The NATION’s CYBERSECURITY AND AMENDING EXECUTIVE ORDER 13694 AND 14144

By the power granted to me as President by the Constitution and U.S. laws, such as the International Emergency Economic Powers Act (50 U.S. A. A. 1701 and later. Act on National Emergencies (50 U.S. S. A. 1601 et seq. The Immigration and Nationality Act of 1952, section 212(f) (8 U.S. S. A. It is hereby ordered in accordance with section 301 of title 3 of the United States Code and section 1182(f)).

Section 1. Executive Order 14144 Amendments. The following is an amendment to Executive Order 14144 of January 16, 2025, which focuses on fostering innovation in the country’s cybersecurity.

Subsections 2(a)–(b) are struck, and subsections 2(c), 2(d), and 2(e) are renamed as 2(a), 2(b), and 2(c), respectively;).

(b) striking subsection 2(e);’s first sentence.

(c) striking subsections 3(a)-(b) and redesignating subsections 3(c), 3(d), and 3(e) as subsections 3(a), 3(b), and 3(c), respectively;.

The statement “In Executive Order 14028, I directed the Secretary of Defense and the Secretary of Homeland Security to establish procedures to immediately share threat information to strengthen the collective defense of Department of Defense and civilian networks” (d) is taken out of subsection 3(c). “;.”.

The word “novel” is struck from subsection 3(c)(i)(A).

Subsection 4(b)(iv); is struck (f).

(g) highlighting subsections 4(d)(ii)–(iii);.

(h) renaming sections 6, 7, 8, 9, 10, and 11 as sections 5, 6, 7, 8, 9, and 10, respectively, and striking section 6.

(i) removing the language “in the areas of intrusion detection, use of hardware roots of trust for secure booting, and development and deployment of security patches” from subsection 8(c). “.”.

Second. 2. Updates to Executive Order 14144. The following is the amendment to Executive Order 14144.

(a) deleting section 1 and replacing it with the contents below.

“Part One.”. policy. Cyber campaigns targeting Americans and the United States are still being carried out by foreign countries and criminals. The People’s Republic of China is the most active and persistent cyberthreat to the US government, private sector, and vital infrastructure networks, but Russia, Iran, North Korea, and other countries that compromise US cybersecurity also pose serious risks. These campaigns cost billions of dollars, compromise the security and privacy of Americans, and interfere with the provision of essential services across the country. To strengthen cybersecurity in the country against these threats, more work needs to be done. With an emphasis on protecting our digital infrastructure, safeguarding the services and capabilities that are most important to the digital realm, and enhancing our capacity to handle major threats, I am directing further measures to strengthen our nation’s cybersecurity. “;.”.

(b) removing subsection 2(c) and replacing it with the following.

(c) The following steps must be taken by pertinent executive departments and agencies (agencies).

(i) Acting through the Director of NIST, the Secretary of Commerce must form a consortium with industry at the National Cybersecurity Center of Excellence by August 1, 2025, to create guidance that illustrates the use of secure software development, security, and operations practices based on NIST Special Publication 800-218 (Secure Software Development Framework (SSDF)). The consortium will provide input as needed.

(ii) The Secretary of Commerce will update NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) by September 2, 2025, through the Director of NIST, to include instructions on how to reliably and securely implement patches and updates.

(iii) The Secretary of Commerce will create and release an initial update to the SSDF by December 1, 2025, through the Director of NIST, after consulting with the heads of any agencies the Director of NIST determines is necessary. Practices, protocols, controls, and implementation examples pertaining to the safe and dependable development and delivery of software, as well as the security of the software itself, will be included in this preliminary update. Through the Director of NIST, the Secretary of Commerce will release the final version of the updated SSDF within 120 days of the preliminary update. “;.”.

(c) removing the sentence “Internet traffic security depends on data being correctly routed and delivered to the intended recipient network” from subsection 4(b). The Border Gateway Protocol (BGP), which is used to originate and propagate routing information across the Internet, is susceptible to errors and attacks. and substituting the following in its stead.

“The following actions shall be taken by relevant agencies:”.

(d) eliminating subsection 4(f) and substituting the following in its place.

