On June 6, 2025, the Trump Administration released Executive Order 14306 (E.O. 14306) titled Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. This E.O. marks a shift from previous administrations on cyber policy—and in particular, within the narrower area of cybersecurity policy. Where other administrations had previously sought greater consolidation of cybersecurity responsibilities at the federal level, E.O. 14306 seeks to redistribute these responsibilities among industry participants or remove the responsibilities altogether. This CRS Insight explores these changes in a historical context.
Cyber is a broader term that refers to any information technology, system, network, data, or digital thing. Cybersecurity is a narrower term that refers to the protection of an information technology, system, network, data, or digital thing.
Two decades ago, the federal government's cyber policy, in general, was largely centered around encouraging voluntary actions by the private sector and establishing public-private partnerships. While those are still tenets of the federal government's cybersecurity strategy, additional policies have supplemented or replaced previous ones to direct more specific actions from federal agencies and drive larger changes in the private sector. The Biden Administration's presidential actions were the most extensive set of policies, and sought to shift cybersecurity responsibilities away from each individual company toward those companies and entities that provide information technology (IT) goods and services (e.g., cloud service providers and software companies). They also established greater federal leadership on cybersecurity issues.
Executive Order 14144 (E.O. 14144) titled Strengthening and Promoting Innovation in the Nation's Cybersecurity was released by the Biden Administration on January 16, 2025. It sought to build upon the cybersecurity work of Executive Order 14028, but since it was released in the waning days of the administration, many of its efforts did not start and/or were not taken up by the Trump Administration.
Policies set forth in E.O. 14144 include
Executive Order 13694 (E.O. 13694) titled Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities was released by the Obama Administration on April 1, 2015. It established the federal policies around using authorities granted by the International Emergency Economic Powers Act (IEEPA), the National Emergencies Act (NEA), and the Immigration and Nationality Act of 1952 (INA) to issue sanctions against malicious actors who use cyberspace to carry out their attacks. E.O. 13694 limited sanctions to "significant" events. E.O. 14144 removed that threshold.
The Trump Administration did not revoke previous cybersecurity executive orders, nor did it direct a review of prior ones, as was done with critical infrastructure security and resilience policy. Instead, E.O. 14306 kept the text from E.O. 14144 and E.O. 13694 in place and performed line edits to remove text or policies with which the administration disagrees. In doing so, the Administration established policies to reduce the involvement of federal agencies in shaping the nation's cybersecurity posture while also giving the private sector greater influence.
Policy changes include
Some policies persist across these executive orders:
The President's nominees for the National Cyber Director and Director of the Cybersecurity and Infrastructure Security Agency are pending confirmation in the Senate. If confirmed, their potential work toward a new national cybersecurity strategy could provide greater detail on how agencies may implement administration priorities. Currently, the President's Budget for FY2026 and agency budgets offer some indications of how the Trump Administration is generally seeking to allocate cybersecurity resources—largely through reduced cybersecurity allocations at agencies.
Policymakers may choose to scrutinize both the executive order and the President's Budget as they pertain to congressional prerogatives, which could include