Trump quietly throws out Biden's cyber policies

Illustration: Maura Losch/Axios
President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday.
Why it matters: Until now, it has been unclear which Biden-era cybersecurity policies the Trump administration would keep — if any.
- Cybersecurity is a rare bipartisan area. It's pretty common for new administrations to keep their predecessors' programs in place.
Driving the news: Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy — while keeping a few others.
- The order preserves efforts around post-quantum cryptography, advanced encryption standards, and Border Gateway Protocol security, along with the Cyber Trust Mark program — an Energy Star-type labeling initiative for consumer smart devices.
- But hallmark programs tied to software bills of materials, zero-trust implementation, and space contractor cybersecurity requirements have been either rescinded or left in limbo.
- The new executive order amends both the Biden cyber executive order signed in January and an Obama administration order.
Zoom in: Each of the following Biden-era programs is now out the door or significantly rolled back:
- A broad requirement for federal software vendors to provide a software bill of materials — essentially an ingredient list of code components — is gone.
- Biden-era efforts to encourage federal agencies to accept digital identity documents and help states develop mobile driver's licenses were revoked.
- Several AI cybersecurity research mandates, including those focused on AI-generated code security and AI-driven patch management pilots, have been scrapped or deprioritized.
- The requirement that software contractors formally attest they followed secure development practices — and submit those attestations to a federal repository — has been cut. Instead, the National Institute of Standards and Technology will now coordinate a new industry consortium to review software security guidelines.
The big picture: If this executive order is a blueprint, Trump 2.0 appears poised to adopt a less prescriptive, more decentralized approach to cybersecurity — focused on paring back federal mandates and shifting more discretion to agencies and state governments.
Flashback: The Biden administration emphasized holding not just foreign adversaries accountable for cyberattacks, but also software makers whose insecure products left federal systems vulnerable.
- Much of that vision involved a long-term public-private effort to build stronger accountability and transparency in software development — a campaign that now appears to be on pause.
What they're saying: Reaction to the executive order has been mixed as officials have only begun to parse its full implications.
- Jordan Burris, head of public sector at identity verification company Socure, called on the administration to "put forward a new blueprint for digital identity protection and fraud prevention," noting recent Chinese and Russian attacks on digital identity infrastructure.
- Other stakeholders appeared to be reassured that the administration is continuing to focus on secure software development, even if the mechanisms are changing.
