Supply chain security in focus: Navigating amendments to Executive Orders 13694 and 14144
Jul 18, 2025 · Authored by Leo Alvarez, Molly Menoni
In response to escalating cyber threats from foreign adversaries and criminal actors, former President Joe Biden signed Executive Order (E.O.) 14144, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity”, just four days before leaving office. While the order addressed a broad range of cybersecurity priorities, it placed particular emphasis on supply chain risk management (SCRM) requirements for third-party software providers. These included mandates for software attestation and validation, secure development practices and the management of open-source software (OSS).
Following the transition to a new administration, President Donald J. Trump issued several executive orders, including the “Initial Rescissions of Harmful Executive Orders and Actions” on Jan. 20, 2025. This order revoked 78 actions from the Biden administration and paused the issuance of new rules pending review by presidential appointees. Although E.O. 14144 was not immediately affected, the Trump administration later issued a new cybersecurity order, E.O. 14306, on June 6, 2025, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144.”
This new order reaffirms the federal government’s commitment to cybersecurity by preserving and refining key provisions from both E.O. 14144 (President Biden, 2025) and E.O. 13694 (President Obama, 2015). It streamlines E.O. 14144 to address evolving threats, with a focus on secure software development, post-quantum cryptography and artificial intelligence (AI) risk management. Meanwhile, E.O. 13694 was amended to narrow the scope of sanctions to foreign persons engaged in malicious cyber activities. Importantly, the E.O. requires the National Institute of Standards and Technology (NIST) to develop a preliminary update to Special Publication (SP) 800-218, the Secure Software Development Framework (SSDF), by Dec. 1, 2025, with practices, procedures and examples on the secure development and delivery of software.
A timeline of critical milestones presented under the latest E.O. is outlined below.
Uncertainty around software supplier attestations persists
While federal agencies continue to collect secure software development attestations, there is currently no finalized Federal Acquisition Regulation (FAR) clause requiring software producers to submit these attestations to the Cybersecurity and Infrastructure Security Agency (CISA) as a contractual obligation. To date, evolving federal guidance has led to the development of CISA’s Secure Software Development Attestation Form (commonly referred to as the “Common Form”), which is grounded in NIST SP 800-218 (the SSDF). Software suppliers have been expected to use this form to demonstrate compliance.
A proposed FAR rule (Case No. 2023-0021) has been in development since 2023. However, the recent Executive Order 14306, issued on June 6, 2025, appears to remove language that previously directed the creation of such a clause. This development introduces uncertainty regarding the future of attestation collection and enforcement. Without a clear regulatory mandate, it remains unclear whether CISA will continue to oversee or enforce these requirements.
Despite this ambiguity, the executive order signals continued support for enhancing NIST SP 800-218, suggesting that the SSDF will likely remain a foundational standard moving forward. Additionally, existing Office of Management and Budget (OMB) directives (notably Memorandum M-22-18 and its M-23-16 update) may still guide agencies in maintaining some form of the attestation process. In practice, this means suppliers should continue to maintain the evidence that supports each statement on the Common Form, since the underlying SSDF practices are unlikely to change even if the collection mechanism does.
As the rulemaking process continues, industry stakeholders should closely monitor regulatory developments. The outcome could have significant implications for compliance obligations across the federal software supply chain.
Reflecting on the first half of 2025, and looking ahead under a new administration
As the federal government continues to establish its cybersecurity priorities, recent executive actions have not only reshaped national cyber policy but also reinforced the importance of securing the federal supply chain. A key example came in March 2025, when the General Services Administration (GSA) awarded Blanket Purchase Agreements (BPAs) to nine industry partners under its new Supply Chain Risk Illumination Professional Tools and Services (“SCRIPTS”) program. This initiative reflects a broader government-wide effort to strengthen supply chain security.
The SCRIPTS BPAs provide federal, state, local, tribal and territorial agencies with streamlined access to commercial tools and services that help identify and manage supply chain risks. These efforts align with Executive Order 14240, which promotes centralized procurement, and Executive Order 13873, which focuses on securing the information and communications technology (ICT) supply chain—both signed by President Trump.
In parallel, as agencies and contractors work to mature their SCRM programs amid evolving regulations and guidance, NIST released Special Publication (SP) 800-18 Revision 2 for public comment. This update provides detailed guidance for developing and maintaining system security plans (SSPs) as part of broader risk management efforts. Specifically, it:
- Outlines key content elements for system plans
- Encourages automation to manage plans throughout the system lifecycle—including secure sharing and protection of plan data
- Provides supplemental resources such as example outlines and updated roles and responsibilities
While federal agencies are required to follow these guidelines, nonfederal organizations may also adopt them to align with their own risk strategies.
As the federal government continues to adapt its cybersecurity posture under new leadership, recent executive actions underscore a sustained commitment to strengthening national resilience—particularly through secure software practices and robust supply chain risk management. The evolution of Executive Orders 13694 and 14144, alongside initiatives like GSA’s SCRIPTS program and NIST’s updated guidance, reflects a coordinated effort to enhance existing cybersecurity frameworks while addressing emerging threats. As agencies and contractors navigate this shifting landscape, alignment to these evolving standards will be critical to safeguarding mission-critical systems.
Baker Tilly is here to help
Baker Tilly is here to assist with solidifying your C-SCRM practices and performing gap assessments or other evaluation procedures to assess your risk. We can also help you understand the aspects of this new guidance that are applicable to your organization, while helping you best allocate time and resources to understand what is “fit for purpose” for your C-SCRM program.
Additionally, your organization may require a C-SCRM plan, either now or in the future. These plans explore the processes you currently have in place to manage your third-party risk and often require an in-depth understanding of governmental standards. We regularly assist organizations with preparing SCRM plans in order to avoid complications that may arise with federal review and evaluation of these plans.
As the pandemic and recent supply chain “shocks” make clear, risk management procedures and business continuity plans can be tested at any time. Federal contractors should look to develop an effective C-SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. Baker Tilly stands ready to support your organization.
For more information on this topic, or to learn how Baker Tilly specialists can help — please contact us.