June 10, 2025
The recently updated Executive Order on cybersecurity marks a decisive shift from broad mandates to streamlined execution and strategic enablement. Gone are many of the heavy compliance burdens of previous directives. In their place, we see a renewed focus on scalable policy, agile guidance, and deeper public-private partnership.
At Merlin Cyber, we view this evolution as a critical moment for industry and government to move forward—together. As agencies pivot from reporting obligations to implementation, and as technology providers recalibrate their development pipelines, Merlin stands ready to deliver clarity, speed, and innovation where it is needed most.
Below, we break down key components of the new Executive Order and how Merlin Cyber provides direct value to our federal customers and technology partners.
The new EO amends earlier directives by removing the requirement for vendors to submit attestations and artifacts to CISA’s RSAA. Instead, the focus shifts to NIST-led updates of the Secure Software Development Framework (SSDF) and NIST SP 800-53.
At Merlin, we help our partners and customers make sense of the shifting regulatory landscape. Our CGC platform continues to deliver on the promise of secure software delivery, now with even greater flexibility and speed. We provide a managed environment that supports modern DevSecOps practices, aligning development pipelines with NIST’s evolving SSDF guidance. Whether it is navigating new documentation requirements or deploying software at the speed of mission, Merlin enables security to be baked in—not bolted on.
Sections 3a and 3b of the previous EO were rescinded, scaling back mandates for mobile driver's licenses and specific pilot deployments. The new EO signals trust in agency-led flexibility for identity modernization.
Even in the absence of mandates, Merlin continues to prioritize identity as the foundation of Zero Trust. We guide our customers through the deployment of modern identity technologies, such as phishing-resistant authentication, risk-based access, and seamless integrations with cloud services. Working with strategic partners like CyberArk, we help ensure agencies are secure from the first login—enabling adaptive identity security that keeps pace with the mission, without creating friction for the user.
The new EO simplifies AI-related requirements, removing prior mandates for pilots and research. Agencies now need only to ensure access to cyber defense datasets and integrate AI vulnerability tracking into incident response frameworks by November 1, 2025.
Merlin is actively helping our customers operationalize AI securely and strategically. We help agencies build cyber operations that are faster, smarter, and more resilient. From machine-speed anomaly detection to automated playbook execution, our AI-driven security tools are not just advanced; they are battle-tested. We also help integrate AI-specific vulnerabilities into broader security frameworks, ensuring alignment with emerging federal oversight and best practices.
The PQC section of the EO has been streamlined to focus on two critical deliverables: a PQC product list (by Dec 1, 2025) and TLS 1.3 (or successor) adoption for NSS and non-NSS systems. The NSA now plays a lead role alongside CISA.
Quantum computing poses a real threat, and Merlin is already helping partners and agencies get ahead of it. We are working with software vendors like InfoSec Global Federal to ensure agencies perform cryptographic inventory and align with NIST standards and NSA guidance. On the agency side, we are guiding TLS 1.3 transitions and helping integrate crypto agility into enterprise architecture planning. When the shift to quantum-resistant cryptography comes, our customers will not be scrambling; they will be ready.
This Executive Order sharpens focus on real outcomes. It moves beyond box-checking and toward meaningful modernization. And it does so by enabling agencies and their partners to work smarter, faster, and more collaboratively.
At Merlin Cyber, we welcome this evolution. We were built for it. With deep expertise in secure cloud, identity, Zero Trust, compliance automation, and software assurance, we help turn cybersecurity policy into mission-ready execution.
We are standing ready. Let's get to work. To learn more about our capabilities, download our one-pager or email us at ZeroTrust@merlincyber.com.