Trump scraps Biden software security, AI, post-quantum encryption efforts in new executive order

Trump scraps Biden software security, AI, post-quantum encryption efforts in new executive order

President Donald Trump signed an executive order on Friday that eliminated or revised several key cybersecurity initiatives launched by the Biden administration. The White House justified the move by accusing the previous administration of attempting to "sneak problematic and distracting issues into cybersecurity policy" in its final days.

Key Programs Eliminated or Revised:

• Software Security Requirements: The order eliminates mandates for federal contractors to provide "secure software development attestations" and supporting data. It also scraps requirements for the Cybersecurity and Infrastructure Security Agency (CISA) to verify these attestations and for the Office of the National Cyber Director (ONCD) to publish results and refer failures to the Department of Justice. The Trump administration called these requirements "imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments." While NIST will continue collaborating with industry on software security standards, the requirement for federal vendors to follow them is removed.
• AI in Cyber Defense: Initiatives to test AI's capability in critical infrastructure cyber defense, prioritize federal research into AI-powered coding security and secure AI system design, and require the Pentagon to use advanced AI for cyber defense were all cut.
• Post-Quantum Encryption (PQC): The push to accelerate government adoption of quantum-resistant encryption was significantly scaled back. Requirements for agencies to use PQC "as soon as practicable" and for vendors to use it when technologically possible were eliminated. Only the requirement for CISA to maintain a list of available PQC products remains. Efforts to encourage foreign allies to adopt NIST's PQC algorithms were also dropped.
• Other Cuts: Provisions requiring agencies to test phishing-resistant authentication, NIST to advise on internet routing security, and agencies to use strong email encryption were removed. Guidance on addressing IT vendor concentration risks and digital identity initiatives were also eliminated, with digital identity efforts described as "inappropriate."

Program Preserved:

• The Federal Communications Commission (FCC) program to apply government seals of approval to technology products undergoing security testing remains intact. The requirement for companies selling internet-of-things (IoT) devices to the federal government to go through this program by January 2027 was preserved.

The order also tweaked Obama-era sanctions authorities for cyberattacks, specifying they apply only to foreigners, which the White House stated would prevent "misuse against domestic political opponents."

President Trump emphasized the administration's focus on "technical and organizational professionalism to improve the security and resilience of the nation’s information systems and networks."