Sustaining Select Efforts To Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144
Executive Order 14306, signed in June 2025, amends two prior cybersecurity orders (EO 14144 and EO 13694) to strengthen the nation’s cyber defenses. Its core thrust is to accelerate modernization across government cyber policy and practice, with a strong emphasis on artificial intelligence, software supply chain security, patching and vulnerability management, and quantum-readiness (post-quantum cryptography). Key actions include creating AI-focused cybersecurity initiatives, expanding data sharing with the academic community for defense research, updating and implementing secure software development practices, and pursuing new policy tools like machine-readable guidance and labeling for IoT devices. It also tightens sanctions policy by narrowing the target to “foreign persons” and clarifies that some sensitive systems (notably certain NSS or IC-deemed debilitating systems) are exempt from broad provisions. In short, the order reorganizes and extends existing cybersecurity efforts to prioritize AI, quantum threats, and modern governance tools, while setting concrete deadlines for agency actions and new standards. It aims to make cyber risk management more integrated, transparent, and future-proof across the federal government and its suppliers.
Key Points
- AI and cybersecurity governance through EO 14144: Creates an overarching framework to promote AI-enabled cyber defense, including data-access provisions for research and integration of AI vulnerability management across agencies. Establishes a new policy area focused on AI in cyber defense and security.
- Data access and AI vulnerability management (Sec. 5): By specified deadlines in 2025, federal agencies shall (a) make existing cyber-defense datasets available to the academic community (as feasible), and (b) incorporate management of AI software vulnerabilities into their incident response and coordination processes, including sharing indicators of compromise for AI systems.
- Secure software development and patching (EO 14144 updates): Agencies must implement guidance and improvements tied to the Secure Software Development Framework (SSDF) and patch/deployment practices. This includes updating NIST SP 800-53 for patch management and delivering an updated SSDF with concrete practices and implementation examples.
- Quantum readiness and cryptography (Sec. 4(d)/4(f) updates): Adds emphasis on post-quantum cryptography readiness, including a DHS/CISA-NSA-led timeline for identifying products that support PQC and requirements to transition to TLS 1.3 (or successor) by 2030 for all agencies, to mitigate risks from quantum-capable computers.
- Policy modernization and industry approach (Sec. 7): Pursues practical governance tools: a) OMB to revise Circular A-130 within 3 years to address modern risks; b) a 1-year pilot of “rules-as-code” for machine-readable cybersecurity policy; c) a 1-year effort by the FAR Council to require US Cyber Trust Mark labeling for certain consumer IoT products through federal procurement; and d) alignment of policy with practice to better manage visibility and security controls.
- Exemptions and scope adjustments (Sec. 3 and 4): Amendments to EO 13694 narrow sanctions language from “any person” to “any foreign person,” and carve out protections for NSS and certain high-impact DoD/IC systems from the full set of provisions, preserving agency authority and law.