Month: June 2025

Trump’s Executive Order 14144 Overhaul, Part 2: Analysis of Post Quantum Cryptography Clauses

Trump’s Executive Order 14144 Overhaul, Part 2: Analysis of Post Quantum Cryptography Clauses

While Part 1 explored how the amendment reinforced a sanctions-led approach and repositioned AI policy within the broader cybersecurity doctrine, this second instalment shifts focus to its most understated move — the cryptographic recalibration. Executive Order 14144’s treatment of Post-Quantum Cryptography (PQC) may appear procedural at first glance, but in its omissions and realignments lies a deeper signal about how the United States intends to balance resilience, readiness, and sovereignty in a quantum-threatened world.

Executive Summary

The June 2025 amendment to Executive Order 14144 quietly redefines the United States’ approach to Post-Quantum Cryptography (PQC). While it retains the recognition of CRQC as a threat and maintains certain tactical mandates such as TLS 1.3, it rolls back critical enforcement mechanisms and abandons global coordination. This signals a strategic recalibration, shifting from enforced transition to selective readiness. For enterprise CISOs, vendors, and cybersecurity strategists, the message is clear: leadership on PQC will now emerge from the ground up.

What the Amendment Changed

The Trump administration’s June 2025 revision to EO 14144 leaves much of the cryptographic threat framing intact, but systematically reduces deployment timelines and global mandates. Notably:

  • CRQC remains listed as a critical national threat
  • TLS 1.3 mandate remains, now with clarified deadlines
  • SSDF and patching guidance are retained
  • The CISA product list deadline is upheld

However, three key changes undermine its enforceability:

  • The 90-day procurement trigger for PQC tools is removed
  • Agencies are no longer required to deploy PQC when available
  • The international coordination clause promoting NIST PQC globally is eliminated

Why the International Clause Matters

The removal of the global coordination clause is more than a bureaucratic adjustment; it represents a strategic shift.

Possible Reasons:

  • Geopolitical pragmatism: Aligning allies behind NIST PQC may be unrealistic with Europe pursuing crypto-sovereignty and China promoting SM2
  • Avoiding early lock-in: Promoting PQC globally before commercial maturity risks advocating immature technologies
  • Supply chain nationalism: This may be a move to protect the domestic PQC ecosystem from premature exposure or standards capture
  • Sanctions-first strategy: The EO prioritises the preservation of cyber sanctions infrastructure, signalling a move from soft power (standards promotion) to hard deterrence

This aligns with the broader tone of the EO amendment, consolidating national tools while reducing forward-facing mandates.

From Mandate to Optionality: PQC Enforcement Rolled Back

The deletion of the PQC procurement requirement and deployment enforcement transforms the United States’ posture from proactive to reactive. There is no longer a mandate that agencies or vendors use post-quantum encryption; instead, it encourages awareness.

This introduces several risks:

  • Agencies may delay PQC adoption while awaiting further guidance
  • Vendors face uncertainty, questioning whether to prepare for future mandates or focus on current market readiness
  • Federal supply chains may remain vulnerable well into the 2030s

Strategic Implications: A Doctrine of Selective Resilience

This amendment reflects a broader trend: preserving the appearance of resilience without committing to costly transitions. It signifies:

  • A shift towards agency-level discretion over central enforcement
  • A belief that commercial readiness should precede policy enforcement
  • A pivot from global cyber diplomacy to domestic cyber deterrence

This is not a retreat, it is a repositioning.

What Enterprises and Vendors Should Do Now

Despite the rollback, the urgency surrounding PQC remains. Forward-thinking organisations should:

  • Inventory vulnerable cryptographic systems such as RSA and ECC
  • Introduce crypto-agility frameworks to support seamless algorithm transitions
  • Explore hybrid encryption schemes that combine classical and quantum-safe algorithms
  • Monitor NIST, NSA (CNSA 2.0), and OMB guidance closely

For vendors, supporting PQC and crypto-agility will soon become a market differentiator rather than merely a compliance requirement.

Conclusion: Optionality is Not Immunity

The Trump EO amendment does not deny the quantum threat. It simply refrains from mandating early adoption. This increases the importance of voluntary leadership. Those who embed quantum-resilient architectures today will become the trust anchors of the future.

Optionality may offer policy flexibility, but it does not eliminate risk.

