Submit to Digest

The Identity Gap: Why Executive Order 14306 Needs a Legislative Answer

Cybersecurity Commentary National Security

Faran Kiani is a technology lawyer, author and Senior Manager, Contracts and Corporate Affairs at Soloinsight, Inc., where he leads technology transactions, data privacy, AI governance, and IP. He holds an LL.M. in Technology Law from Wake Forest University and a certificate in “AI and Law: Navigating the New Legal Landscape” from Harvard Law School’s Executive Education Program.


In cybersecurity, the most consequential question is often the simplest one: who is allowed in? The discipline that answers it is identity and access management, or “IAM,” the set of systems and policies that verify who a user is and govern what that user may reach. [1] For most of the past decade, the federal government has treated ‘identity’ as the foundation of its defenses, making it the first pillar of the federal zero trust strategy. [2] That history is what makes a quiet change in the summer of 2025 so troubling. In June, Executive Order 14306 removed three concrete identity-relevant implementation mechanisms, and it did so at the precise moment a Chinese intelligence service was exploiting identity and authentication weaknesses across American telecommunications, government, and military networks. [3] The President had the legal authority to make those changes, but that is not what should worry us. What should worry us is the gap those changes left—and the fact that the right way to close it is not another executive order, but an act of Congress.

To see the gap, we must start with what came before it. After the SolarWinds breach, Executive Order 14028 committed the federal government to a zero trust model and to multifactor authentication across agencies. [4] The Office of Management and Budget followed with Memorandum M-22-09, which required agencies to adopt enterprise-managed identities and phishing-resistant multifactor authentication—the kind that cannot be defeated by a stolen password or a tricked employee. [5] The Cybersecurity and Infrastructure Security Agency (CISA) then operationalized this through its Zero Trust Maturity Model, which placed identity among its five pillars, recognizing that controlling who enters a system is a critical step in defending it. [6] This was not one administration’s project. It was built incrementally, across administrations of both parties, on a shared premise: identity is the front door.

In its final days, the Biden administration issued Executive Order 14144, which added three identity-relevant directives to the zero trust foundation. [7] The first directed federal agencies to begin pilot deployments of phishing-resistant authentication standards such as WebAuthn. The second required CISA to centrally validate the security attestations that software vendors submit, a check on the supply chain that underpins identity systems. The third encouraged agencies to accept digital identity documents to fight fraud committed with stolen and synthetic identities, the only executive-level directive treating digital identity verification as a cybersecurity tool. Executive Order 14306, under the Trump administration, struck all three. [8] It preserved the broader architecture, leaving the zero trust mandate and the foundational instruments in force, but removed the specific mechanisms (the authentication pilots, the attestation validation, and the digital identity initiative) meant to carry that architecture into practice. The White House explained that the attestation process was “unproven and burdensome,” [9] and that the digital identity provision risked enabling improper access to public benefits. [10]

None of this would matter as much if the threat were hypothetical. It is not. Salt Typhoon is the name given to a hacking group tied to China’s Ministry of State Security. [11] Active since at least 2021, Salt Typhoon carried out one of the most serious cyber-espionage campaigns in recent memory. This campaign compromised at least nine major U.S. telecommunications providers, including AT&T and Verizon, and breached carriers’ lawful-intercept systems. [12] Those intercept systems exist to allow the government to conduct lawful, court-authorized surveillance. [13] Compromising them does not merely expose data; it degrades a core counterintelligence capability. By August 2025, the FBI confirmed that the campaign had reached organizations in more than 80 countries. [14] A Department of Homeland Security memorandum revealed that Salt Typhoon had lived inside a state National Guard network for roughly nine months, exfiltrating administrator credentials, network diagrams, and the personal data of service members. [15]

The detail that matters most for this argument is how the group got in. The joint FBI, CISA, and NSA advisory identified the primary access vectors as known software vulnerabilities, unpatched edge devices, and stolen credentials. [16] CISA’s own July 2025 assessment singled out cloud identity infrastructure, token authentication, and key management as the strategic weak points that nation-state actors were exploiting. [17] Put plainly, the adversary’s most effective entry point was identity, and the provisions that Executive Order 14306 deleted were precisely the ones designed to harden identity. Phishing-resistant authentication, the very control the deleted pilot was meant to accelerate, is a leading defense against exactly the stolen-credential attacks Salt Typhoon favored. [18] The government removed several of its locks while a burglar was demonstrably testing those same locks.