(f) A large enough and sophisticated quantum computer, also referred to as a cryptanalytically relevant quantum computer (CRQC), will be able to crack a large portion of the public-key cryptography employed on digital systems in the US and other countries. The Federal Government was instructed to get ready to switch to cryptographic algorithms that wouldn’t be susceptible to a CRQC in National Security Memorandum 10 of May 4, 2022 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems).

(i) By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and after consulting with the Director of the National Security Agency, will publish and update a list of product categories that include widely accessible products that support post-quantum cryptography (PQC).

(ii) The National Security Agency’s (NSS) and OMB’s (non-NSS) directors will, by December 1, 2025, issue requirements for agencies to support Transport Layer Security protocol version 1.3 or a successor version as soon as possible, but no later than January 2, 2030, in order to prepare for the transition to PQC. “;.

(e) removing the old section 6 (now known as section 5) and replacing it with the following.

“Sec. 5. . using and advancing artificial intelligence for security. By quickly detecting vulnerabilities, expanding the scope of threat detection methods, and automating cyber defense, artificial intelligence (AI) has the potential to revolutionize cyber defense.

(a) By November 1, 2025, the Secretary of Commerce, through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, through the Under Secretary for Science and Technology; and the Director of the National Science Foundation will make sure that, to the greatest extent possible, existing datasets for cyber defense research have been made available to the larger academic research community (either securely or publicly), taking into account national security and business confidentiality.

(b) By November 1, 2025, the Director of National Intelligence, the Secretary of Defense, and the Secretary of Homeland Security, in collaboration with the relevant officials in the Executive Office of the President, including those in the Office of Science and Technology Policy, the Office of the National Cyber Director, and the Director of OMB, will integrate the management of AI software vulnerabilities and compromises into the existing processes and interagency coordination mechanisms for vulnerability management. This will include sharing indicators of compromise for AI systems and maintaining incident tracking, response, and reporting. “;.”.

(f) eliminating Section 7 and substituting the following in its place.

Second. 7. . Policy and Practice Alignment. To lower cyber risks, agencies’ policies must match investments and priorities to enhance network visibility and security controls. Agencies will do the following after consulting with the National Cyber Director.

(a) Within three years following the date of this order, the Director of OMB will provide guidance, including any necessary revisions to OMB Circular A-130, to address critical risks and adapt contemporary practices and architectures across Federal networks and information systems.

(b) The Secretary of Commerce, through the Director of NIST; the Secretary of Homeland Security, through the Director of CISA; and the Director of OMB are required to pilot a rules-as-code approach for machine-readable versions of cybersecurity policy and guidance that OMB, NIST, and CISA publish and oversee within a year of the date of this order.

(c) Agency members of the FAR Council shall, as appropriate and in accordance with applicable law, jointly take steps to amend the FAR to adopt requirements for agencies to require vendors of consumer Internet-of-things products, as defined by 47 CFR 8.203(b), to carry United States Cyber Trust Mark labeling for those products by January 4, 2027. This must be done within a year of the date of this order. and.

(g) removing subsection 8(a) and replacing it with the following.

(a) Sections 1 through 7 of this order shall not apply to Federal information systems that are NSS or that have been identified by the Department of Defense or the Intelligence Community as debilitating impact systems, unless otherwise specified in subsection 4(f) of this order. “.”.

sec. 3. Executive Order 13694 amendments. The following further amends Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended by Executive Order 13757 of December 28, 2016 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), Executive Order 13984 of January 19, 2021 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), and Executive Order 14144.

(a) striking from subsection 1(a)(ii) the phrase “any person” and inserting in lieu thereof “any foreign person”; and.

(b) removing “any person” from subsection 1(a)(iii) and replacing it with “any foreign person.”. “”.

Sec. 4. . General Clauses. (a) Nothing in this order should be interpreted as affecting or impairing anything.

(i) the legal authority that an executive department or agency, or its head, has been given.

(ii) the duties of the OMB Director concerning legislative, administrative, or budgetary proposals.

(b) Depending on appropriations availability, this order will be implemented in a way that complies with applicable law.

(c) The United States, its departments, agencies, or entities, its officers, employees, or agents, or any other individual, are not entitled to any substantive or procedural rights or benefits that can be enforced in court or in equity by any party.

(d) The Department of Homeland Security will cover the costs associated with publishing this order.

DALD J. Trump.

The white house.

June 6, 2025. .