Trump’s New Cybersecurity Order – What Changed and Why It Matters – Quantum Perspective

A New Executive Order Reshapes Cybersecurity Policy: On June 6, 2025, President Donald J. Trump signed a sweeping Executive Order titled Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity, which explicitly amends two earlier orders: Obama-era Executive Order 13694 (2015) and the outgoing Biden administration’s Executive Order 14144 (January 16, 2025). This new order largely preserves the overall framework of those prior cybersecurity initiatives, but it strikes or revises many specific mandates – particularly those related to post-quantum cryptography, digital identity, and other advanced security measures. In essence, the Trump administration is paring back several forward-looking cybersecurity requirements put in place in late 2024, while doubling down on a more narrow set of “core” cyber defenses.

One of the most significant changes is the rollback of quantum-resistant security mandates. Executive Order 14144, signed in the final days of the previous administration, had directed federal agencies to begin adopting post-quantum cryptography (PQC) “as quickly as feasible” and even urged technology vendors and allied nations to follow suit. That ambitious push has now been curtailed. The new order removes those urgent PQC adoption requirements and strips out directives that would have soon included PQC standards in federal procurement. Instead, it leaves only two modest quantum-security provisions in place: a requirement for the Cybersecurity and Infrastructure Security Agency (CISA) to keep a list of product categories where PQC-capable tools are widely available, and a long-term deadline for agencies to support the latest encryption protocols (Transport Layer Security 1.3 or its successor) by 2030. In other words, where the prior policy had agencies gearing up for a rapid transition to quantum-safe encryption, the new policy presses pause – pushing any broad PQC implementation out toward the end of the decade. Gone, too, are the instructions that agencies include PQC requirements in solicitations for new products and begin using “hybrid” quantum-resistant key exchanges once available, as well as an Obama/Biden-era initiative to encourage U.S. allies to adopt the NIST-approved PQC algorithms internationally. These quantum-security rollbacks mark a notable shift in federal posture, effectively delaying government-wide PQC migration timelines and easing pressure on contractors to upgrade their cryptography in the near term.

Beyond the quantum realm, the Executive Order eliminates or revises several other cybersecurity measures from EO 14144. It completely scraps the section on digital identity verification (Section 5 of the previous order), which had promoted initiatives like mobile driver’s licenses and improved ID vetting to combat fraud. In line with that deletion, a planned pilot program to help states issue secure digital IDs and an “early warning system” for identity theft in government benefits were dropped. The new order also drops mandates for phishing-resistant authentication and certain email security upgrades. Biden’s EO 14144 had directed federal civilian agencies to implement phishing-resistant multi-factor logins (such as FIDO/WebAuthn tokens) and instructed the Office of Management and Budget (OMB) to require enhanced encryption for email transit between agencies. Both of those requirements have been removed – a rollback partially softened by the fact that other policies (like OMB’s existing Zero Trust strategy) still call for strong authentication measures. Similarly, a feasibility study on implementing end-to-end encryption for federal email was axed. In place of these omitted items, the order emphasizes a few more traditional cybersecurity efforts: it directs NIST to update guidance on secure software development and patching, urges agencies to improve internet routing security (BGP) and IoT device security labels, and refocuses federal use of artificial intelligence toward finding vulnerabilities rather than “censorship” or other contested areas.

The adjustments to Executive Order 13694 – which since 2015 has authorized sanctions against malicious cyber actors – are smaller but symbolically important. The new language narrows those cyber sanctions to apply only to “foreign” malicious actors, rather than “any person” as originally written. The White House’s fact sheet explains that this is meant to prevent any misuse of cyber sanctions against domestic political opponents and to clarify that they don’t apply to U.S. election-related activities. In practical terms, this means U.S. cyber sanctions can no longer target Americans or entities engaging in domestic cyber activity – a notable change prompted by concerns over potential overreach. Aside from that tweak, no other major Obama-era or Trump-era cybersecurity executive orders (such as 2017’s EO 13800 or 2021’s EO 14028) were rescinded or altered by this action.

