The Impact of Trump’s Cybersecurity Executive Order

On June 6, 2025, the current White House administration issued amendments to Executive Order (E.O.) 13694 and E.O. 14144. The amendments, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, had been expected for several months and, like many others that preceded them, remove regulations and barriers for commerce.

Surprisingly, the amendment leaves in place most of the prior administration’s requirements, with two notable exceptions: software security and digital identity. This article focuses on these two exceptions, while touching on the amendments’ impacts to AI.

Software Security Compliance

President Biden’s E.O. 14144 directed the Office of Management and Budget (OMB) to update the Federal Acquisition Regulation to require software providers to submit machine-readable secure software development attestations and high-level artifacts to validate them. The Cybersecurity and Infrastructure Security Agency (CISA) would have validated the vendor’s attestations through its Repository for Software Attestation and Artifacts (RSAA). The Office of the National Cyber Director would publish the results of validation tests, and CISA would refer attestations that fail validation to the U.S. Attorney General.

Trump’s amendment returns us to E.O. 14028, Improving the Nation’s Cybersecurity (May 2021), with vendors having to self-attest that they conform with secure software development practices – but without artifacts to support their claim. Per OMB M-23-16, Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (June 2023), the requirement for agencies to collect self-attestations from software vendors remains in effect. Note: In March 2024, CISA launched the RSAA to centrally collect attestation forms while federal departments and agencies continue to assume the risk.

NIST is now tasked to establish an industry consortium by August 1, 2025. The consortium will help NIST develop guidance that “demonstrates the implementation of secure software development, security, and operations practices.” Having industry collaborate with the government is usually a good thing, with the outcome being a new Special Publication.

Per the amendment, NIST is tasked with publishing a preliminary update to the Secure Software Development Framework by December 1, 2025, including “practices, procedures, controls and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.”

Mandatory, machine-readable software security compliance attestations, coupled with the submission of artifacts to support the claim, provide assurance that software in the federal government’s supply chain and procurement is secure and not riddled with security flaws. The current administration significantly derailed that momentum by eliminating artifacts to support attestations, while calling on NIST for guidance and assembling a voluntary industry consortium. Having NIST develop guidance is always good, but softening requirements weakens our national security.

Digital Identity

While the White House has been on a quest to root out fraud, waste, and abuse, it may want to take a mulligan in striking support for digital identity, since it is a critical component of cybersecurity and reducing fraud. I anticipated the current administration would amend and not rescind Biden’s E.O.s; however, I was very surprised that the digital identity components were eliminated. With a public message of being laser-focused on combatting fraud, waste, and abuse, striking digital identity makes zero sense – especially when millions of Americans receive breach notifications so often that they sadly have become viewed as junk mail.

Given the significant onslaught of cyberattacks from nation-state actors (called out by name in the E.O.) and domestic cyber criminals, along with the rapid advancement of AI and the unknown perils that quantum computing will pose for cybersecurity professionals, support for digital identity should be a top initiative.

Three Biden administration digital identity initiatives were struck by the current administration’s amendment: Mobile Driver Licenses, Attribute Validation Services, and the Identity Information Use Notification Pilot.

Mobile Driver Licenses (mDLs)

Biden had tasked:

  • Federal agencies to consider providing federal grants to states to develop and issue mDLs. Note: Like a physical driver’s license, states issue mobile driver licenses, not the federal government.
  • NIST to issue guidance on using mDLs for remote verification and direct agencies to consider accepting mDLs to access public benefits programs.
  • NIST, through the National Cybersecurity Center of Excellence, to support remote digital identity verification using mDLs that will help issuers (states) and verifiers (e.g., agencies or retailers) of mDLs.

The truth is the amendment does not terminate state-issued mDLs. However, it forces states to assume 100% of the costs.

Attribute Validation Services

This initiative directed the Social Security Administration and other agencies chosen by OMB to consider using attribute validation services (i.e., “Yes/No” validation services) in government-operated identity verification systems and public benefits programs.

Since it is the government and not commercial entities and credit bureaus who are the authoritative sources for each of our identities, it makes little sense for the government not to play a critical role in identity verification. Attribute validation services are well-covered in my Thoughts on President Biden’s Cybersecurity Executive Order post in January, where I advocate for expanding attribute validation services as they can help thwart identity thieves, improve identity assurance, and reduce fraud.

Identity Information Use Notification Pilot

The Treasury and General Services Administration (GSA) were to notify individuals and entities when their identity information is used to request payment from a public benefits program, with the option to stop potentially fraudulent transactions before they occur and report fraudulent transactions to law enforcement entities.

While this administration boldly calls out nation states in the amendment, ensuring national security and protecting the country from external threats is a fundamental role the federal government provides to its citizens. Protection is not limited to the Department of Defense and Department of Homeland Security, as other agencies like the Treasury and GSA can certainly contribute. In the digital world, knowing when our identity information is used and empowering a citizen to stop potential fraud is beneficial to the individual, the benefits program, and the government. This type of solution should be enabled across all government programs as well as the private sector.

Artificial Intelligence

In 2025, it is neglectful not to mention AI when discussing almost anything, especially cybersecurity.

Both administrations include a focus on addressing AI software vulnerability management. Under the Trump amendment, by November 1, 2025, agencies “shall incorporate management of AI software vulnerabilities and compromises into their respective agencies’ existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”

Removed by the new administration are focus areas on “promoting security with and in Artificial Intelligence,” while tasking multiple departments to support cyber defense and prioritize funding for AI cybersecurity research.

Conclusion

The stark contrast between President Trump’s and President Biden’s cybersecurity E.O.s reflects divergent visions for securing the digital infrastructure of the United States. While Biden’s January 2025 E.O. reaffirmed the federal government’s commitment to Zero Trust, secure software development practices, and support for remote digital identity verification and the acceptance of digital identity documents (including mobile driver licenses in public benefits programs), Trump’s order rolls back key safeguards – most notably by eliminating requirements to advance digital identity and supporting artifacts in software attestations. The latter undermines transparency and accountability in the software supply chain at a time when adversaries are growing more sophisticated. As the federal cybersecurity community evaluates these changes, the long-term implications for trust, resilience, and compliance must be carefully weighed.

A future blog will discuss the AI requirements in Trump’s amendment, along with other AI-related policies.
