Federal Government Amends Cybersecurity Obligations for Contractors and Subcontractors via New Executive Mandate
President Donald Trump issued Executive Order 14306 on June 6, 2025, aiming to enhance the resilience of the defense supply chain against emerging cyber threats. This order signals a likely approach to cybersecurity policies and standards by the Trump Administration, focusing on removing requirements perceived as barriers to private sector growth while preserving key requirements that protect the U.S. government's own systems against cyber threats.
Cybersecurity Maturity Model Certification (CMMC) Program
The Department of Defense has nearly finalized an acquisition rule for the new CMMC Program. Starting October 1, 2025, nearly all new Department of Defense (DoD) contracts involving Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will require contractors to hold a valid CMMC certification as a prerequisite to contract award.
The CMMC program requires contractors across the Defense Industrial Base to meet cybersecurity standards to protect sensitive defense data. Level 2 is the new minimum certification standard for contractors handling CUI, aligning with NIST SP 800-171 security controls. Certification must be achieved through independent third-party assessments, replacing prior self-assessment approaches.
The interim rollout phase for voluntary or targeted implementation will cease by September 30, 2025, with full mandatory enforcement commencing October 1, 2025. Federal contractors and subcontractors seeking or renewing DoD contracts must prepare to comply fully with the CMMC 2.0 program requirements, ensuring certification before contract award from October onward.
Internet of Things (IoT) Products and Cyber Trust Mark
The E.O. notably retains the requirement for the Federal Acquisition Regulation (FAR) Council to amend the FAR so that vendors selling IoT products to the federal government must carry the U.S. Cyber Trust Mark label on those products.
Removal of Requirements for Software Attestations
The order removes the requirement for federal contractors and subcontractors providing computer software to submit validated attestations and artifacts regarding secure development practices through CISA's Repository for Software Attestation and Artifacts (RSAA).
Defense Federal Acquisition Regulations and NIST Security Requirements
The Defense Federal Acquisition Regulations requiring defense contractors to comply with 110 National Institute of Standards and Technology (NIST) security requirements for controlled unclassified information remain in effect.
Other Key Provisions
- The order mandates that the National Cyber Director recommend contract language to the FAR Council to require contracted providers of internet services to federal agencies to adopt and deploy internet routing security technologies.
- The E.O. retains some standards for technical enforcement of encrypted and authenticated transport for electronic communications, but removes provisions directing requirements for agencies to expand the use of authenticated transport layer encryption.
- The order directs the federal government to deploy commercial security technologies and architectures, such as hardware security modules, trusted execution environments, and other isolation technologies, to protect and audit access to cryptographic keys with extended life cycles.
- E.O. 14306 modifies the policy statement to explicitly name the People's Republic of China, Russia, Iran, North Korea, and others as significant cybersecurity threats to U.S. government, private sector, and critical infrastructure networks.
- The order aims to scale back cybersecurity requirements and government-wide approaches implemented by the Biden Administration.
In conclusion, Executive Order 14306 represents a significant step towards strengthening America's cybersecurity posture, particularly in the defense supply chain and federal contracting. The order's provisions reflect a focus on preserving key cybersecurity requirements while removing perceived barriers to private sector growth.
The Cybersecurity Maturity Model Certification (CMMC) Program is set to become a mandatory requirement for nearly all new Department of Defense (DoD) contracts starting October 1, 2025, as contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will need a valid CMMC certification for contract award. The program focuses on enhancing cybersecurity standards to protect sensitive defense data.
Executive Order 14306 also retains the requirement that vendors selling IoT products to the federal government carry the U.S. Cyber Trust Mark label on those products, indicating a continued focus on technology-related cybersecurity measures in federal acquisitions.