This is the first in a new series of Covington blogs on cybersecurity policies, executive orders, and other actions of the new Trump Administration. This blog describes key cybersecurity developments that took place in January and February 2025. Below, we outline three developments affecting cybersecurity in January and February 2025, including one from the Biden Administration, which has not been rescinded.
Biden Administration Issues Second Cybersecurity Executive Order
On January 16, in one of the final acts of the Biden Administration, the White House issued Executive Order (”EO”) 14144 on “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” EO 14144 expands on the National Cybersecurity Strategy and EO 14028, Improving the Nation’s Cybersecurity, which we first previously wrote about here. This new EO requires a range of additional security enhancements to U.S. government and supporting digital infrastructure, including improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and use of emerging technologies for cybersecurity across agencies and with the private sector.
For example, to enhance third-party risk management practices, EO 14144 directs the Office of Management and Budget to recommend to the Federal Acquisition Regulation (“FAR”) Council contract language requiring software providers to submit to the Cybersecurity and Infrastructure Security Agency (“CISA”) (a) machine-readable secure software development attestations; (b) high-level artifacts to validate those attestations; and (c) a list of the providers’ Federal Civilian Executive Branch (“FCEB”) agency software customers. If CISA finds the attestations incomplete or the artifacts insufficient to validate the attestation, CISA will notify the software provider and establish a process for the provider to meet the requirements necessary to undergo validation. For attestations that undergo validation, the National Cyber Director is encouraged to refer attestations that fail validation to the Attorney General for action as appropriate.
EO 14144 also requires Federal agencies to adopt security practices from industry including deploying identity management practices, such as phishing-resistant authentication standards, to enhance secure communications by implementing encryption, and to include contract language for internet service providers to adopt and deploy internet routing security technologies. In addition, the EO directs CISA to develop the technical capability to gain access to data from Federal agencies to support coordinated cyber threat hunting and identification and vulnerability detection. It also calls for an update to FedRAMP policies such that cloud service providers will produce baseline specifications and recommendations for agency configuration of cloud-based systems to enhance security of Federal data.
The EO also focuses on the expanded use of Artificial Intelligence (“AI”) in promoting cybersecurity, providing for the creation of AI pilot programs and enhanced research to assist with vulnerability detection, automatic patch management, and the identification and categorization of malicious activity across government IT systems.
Trump Administration Rescinds 78 Biden Administration Executive Orders, But Not the Biden Administration’s Cybersecurity Executive Orders
On the first day of his second term, President Trump rescinded 78 EOs issued by President Biden, including EO 14110, “Safe, Secure, and Trustworthy Development and Use of AI.” (We covered the recission of the AI EO here.) However, President Trump did not rescind or modify President Biden’s first or second cybersecurity EOs, even though the second cyber EO, EO 14144 (see section above), was issued less than a week before President Trump assumed office. The survival of those two EOs may suggest the Trump Administration’s willingness to continue, at least in part, the cybersecurity policies of the Biden Administration. Still, the Trump Administration announced that it is continuing to review Biden Administration EOs and policies, which means that the continued existence of the two Biden cybersecurity EOs– and the policies reflected therein– remains uncertain.
Hiring of New DoD CISO, Katie Arrington, Suggests a Renewed Focus on CMMC
The government’s hiring of Ms. Katie Arrington on February 18, 2025 as the new Chief Information Security Officer (“CISO”) for the Department of Defense (“DoD”) and subsequent designation as the Acting Chief Information Officer for DoD represents a development in cybersecurity. Katie Arrington, while previously serving at DoD in the Office of the Under Secretary of Defense for Acquisition and Sustainment in the first Trump Administration, was a key figure in the development of design of the Cybersecurity Maturity Model Certification (“CMMC”) Program. Accordingly, it seems likely DoD will continue prioritizing implementation of the CMMC Program within the Department.
The CMMC Program, which we most recently wrote about here, is the governing Program for imposing and enforcing safeguarding requirements on DoD contractors for Federal Contract Information and Controlled Unclassified Information. On October 15, 2024, DoD released the final CMMC Program Rule (which took effect on December 16, 2024), formally establishing CMMC and laying out an implementation plan for the Rule, once the related and implementing Defense Federal Acquisition Regulation Supplement (“DFARS”) rule is finalized. The specific timing of finalization of the DFARS rule is still uncertain.