Trump directive rewrites cybersecurity policy, strips digital ID framework

In a sweeping redirection of U.S. cybersecurity strategy, President Donald Trump has signed a new Executive Order (EO) that is aimed at dismantling key elements of his Democratic predecessors’ cyber policies while installing his own framework that is centered on foreign threat deterrence, technical control, and digital identity rollback.
The move comes just days after the White House proposed deep budget cuts and yet more staffing cuts at the Cybersecurity and Infrastructure Security Agency (CISA), which critics and former CISA officials warn will seriously weaken U.S. cyber defenses.
Trump’s Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity, represents the most significant recalibration of U.S. cybersecurity policy since the Biden administration’s January EO, Strengthening and Promoting Innovation in the Nation’s Cybersecurity.
At the forefront of the Trump administration’s cybersecurity shift is the categorical removal of Biden-era digital identity initiatives which had encouraged federal agencies to accept digital identity documents to access public benefit programs and promoted federal grants to help states develop secure mobile driver’s licenses.
Biden’s EO also laid the groundwork for federal standards around digital identity that emphasized anti-surveillance safeguards. Trump’s EO eliminates these provisions entirely, arguing that they enabled “illegal immigrants to improperly access public benefits” and facilitated “entitlement fraud and other abuse.”
Critics of Trump’s EO, including Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, argue that Trump’s focus on rolling back digital identity provisions prioritizes immigration politics over proven cybersecurity strategies. Digital identity advocates have warned that eliminating these efforts leaves the U.S. vulnerable to fraud and online impersonation threats without offering any replacement mechanisms.
“The fixation on revoking digital ID mandates is prioritizing questionable immigration benefits over proven cybersecurity benefits,” Montgomery said.
“Nothing in [Biden’s] January’s EO included a mandate for the U.S. government to issue digital IDs to anybody – immigrants, or otherwise,” added Jeremy Grant, association coordinator for the Better Identity Coalition.
The Trump White House remains steadfast in its framing, however. Its June 6 fact sheet accuses the outgoing Biden administration of “sneaking problematic and distracting issues into cybersecurity policy,” contending that identity programs would have expanded access for ineligible beneficiaries and turned cybersecurity into a tool for social policy. Trump’s EO does not offer a replacement framework for secure digital identity.
Beyond digital ID, the order strikes or modifies significant components of Biden’s Executive Order 14144 and Obama-era EO 13694, citing overreach and ideological bias. It eliminates the requirement that software vendors attesting to federal contracts demonstrate compliance with secure development practices. Instead, the National Institute of Standards and Technology (NIST) is directed to convene a public-private consortium to demonstrate the application of NIST’s Secure Software Development Framework. The preliminary results are expected by December 1.
This represents a fundamental shift away from the Biden-era compliance model, which emphasized attestation and certification following incidents like the SolarWinds breach. The Trump administration has labeled these measures “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
Trump’s order also revises AI-focused cybersecurity strategy. Biden’s directive had encouraged federal agencies to research secure AI systems and apply AI to protect critical infrastructure. Trump’s EO strikes these directives and instead reorients federal AI use toward identifying and managing AI-related vulnerabilities. Agencies must now treat AI security flaws like traditional cybersecurity risks and share indicators of compromise across government networks.
According to Kevin Bocek, senior vice president of innovation at CyberArk, AI-driven cybersecurity still holds enormous potential. Bocek praised Trump’s inclusion of predictive defense language and emphasized that securing AI itself must remain a top priority given the rise of machine identities.
“Proper AI development is a tool for predictive defense, threat detection at scale, and securing the rapidly growing ecosystem of machine identities, but we must also ensure we secure the AI itself,” Bocek said.
Trump’s EO also revisits the U.S.’s approach to post-quantum cryptography (PQC). While Biden’s order required agencies to adopt quantum-resistant encryption “as soon as practicable,” Trump’s directive removes that urgency. Instead, it calls on the National Security Agency and Office of Management and Budget (OMB) to issue PQC guidelines by December, with the aim of achieving full implementation by 2030.
Other retained technical components from Biden and Obama-era directives include maintaining progress on securing Border Gateway Protocol routing and requiring cybersecurity standards for Internet of Things (IoT) devices. By January 2027, all government-purchased smart devices must carry a “Cyber Trust Mark,” confirming adherence to baseline security requirements. This IoT labeling initiative originally emerged under Biden and is now fully adopted by the Trump administration.
Additionally, Trump’s Executive Order places emphasis on policy modernization. It instructs OMB to revise Circular A-130, the government’s foundational guidance on managing federal IT systems, within three years. Simultaneously, agencies must launch a pilot program to develop “rules-as-code” initiatives, enabling policies and regulations to be encoded in machine-readable formats for more efficient deployment and oversight.
One of the more politically charged changes in Trump’s EO is its narrowing of cyber sanctions. It repeals Obama’s framework that enabled the U.S. to apply cyber sanctions to individuals or entities engaged in hostile cyber operations, instead limiting such sanctions strictly to “foreign malicious actors.” The fact sheet accompanying the EO argues this amendment will prevent the political misuse of cyber enforcement tools against domestic opponents and clarify that cyber sanctions are not applicable to election-related activities.
This provision has drawn sharp criticism from cybersecurity experts who worry it undermines the deterrent effect of sanctions, especially in the face of domestic threats and politically motivated cyber campaigns. The order echoes long-standing grievances within the Trump political orbit about alleged surveillance and cyber enforcement targeting campaign associates.
This marks a key departure from the Obama-era Executive Order 13694 which had authorized sanctions against both foreign and domestic persons implicated in malicious cyber-enabled activities, including those influencing U.S. elections. By omitting election interference, the EO appears to remove state-sponsored election meddling from its sanctionable offense list, casting potential ambiguity over foreign election interference such as that witnessed in 2016.
Supporters assert the move aims to prevent misuse of sanctions tools against domestic political opponents and ensure election activities remain outside the purview of cyber enforcement.
Despite the rollback of Biden-era mandates, Trump’s administration does preserve and extend certain strategic cyber initiatives. These include strengthening the CISA’s role in defending civilian federal networks and promoting encryption modernization across agencies. The EO directs the adoption of the latest encryption protocols and calls for enhanced collaboration between federal departments to secure critical digital infrastructure.
The White House justifies its action by saying it is a reorientation toward what it describes as real technical challenges, rather than ideological frameworks. It argues that cybersecurity must be restored to a place of neutral competence, focused on actionable protections against adversaries. President Trump, in the statement accompanying the EO, positioned the move as part of a broader administrative philosophy aimed at removing political bias and restoring “technical and organizational professionalism.”
Yet, the political ramifications of the order are substantial. By tying digital identity to immigration enforcement, framing AI policy through an anti-censorship lens, and redefining cybersecurity compliance as regulatory overreach, the EO continues a pattern of politicizing technology policy that many experts say must remain nonpartisan. While the administration asserts that it is cutting through red tape, critics argue it is gutting forward-leaning protections that were designed to evolve federal cyber posture amid a rapidly changing threat landscape.
The transformation of cybersecurity under Trump reflects a broader shift in federal cybersecurity policy. While the administration emphasizes streamlining and refocusing agency missions, the resulting focus, attrition, and program cuts have prompted concerns about the nation’s preparedness to confront cyber threats. The coming months will be critical in assessing the impact of these changes and determining the path forward for the nation’s cybersecurity infrastructure.