The timing is made worse by a parallel hollowing of the institutions meant to enforce what remains. Since early 2025, CISA has lost roughly a third of its workforce to buyouts, retirements, and layoffs, including personnel who supported zero trust implementation and threat-intelligence sharing. [19] The Cyber Safety Review Board, which had been investigating the Salt Typhoon intrusions, was dissolved before it could finish. [20] And the agency still has no Senate-confirmed director, its lone nominee having withdrawn in April 2026 after nearly a year of Senate holds. [21] The obligations that survived Executive Order 14306 now rest on paper, while the institutional capacity to implement, validate, and enforce them has been cut. A mandate without an enforcer is only an aspiration. Meanwhile, a related Chinese group, Volt Typhoon, has been found pre-positioned inside U.S. critical infrastructure for potential disruption in a future conflict—a reminder that identity weaknesses are not only an ongoing espionage problem, but a wartime one. [22]

In fairness, the administration’s action rests on solid legal ground, and any honest argument should say so. Executive orders are instruments of presidential policy, not statutes, and every president may revise a predecessor’s orders under their authority over the executive branch. [23] Nothing here suggests that the President was acting against the will of Congress, [24] and though Executive Order 14144 was signed just four days before the transition, revisiting a predecessor’s last-minute directives is an ordinary, bipartisan feature of presidential transitions. Furthermore, the administration had a policy rationale. It argued that some of the deleted requirements, particularly the central validation of software attestations, had calcified into compliance exercises that consumed resources without measurably improving security. [25] That critique is not frivolous. Checklists can crowd out genuine security investment, and a leaner posture has serious defenders. [26] This is not a story about an unlawful or irrational act.

But legality is not adequacy, and that distinction is critical. The fact that a president may remove identity-enforcement mechanisms does not mean that the nation can afford for those mechanisms to appear and disappear with each administration. Salt Typhoon does not pause for presidential transitions. The deeper lesson of Executive Order 14306 is structural: when a security practice is too important to depend on the discretion of whoever currently holds the pen, the answer is to take it out of the four-year cycle altogether.

Recent events have made that volatility concrete. On June 2, 2026, the same administration that issued Executive Order 14306 signed Executive Order 14409. This new order directed CISA, on a thirty-day clock, to issue new binding operational directives, expand AI-enabled defensive tooling, and broaden access to federal cybersecurity services for agencies and critical-infrastructure operators, with a companion provision directing the expansion of federal cybersecurity hiring and placement pathways. [27] Within a single year, and under the same administration, the executive posture toward CISA swung from pruning its mandates and thinning its ranks to enlisting it for an aggressive new cyber-defense push. That reversal is not reassurance that the danger has passed. It is proof that even the same pen-holder changes direction, and that Executive Order 14409, no less than Executive Order 14306 before it, is an executive instrument that creates no enforceable rights and can be revoked as readily as it was signed. The whiplash is the argument. Only legislation ends it.

This is not a fringe concern. Congress saw this coming. As early as April 2025, the House Oversight Committee convened a hearing on securing the nation’s telecommunications from state-sponsored attacks, where members of both parties described Salt Typhoon in the starkest terms, [28] with the ranking member calling it one of the worst breaches the country has ever faced. [29] The political will to treat identity security as a national-security priority already reaches across the aisle. What is missing is the durable legal form that would keep that commitment from evaporating with the next change of administration.

Congress has done exactly that before. The Federal Information Security Modernization Act (FISMA) codified durable federal information-security roles that no executive order can erase. [30] The REAL ID Act set statutory security standards for identity documents. [31] The Cyber Incident Reporting for Critical Infrastructure Act of 2022 turned incident reporting from practice into binding obligation. [32] Each began as something discretionary and became something permanent because Congress concluded it was too important to leave to chance. Identity security deserves the same treatment, and four steps would deliver it.

