“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity...”

“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity…”

August 2025, Anne Purtell, CREST International

On June 6, 2025, President Trump signed a modified Executive Order (EO) 14144, titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity…” Combined with cuts to cyber security funding in the President’s 2026 budget proposal, these recent actions signal a definitive shift away from centralized cybersecurity oversight and compliance at the federal level. Reducing risk from cyber security incidents will fall more and more to private industry as they take on a greater role in assuring resilience and trust. The support given to private industry by high quality cyber service providers, that have been independently assured against internationally recognized standards, has never been greater.

Modifications made to the previous EO 14144 include;

Directing the Federal government to advance secure software development and patch deployment through updates to the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF) and Security and Privacy Controls for Information Systems and Organizations. Guidance will be delivered in lieu of submission of software development attestations and related data.
Removal of certain AI directives from the previous EO 14144, including a pilot program on the use of AI to enhance cyber defense of critical infrastructure in the energy sector as well as a directive for AI research on topics including methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems. Instead, the EO focuses on private sector innovation as a driving force for AI and encourages federal government management of AI software vulnerabilities and compromises for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.
Requires the Cybersecurity and Infrastructure Security Agency (CISA) to keep a list of product categories where post-quantum cryptography (PQC)-capable tools are widely available but no longer instructs agencies include PQC requirements in solicitations for new products. The requirement for federal agencies to begin adopting PQC “as quickly as feasible” and request to technology vendors and foreign governments to follow suit has been eliminated.

The EO continues to prioritize several key cyber security directives

NIST, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) are to establish and publish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance regarding cybersecurity.
The Department of Homeland Security (via CISA and OMB) is to issue recommendations on federal agencies’ use of security assessments and patching of open-source software as well as best practices for contributing to open-source software projects.
The Federal Acquisition Register (FAR) Council is to amend the FAR to reflect the requirement for vendors to the Federal Government of consumer Internet-of-Things products, to carry the Cyber Trust Mark labeling for those products.

The White House framed the EO as a means to bolster public cybersecurity through strategic policymaking, but achieving this goal will need to be balanced with their proposed $1.23 billion cut to the federal cyber budget—a 10% decrease from 2024 levels. These reductions are not uniformly applied across agency budgets: while some agencies face deep cuts, others see increases in their funding.

The Social Security Administration and the Department of Transportation would receive the highest percentage increases (31% and 30%, respectively).
The Department of the Treasury faces a 57% budget reduction, and the Environmental Protection Agency would see a 38% cut.
USAID and the National Science Foundation have lost all cyber security funding
The Department of Energy retains the largest cybersecurity budget but would face a 13% decrease—from $1.159 billion to $1.028 billion.

CISA is expected to reduce its workforce by nearly 30% and to lose $495 million from its budget. The Cybersecurity Division specifically would lose $216 million—18% of its current funding—it is yet to be seen whether these cuts can be absorbed without impacting its role in securing government networks and critical infrastructure.

As the direction of travel for federal strategy moves toward limiting regulatory scope, prioritizing decentralization, and with fewer and simpler compliance mandates for federal agencies and their contractors, robust cyber security efforts within private industry will be critical. Combined with federal funding cuts, these changes in policy direction create a significant opportunity to drive demand for responsible industry innovation and adaptability in order to maintain national cyber resilience.

With the removal of software development attestations relating to NIST’s SSDF, other internationally recognized frameworks will need to come to the fore. For example, CREST’s Accreditation Framework (specifically the CREST Application Security testing accreditation – OWASP Verification Standard (OVS)), offers a practical and voluntary model for cyber service providers to demonstrate capability, essential where trust from both software developers and their consumers is critical but regulation has been scaled back.

According to the Whitehouse, “President Trump has made it clear that this Administration will do what it takes to make America cyber secure—including focusing relentlessly on technical and organizational professionalism to improve the security and resilience of the nation’s information systems and networks.” Properly executed, reductions in cyber security spending and regulation can be balanced by thoughtful and robust self-regulation. CREST’s established framework for accrediting organizations and certifying professionals enables exactly this kind of self-governance. It offers a structured, independent way for industry to demonstrate professionalism and maturity, without waiting for regulatory prompts. To find a trusted cyber service provider or to apply for CREST accreditation, please visit www.crest-approved.org.