The recent cybersecurity Executive Order, prompted by escalating threats from China, Russia, Iran, and other nation-state actors, mandates significant enhancements to U.S. cybersecurity through new requirements and updates to executive orders issued under the previous administration. These directives specifically target AI security, secure software development, and vulnerability management, positioning these areas as critical pillars of contemporary cyber defense.
So, what changed and how do those changes affect these critical security gaps?
Standardizing “Secure by Design” and Moving Past PDFs
The Executive Order reinforces the push for “Secure by Design” efforts, which shift the responsibility for securing technology to tech suppliers rather than tech buyers, and emphasizes the need to secure our software supply chains. In the aftermath of vulnerabilities and compromises in open-source libraries such as Polyfill.io and XZ-utils, and more advanced cases like the Lebanese pager attack, this administration recognizes that software supply chains are not just a technical concern but a matter of national security.
Here are some of the key updates to existing software supply chain security and secure-by-design policies, along with the gaps they leave behind:
The Update: Removing the requirement that companies have to upload SSDF attestations (PDFs of little security value) reduces painful administrative overhead.
The Gap: If the goal is to reduce software supply chain risk, we need to think about how the U.S. government will collect meaningful data about its software supply chains. Agencies must be required to collect some level of data and quantitative risk assessment from their suppliers, not just compliance documents that promise good behavior. This is an opportunity for the White House to position itself as more tech-forward and data-driven by reviving the original concept of using the Software Bill of Materials (SBOM) as a key supply chain security artifact, one that is easy for companies to generate and that protects their sensitive source code.
---
The Update: NIST will update the Secure Software Development Framework (SSDF) and establish an industry consortium at the National Cybersecurity Center of Excellence to develop guidance on implementing secure software development, security, and operations practices.
The Gap: The private and public sectors need to come together to develop agile and efficient guidelines for all organizations. Standardizing on “secure by design” will ensure software is developed more securely, and that vendors and agencies have a shared understanding of how to assess risk. That said, the output of the SSDF update and new consortium must be actionable. This means the guidance needs to be realistic, practical, and automated so organizations implement it regardless of team size or resource constraints.
---
The Update: The Federal Acquisition Regulatory (FAR) Council will require, by law, that vendors selling consumer IoT products meet the standards for and display the U.S. Cyber Trust Mark.
The Gap: What’s missing is a plan or a guide that enables IoT manufacturers to obtain the stamp of approval at scale and allows their customers to validate device security and respond effectively to new vulnerabilities. While obtaining the U.S. Cyber Trust Mark requires data sharing, lab testing, and alignment with NIST standards, it currently lacks an operational perspective.
All of the above make one thing clear: software supply chain security is becoming foundational to federal software policy. While some requirements are easing, others are tightening, especially around transparency and vendor accountability.
In this environment, SBOMs are essential. They provide a clear, standardized way to show what’s inside of software, how it’s secured, and how risks are managed. For agencies and vendors alike, SBOMs are the fastest path to meeting new mandates and staying ahead of growing scrutiny.
The First Step in a Very Long AI Marathon
Following the OMB memos promoting rapid and widespread adoption of the latest AI technologies across the federal government, the Executive Order provides further guidance on the need for AI security and risk mitigations.
The Update: Federal agencies must begin tracking and sharing AI vulnerabilities, indicators of compromise (IOCs), and incidents.
The Gap(s): Overall, this is a major step in the right direction, as security is often an afterthought when it comes to AI. However, there are several gaps in the implementation of this commendable directive:
- Establishing a national AI vulnerability database. The National Vulnerability Database (NVD), the U.S. government’s central repository for software vulnerabilities, doesn’t currently include AI-specific vulnerabilities and risks, and it was nearly entirely defunded earlier this year. The government needs to clarify: Will the NVD’s remit expand to include AI risks and vulnerabilities? If not, where will those vulnerabilities be tracked? And if so, will NIST, the agency behind NVD, get more resources to support such an initiative?
- Expanding the scope for AI vulnerabilities. The Executive Order says China, Russia, Iran, and North Korea pose a threat to our AI, which is absolutely correct. However, the previous OMB memos and guidance have focused on foundation models such as OpenAI’s GPT models or Anthropic’s Claude models, and do not require agencies to scour their AI systems built on open-weight or open-source models. Just as the U.S. government has identified the need to secure open-source software, it must direct federal agencies to take the same approach to open-weight models.
- Capturing the legal and license risks of using AI models. The recent Executive Order only mentions “vulnerabilities” in AI, but not other risks, such as legality. A good threat model factors in legal and licensing risk, and AI usage is no different. Open-weight or open-source AI models have varying licensing terms that may prohibit their usage for military, defense, nuclear, surveillance, or other government use cases. Agencies must verify whether their specific use cases are permitted under each model provider’s license.
As agencies move forward, the U.S. government must invest in building a robust, transparent AI vulnerability infrastructure, or risk falling behind the threat landscape.
Preparing for a Post-Quantum Cryptography World
Reinforcing NSM 10 from 2022, the Executive Order emphasizes the need for quantum-resistant cryptographic algorithms to shield critical systems across the government from future attacks by quantum computers.
The Update: Reduces reliance on vulnerable cryptographic technologies, creates a list of product categories where post-quantum cryptography (PQC) is widely available to enable adoption by federal agencies, and mandates the use of TLS 1.3 or later.
The Gap: Federal agencies—and, if we’re being honest, much of the private sector—currently lack the infrastructure and processes needed to identify, analyze, and inventory cryptographic technologies.
Why This Matters
Suppliers and buyers of both software and AI across private and public sectors are profoundly affected by these actions. While some of the Executive Order’s forward-looking requirements are commendable, most organizations lack the capabilities and the tools needed to effectively comply with many of these new directives.
Both those inside and outside the federal government must be prepared to invest in implementing and scaling software supply chain security best practices, especially as AI becomes increasingly integrated into software. This includes:
- SBOM and AI SBOM generation, verification, attestation, and management
- C-SCRM tooling to identify nation-state risk in supply chains
- Provenance and lineage tracking
- Detection of vulnerabilities in open-weight models and datasets
- Legal risk assessments for open-weight AI
- Automated tooling to inventory cryptographic algorithms and their vulnerabilities
At Manifest, our mission is to help organizations build and buy more secure software and AI. We work with critical companies and government agencies around the world to secure every layer of their software and AI supply chains. If you're preparing for the latest Executive Order, our team is here to help. Reach out to get started.