New Executive Order Updates Cybersecurity Requirements for Federal Contractors and Subcontractors

Executive Order 14306: A Shift in U.S. Cybersecurity Policy

On June 6, 2025, President Donald Trump issued Executive Order 14306 (E.O. 14306), marking a significant pivot in the United States’ approach to cybersecurity. This order rescinds several cybersecurity requirements and policies established during the Biden Administration, particularly those affecting federal contractors and subcontractors. While E.O. 14306 aims to streamline regulations perceived as barriers to private sector growth, it retains essential protections against cyber threats, especially those from foreign adversaries.

Background of E.O. 14306

E.O. 14306 amends two previous executive orders: E.O. 13694 and E.O. 14144. E.O. 13694, signed by President Barack Obama in 2015, authorized sanctions against actors engaging in malicious cyber activities that threaten critical infrastructure and economic stability. E.O. 14144, issued by President Joe Biden in January 2025, directed federal agencies to impose stricter cybersecurity requirements on contractors, including mandates for software developers to attest to their cybersecurity practices.

The new executive order significantly alters the landscape established by E.O. 14144, repealing certain provisions while retaining others deemed crucial for national security.

Key Changes Introduced by E.O. 14306

Scaling Back Cybersecurity Requirements

E.O. 14306 is characterized as a "reprioritization" of cybersecurity efforts. The Trump Administration argues that previous requirements micromanaged technical decisions better suited for individual agencies. Key removals include:

  1. Attestations and Artifacts Requirements: The order eliminates the requirement for contractors to submit validated attestations regarding secure software development practices. This shift aims to reduce bureaucratic burdens and empower industry leaders to develop their own validation practices.

  2. Digital Identity Verification Systems: E.O. 14306 removes mandates for federal agencies to accept digital identity documents for accessing public benefits, citing concerns over potential misuse by unauthorized individuals.

  3. Modifications to Cybersecurity Policies: The order modifies existing policies to explicitly name China as the primary cyber threat while downplaying the urgency of certain cybersecurity measures, such as the use of advanced AI for cyber defense.

Retained Protections

Despite the scaling back of several requirements, E.O. 14306 retains critical protections, particularly those related to the Defense Federal Acquisition Regulations. Notably:

  • NIST Security Requirements: Defense contractors must still comply with 110 security requirements for controlled unclassified information, ensuring a baseline level of cybersecurity.

  • Cybersecurity Maturity Model Certification (CMMC): The Department of Defense is finalizing rules for the CMMC program, which mandates that contractors assess their cybersecurity standards based on the sensitivity of the information they handle.

Implications for Federal Contractors

The changes introduced by E.O. 14306 signal a shift in how the federal government will approach cybersecurity regulations. Contractors and subcontractors must remain vigilant in monitoring these developments to understand which requirements are still in effect and how they will be enforced.

Ongoing Compliance Obligations

While many provisions from E.O. 14144 have been rolled back, several key obligations remain intact. These include:

  • Internet Number Resources: Agencies must ensure that assigned internet resources are covered by appropriate agreements with internet registries.

  • DNS Resolver Security: Requirements for DNS resolvers to support encrypted DNS remain unchanged, emphasizing the importance of securing internet routing.

  • Cyber Trust Mark Labeling: Vendors providing Internet of Things products to the federal government must continue to label their products with the US Cyber Trust Mark, ensuring a standard for cybersecurity in consumer devices.

Conclusion

E.O. 14306 represents a significant shift in U.S. cybersecurity policy, scaling back many compliance obligations while retaining essential protections against cyber threats. As the federal government navigates this new landscape, contractors and subcontractors must adapt their cybersecurity strategies to align with the evolving requirements. The order serves as a roadmap for understanding how federal cybersecurity standards may continue to evolve, highlighting the need for ongoing vigilance and adaptability in the face of emerging cyber threats.
