Trump’s Executive Order Rollback on Cybersecurity

Overview of the New Executive Order
On June 6, 2025, the White House issued a sweeping executive order that rescinds several cornerstone cybersecurity directives enacted under the previous administration. The order eliminates or relaxes requirements spanning secure software development, quantum-resistant encryption, routing security, phishing-resistant authentication, and digital identity initiatives. Government agencies, contractors, and the private sector now face a significantly altered compliance landscape.
- Quantum-Safe Encryption: Requirements to adopt NIST-approved post-quantum algorithms such as CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures have been withdrawn.
- Secure Software Development Framework (SSDF): Federal self-attestation under NIST SP 800-218 is replaced by a nonbinding reference implementation.
- Phishing-Resistant Authentication: Mandates to implement WebAuthn and FIDO2 second-factor solutions are relaxed.
- BGP Routing Security: Directives for Resource Public Key Infrastructure (RPKI) deployment and creation of Route Origin Authorizations (ROAs) have been dropped.
- Digital Identity: Plans to encourage mobile driver licenses and federated digital ID systems are abandoned.
Technical Implications
Changes to the Secure Software Development Framework
Under the canceled Biden order, CISA enforced a self-attestation process requiring federal vendors to declare compliance across the four core SSDF functions defined in NIST SP 800-218: Prepare, Protect, Detect, and Respond. Companies had to certify via a senior officer that they had integrated threat modeling, secure coding practices, software composition analysis (SCA), static application security testing (SAST), and continuous integration/continuous delivery (CI/CD) pipelines hardened against supply chain attacks. The new order directs NIST to publish reference guidance without any attestation or enforcement mechanism. Critics warn this invites checkbox compliance rather than verifiable security hardening.
Rollback of Quantum-Resistant Cryptography Mandates
President Biden’s original order aimed to accelerate adoption of post-quantum cryptography (PQC) by mandating that agencies and their contractors migrate to NIST’s approved algorithms once those algorithms reached Federal Information Processing Standards (FIPS) validation. Selected primitives such as Kyber (a KEM) and Dilithium (a digital signature scheme) underwent extensive evaluation of their security margins against quantum attacks such as Shor’s algorithm and of their computational overhead. By rescinding these mandates, the administration removes the enforcement lever for migrating TLS, VPN, and database encryption stacks to quantum-safe alternatives, pushing back what many experts consider one of the largest crypto-migration projects since the DES to AES transition.
BGP Security and Internet Routing
The order also strikes language labeling the Border Gateway Protocol (BGP) as vulnerable and eliminates requirements for the Commerce Department and NIST to publish guidance on implementing RPKI and ROAs. These tools provide cryptographic validation of Internet route origination to prevent IP prefix hijacking and route leaks. Large network operators that began upgrading router firmware to support Origin Validation and BGPsec may now abandon or delay those efforts, exposing critical infrastructure to outages and interception events similar to past high-profile hijacks of banking and DNS servers.
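To make the RPKI mechanism concrete, here is an added example (not code from the article or from any router vendor) of Route Origin Validation as specified in RFC 6811: each announced route is checked against a constructed set of ROAs and classified as valid, invalid, or not-found. The ROAs, prefixes, and AS numbers are constructed sample values from documentation ranges, not real allocations.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # prefix the holder signed for, e.g. "192.0.2.0/24"
    max_length: int  # longest (most specific) prefix this ROA authorises
    asn: int         # authorised origin AS; AS0 means "nobody may originate"


def covers(roa: Roa, prefix: str) -> bool:
    """A ROA covers a route when the route's prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    route_net = ipaddress.ip_network(prefix, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def validate_origin(prefix: str, origin_asn: int, roas: list[Roa]) -> str:
    """Classify (prefix, origin AS) as 'valid', 'invalid' or 'not-found'."""
    route_len = ipaddress.ip_network(prefix, strict=False).prefixlen
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "not-found"          # no ROA says anything about this space
    for r in covering:
        # Valid only if the origin AS matches AND the announcement is not
        # more specific than maxLength (blocks sub-prefix hijacks).
        if r.asn == origin_asn and route_len <= r.max_length:
            return "valid"
    return "invalid"                # covered, but no ROA authorises this origin


# Constructed ROA set (documentation prefixes and private AS numbers).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("203.0.113.0/24", 24, 0),   # AS0: prefix must never appear in BGP
]


def classify_sample() -> dict[tuple[str, int], str]:
    """Run ROV over constructed announcements; the two 'invalid' /24 cases
    model a prefix hijack and an over-specific announcement respectively."""
    announcements = [
        ("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
        ("198.51.100.0/23", 64497), ("198.51.100.0/25", 64497),
        ("203.0.113.0/24", 64496), ("2001:db8::/32", 64496),
    ]
    return {a: validate_origin(a[0], a[1], SAMPLE_ROAS) for a in announcements}
```

A router with ROV enabled would typically drop or heavily depreference the "invalid" routes while still accepting "not-found" ones, which is why ROA coverage of your own prefixes matters as much as validating others'.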
Impact on Federal Cyber Defense Posture
Removing binding directives undermines the Executive Branch’s ability to deploy standardized security across over 100 cabinet-level agencies. CISA’s Binding Operational Directive 22-01, which mandated monthly vulnerability scanning and quarterly red team exercises, remains in place. However, without alignment to secure coding and quantum-resistant encryption standards, agencies will face inconsistencies in threat modeling approaches, patching cadences, and supply chain risk management. This fragmentation weakens situational awareness across the federal network ecosystem at a time when sophisticated adversaries exploit zero-day vulnerabilities and advanced persistent threat (APT) toolkits.
Industry Response and Mitigation Strategies
Leading cloud providers and defense contractors are adapting by creating voluntary compliance frameworks. For example, a consortium of firms led by AWS, Google Cloud, and Microsoft has published a joint whitepaper detailing an end-to-end SSDF pipeline with automated SAST/DAST integration, binary provenance tracking using signed containers, and hardware root of trust attestation via Trusted Platform Modules (TPMs) and Intel SGX enclaves. Several organizations plan to continue private PQC pilots, integrating quantum-safe TLS libraries such as Open Quantum Safe (liboqs) into production environments ahead of federal mandates.
The Road to Quantum Migration: Technical Hurdles Ahead
Migrating an entire government IT estate to quantum-resistant algorithms involves multiple technical challenges:
- Compatibility: Ensuring legacy systems and embedded devices support larger key sizes and new algorithm parameters without performance degradation.
- Standardization: Completing FIPS validation, updating ANSI X9.82 for financial systems, and aligning with ISO/IEC standards for global interoperability.
- Operational Overhead: Managing hybrid crypto modes during transition, certificate lifecycle, and CA infrastructures while preserving backward compatibility.
- Performance: Benchmarking post-quantum algorithms reveals key encapsulation times up to 10× slower and signatures several kilobytes larger than ECDSA signatures, requiring hardware acceleration.
Expert Opinions
Jake Williams, former NSA hacker and VP of R&D at Hunter Strategy, warns that the SSDF rollback permits mere checkbox compliance, saying “organizations will copy reference code verbatim without enforcing secure build environments, leaving critical vulnerabilities unaddressed.”
Alex Sharpe, cybersecurity governance veteran, emphasizes the quantum transition as “one of the largest crypto overhauls ever,” cautioning that without enforcement, “many agencies won’t prioritize updating encryption, leaving data exposed to future quantum decryption attacks.”
Conclusion
The new executive order marks a significant pivot toward deregulation in federal cybersecurity policy. While proponents argue it reduces compliance burdens and accelerates procurement, security experts warn that eliminating enforcement risks undermining resilience across government and private networks. As geopolitical tensions rise and quantum computing capabilities advance, the absence of binding standards for secure software, routing integrity, and post-quantum encryption may leave the digital infrastructure of the United States perilously exposed to next-generation threats.