Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144
The White House

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered:

Section 1. Amendments to Executive Order 14144. Executive Order 14144 of January 16, 2025 (Strengthening and Promoting Innovation in the Nation's Cybersecurity), is hereby amended by:

(a) striking subsections 2(a)-(b) and redesignating subsections 2(c), 2(d), and 2(e) as subsections 2(a), 2(b), and 2(c), respectively;

(b) striking the first sentence of subsection 2(e);

(c) striking subsections 3(a)-(b) and redesignating subsections 3(c), 3(d), and 3(e) as subsections 3(a), 3(b), and 3(c), respectively;

(d) striking from subsection 3(c) the phrase "In Executive Order 14028, I directed the Secretary of Defense and the Secretary of Homeland Security to establish procedures to immediately share threat information to strengthen the collective defense of Department of Defense and civilian networks.";

(e) striking from subsection 3(c)(i)(A) the word "novel";

(f) striking subsection 4(b)(iv);

(g) striking subsections 4(d)(ii)-(iii);

(h) striking section 5 and redesignating sections 6, 7, 8, 9, 10, and 11 as sections 5, 6, 7, 8, 9, and 10, respectively; and

(i) striking from subsection 8(c) the phrase "in the areas of intrusion detection, use of hardware roots of trust for secure booting, and development and deployment of security patches.".

Sec. 2. Further Amendments to Executive Order 14144. Executive Order 14144 is hereby amended by:

(a) striking section 1 and inserting in lieu thereof the following:

"Section 1. Policy. Foreign nations and criminals continue to conduct cyber campaigns targeting the United States and Americans. The People's Republic of China presents the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks, but significant threats also emanate from Russia, Iran, North Korea, and others who undermine United States cybersecurity. These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans' security and privacy. More must be done to improve the Nation's cybersecurity against these threats. I am ordering additional actions to improve our Nation's cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats.";

(b) striking subsection 2(c) and inserting in lieu thereof the following:

"(c) Relevant executive departments and agencies (agencies) shall take the following actions:

(i) By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218 (Secure Software Development Framework (SSDF)).

(ii) By September 2, 2025, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.

(iii) By December 1, 2025, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This preliminary update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.";

(c) striking from subsection 4(b) the phrase "The security of Internet traffic depends on data being correctly routed and delivered to the intended recipient network. Routing information originated and propagated across the Internet, utilizing the Border Gateway Protocol (BGP), is vulnerable to attack and misconfiguration." and inserting in lieu thereof the following:

"Relevant agencies shall take the following actions:";

(d) striking subsection 4(f) and inserting in lieu thereof the following:

"(f) A quantum computer of sufficient size and sophistication, also known as a cryptanalytically relevant quantum computer (CRQC), will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world. National Security Memorandum 10 of May 4, 2022 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems), directed the Federal Government to prepare for a transition to cryptographic algorithms that would not be vulnerable to a CRQC.

(i) By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the Director of the National Security Agency, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.

(ii) By December 1, 2025, to prepare for transition to PQC, the Director of the National Security Agency with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.";

(e) striking former section 6 (newly designated section 5) and inserting in lieu thereof the following:

"Sec. 5. Promoting Security with and in Artificial Intelligence. Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.

(a) By November 1, 2025, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Energy; the Secretary of Homeland Security, acting through the Under Secretary for Science and Technology; and the Director of the National Science Foundation shall ensure that existing datasets for cyber defense research have been made accessible to the broader academic research community (either securely or publicly) to the maximum extent feasible, in consideration of business confidentiality and national security.

(b) By November 1, 2025, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with appropriate officials within the Executive Office of the President, to include officials within the Office of Science and Technology Policy, the Office of the National Cyber Director, and the Director of OMB, shall incorporate management of AI software vulnerabilities and compromises into their respective agencies' existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.";

(f) striking section 7 and inserting in lieu thereof the following:

"Sec. 7. Aligning Policy to Practice. Agencies' policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks. In consultation with the National Cyber Director, agencies shall take the following actions:

(a) Within 3 years of the date of this order, the Director of OMB shall issue guidance, including any necessary revision to OMB Circular A-130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks.

(b) Within 1 year of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Director of OMB shall establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity.

(c) Within 1 year of the date of this order, agency members of the FAR Council shall, as appropriate and consistent with applicable law, jointly take steps to amend the FAR to adopt requirements for agencies to, by January 4, 2027, require vendors to the Federal Government of consumer Internet-of-Things products, as defined by 47 CFR 8.203(b), to carry United States Cyber Trust Mark labeling for those products."; and

(g) striking subsection 8(a) and inserting in lieu thereof the following:

"(a) Except as specifically provided for in subsection 4(f) of this order, sections 1 through 7 of this order shall not apply to Federal information systems that are NSS or are otherwise identified by the Department of Defense or the Intelligence Community as debilitating impact systems."

Sec. 3. Amendments to Executive Order 13694. Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended by Executive Order 13757 of December 28, 2016 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), Executive Order 13984 of January 19, 2021 (Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities), and Executive Order 14144, is hereby further amended by:

(a) striking from subsection 1(a)(ii) the phrase "any person" and inserting in lieu thereof "any foreign person"; and

(b) striking from subsection 1(a)(iii) the phrase "any person" and inserting in lieu thereof "any foreign person."

Sec. 4. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented in a manner consistent with applicable law and subject to the availability of appropriations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

(d) The costs for publication of this order shall be borne by the Department of Homeland Security.

DONALD J. TRUMP

THE WHITE HOUSE,

June 6, 2025.