  1. Confirm a leader. Most immediately, the Senate should confirm a permanent CISA director, and the administration should give the agency the stable, empowered leadership that enforcement requires. Even Executive Order 14409 names the Director of CISA again and again as the official who must deliver its most urgent directives, from issuing binding operational directives within thirty days to helping stand up a vulnerability clearinghouse and a voluntary framework for covered frontier models. [33] Yet, the agency has gone the entire administration without a Senate-confirmed director. A government cannot route its most pressing cyber mandates through a directorship it has never filled by confirmation and an agency it has hollowed out.
  2. Codify a baseline. Congress should enact statutory IAM standards for federal agencies and critical-infrastructure operators, building on FISMA, so that phishing-resistant authentication and related controls no longer rise and fall with each executive order.
  3. Protect the enforcer. Legislation should insulate CISA’s core identity functions, its attestation validation and identity-focused threat intelligence, from being hollowed out by staffing and budget discretion alone. Congress could, for example, set statutory floors for the staffing and appropriations dedicated to these functions, or require advance congressional notification before any reorganization or reduction in force that reaches them.
  4. Decouple digital identity from immigration. A standalone digital identity framework, enacted on its own merits, would let the country pursue fraud prevention and cybersecurity without sacrificing either to an unrelated political fight. [34]

The obvious objection to codification is that statutes are rigid while threats evolve by the week, so a law written today risks being obsolete tomorrow. But that is a solved problem. The right approach is to legislate durable principles, such as a binding obligation to use phishing-resistant authentication, while delegating the technical specifics to NIST and CISA, exactly as FISMA already does for federal information security. Congress sets the floor and the standards bodies keep it current. That structure is how the law has long handled fast-moving technical domains, and there is no reason identity security should be the exception.

The federal government already agrees, on paper, that identity is the front door to every system its adversaries want to enter. Executive Order 14306 left the doorway standing while quietly removing several of its locks, and Salt Typhoon has shown, in documented and ongoing fashion, what an unlocked door costs. The gap here is not one of legal authority. It is the distance between commitments that remain formally in place and the institutional and statutory capacity to make them real. Closing that distance is not a partisan project. It is a matter of putting identity security beyond the reach of the next transition, and the only instrument that can do that is legislation.


[1] Identity and Access Management, Nat’l Inst. of Standards & Tech., https://www.nist.gov/identity-access-management.

[2] Off. of Mgmt. & Budget, Exec. Off. of the President, M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (Jan. 26, 2022).

[3] Exec. Order 14,306, 90 Fed. Reg. 24723 (June 6, 2025).

[4] Exec. Order 14,028, 86 Fed. Reg. 26633 (May 12, 2021).

[5] Off. of Mgmt. & Budget, supra note 2, at 4–5.

[6] Cybersecurity & Infrastructure Sec. Agency, Zero Trust Maturity Model Version 2.0 (Apr. 2023), https://www.cisa.gov/zero-trust-maturity-model.

[7] Exec. Order 14,144, 90 Fed. Reg. 6755 (Jan. 16, 2025).

[8] Exec. Order 14,306, 90 Fed. Reg. 24723 (June 6, 2025).

[9] President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America, The White House (June 6, 2025), https://www.whitehouse.gov/fact-sheets/2025/06/fact-sheet-president-donald-j-trump-reprioritizes-cybersecurity-efforts-to-protect-america/.

[10] Justin Doubleday, Trump Revokes Digital Identity Actions in New Cyber Executive Order, Fed. News Network (June 6, 2025, at 18:56 ET), https://federalnewsnetwork.com/cybersecurity/2025/06/trump-revokes-digital-identity-actions-in-new-cyber-executive-order/

[11] Chris Jaikaran, Cong. Rsch. Serv., IF12798, Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications 1 (2025).

[12] Press Release, S. Comm. on Com., Sci., & Transp., Experts Agree U.S. Communications Networks Remain Vulnerable Following Salt Typhoon Hack (Dec. 2, 2025), https://www.commerce.senate.gov/2025/12/experts-agree-u-s-communications-networks-remain-vulnerable-following-salt-typhoon-hack

[13] Communications Assistance for Law Enforcement Act, 47 U.S.C. § 1002 (1994) (requiring telecommunications carriers to ensure their systems can isolate and enable court-authorized interception).

