Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144

6/6/2025

Action Summary

  • Amendments to EO 14144: Revises language and structural sections, updating policies to better address ongoing cybersecurity threats from state and non-state actors, with a particular focus on adversaries like China, Russia, Iran, and North Korea.
  • Cybersecurity Enhancement Measures:
    • Secure Software Development: Establish a consortium with industry via the National Cybersecurity Center of Excellence and update the NIST Special Publication 800–218 (SSDF) and 800–53 to strengthen secure software practices and patch management.
    • Quantum Computing Preparations: Mandates actions to transition to post-quantum cryptography, including listing products that support PQC and establishing requirements for secure protocols (TLS 1.3 or successor) by specified deadlines.
  • Artificial Intelligence in Cyber Defense:
    • Ensures accessibility of cybersecurity research datasets to the academic community while balancing confidentiality and national security.
    • Integrates management of AI vulnerabilities into existing federal vulnerability management and incident response processes.
  • Policy and Practice Alignment:
    • Directs agencies to enhance network visibility and security controls through revised OMB guidance and a pilot program for machine-readable cybersecurity policies.
    • Includes measures to amend procurement practices, such as labeling requirements for Internet-of-Things products, to ensure cybersecurity compliance.
  • Amendments to EO 13694: Adjusts language to specifically target “foreign persons” in blocking malicious cyber-enabled activities, refining the scope of actions against cyber threats.
  • General Provisions:
    • Clarifies that the order does not impair existing authorities or functions of executive departments and OMB.
    • Ensures implementation consistent with applicable law and appropriations, with publication costs assigned to the Department of Homeland Security.

Risks & Considerations

  • The amendments to Executive Orders 13694 and 14144 emphasize strengthening the nation’s cybersecurity, which could lead to increased regulatory scrutiny and compliance requirements for institutions like Vanderbilt University. This may necessitate updates to cybersecurity protocols and infrastructure.
  • The focus on foreign cyber threats, particularly from nations like China, Russia, and North Korea, highlights the need for enhanced security measures to protect sensitive research data and intellectual property at the university.
  • The directive to develop and implement secure software development practices and post-quantum cryptography could require Vanderbilt to invest in new technologies and training for IT staff and researchers.
  • The emphasis on AI in cybersecurity presents opportunities for Vanderbilt to engage in cutting-edge research and collaboration with federal agencies, but also requires careful management of AI software vulnerabilities.
  • Changes in federal cybersecurity policies could impact funding opportunities and partnerships, necessitating strategic adjustments to align with national priorities.

Impacted Programs

  • Vanderbilt’s IT Department will need to assess and potentially upgrade its cybersecurity infrastructure to comply with new federal guidelines and protect against advanced cyber threats.
  • Research Centers focusing on cybersecurity and AI may find new opportunities for collaboration and funding, particularly in areas related to secure software development and post-quantum cryptography.
  • The Office of Research may need to implement additional measures to safeguard sensitive data and intellectual property from foreign cyber threats.
  • Academic Programs in computer science and engineering could see increased demand for courses and research opportunities related to cybersecurity and AI.

Financial Impact

  • Compliance with new cybersecurity regulations may require significant investment in technology and training, impacting the university’s budget and resource allocation.
  • Opportunities for federal funding in cybersecurity and AI research could increase, providing potential financial benefits for Vanderbilt’s research initiatives.
  • The need to protect against foreign cyber threats may lead to increased costs associated with securing research data and intellectual property.
  • Vanderbilt may need to explore partnerships with industry and government to leverage resources and expertise in addressing cybersecurity challenges.

Relevance Score: 4 (The order presents a need for potential major changes or transformations of programs.)