Impact on PQC Adoption and Modernization: The practical effect of these revisions is to slow down some of the federal government’s previously aggressive cybersecurity timelines. In particular, the retreat from the post-quantum cryptography mandates means agencies have more breathing room – but at the cost of postponing critical upgrades. Under the prior EO 14144 and accompanying memos, agencies were expected to begin the transition to quantum-safe encryption immediately and include PQC requirements in new contracts within months. Those hard deadlines have now been removed. Without a White House mandate or near-term procurement requirements, experts worry that government adoption of PQC could slip by years. The federal enterprise will still move toward quantum-resistant systems – but likely on a stretched timetable, with 2030 now set as the outer marker for adopting updated protocols like TLS 1.3. From an agency procurement standpoint, contractors are no longer compelled to provide proof of PQC support in order to win certain federal contracts in the immediate future. This may reduce compliance burdens in the short run, yet it also diminishes the incentive for vendors to accelerate development of quantum-safe solutions for government use. More broadly, several pieces of the prior administration’s cyber modernization agenda – from advanced identity solutions to ubiquitous encryption of government data in transit – have been dialed back or delayed. The new order “sustains” some efforts (like software supply-chain security and IoT standards) but selectively prunes others that were deemed outside core cybersecurity. The result is a recalibration of federal priorities: an emphasis on foundational cyber hygiene and threat-focused defenses, with less directive from the top on innovative or long-range protections such as quantum readiness. This calibrated approach has drawn both support and criticism – support from those who felt the previous mandates were too onerous or premature, and concern from those who believe the window for quantum-proofing our infrastructure is narrowing with each passing year.

My Perspective on These Changes

I have been working in the trenches on quantum readiness and cybersecurity policy, and from that vantage point, the changes in this executive order are deeply concerning. To be clear, I agree with the goal of focusing on immediate cyber threats – no one disputes that nation-state hackers and ransomware crews are active right now. But scaling back our preparations for the quantum threat is a risky gamble. The danger of “harvest now, decrypt later” isn’t hypothetical – it’s happening today. Adversaries are already siphoning up encrypted sensitive data, assuming that in 5 or 10 years a powerful quantum computer will let them decrypt it at will. Intelligence officials have been warning about this for some time, and it was precisely why the previous policy pushed agencies to adopt PQC urgently. By removing that urgency – by saying, in effect, “we can wait until closer to 2030 to really get quantum-ready” – we are widening the window of vulnerability for any long-lived secrets. Every additional year that federal agencies continue using legacy encryption for high-value data is another year that hostile actors can intercept those communications and archive them, betting that a future cryptanalytically relevant quantum computer (CRQC) will crack them open. From classified intelligence and military communications to citizens’ personal data held in government systems, the stakes are enormous. I worry that without a mandate, some agencies will quietly put off the hard work of upgrading cryptography – and by the time a looming quantum decryption capability becomes undeniable, it could be too late to retrofit our security in time.

Another concern is the loss of U.S. leadership in the global transition to PQC. Until now, the United States has been at the forefront: NIST led the world in selecting quantum-resistant algorithms, and federal policymakers signaled that America would be first in line to deploy them. EO 14144 even instructed agencies to work with international partners to promote NIST’s standards abroad. All of that sent a powerful message that the U.S. was serious about driving a coordinated, worldwide move to safer cryptography. Now, that message has grown muddled. By stripping out the requirement to include PQC in federal solicitations and by dropping the call to rally allies around our standards, the new order creates a vacuum. Allies who were watching U.S. timelines closely might now slow their own efforts, or worse, question the viability of the NIST-chosen algorithms if the U.S. government appears less than fully committed. Competing nations could seize the opportunity to push their homegrown post-quantum solutions as alternatives. In the race to secure the future internet, consistency and leadership matter – and I fear the U.S. just signaled a step back at a time when we need to be sprinting forward. Global standardization efforts thrive on momentum and unity; losing either could result in a fragmented security landscape where not everyone is protected equally against the coming quantum decryption capability.

From my perspective as someone deeply involved in quantum security, the biggest risk is complacency. Federal agencies have no shortage of cybersecurity fires to fight; if Washington is no longer emphatically prioritizing post-quantum migration, it will fall off many people’s radar. I’ve seen this pattern before: when a requirement is rolled back, busy program managers tend to assume it’s something they can table for later. The problem is that quantum preparedness can’t just be flipped on at the last minute. It’s a massive undertaking – inventorying all our cryptographic systems, updating standards, testing new solutions, swapping out or retrofitting hardware in some cases, and doing it all without breaking legacy systems. That process takes years, and it needs sustained political will to drive it. By easing the pressure now, we’re almost guaranteeing a more chaotic scramble down the road when quantum threats can no longer be ignored. The timeline hadn’t been overly cautious to begin with: even under the prior plan, the federal target for full implementation of quantum-safe cryptography was 2035, which many of us already viewed as optimistic. With this new order, I worry some agencies will slip even further behind, especially if funding for PQC initiatives gets diverted to other uses in the interim.

