President Trump issued an Executive Order on June 6, 2025, that sheds light on the Administration’s approach to cybersecurity and AI by highlighting foreign threats to U.S. cybersecurity, emphasizing federal agencies’ management of AI-related vulnerabilities, and rescinding prescriptive Biden-era requirements for agencies and contractors in favor of more flexible guidance.
While the Executive Order primarily applies to federal agencies and contractors, it provides the private sector with a window into the Administration’s position on important cyber and AI security questions.
In this blog post, we outline key aspects of the Executive Order and explore possible implications for private companies, including software providers.
Overview of the Executive Order
On June 6, 2025, President Trump issued an Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, along with an accompanying fact sheet (the “Fact Sheet”), setting forth the Administration’s cybersecurity priorities and revoking or modifying certain aspects of President Obama’s 2015 Executive Order and President Biden’s January 2025 Executive Order on cybersecurity (the “Obama Order” and the “Biden Order,” respectively).
Key aspects of the Executive Order include:
- a new policy statement underscoring foreign nation-state threats to U.S. cybersecurity;
- a focus on agency management of AI-related vulnerabilities;
- removal of Biden-era prescriptive requirements on agency security practices in favor of more flexible guidance;
- continued emphasis on the security of federal systems, including through secure software development (albeit less prescriptive than prior executive orders), post-quantum cryptography, strengthened cloud security, and protection of space systems;
- preservation of the Federal Communications Commission’s “U.S. Cyber Trust Mark” labeling program for Internet-of-Things products; and
- elimination of provisions in the Biden Order that encouraged federal agencies to accept digital identity documents for access to public benefits programs.
Key Takeaways
- Focus on Foreign Threats
The Executive Order directly refers to China as “the most active and persistent cyber threat to the United States Government, private sector, and critical infrastructure” and also identifies Russia, Iran, and North Korea as “significant threats” to U.S. cybersecurity.
Although it is notable that the Executive Order expressly names these specific countries, concern over cyber threats posed by these countries has spanned administrations. Under the Biden Administration, for example, the Department of Justice issued the “Final Rule on Preventing Access to Sensitive Data” (the “DOJ Rule”), which we have previously discussed in detail. The DOJ Rule, which went into effect on April 8, 2025, established a comprehensive export control regime to restrict the transfer of bulk sensitive data to “countries of concern” deemed threats to U.S. national security—including China, Russia, Iran, and North Korea. Thus far, the Trump Administration has retained the DOJ Rule, although it extended the enforcement date.
These measures reflect past and present administrations’ efforts to address the rise in state-sponsored cyberattacks, particularly emanating from the countries identified by the Executive Order and DOJ Rule (e.g., the 2024 Salt Typhoon attacks on the U.S. telecommunications industry and the North Korean IT worker scams).
The Executive Order also narrows the application of cyber sanctions to foreign persons only. In 2015, the Obama Order established a framework for imposing cyber-related sanctions against “any person” determined to be involved in cyber activity that presents a significant threat to U.S. national security, foreign policy, economic health, or financial stability. The Executive Order replaces the term “any person” with “foreign person.” According to the Fact Sheet, the change is intended to “prevent[] misuse against domestic political opponents and clarify[] that sanctions do not apply to election-related activities.”
The Executive Order’s focus on foreign threats to the cybersecurity of the U.S. government and private sector is a reminder that companies should consider:
- assessing their cyber preparedness based on indicators of compromise and tactics commonly associated with nation-state-sponsored threat groups;
- enhancing their hiring, background check, and identity verification processes for remote IT workers; and
- analyzing whether the DOJ Rule applies to them, and if so, taking steps to ensure compliance or to determine whether any exemptions are available.
- AI-Related Risks & Opportunities for Cybersecurity
The Executive Order acknowledges that AI creates both challenges and opportunities for cybersecurity. As we have discussed in several previous posts, AI presents a variety of cybersecurity risks, including (i) vulnerabilities arising from AI systems themselves; (ii) reliance on third-party providers who may be vulnerable to attacks; and (iii) the use of AI by threat actors to develop malware, identify vulnerabilities, and carry out more targeted and persuasive social engineering attacks.
To that end, the Executive Order maintains the Biden Order’s directive for federal agencies to “incorporate management of AI software vulnerabilities and compromises into their . . . existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.” While this directive is aimed at federal entities, it may signal the expectation for private companies to align with these practices.
Meanwhile, AI can be leveraged to improve cybersecurity in both the public and private sectors. The Executive Order states that AI “has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.”
Despite recognizing the opportunities that AI offers to enhance cyber defenses, the Executive Order scales back several provisions from the Biden Order that encouraged research into, and adoption of, AI to improve U.S. cybersecurity.
Specifically, the Executive Order strikes provisions of the Biden Order that instructed agencies to (i) prioritize research at the intersection of AI and cybersecurity; (ii) launch a pilot program on the use of AI to enhance the cybersecurity of energy sector critical infrastructure; and (iii) establish a program to use advanced AI models for cyber defense. While the Executive Order preserves the requirement that agencies make existing datasets for cyber defense research available to the research community to the extent feasible, it removes the Biden Order’s directive to prioritize funding for the development of new datasets.
The removal of these provisions mandating agency action related to AI comports with the Trump Administration’s broader goal to “remove barriers to AI innovation” by minimizing AI-related regulation, both of private companies and of the government itself. Shortly after taking office in January 2025, President Trump ordered an immediate review of all existing AI-related policies, directives, regulations, and orders that were inconsistent with the goal of enhancing “America’s global AI dominance.” Since then, President Trump has rescinded the Biden-era AI Diffusion Rule to undo what the Trump Administration called “burdensome new regulatory requirements” that would have “stifled American innovation,” and has included a proposed moratorium on all state AI legislation as part of the “One Big Beautiful Bill,” which passed the House of Representatives on May 22 and is currently pending in the Senate.
The intersection between AI and cybersecurity continues to grow rapidly in importance. While the future of AI regulation in the United States remains uncertain, companies should stay vigilant about AI-related vulnerabilities and AI-enabled cyberattacks.
- Secure Software Development—Here to Stay
Notably, the Executive Order removes the prescriptive requirements imposed on contractors for secure software development in the Biden Order but maintains the overall emphasis on secure software development.
As part of the National Cybersecurity Strategy announced in March 2023, President Biden called for enhanced secure software development practices across the private and public sectors. The strategy encouraged public-private collaboration and proposed shifting liability for insecure software from users to software manufacturers and providers through legislation.
The strategy received sharp criticism, including from Committee on Homeland Security Chairman Mark E. Green, MD (R-TN), and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY), who argued that Biden’s strategy promoted “regulation, bureaucracy, and red tape” and would create additional burdens, confusion, and redundancies.
The Trump Administration has chosen to retain President Biden’s directive to establish an industry consortium and develop NIST guidance, signaling support for the idea, but stopping short of embracing the more prescriptive elements.
It will be important for software companies to closely monitor for forthcoming guidance, particularly since the Executive Order does not address Biden’s proposal to develop liability-shifting legislation.
The authors would like to thank Debevoise Summer Associate Gonzalo Núñez for his contribution to this blog post.
The cover art used in this blog post was generated by Microsoft Copilot.