In June 2025, President Trump signed Executive Order 14306 (EO), titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” which amends and supersedes portions of President Biden’s[1] and President Obama’s[2] executive orders on cybersecurity. The EO was accompanied by a Fact Sheet, which provides further reasoning for the revisions. Although the EO amends and supersedes portions of President Biden’s and President Obama’s executive orders, it generally leaves the framework established by these orders in place. Below, PilieroMazza outlines key takeaways from the EO that government contractors must be aware of to stay compliant with changes to the federal government’s AI and cybersecurity policy.
Focus on Significant Foreign Cyber Threat Actors
The EO identifies China as the most active and persistent cyber threat to the United States government, the private sector, and critical infrastructure, and names Russia, Iran, and North Korea as significant cyber threat actors as well. It also narrows the cyber sanctions authority of EO 13694 so that it applies only to foreign cyber threat actors.
Secure Software Development and Elimination of Requirement for CISA Attestations
The EO continues to emphasize secure software development. It directs the Secretary of Commerce, acting through NIST, to establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance for implementing secure software development, security, and operations consistent with NIST Special Publication 800-218, the Secure Software Development Framework (SSDF). It also directs NIST to develop and publish a preliminary update to the SSDF that adds practices, procedures, controls, and implementation examples for the secure and reliable development, delivery, and security of software.
The EO also eliminates the requirement in Biden's EO that contractors submit attestations to the Cybersecurity and Infrastructure Security Agency (CISA) regarding their software's compliance with secure software development practices. Biden's EO directed agencies to procure software only from providers that attested that the software was developed in compliance with specified secure software development practices, and directed the Federal Acquisition Regulation (FAR) Council to amend the FAR to require software providers to submit those attestations to a central repository operated by CISA. The Trump EO strikes both the requirement that contractors submit the attestation form to CISA's repository for validation and the directive to the FAR Council. Note what the EO does not do: it amends executive policy, but it does not by itself modify existing contract clauses, so government contractors that provide software to the government remain obligated to comply with the secure software development practices, and any software-related attestation requirements, written into their contracts. Contractors should review those contracts carefully and continue to comply with all software development requirements in them unless and until the contract is amended to remove such requirements.
Aligning Policy to Practice
The EO emphasizes that agency policies should align investments and priorities with improving network visibility and security controls in order to reduce cyber risk. To that end, it directs the Office of Management and Budget (OMB) to issue guidance, including any necessary revisions to OMB Circular A-130, "Managing Information as a Strategic Resource," to address critical risks and adopt modern practices and architectures across federal information systems and networks. It also directs the establishment of a pilot program for a rules-as-code approach, under which OMB, NIST, and CISA would publish and maintain machine-readable versions of the cybersecurity policy and guidance they issue. Lastly, the EO directs the FAR Council to take steps to amend the FAR to require that vendors supplying consumer Internet-of-Things products (as defined in 47 C.F.R. § 8.203(b)) to the federal government carry the "United States Cyber Trust Mark" label on those products.
Elimination of Digital Identity Requirements
Citing the risk that such mechanisms facilitate fraud, the EO removes the prior directives that government agencies accept digital identity documents for public benefits programs.
Impact on Artificial Intelligence (AI)
The Fact Sheet explains that the EO "refocuses artificial intelligence (AI) cybersecurity efforts towards identifying and managing vulnerabilities, rather than censorship." This is consistent with the AI policies the Trump Administration expressed in its recent OMB memoranda on AI, which embrace its use within the federal government. The EO states, "[a]rtificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense." While concerns remain that AI can generate false content and create security risks, this EO directs the government to use AI to its advantage in cyberspace rather than focusing on defending against its use.
The EO mandates that by November 1, 2025, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, working with the Executive Office of the President, the Office of Science and Technology Policy, the Office of the National Cyber Director, and the Director of OMB, must "incorporate management of AI software vulnerabilities and compromises into their respective agencies' existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems." This builds on the policies discussed in our prior blog covering OMB Memo M-25-21, which called for proactive, interagency cooperation in the development of AI. Under this EO, AI systems and their associated software are to be folded into the same vulnerability identification, patching, incident tracking, and incident response processes that agencies already apply to traditional software, including the sharing of indicators of compromise specific to AI systems. Although the directive is addressed to agencies, contractors that build or operate AI systems for those agencies should expect the resulting vulnerability management and incident reporting expectations to flow down through their contracts.
If you have questions regarding this EO, cybersecurity, or AI generally, please contact Jackie Unger, Joseph Loman, Ryan Boonstra, or another member of PilieroMazza’s Government Contracts, Cybersecurity and Data Privacy, or Intellectual Property & Technology Rights practice groups. Also, visit our Government Contract Executive Orders resource center for additional coverage.
________________
[1] EO 14144, Strengthening and Promoting Innovation in the Nation’s Cybersecurity
[2] EO 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities