific pilot programs.

Elimination of Digital Identification Efforts: The EO withdraws directives regarding the increased use and offering of digital identification documents. The Fact Sheet accompanying the EO asserts that these directives would have "facilitated entitlement fraud and other abuse" by foreign nationals.

SUMMARY OF KEY SECTIONS

Below we provide a summary of the resulting EO after implementing the changes directed by President Trump:

Sec. 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains: The Department of Commerce will, through NIST, update the Secure Software Development Framework (SSDF) and NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and convene a public-private consortium to develop further guidance. However, the EO rescinds EO 14144's mandate to implement CISA attestation requirements into the FAR.

Sec. 3. Improving the Cybersecurity of Federal Systems: Agencies must continue improving network visibility, strengthening cloud configurations, and enabling CISA to conduct proactive threat hunting through its Persistent Access Capabilities initiative. The EO also calls for enhanced FedRAMP security baselines and the protection of space systems. Specific pilots on phishing-resistant identity management have been rescinded.

Sec. 4. Securing Federal Communications: The EO maintains directives related to secure internet routing, encryption of DNS traffic, and planning for a government-wide transition to PQC. It withdraws specific requirements to include PQC support in all relevant agency solicitations, and omits earlier mandates for end-to-end encryption of government email exchanges.

Sec. 5. Promoting Security with and in Artificial Intelligence: The Departments of Defense and Homeland Security must incorporate AI-related software vulnerabilities into existing vulnerability management programs. The EO withdraws broader directives for AI security research and energy-sector pilot projects.

Sec. 6. Aligning Policy to Practice: Agencies must prioritize investments that enhance network visibility and security controls. In addition, the FAR Council must implement a "US Cyber Trust Mark" consumer Internet of Things labeling requirement for relevant vendors to the federal government. The EO removes explicit references to zero trust architecture, endpoint detection and response deployment, and vendor concentration risks.

Revisions to Executive Order 13694: The EO limits the application of cyber sanctions only to "foreign persons," reflecting a policy decision to cabin potential liability against US persons.


© Copyright 2025. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