Key Actions

  • Vanderbilt’s Information Technology Department should enhance its cybersecurity measures by aligning with the updated NIST guidelines on secure software development and operations. This will ensure that the university’s digital infrastructure is protected against emerging cyber threats.
  • The School of Engineering should explore research opportunities in quantum computing and post-quantum cryptography. By collaborating with federal agencies and industry partners, the school can contribute to advancements in cybersecurity technologies and prepare for future cryptographic transitions.
  • Vanderbilt’s Data Science Institute should leverage AI to improve cyber defense capabilities. By accessing datasets for cyber defense research, the institute can develop innovative solutions for threat detection and vulnerability management.
  • The Office of Federal Relations should monitor developments in federal cybersecurity policies and engage with policymakers to ensure Vanderbilt’s interests are represented in national cybersecurity initiatives.
  • Vanderbilt’s Center for Technology Transfer and Commercialization should identify potential commercialization opportunities for cybersecurity innovations developed at the university. This could enhance Vanderbilt’s reputation as a leader in cybersecurity research and innovation.

Opportunities

  • The executive order provides an opportunity for Vanderbilt’s School of Engineering to expand its research in secure software development and operations. By collaborating with the National Cybersecurity Center of Excellence, the school can contribute to the development of industry standards and best practices.
  • Vanderbilt can capitalize on the focus on AI in cybersecurity by developing new programs and partnerships with federal agencies and industry leaders. This could include joint research initiatives, student internships, and collaborative projects, enhancing Vanderbilt’s role in the cybersecurity sector.
  • The emphasis on post-quantum cryptography offers an opportunity for Vanderbilt’s Department of Mathematics to engage in research and development of new cryptographic algorithms. By providing expertise in this area, the department can influence the future of secure communications.
  • By engaging with the broader cybersecurity community and policymakers, Vanderbilt can position itself as a leader in the national conversation on cybersecurity. Hosting conferences, workshops, and public forums on the implications of cybersecurity policies can further establish Vanderbilt as a hub for innovative cybersecurity thought and practice.

Relevance Score: 4 (The order presents the potential for major process changes required for Vanderbilt’s programs due to cybersecurity impacts.)

Average Relevance Score: 4.2

Timeline for Implementation

  • By August 1, 2025: The Secretary of Commerce, through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance for secure software development based on NIST SP 800–218.
  • By September 2, 2025: The Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800–53 to provide guidance on securely deploying patches and updates.
  • By November 1, 2025: The Secretaries of Commerce, Energy, Homeland Security, and the Director of the National Science Foundation shall ensure that cyber defense research datasets are made accessible and integrate management of AI vulnerabilities into existing processes.
  • By December 1, 2025: Two parallel actions are required:
    • The Secretary of Commerce, through the Director of NIST, shall develop and publish a preliminary update to the Secure Software Development Framework (SSDF), with a final version due within 120 days thereafter.
    • The Secretary of Homeland Security, through the Director of CISA (in consultation with the Director of the National Security Agency), shall release and regularly update a list of product categories supporting post-quantum cryptography.
  • Other deadlines:
    • Within 1 year: Establish a pilot program for a rules-as-code approach and amend the FAR for IoT product labeling by January 4, 2027.
    • Within 3 years: The Director of OMB shall issue guidance revising OMB Circular A–130 to address critical cybersecurity risks.

Analysis: The shortest deadline is August 1, 2025, approximately 56 days after the issuance date of June 6, 2025.

