That’s a lot of red pen.
The Trump administration released an executive order (EO) that aims to sustain “select efforts” to strengthen national cybersecurity and amends the executive order from the Biden administration that was released just days before the current administration took office. As a result, a significant portion of the Biden EO has been replaced.
“More must be done to improve the nation’s cybersecurity against these threats,” the EO states. “I am ordering additional actions to improve our nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats.”
Here’s what the directive does to the Biden-era order:
Removes an entire section on actions to combat cybercrime and fraud. The Trump directive does not replace the fifth section of Biden’s last cyber EO, which aims to provide solutions for cybercrime and fraud.
Biden’s January cyber EO states, “The use of stolen and synthetic identities by criminal syndicates to systemically defraud public benefits programs costs taxpayers and wastes federal government funds.”
The EO asks the executive branch to “strongly encourage” the acceptance of digital identity documents to access public benefits programs that require identity verification, “so long as it is done in a manner that preserves broad program access for vulnerable populations and supports the principles of privacy, data minimization, and interoperability.”
Trump’s directive from June strikes the fifth section entirely and redesignates subsequent sections.
The fact sheet also states that the Biden administration “attempted to sneak problematic and distracting issues into cybersecurity policy,” which the administration said includes the introduction of digital identity mandates.
New section five, AI. The Trump administration moves section six up to fifth place and erases language from the Biden EO that says the federal government “must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”
Instead, the president inserted requirements for the Department of Commerce (DOC), the Department of Homeland Security (DHS), the National Science Foundation, and the Department of Energy to ensure that “existing datasets for cyber defense research” are accessible to the broader academic research community, “either securely or publicly” and “to the maximum extent feasible.”
DOC, DHS, the director of national intelligence, and other executive branch offices also are required to incorporate the management of AI software vulnerabilities and compromises into respective processes and interagency coordination mechanisms for vulnerability management.
Establishes a consortium. The executive order directs the DOC’s secretary to act through the director of the National Institute of Standards and Technology (NIST) to establish a consortium with industry.
Trump directs DOC to establish the consortium at the National Cybersecurity Center of Excellence in order to develop guidance based on a NIST special publication regarding the Secure Software Development Framework (SSDF) that offers recommendations for mitigating the risks around software vulnerabilities.
On Dec. 1, DOC (with other appropriate agencies) is required to publish a preliminary update to SSDF that includes “practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.”
Additionally, by Sept. 2, DOC must update another NIST special publication (SP 800-53) that outlines security and privacy controls for information systems and organizations. NIST has to update the publication, according to the directive, to provide guidance on deploying patches and updates for systems.
Changes for aligning policy to practice. The current administration declared that agencies have to align investments and priorities for improving network visibility and security to reduce cyber risks. The current president revised Biden’s cyber EO to omit a section regarding the need to modernize agencies’ IT infrastructure and networks that support their critical missions.
The Trump administration requires the Office of Management and Budget director to issue guidance and revisions to existing policy regarding managing information as a strategic resource to address “critical risks and adapt modern practices and architectures across federal information systems and networks” within three years.
Changes to post-quantum cryptography language. The order also erases some lines on the Biden administration’s work on post-quantum cryptography (PQC), and extends the deadline for DHS, acting through the Cybersecurity and Infrastructure Security Agency, to release a list of product categories where items that support PQC are “widely available.”