So, what should happen next? In the absence of a top-down mandate, the onus falls on the rest of us – agencies, industry vendors, and lawmakers – to keep the momentum alive. First, federal agencies that understand the stakes should continue their quantum-readiness work voluntarily. It’s worth noting that National Security Memorandum-10 (NSM-10) from May 2022, which laid out the roadmap for U.S. quantum readiness, is still in effect, as is the follow-on OMB guidance (Memo M-23-02) that gave agencies specific deadlines for inventorying and upgrading systems. The new executive order doesn’t erase those; it simply isn’t reinforcing them. I would urge agency leaders, especially CIOs and CISOs in the defense, intelligence, and critical infrastructure sectors, to treat NSM-10 and the OMB timelines as de facto requirements. Continue identifying where your sensitive communications use quantum-vulnerable encryption, continue testing PQC implementations (many agencies have pilot projects with the NIST algorithms already), and even without a White House push, start including PQC language in your contracts where feasible. In fact, some contracts may still effectively require it – consider that CISA will publish the list of PQC-ready product categories by the end of this year as directed. Nothing stops an agency from deciding, “list or no list, we’re going to prefer vendors who offer quantum-safe capabilities” – and I believe the most forward-thinking agencies will do exactly that to future-proof their procurements.

Private-sector vendors likewise shouldn’t slow down. Many tech companies and federal contractors have invested heavily in developing quantum-resistant encryption for their products over the past two years. That investment was driven in part by the expectation of looming federal requirements. Even though the official requirement got rolled back, the fundamental risk – and thus the eventual market demand – remains. Enterprises in finance, healthcare, and other industries aren’t going to wait for the government if they see a quantum threat on the horizon; some are already starting their migrations to PQC for long-lived data. Vendors that continue to build PQC into their offerings will have a competitive edge both globally and in the private U.S. market (and they’ll be ready when federal mandates inevitably return). In short, it’s the right business decision and the right security decision to stay on course. I’d also note that our adversaries are not hitting pause – companies need to assume that hostile actors are still trying to breach systems today to steal data, knowing they might decrypt it in a decade. If that doesn’t justify pressing forward with quantum-safe encryption, I don’t know what will.

Finally, Congress and other policymakers can step up to fill the void left by this executive order. We’ve seen in the past that when executive action slows, legislative action sometimes takes its place. For example, Congress could incorporate PQC adoption mandates or reporting requirements into law – perhaps as part of the annual National Defense Authorization Act (NDAA) or future cybersecurity legislation. A straightforward step would be requiring agencies to report on their progress toward quantum-resistant encryption by certain dates, keeping the pressure on via oversight rather than executive fiat. Lawmakers could also earmark funding specifically for post-quantum transition efforts. One of the challenges frequently cited by agencies is cost – the OMB estimated over $7 billion may be needed this decade for the PQC transition. Without clear direction, that funding might dry up or get re-prioritized. Congress ensuring those resources remain available (and tied to concrete milestones) would make a big difference. Additionally, continuing to support NIST and the international standards process is key. The algorithms have been chosen, but implementation standards (for example, how to integrate PQC into protocols like TLS, IPsec, etc.) are still being refined. U.S. representation and leadership in those technical standards bodies will help keep the world on track, even if the White House is less vocal at the moment.

In conclusion, I find myself both disappointed and determined. Disappointed that an opportunity to boldly fortify global cyber defenses against tomorrow’s threats has been tempered – but determined to continue the mission through other avenues. Quantum computing’s ability to break our encryption is often called a looming “Y2Q” event (a reference to the Y2K bug), and in my view we should treat it with similar urgency. Even without an Executive Order forcing the issue, we know what needs to be done. My hope is that the cybersecurity community will treat this not as a full stop, but as a call to action to redouble our efforts from the ground up.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.