
Revised Executive Order Alters Cybersecurity Obligations for Federal Contractors and Subcontractors


On June 6, 2025, President Donald Trump issued Executive Order (E.O.) 14306 to modify certain cybersecurity requirements and government-wide approaches implemented by the Biden Administration. This order has significant implications for federal contractors and subcontractors.

Suspension of Mandatory Attestations and Shift in Focus

Key removals in E.O. 14306 include the requirement for federal contractors and subcontractors to submit validated attestations and artifacts regarding secure development practices through CISA's Repository for Software Attestation and Artifacts (RSAA). While the Order eliminates the requirement for software vendors to formally attest compliance through government portals, it maintains the technical standards for secure software development and shifts the focus toward collaboration between NIST and an industry consortium to refine and promote best practices.

Continued Emphasis on Secure Software Development

The E.O. directs the Secretary of Commerce, via NIST, to establish a consortium to update and implement secure software development guidelines consistent with NIST SP 800-218. This illustrates continued government focus on secure coding and development frameworks, despite rolling back formal attestations.

Focus on Foreign Cyber Threats

E.O. 14306 explicitly identifies China as the most active cyber threat actor, alongside Russia, Iran, and North Korea, and limits cybersecurity sanctions to foreign threat actors. This signals an ongoing strategic focus on defending federal contracting networks from these risks.

Impact on CMMC Program

While the executive order modifies cybersecurity requirements, it leaves unaltered the Defense Federal Acquisition Regulations that require defense contractors to comply with NIST 800-171 controls for Controlled Unclassified Information. The order does not dismantle the existing Cybersecurity Maturity Model Certification (CMMC) framework but likely reduces immediate federal pressure for strict attestations, creating some uncertainty and debate in industry over cybersecurity enforcement and innovation priorities.

Industry and Expert Concerns

Cybersecurity experts have expressed concern that the E.O.'s rollback of some protective requirements, especially at a time of growing cyber threats, could weaken defense postures. There is apprehension about overreliance on emerging AI technologies to mitigate risks without maintaining hard, proven security controls.

Retained Requirements and Standards

The E.O. retains the requirement for federal agencies to update a list of product categories containing products that support Post-Quantum Cryptography (PQC). The order also signals a likely approach by the Trump Administration to cybersecurity policies and standards, focusing on removing requirements perceived as barriers to private sector growth while preserving key requirements that protect the U.S. government's own systems.

The E.O. notably retains the requirement for the federal government to deploy commercial security technologies to protect space systems. The order also retains some standards for technical enforcement of encrypted and authenticated transport for electronic communications. Furthermore, E.O. 14306 maintains the mandate for the federal government to deploy commercial security technologies and architectures, such as hardware security modules, trusted execution environments, and other isolation technologies, to protect and audit access to cryptographic keys with extended life cycles.

In summary, E.O. 14306 reflects a strategic shift by the federal government to balance sustaining robust cybersecurity standards with promoting innovation and reducing compliance burdens for federal contractors. Contractors should continue following secure development practices aligned with NIST guidance, anticipate possible requests for evidence of security controls by contracting officers, and remain attentive to evolving requirements related to foreign cyber threats and software supply chain security. The CMMC program requirements remain legally in effect but may see slower or modified enforcement under this new E.O.

