Trump's latest cybersecurity executive order addresses measures made in older EOs while outlining new goals - all at the same time that CISA is experiencing serious cuts.
On June 6, 2025 President Donald Trump signed a cybersecurity executive order (EO 14144), partly in response to the eleventh hour executive order Biden instated as he was leaving the office, and an earlier 2015 executive order from Obama. Trump’s directive disallows domestic actors from being sanctioned for “malicious cyber-enabled activities” as described in Obama’s order, by limiting the breadth of the mandate to “any foreign person.” Additionally, it prevents sanctions from being applied “to election-related activities”, seemingly reinforcing the administration’s beliefs that election-related disinformation should not be a national cybersecurity priority.
The directive also cut out the fifth section of Biden’s 2025 order, “Solutions to Combat Cybercrime and Fraud.” The order originally encouraged federal government agencies to accept digital identity documents, calling the Office of Management and Budget (OMB) and National Security Council (NSC) staff to develop mobile driver’s licenses, and asking the Director of the National Institute of Science and Technology (NIST) to support remote digital identity verification. Trump struck this down, with the White House saying the rule “strips away inappropriate measures outside of core cybersecurity focus, including removing a mandate for US government issued digital IDs for illegal aliens that would have facilitated entitlement fraud and other abuse.”
There has been some pushback on this part of the new EO, with the Better Identity Coalition (a project by the Center for Cybersecurity Policy and Law, “working with policymakers to improve digital security, privacy and convenience for everyone”), releasing a statement on X, formerly known as Twitter: “...we’re disappointed to see the administration repeal the digital identity section of January’s cybersecurity executive order - especially given that this language had strong bipartisan support and was praised by cybersecurity and fraud experts…Nothing in January’s EO included a mandate for the US government to issue digital IDs to anybody - immigrants, or otherwise.”
The head of public sector at Socure, Jordan Burris, also voiced concern about the change: “Every day, nation-states, crime rings, and fraudsters are launching coordinated attacks at a relentless velocity, pilfering government programs and victimizing Americans whose identities are stolen. The Trump administration has a meaningful opportunity to encourage the adoption of accurate, modern digital identity verification that will secure our digital leadership and address digital identity fraud at its root.”
Besides the limited sanctions for cybercrime and the end of the digital identity initiative, Trump’s order includes other measures, some of which have received more positive reception. EO 14144 directs the government to push secure software development, post-quantum cryptography remediation, more modern encryption policies, and the certification of secure devices through the Cyber Trust Mark. Cybersecurity and AI Policy Director at OpenPolicy, Michelle Sahar, called the order “a really positive step forward.”
It’s worth noting that some of these changes are still referential to cybersecurity actions from previous administrations, even if not explicitly so. The fact sheet says the new EO “refocuses artificial intelligence (AI) cybersecurity efforts towards identifying and managing vulnerabilities, rather than censorship.” This echoes Trump’s repeal of Biden’s 2023 EO on AI in the first days of his second term. The latest EO suggests that the Biden administration’s calls for AI regulation will still be rebuffed by the current administration.
Adding to the cloudiness of this mixed response, is the uncertainty around the nation’s top cybersecurity agency - the Cybersecurity and Infrastructure Security Agency (CISA). Like many other federal agencies, CISA has been haunted by sweeping budget cuts and staff layoffs. Reportedly, the agency has lost nearly a third of its workforce since Trump came into office. By the end of May, the heads of nearly all (five out of six) of CISA’s operational divisions, limiting the capabilities of more than half (six out of 10) regional offices. Most recently, the acting director of the agency for the last five months, Bridget Bean officially retired from the position, making room for Dr. Madhu Gottumukkala to step up.
This internal shuffle around leadership mirrors the agency’s attempts to work under a senate-confirmed leader. Sean Plankey was nominated to be CISA’s director in March, but has not yet been officially appointed three months later. Plankey’s confirmation has been held up by Senator Ron Wyden (D-OR), who has blocked the action until CISA releases a 2022 report on the security of US telecommunications (a bigger concern since the monumental Salt Typhoon hack).
Even after the personnel turnover is taken into account, CISA still has to work through deep budget cuts. The Trump administration first proposed a $495 million cut that would also eliminate well over 1,000 positions in the FY 2026 budget proposal. This week, CISA was able to walk away with just a $135 million cut (leaving them $2.7 billion to budget), although they may already be 1,000 employees lighter than they were in the last administration. The cut was approved by the House Appropriations Subcommittee on Homeland Security, by a vote of 8-4.
Republicans like Tom Cole (R-OK) defended the smaller budget saying, “the bill provides critical support for cybersecurity technology,” while Democrats like Lauren Underwood (D-IL) criticized the limitations: “The only people who benefit from this bill’s failure to invest here are cybercriminals in China, Russia and around the world who will now find it easier to attack Americans.”
CISA’s shrinking budget and workforce appear a bit at odds with the ambitious goals around advancing key technology described in Trump’s new executive order. Vice president of public sector at Black Kite, Tony Monell, labeled the issue as a “challenge,” and asked what the solution could be: “The challenge is they just let a lot of people go. Agencies were already struggling to find people who are qualified to do this and with the loss of talent we will still have a problem. How do you find people to do the cyber supply chain risk management mission, which is already vastly underfunded?" While the answer is still unclear, it will likely lie in how CISA manages a lighter budget and significantly smaller staff.