On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration.  Specifically, the Order (i) directs that existing federal government regulations and policy be revised to focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things (“IoT”) devices and (ii) more expressly focuses cybersecurity-related sanctions authorities on “foreign” persons.  Although the Order makes certain changes to prior cybersecurity related Executive Orders issued under previous administrations, it generally leaves the framework of those Executive Orders in place.  Further, it does not appear to modify other cybersecurity Executive Orders.[1]  To that end, although the Order highlights some areas where the Trump administration has taken a different approach than prior administrations, it also signals a more general alignment between administrations on core cybersecurity principles.

The first section below provides a summary of revisions to existing federal government policy.  The second section provides a chart of new directives to federal government departments and agencies.

Amendments to Prior Orders

The new Order seeks to amend existing federal government policies and regulations (as previously set by Executive Orders 14144 and 13694) to: (i) remove certain requirements for secure software development attestations, directives tied to acceptance of digital identity documentation, and certain technical hardening measures for identity verification and email encryption, and (ii) more expressly focus cybersecurity-related sanctions authorities specifically to foreign (as opposed to any) cyber threat actors that target U.S. critical infrastructure.

  • Secure Software Acquisition:  The Order removes certain requirements relating to secure software attestations that federal government contractors must submit to contracting agencies.  This includes elimination of the requirement that attestations must be in machine readable format.  This also includes elimination of the directive for centralized validation of software attestations by the Cybersecurity and Infrastructure Security Agency (“CISA”).  Likewise, the associated directive to the Federal Acquisition Regulatory Council to amend the Federal Acquisition Regulation (“FAR”) to incorporate those requirements has also been eliminated.  The Fact Sheet accompanying the Order notes that one goal was to eliminate requirements for “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”  However, the Order did not address the more general requirement for software attestations that appeared in the May 2021 Executive Order No. 14028 “Improving the Nation’s Cybersecurity,” as implemented through Office of Management and Budget (“OMB”) Memoranda (M-23-16 and M-22-18) and the CISA Common Self-Attestation Form.  Thus, it is unclear whether this Administration will promulgate regulations that would implement those requirements from the 2021 EO within the FAR, suspend any requirement for further attestations until NIST issues the final update of its Secure Software Development Framework required by the Order, eliminate the requirement for attestations altogether, or impose attestation requirements  on a contract-by-contract basis and continue to maintain the CISA repository for those forms.
  • Solutions to Combat Cyber Crime and Fraud:  The Order removes prior directives for federal government agencies to accept digital identity documentation (e.g., digital driver’s licenses) for public benefit programs.
  • Identity Technologies: The Order removes prior requirements for the Federal Civilian Executive Branch (“FCEB”) to deploy commercial phishing-resistant standards such as “WebAuthn.”
  • Email Encryption: The Order removes a directive to OMB to require the expanded use of authenticated transport-layer encryption (“TLS”) between email servers used by FCEB agencies to send and receive emails.
  • Quantum Computing:  The Order scales back quantum computing initiatives, included as part of National Security Memorandum 10 (“NSM-10”)(“On Promoting United States Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems,” May 4, 2022) implemented through OMB Memorandum (M-23-02), that required federal agencies to adopt post-quantum cryptography (“PQC”) as quickly as feasible and encourage technology vendors to do the same, as well as pushing for it being accepted internationally.  The Order retains only a requirement for CISA to maintain a list of product categories where PQC-enabled tools are widely available.
  • Artificial Intelligence (“AI”): The Order amends E.O. 14144’s existing approach to security with and within AI as well as E.O. 14110 (“Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” October 30, 2023), which encouraged AI-driven collaboration across industry and had tasked federal agencies with aggressively exploring artificial intelligence for cybersecurity defense.  The Order instead takes a more focused view, requiring agencies to make existing datasets for cyber defense research accessible to the academic community to the extent feasible and for agencies to incorporate AI software vulnerabilities and compromises into their existing processes for vulnerability management and disclosure.
  • Focus on “Foreign” Cyber Threat Actors: The Order amends existing cybersecurity-related sanctions authorities for malicious actors engaged in cyber-enabled activities that pose a threat to U.S. national security, foreign policy, economic health, or financial stability, including those targeting U.S. critical infrastructure, to limit these authorities to foreign malicious actors and thereby more clearly excluding domestic individuals or activities from the scope of the authorities.  The accompanying Fact Sheet further explains that the focus on foreign malicious actors is to prevent “misuse” of the sanctions authorities “against domestic political opponents,” and clarifies that “sanctions do not apply to election-related activities.”  The Order and the accompanying Fact Sheet do not provide any additional information about whether the amendments are intended to exempt foreign cyber operations directed at U.S. election activities, though the underlying sanctions authorities do still address malicious cyber-enabled activities that involve “tampering with, altering, or causing a misappropriation of information with the purpose of or that involves interfering with or undermining election processes or institutions.”

The Federal Communications Commission’s cybersecurity labeling program, Cybersecurity Labeling for Internet of Things (proposed rule, 47 CFR Part 8) has remained.  This program was modeled after the Energy Star efficiency label and will certify internet-connected consumer products, such as IoT devices, based on whether they meet certain cybersecurity criteria verified by accredited labs.