[14] David DiMolfetta, Salt Typhoon Hackers Targeted Over 80 Countries, FBI Says, Nextgov/FCW (Aug. 27, 2025), https://www.nextgov.com/cybersecurity/2025/08/salt-typhoon-hackers-targeted-over-80-countries-fbi-says/407719/.

[15] Kevin Collier, National Guard Hacked by Chinese ‘Salt Typhoon’ Campaign for Nearly a Year, DHS Memo Says, NBC News (July 15, 2025, at 15:06 ET), https://www.nbcnews.com/tech/security/national-guard-was-hacked-chinas-salt-typhoon-group-dhs-says-rcna218648.

[16] Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System, Cybersecurity & Infrastructure Sec. Agency (Sep. 3, 2025), https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a.

[17] Securing Core Cloud Identity Infrastructure: Addressing Advanced Threats Through Public-Private Collaboration, Cybersecurity & Infrastructure Sec. Agency (July 15, 2025), https://www.cisa.gov/news-events/news/securing-core-cloud-identity-infrastructure-addressing-advanced-threats-through-public-private.

[18] See Off. of Mgmt. & Budget, supra note 2, at 5 n.6, 7 (defining phishing-resistant authentication as processes “designed to detect and prevent disclosure of authentication secrets and outputs” to sites masquerading as legitimate systems, in contrast to one-time codes and push notifications that users can be tricked into revealing).

[19] Sam Sabin, One-Third of Top U.S. Cyber Force has Left Since Trump Took Office, Axios (June 3, 2025), https://www.axios.com/2025/06/03/cisa-staff-layoffs-resignations-trump-cuts.

[20] Nicole Sganga, DHS Terminates All Its Advisory Committees, Ending Its Investigation Into the Chinese-Linked Telecom Hack, CBS News (Jan. 22, 2025, at 17:38 ET), https://www.cbsnews.com/news/dhs-terminates-all-advisory-committees-ends-investigation-chinese-linked-telecom-hack-salt-typhoon/.

[21] Justin Doubleday, Plankey Withdraws as CISA Nominee, Fed. News Network, (Apr. 22, 2026, at 17:16 ET), https://federalnewsnetwork.com/cybersecurity/2026/04/plankey-withdraws-as-cisa-nominee/.

[22] PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, Cybersecurity & Infrastructure Sec. Agency (Feb. 7, 2024), https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a.

[23] See, e.g., Exec. Order 14,306, 90 Fed. Reg. 24723 (June 6, 2025) (amending Executive Order 13,694 and rescinding provisions of Executive Order 14,144).

[24] Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 635–38 (1952) (Jackson, J., concurring).

[25] President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America, supra note 9 (characterizing the rescinded attestation process as having “prioritized compliance checklists over genuine security investments”).

[26] Id.

[27] Exec. Order 14,409, 91 Fed. Reg. 34565 (June 2, 2026).

[28] Press Release, William Timmons, Chairman, Subcomm. on Mil. & Foreign Affs., H. Comm. on Oversight & Gov’t Reform, Timmons Opens Hearing on Securing America’s Telecommunications from State-Sponsored Cyber Attacks (Apr. 2, 2025), https://oversight.house.gov/release/timmons-opens-hearing-on-securing-americas-telecommunications-from-state-sponsored-cyber-attacks.

[29] House of Representatives, At Hearing on Securing America’s Phones, Republicans Defend Trump Officials Sharing Military Plans on Signal and Gmail (Apr. 2, 2025), https://oversightdemocrats.house.gov/news/press-releases/hearing-securing-americas-phones-republicans-defend-trump-officials-sharing.

[30] Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073 (codified at 44 U.S.C. §§ 3551–3558).

[31] REAL ID Act of 2005, Pub. L. No. 109-13, div. B, 119 Stat. 231, 302.

[32] Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, div. Y, 136 Stat. 49, 1038 (codified at 6 U.S.C. §§ 681–681g).

[33] Exec. Order 14,409 §§ 2(c)–(d), 3, 91 Fed. Reg. at 34565–66.

[34] See Doubleday, supra note 10 (reporting that the digital identity directive was rescinded on the ground that it risked enabling undocumented immigrants to access public benefits); President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America, supra note 9.