Relevance Score: 4

Impacted Government Organizations

  • Department of Commerce – National Institute of Standards and Technology (NIST): NIST, operating under the Secretary of Commerce, is directed to develop and update cybersecurity guidance including secure software development practices and security controls, particularly through its National Cybersecurity Center of Excellence.
  • Department of Homeland Security (DHS): DHS, through the Secretary of Homeland Security and its subordinate agency CISA, is tasked with releasing updates on post‑quantum cryptography products and ensuring secure deployment of cyber defense measures.
  • Cybersecurity and Infrastructure Security Agency (CISA): Acting under DHS, CISA is instructed to oversee threat information sharing and update cybersecurity protocols to defend digital infrastructures.
  • National Security Agency (NSA): The NSA is involved in preparing for the transition to quantum-resistant cryptographic algorithms as part of national security system requirements.
  • Office of Management and Budget (OMB): OMB, including its Director, has responsibilities for issuing guidance on federal information systems and integrating rules-as-code approaches for cybersecurity policies.
  • Department of Defense (DoD): DoD is referenced in ensuring that policies exclude NSS (National Security Systems) from certain cybersecurity provisions while coordinating on artificial intelligence vulnerability management.
  • Department of Energy (DOE): DOE is included in the collaborative effort to make cyber defense research datasets accessible to the broader academic community, particularly in the context of AI-enhanced defense.
  • National Science Foundation (NSF): NSF is tasked with ensuring that existing cyber defense research datasets are accessible, supporting academic and research partnerships.
  • Office of National Cyber Director: The Office is implied in the interagency coordination efforts to modernize cybersecurity practices and policy guidance across federal systems.
  • Office of the Director of National Intelligence (ODNI): ODNI, through its Director, is required to coordinate with other agencies on AI vulnerability management and integration of cybersecurity measures.
  • Office of Science and Technology Policy (OSTP): OSTP is involved in coordinating with the Executive Office of the President and other agencies on integrating cybersecurity and AI risk management measures.
  • FAR Council: Agency members of the FAR Council are directed to amend procurement regulations to incorporate cybersecurity requirements, such as the U.S. Cyber Trust Mark labeling for consumer IoT products.
  • Executive Office of the President: The President’s office, along with its cybersecurity and policy advisors, plays a central role in interagency coordination, overseeing the overall execution of and compliance with the order’s directives.

Relevance Score: 4 (A significant number of Federal agencies and executive departments are impacted by the amendments, reflecting a broad reach across various aspects of cybersecurity policy.)

Responsible Officials

  • Secretary of Commerce, acting through the Director of NIST – Tasked with establishing a consortium to develop and update guidance on secure software development (including NIST SP 800-218 and SP 800-53) and publishing updates to the secure software development framework.
  • Director of NIST – Responsible for formulating and disseminating secure software development practices and coordinating with industry as directed by the order.
  • Secretary of Homeland Security, acting through the Director of CISA – Charged with releasing and updating the list of product categories supporting post‐quantum cryptography, and with establishing pilot programs for rules‐as‐code initiatives related to cybersecurity policy.
  • Director of CISA – Implements aspects of cybersecurity guidance and aids in pilot program development as directed by the Secretary of Homeland Security.
  • Director of the National Security Agency – Consulted for cybersecurity initiatives involving national security systems, particularly in preparation for the transition to post‐quantum cryptography.
  • Director of OMB – Charged with issuing guidance (including revisions to OMB Circular A–130), setting requirements for TLS protocol transitions, and collaborating on cybersecurity policy modernization across Federal agencies.
  • Secretary of Energy – Instructed to ensure that existing cyber defense research datasets are made accessible for research purposes, in coordination with other agencies.
  • Secretary of Defense – Required to incorporate management of artificial intelligence software vulnerabilities into existing vulnerability management and interagency coordination mechanisms.
  • Director of National Intelligence – Involved in the coordination efforts to include AI vulnerability management protocols within intelligence community processes.
  • Officials within the Executive Office of the President (including representatives from the Office of Science and Technology Policy and the Office of the National Cyber Director) – Tasked with supporting the coordination for managing AI software vulnerabilities and overall cybersecurity guidance.
  • Director of the National Science Foundation – Responsible for facilitating access to cyber defense research datasets to the broader academic community.
  • Agency Members of the FAR Council – Directed to take steps to amend procurement regulations, specifically to incorporate cybersecurity labeling requirements for certain consumer Internet-of-Things products.

Relevance Score: 5 (Directives affect top-level cabinet officials and agency heads across multiple critical cybersecurity domains.)