On June 6, President Trump issued an Executive Order titled “Sustaining Select Efforts To Strengthen The Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.” As the name suggests, the order amends previous cybersecurity directives and, according to some, signals a broader realignment of federal cybersecurity priorities, demonstrated by its emphasis on operational pragmatism.

The Executive Order follows last month’s announcement by the Department of Defense of its Software Fast Track Initiative, which aims to reform and accelerate how the Department acquires, tests, and authorizes secure software for warfighters. Both moves are a reflection of the reality that while secure software development is incredibly important, it’s not enough. To be as secure and resilient as possible, agencies must operate and maintain their systems with continuous attention to security.

At the Intersection of Cybersecurity, Mission Software and AI

With its focus on security at the development, operational and maintenance levels, the Executive Order sits squarely at the intersection of cybersecurity, mission software and artificial intelligence. Here’s how:

On the software development side, the Executive Order removes mandatory cybersecurity attestations in favor of a voluntary consortium approach, via NIST, wherein industry members collaborate on secure development and operations practices. By focusing less on software development and more on the operation and maintenance of software, the administration is signaling that we have to use software securely, as well as develop it that way in order to be secure. This is the difference between a compliance-driven approach and an operational approach to software security.

On the cyber operations and maintenance side of things, the order removes the digital identity requirement for accessing federal services, citing fraud and security risks. It highlights the benefits of artificial intelligence for finding vulnerabilities as well as for continuous risk monitoring to understand the cyber posture of a system in order to gauge not only whether vulnerabilities exist but use AI to determine how exploitable it is, ultimately securing a team’s ability to deliver on the mission. It also enacts a Cyber Trust Mark requirement for Federal procurement of Internet of Things connected devices, which we know are vulnerable to intrusions but critical to innovation on the battlefield of the future.

With AI, the order reinforces the importance of ensuring that teams know how to secure – not just the systems they’re using – but the AI models and data they’re using as well. This encompasses things like sound data integrity practices and checks on inherent bias. More generally speaking, it paves the way for coordination mechanisms as a matter of practice that address vulnerability management, incident tracking and response, and sharing of indicators of compromise – all things that can shorten the duration of an event and limit its damage.

A Call to Action: Engage Operational Teams Early and Often

Effective cybersecurity requires a focus on continuous monitoring and mission effectiveness. This mindset conditions teams to treat every piece of software and every solution as if it's vulnerable and compromised. This type of always-on approach drives the best outcomes and keeps systems and data secure.

In light of the current climate and the Executive Order, it is imperative to recognize that cyber is not merely an IT project; instead, it’s a mission and intelligence imperative that demands a focus on operations and maintenance together.

As such, engaging operational teams – early and often – in an assessment of how systems are used and how data is leveraged to meet the mission is critical. At GDIT, we are involving operators in our efforts – not to dictate the technology stack or the requirements – but to give them a voice in the design process.

This type of engagement is only going to become more effective as the trend toward outcomes-based acquisitions continues. Moreover, it helps to create a culture of continuous monitoring and improvement and one where operator input is solicited and encouraged. But perhaps most important, it shifts the thinking about security from being compliance-focused to one that prioritizes informed, empowered decision-making – and that’s essential for meeting and advancing the mission.