Supply chain security in focus: Navigating amendments to Executive Orders 13694 and 14144
July 18, 2025 · Authored by Leo Alvarez, Molly Menoni
In response to escalating cyber threats from foreign adversaries and criminal actors, former President Joe Biden signed Executive Order (E.O.) 14144, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” just four days before leaving office. While the order addressed a broad range of cybersecurity priorities, it placed particular emphasis on supply chain risk management (SCRM) requirements for third-party software providers. These included mandates for software attestation and validation, secure development practices and the management of open-source software (OSS).
Following the transition to a new administration, President Donald J. Trump issued several executive orders, including the “Initial Rescissions of Harmful Executive Orders and Actions” on Jan. 20, 2025. This order revoked 78 actions from the Biden administration and paused the issuance of new rules pending review by presidential appointees. Although E.O. 14144 was not immediately affected, the Trump administration later issued a new cybersecurity order (E.O. 14306) on June 6, 2025, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144.”
This new order reaffirms the federal government’s commitment to cybersecurity by preserving and refining key provisions from both E.O. 14144 (President Biden, 2025) and E.O. 13694 (President Obama, 2015). It streamlines E.O. 14144 to address evolving threats, with a focus on secure software development, post-quantum cryptography and artificial intelligence (AI) risk management. Meanwhile, E.O. 13694 was amended to narrow the scope of sanctions to foreign actors engaged in malicious cyber activities. Importantly, the E.O. requires the development of a preliminary update to National Institute of Standards and Technology (NIST) Publication 800-218, Secure Software Development Framework (SSDF) by December 2025, with practices, procedures and examples on secure development and delivery of software.
A timeline of critical milestones presented under the latest E.O. is outlined below.