
Cybersecurity 06-12-2025

What the Updated Executive Order Really Means for Cybersecurity


Michael Smith

Recent updates to the White House’s cybersecurity Executive Order have sparked a wave of commentary—some of it measured, some sensationalized. Many headlines are zeroing in on the rollback of previously established initiatives, such as software attestation and validation requirements.

But a closer read of the order, paired with the , reveals a more nuanced picture: The latest EO isn’t a wholesale dismantling of cybersecurity progress but rather a reframing of priorities and an evolution of tone.

Mandates help—but they're not the whole strategy

It’s important to acknowledge that federal mandates can be drivers of progress. They serve to create alignment across agencies, establish accountability, and set minimum standards that help elevate industry-wide practices. Previous Executive Orders and OMB Memoranda have initiated action inside the U.S. Federal Government to protect itself and the private sector.

But the absence or modification of such mandates doesn’t remove an organization’s responsibility to act. After all, cybersecurity should be apolitical—it’s a business imperative based on fiduciary responsibility and mitigation of risk.

The threats posed by quantum computing, software supply chain vulnerabilities, and increasingly sophisticated attackers transcend administrations. Forward-thinking enterprises understand this. They’re investing in cryptographic agility, modernizing their infrastructure, and preparing for a post-quantum world. The stakes are too high not to.

Secure software practices still matter

One of the most misunderstood elements of the updated Executive Order is the perceived abandonment of secure software development practices. While the EO does roll back certain compliance and attestation requirements for federal vendors, it continues to reinforce the NIST Secure Software Development Framework (SSDF) as the backbone of secure coding. The SSDF remains clear in its emphasis on software provenance through code signing and the importance of risk transparency via Software Bills of Materials (SBOMs). These practices aren’t just bureaucratic checkboxes—they’re foundational to software integrity in today’s threat landscape.

SBOMs are gaining traction globally, with countries like the UK, Germany, and Japan integrating them into their national cybersecurity strategies. Likewise, post-quantum cryptography (PQC) is a worldwide priority. The EU, Canada, and Australia have all released guidance or launched initiatives to prepare public and private sectors for a cryptographic transition that’s as inevitable as it is complex.

The continued presence of these measures in the updated EO is encouraging. Organizations should view the updates not as compliance burdens, but as tools that strengthen trust, improve accountability, and allow organizations to make data-backed decisions on their exposure to risk.

Real progress on internet infrastructure security

The updated EO reflects a meaningful and pragmatic shift in tone regarding the security of Border Gateway Protocol (BGP), the routing system that steers traffic across the internet. Best practices for BGP today include the use of Resource Public Key Infrastructure (RPKI) to cryptographically sign route origin authorizations, giving networks assurance that traffic is routed toward its legitimate destination rather than a hijacked one.

Previous guidance leaned heavily on aspirational language, suggesting that stakeholders "should" adopt best practices. The new order moves beyond suggestion and offers clear, actionable steps. This change signals progress—not regression—and reflects a deeper understanding of the technical realities involved in securing global internet infrastructure.

Future-proofing through crypto-agility

The concerns surrounding the de-emphasis of certain previously established requirements are still valid. There’s a risk that loosening compliance and audit obligations could lead some organizations to deprioritize important cybersecurity measures. But astute cybersecurity managers will continue to plan for and deploy upgrades to their technology stacks—not because they’re forced to, but because they understand the value of future-proofing as risks and threat environments evolve.

The quantum threat, for example, isn’t a theoretical issue for the distant future. It’s a very real challenge that requires action today: inventorying cryptographic assets, implementing certificate management strategies, and building the infrastructure for cryptographic agility.

Crypto-agility is particularly critical at this moment. As NIST finalizes its PQC standards and browser vendors begin enforcing shortened certificate lifespans, the ability to quickly adapt cryptographic systems is no longer optional—it’s a requirement for maintaining digital trust and responding to evolving standards over time. Enterprises that lack this agility will find themselves vulnerable not just to quantum threats, but to operational disruption and reputational damage.

The main takeaway: Don’t wait for policy

This EO should serve as a prompt for organizations to take greater ownership of their cybersecurity strategies. The government’s role is to guide, signal priorities, and support innovation.

Don't mistake modified EOs as permission to slow down. Cybersecurity excellence has never depended on government policy alone—and it never should.