Timeline of New Directives

The below table outlines the directives to federal government departments and agencies, including: the Departments of Commerce, Defense, Energy, and Homeland Security as well as CISA, OMB, the National Institute of Standards and Technology (“NIST”), the Office of the Director of National Intelligence (“ODNI”), the National Security Agency (“NSA”), the National Science Foundation (“NSF”), the Office of Science and Technology Policy (“OSTP”), and the Office of the National Cyber Director (“ONCD”).[2]

Table 1:  Summary of directives to Departments and Agencies.

[1] Section 2 also provides, “Except as specifically provided for in subsection 4(f) of [Executive Order 14144], sections 1 through 7 of [Executive Order 14144] shall not apply to Federal information systems that are NSS or are otherwise identified by the Department of Defense or the Intelligence Community as debilitating impact systems.”

[2] For example, the Order does not rescind or modify Biden’s Executive Order 14028 (“Including Biden’s Executive Order 14028”). 

Tags: Artificial Intelligence, Artificial Intelligence (AI), Cybersecurity, U.S. National Cybersecurity Strategy Cybersecurity Data Security
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Read more about Ashden FeinEmail
Show more Show less
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
Federal Acquisition Security Council (FASC) regulations and product exclusions,
Controlled unclassified information (CUI) obligations, and
M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

Procurement fraud and FAR mandatory disclosure requirements,
Cyber incidents and data spills involving sensitive government information,
Allegations of violations of national security requirements, and
Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Read more about Susan B. CassidyEmail
Show more Show less
Photo of Robert Huffman Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing…

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Read more about Robert HuffmanEmail
Show more Show less
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Read more about Micaela McMurroughEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Joshua Williams Joshua Williams

Josh Williams helps clients assess and manage the impact of U.S. economic sanctions and export controls on their global operations. He has deep expertise in the economic sanctions laws and regulations administered and enforced by the U.S. Treasury Department and State Department, and…

Josh Williams helps clients assess and manage the impact of U.S. economic sanctions and export controls on their global operations. He has deep expertise in the economic sanctions laws and regulations administered and enforced by the U.S. Treasury Department and State Department, and in the export control laws and regulations administered and enforced by the U.S. Commerce Department, State Department, and Census Bureau.

Josh advises leading U.S. and non-U.S. companies across a range of industries, including companies operating in the energy, financial services, pharmaceutical, technology, aerospace and defense, telecommunications, consulting, and consumer products sectors.

Josh regularly assists clients with complex trade controls compliance, enforcement, licensing, and transactional matters. He also has significant experience leading trade controls risk assessments and counseling companies seeking to develop or strengthen their compliance programs.

Read more about Joshua WilliamsEmail
Show more Show less
Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain…

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Read more about Ryan BurnetteEmail
Show more Show less
Photo of Shayan Karbassi Shayan Karbassi

Shayan Karbassi helps clients across industries navigate complex national security and cybersecurity matters to include government and internal investigations, incident and crisis response, regulatory compliance, and litigation.

As part of his cyber practice, Shayan assists clients with cybersecurity incident response and notification obligations…

Shayan Karbassi helps clients across industries navigate complex national security and cybersecurity matters to include government and internal investigations, incident and crisis response, regulatory compliance, and litigation.

As part of his cyber practice, Shayan assists clients with cybersecurity incident response and notification obligations, government and internal investigations of False Claims Act (FCA) issues and insider threats, and compliance with new and evolving federal and state cybersecurity regulations. Shayan also advises U.S. government contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), Federal Risk and Authorization Management Program (FedRAMP), and other U.S. government cybersecurity regulations.

More broadly, Shayan helps clients navigate potential civil and criminal legal risks stemming from operations in certain high-risk jurisdictions. This includes advising clients on U.S. criminal and civil antiterrorism laws, conducting internal investigations of terrorism-financing and related issues, and litigating Anti-Terrorism Act (ATA) claims.

Shayan maintains an active pro bono litigation practice with a focus on human rights, freedom of information, and free media issues.

Before joining Covington, Shayan served as a member of the U.S. intelligence community, where he routinely provided strategic analysis to the President and other senior U.S. policymakers.

Read more about Shayan KarbassiEmail
Show more Show less
Photo of Sierra Stubbs Sierra Stubbs

Sierra Stubbs advises clients on a wide range of cybersecurity, data privacy, artificial intelligence, and public policy matters. As part of her data privacy and cybersecurity practice, Sierra helps clients navigate government and internal investigations, cybersecurity incident response, and compliance with U.S. state…

Sierra Stubbs advises clients on a wide range of cybersecurity, data privacy, artificial intelligence, and public policy matters. As part of her data privacy and cybersecurity practice, Sierra helps clients navigate government and internal investigations, cybersecurity incident response, and compliance with U.S. state and federal privacy and cybersecurity laws and standards. As part of her public policy practice, Sierra supports the development of clients’ public policy strategies and initiatives, including those related to intellectual property, innovation, and artificial intelligence.

Prior to joining Covington, Sierra served in the Office of the Chief of Staff to the U.S. Secretary of Commerce, most recently as a Special Advisor.

Read more about Sierra StubbsEmail
Show more Show less
Krissy Chapman

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal…

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.

Read more about Krissy ChapmanEmail
Show more Show less