The US Executive Order
On 6 June 2025, amendments were made to Executive Order of 16 January 2025 (Strengthening and Promoting Innovation in the Nation’s Cybersecurity).
It included an update to section 7:
“Within 1 year of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Director of OMB shall establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity.”
What the Executive Order means for Rules as Code
This Executive Order has put Rules as Code into the spotlight at the highest level in government.
Importantly, the order says policy that’s “published and managed” suggesting the Rules as Code pilot could be for new policy (as part of the publishing process) and/or existing rules. While the ideal implementation point for Rules as Code in the policy lifecycle is at the start (i.e. drafting stage) with so much legislation and policy in existence around the world, governments will need to take this two-pronged approach. Prototypes or pilots will allow governments to experiment with Rules as Code when both drafting new policy and converting existing policy to a machine-readable form.
The choice of cybersecurity is also an interesting one. As we all know, cybersecurity continues to be one of the biggest considerations for governments, corporations and individuals. Using Rules as Code for cybersecurity policy and frameworks will make it much easier for everyone to follow and comply with these policies and frameworks.
Australia and Rules as Code
Australia is at the forefront of Rules as Code, through the Department of Finance’s/GovCMS’ Rules as Code . GovCMS began experimenting with Rules as Code as a method of personalisation back in 2022, when it gave the greenlight to a Salsa Rules as Code proof of concept proposal. That original prototype looked at COVID vaccination rules of the day. From there, GovCMS started the Rules as Code sandpit , which lets Australian Federal agencies experiment with Rules as Code via a proof of concept. With the sandpit program about to come to an end and productionisation in full , Australia is poised to continue its position as a leading Rules as Code nation.
Salsa Digital’s take
This is an exciting time for Rules as Code, bringing Rules as Code to the fore for government both in the US and hopefully around the world. It’s especially timely on the back of the G7 Rules as Code briefing and recommendations (see our insight about G7 Rules as Code briefing) and the amazing inroads happening in Australia. We’re looking forward to continuing our role in Rules as Code. And who knows, maybe cybersecurity is next for a proof of concept here in Australia.
About OMB, NIST and CISA
The Office of Management and Budget (OMB) is the government department that helps the US president execute policy objectives.
The National Institute of Standards and Technology (NIST) has been around for a while (since 1901!) and promotes innovation and industrial competitiveness in the US. In the context of cybersecurity, NIST runs the Cybersecurity Framework (read our overview of the NIST Cybersecurity Framework for more information).
Finally, America’s Cybersecurity and Infrastructure Security Agency (CISA) includes a dedicated cybersecurity division and its mission is to “to defend and secure cyberspace by leading national efforts to drive and enable effective national cyber defense, resilience of national critical functions, and a robust technology ecosystem.”
These are the agencies at the heart of this Executive Order.
Related case studies and insights
G7 Rules as Code policy brief
Find out about the Rules as Code recommendations for the G7 nations.
BenefitMe — coding NZ’s Social Security Act (Rules as Code)
Coding NZ’s Social Security Act using OpenFisca to help NZ citizens check their eligibility for key social security benefits.