References and Further Reading

  1. Executive Order 14144 (January 2025)
  2. EO Amendment (June 2025)
  3. NIST PQC Project
  4. NSA CNSA 2.0 Requirements
  5. OMB M-23-02 Memo on Cryptographic Inventory
Trump’s Executive Order 14144 Overhaul, Part 1: Sanctions, AI, and Security at the Crossroads

Trump’s Executive Order 14144 Overhaul, Part 1: Sanctions, AI, and Security at the Crossroads

I have been analysing cybersecurity legislation and policy for years — not just out of academic curiosity, but through the lens of a practitioner grounded in real-world systems and an observer tuned to the undercurrents of geopolitics. With this latest Executive Order, I took time to trace implications not only where headlines pointed, but also in the fine print. Consider this your distilled briefing: designed to help you, whether you’re in policy, security, governance, or tech. If you’re looking specifically for Post-Quantum Cryptography, hold tight — Part 2 of this series dives deep into that.

Image summarising the EO14144 Amendment

“When security becomes a moving target, resilience must become policy.” That appears to be the underlying message in the White House’s latest cybersecurity directive — a new Executive Order (June 6, 2025) that amends and updates the scope of earlier cybersecurity orders (13694 and 14144). The order introduces critical shifts in how the United States addresses digital threats, retools offensive and defensive cyber policies, and reshapes future standards for software, identity, and AI/quantum resilience.

Here’s a breakdown of the major components:

1. Recalibrating Cyber Sanctions: A Narrower Strike Zone

The Executive Order modifies EO 13694 (originally enacted under President Obama) by limiting the scope of sanctions to “foreign persons” involved in significant malicious cyber activity targeting critical infrastructure. While this aligns sanctions with diplomatic norms, it effectively removes domestic actors and certain hybrid threats from direct accountability under this framework.

More controversially, the order removes explicit provisions on election interference, which critics argue could dilute the United States’ posture against foreign influence operations in democratic processes. This omission has sparked concern among cybersecurity policy experts and election integrity advocates.

2. Digital Identity Rollback: A Missed Opportunity?

In a notable reversal, the order revokes a Biden-era initiative aimed at creating a government-backed digital identity system for securely accessing public benefits. The original programme sought to modernise digital identity verification while reducing fraud.

The administration has justified the rollback by citing concerns over entitlement fraud involving undocumented individuals, but many security professionals argue this undermines legitimate advancements in privacy-preserving, verifiable identity systems, especially as other nations accelerate national digital ID adoption.

3. AI and Quantum Security: Building Forward with Standards

In a forward-looking move, the order places renewed emphasis on AI system security and quantum-readiness. It tasks the Department of Defence (DoD), Department of Homeland Security (DHS), and Office of the Director of National Intelligence (ODNI) with establishing minimum standards and risk assessment frameworks for:

  • Artificial Intelligence (AI) system vulnerabilities in government use
  • Quantum computing risks, especially in breaking current encryption methods

A major role is assigned to NIST — to develop formal standards, update existing guidance, and expand the National Cybersecurity Centre of Excellence (NCCoE) use cases on AI threat modelling and cryptographic agility.

(We will cover the post-quantum cryptography directives in detail in Part 2 of this series.)

4. Software Security: From Documentation to Default

The Executive Order mandates a major upgrade in the federal software security lifecycle. Specifically, NIST has been directed to:

  • Expand the Secure Software Development Framework (SSDF)
  • Build an industry-led consortium for secure patching and software update mechanisms
  • Publish updates to NIST SP 800-53 to reflect stronger expectations on software supply chain controls, logging, and third-party risk visibility

This reflects a larger shift toward enforcing security-by-design in both federal software acquisitions and vendor submissions, including open-source components.

5. A Shift in Posture: From Prevention to Risk Acceptance?

Perhaps the most significant undercurrent in the EO is a philosophical pivot: moving from proactive deterrence to a model that manages exposure through layered standards and economic deterrents. Critics caution that this may downgrade national cyber defence from a proactive strategy to a posture of strategic containment.

This move seems to prioritise resilience over retaliation, but it also raises questions: what happens when deterrence is no longer a credible or immediate tool?

Final Thoughts

This Executive Order attempts to balance continuity with redirection, sustaining selective progress in software security and PQC while revoking or narrowing other key initiatives like digital identity and foreign election interference sanctions. Whether this is a strategic recalibration or a rollback in disguise remains a matter of interpretation.

As the cybersecurity landscape evolves faster than ever, one thing is clear: this is not just a policy update; it is a signal of intent. And that signal deserves close scrutiny from both allies and adversaries alike.

Further Reading

https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/

Bitnami