With the authority granted to me as President under the Constitution and the laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq), the National Emergencies Act (50 U.S.C. 1601 et seq), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, I hereby issue the following order:
Section 1. Modifications to Executive Order 14144
Executive Order 14144, issued on January 16, 2025, aimed at enhancing and promoting innovation within the nation’s cybersecurity framework, is revised as follows:
- (a) Removal of subsections 2(a)-(b), with subsequent subsections 2(c), 2(d), and 2(e) reclassified to 2(a), 2(b), and 2(c), respectively;
- (b) The elimination of the first sentence in subsection 2(e);
- (c) Removal of subsections 3(a)-(b), with subsections 3(c), 3(d), and 3(e) reclassified to 3(a), 3(b), and 3(c);
- (d) Excision of the phrase regarding the directive to the Secretary of Defense and the Secretary of Homeland Security from subsection 3(c);
- (e) Deletion of the term “novel” from subsection 3(c)(i)(A);
- (f) Striking of subsection 4(b)(iv);
- (g) Removal of subsections 4(d)(ii)-(iii);
- (h) Discarding section 5 and renumbering sections 6 through 11 as 5 through 10; and
- (i) Removal of the phrase pertaining to intrusion detection and security patches from subsection 8(c).
Sec. 2. Additional Modifications to Executive Order 14144
Further amendments to Executive Order 14144 include:
- (a) The complete removal of section 1, replaced with:
- (b) Replacement of subsection 2(c) with:
- (i) By August 1, 2025, the Secretary of Commerce, through the Director of NIST, will establish a consortium with industry partners at the National Cybersecurity Center of Excellence to produce guidance reflecting secure software development and operations based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
- (ii) By September 2, 2025, the Secretary of Commerce, through the Director of NIST, shall update NIST Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on secure and reliable patch deployment.
- (iii) By December 1, 2025, the Secretary of Commerce, through the Director of NIST, in collaboration with relevant agency heads, will develop and publish a preliminary update to the SSDF, detailing practices, controls, and examples for secure software development and delivery. A final version of the updated SSDF will follow within 120 days of this preliminary publication.”;
- (c) Replacement of a portion of subsection 4(b) with:
- (d) Replacement of subsection 4(f) with:
- (i) By December 1, 2025, the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in consultation with the National Security Agency Director, shall regularly update a list of product categories featuring widely available products that support post-quantum cryptography (PQC).
- (ii) By December 1, 2025, the Director of the National Security Agency for National Security Systems (NSS) and the Office of Management and Budget (OMB) for non-NSS, shall each release requirements for agencies to support, as soon as feasible but no later than January 2, 2030, Transport Layer Security protocol version 1.3 or its successor version.”;
- (e) Replacement of former section 6 (now section 5) with:
- (a) By November 1, 2025, the Secretary of Commerce, through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, through the Under Secretary for Science and Technology; and the Director of the National Science Foundation will ensure accessibility of existing datasets for cyber defense research to the broader academic community, considering business confidentiality and national security.
- (b) By November 1, 2025, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, along with relevant officials in the Executive Office of the President, will integrate AI software vulnerability management into existing processes for vulnerability management across their agencies.”;
- (f) Replacement of section 7 with:
- (a) Within three years, the Director of OMB will issue guidance, including necessary revisions to OMB Circular A–130, to address critical risks in federal information systems and networks.
- (b) Within one year, the Secretary of Commerce, through the Director of NIST; the Secretary of Homeland Security, through the Director of CISA; and the Director of OMB will establish a pilot program implementing a rules-as-code approach for machine-readable policy and guidance regarding cybersecurity.
- (c) Within one year, agency members of the FAR Council will take steps to amend the FAR, requiring vendors supplying the Federal Government with consumer Internet-of-Things products to display United States Cyber Trust Mark labeling by January 4, 2027.”;
- (g) Replacement of subsection 8(a) with:
“Section 1. Policy. Foreign nations and criminal entities persistently engage in cyberattacks against the United States and its citizens. The People’s Republic of China remains the most active and consistent cyber adversary, posing threats to U.S. government, private sector, and critical infrastructure networks. Other notable threats come from Russia, Iran, North Korea, among others, all of whom jeopardize U.S. cybersecurity efforts. These malicious campaigns not only disrupt essential services nationwide but also result in financial losses in the billions, eroding security and privacy for Americans. Enhanced measures are critical to fortifying our nation’s cybersecurity against these dangers. I hereby mandate additional initiatives aimed at protecting our digital infrastructure, securing essential services, and amplifying our capabilities to confront significant threats.”;
“(c) Relevant executive departments and agencies (agencies) shall implement the following actions:
“Relevant agencies shall undertake the following actions:”;
“(f) A sufficiently advanced quantum computer, also referred to as a cryptanalytically relevant quantum computer (CRQC), could potentially compromise the public-key cryptography utilized within digital systems globally. National Security Memorandum 10 of May 4, 2022, directed the government to prepare for a transition to cryptographic algorithms resilient against CRQC threats.
“Sec. 5. Promoting Security with and in Artificial Intelligence. Artificial intelligence (AI) holds transformative potential for cyber defense, quickly identifying vulnerabilities and automating defense mechanisms.
“Sec. 7. Aligning Policy with Practice. Agencies must align their policies to prioritize network visibility and security controls to mitigate cyber risks. In consultation with the National Cyber Director, agencies shall:
“(a) Except as specifically noted in subsection 4(f), sections 1 through 7 of this order do not apply to Federal information systems designated as NSS or otherwise identified by the Department of Defense or the Intelligence Community as systems of debilitating impact.”;
Sec. 3. Amendments to Executive Order 13694
Executive Order 13694, issued on April 1, 2015, regarding the blocking of property belonging to individuals involved in significant malicious cyber activities, is further amended as follows:
- (a) Replacement of the phrase “any person” in subsection 1(a)(ii) with “any foreign person”; and
- (b) Similar replacement in subsection 1(a)(iii) from “any person” to “any foreign person.”
Sec. 4. General Provisions
(a) This order shall not impair or affect:
- (i) The authority granted by law to any executive department or agency, or their heads; or
- (ii) The functions of the Director of OMB concerning budgetary, administrative, or legislative proposals.
(b) Implementation of this order will adhere to applicable laws and depend on the availability of appropriations.
(c) This order is not intended to and does not create any enforceable rights or benefits for any party against the United States or its entities, officers, employees, or agents.
(d) The Department of Homeland Security will bear the costs associated with the publication of this order.
DONALD J. TRUMP
THE WHITE HOUSE,
June 6, 2025.