Terry Gerton: You have had a couple of weeks now, along with the rest of the government contracting space, to sort out this recent president’s executive order on cybersecurity. Give us your key takeaways.

Townsend Bourne: Thank you, yes. So this executive order, as you mentioned, we’ve had some time to digest it. We’ve been through the different sections. As I mentioned in the article that our team wrote, this executive order that came out on June 6 by itself doesn’t impose any particular new requirements, but it includes deletions and updates to prior executive orders. So what our team did was basically redline a Biden executive order that came out in January that’s now being amended by this new executive order. By doing that, we’re able to see exactly what’s deleted, what’s updated, what’s been added. Here we’ve got a new policy statement from the Trump administration on an approach to cybersecurity. As you can imagine, it does point out some of the key cybersecurity risks as they see it — some of the countries that are the largest threats to the U.S. right now in terms of cyber. I’d say kind of the new overarching policy statement, some of the cuts are fairly significant. I think we’ll probably go into a little more detail on those, but the one I see as probably most significant for federal government contractors relates to requirements for third-party software security and what that means for contractors in terms of meeting particular security requirements and attesting to compliance with those particular security requirements.

Townsend Bourne: In some of the other sections, we do see some updates regarding deadlines for revisions to certain key standards and publications that form guidance for federal government contractors. We are always keeping an eye on those — what those changes look like — and any guidance accompanying those standards is always helpful. We do see in terms of AI and some of the other large topic areas that we’ve been following, there are some minor changes. There are also some different focus areas in those spaces. The article that we wrote really focuses on anticipated updates to the Federal Acquisition Regulation and what those might look like for contractors. But realizing this executive order does go more broadly than that, it does talk about federal agency initiatives with regard to AI and some other topic areas of interest.

Terry Gerton: That’s a really great overview. Let’s dig back into some of the specifics that you mentioned, and let’s start with the supply chain security, especially for software providers. Tell us a little bit more about the specifics there. What are the changes that you notice?

Townsend Bourne: This one is fairly complicated just because of the history. I know we’ve covered that on previous iterations of this show, so I’ll go over it really quickly. There was an executive order that came out in 2021 that actually set forth some requirements for securing third-party software supply chain, making sure that NIST — which is the National Institute of Standards and Technology — had a timeline for developing a standard on this issue, as well as certain guidance documents. That’s been underway now for over four years. This executive order that came out on June 6 updates provisions from the Biden executive order that came out this past January relating to CISA’s role in collecting secure software attestations from industry and some of the other aspects of that process. Where we currently stand under that executive order from January 2021, there is an open Federal Acquisition Regulation case right now that says eventually there should be a FAR regulation coming out that would require federal contractors to meet the Secure Software Development Framework, which is a NIST publication, and also provide attestations of compliance with that standard. That’s currently still an open FAR case.

Townsend Bourne: What the Biden executive order in January 2025 did was add to that requirement, and it mentioned more of a role for CISA — the Cybersecurity and Infrastructure Security Agency — in collecting those attestations and participating, kind of overseeing some of that effort. Some of the changes in the executive order from a couple of weeks ago strike out certain sections relating to third-party software security. They actually do still show that we’re going to be getting updates to NIST’s Secure Software Development Framework and reliance on NIST as the entity responsible for those security standards. But it’s looking like, based on the updates, there may be some changes to how software attestations might be collected. Right now, there’s a form that’s being used for those and a repository managed by CISA. It’s possible that could change based on some of these amendments in the executive order.

Terry Gerton: I’m speaking with Townsend Bourne. She’s a partner in the governmental practice at Sheppard Mullin’s Washington, D.C., office. So much to still watch for between the executive order and the development of the new FAR.

Townsend Bourne: I think that’s right. We’re always tracking the open FAR and DFARS case reports, which are updated almost every week. Those are usually available updates on Fridays. So we track those and then, in conjunction, other agency initiatives and executive orders that might impact what goes into those open FAR case reports.

Terry Gerton: You also mentioned some changes around the use of AI and quantum computing in cybersecurity. Fill us in on those details.

Townsend Bourne: Sure. Some of the provisions of the Biden January 2025 executive order are struck in this new executive order that came out a couple weeks ago. With respect to AI, there’s still language about enhancing cyber defense through AI, which is a consistent policy initiative, but the language changes a bit. The other update on AI relates to a mandate for agencies to incorporate into their existing vulnerability management processes AI software — tracking incidents, incident response and sharing indicators of compromise about AI systems throughout the federal government. Managing that process a little bit more is an initiative spelled out in the new executive order as well.

Terry Gerton: Does it say who will collect that data and do that analysis?

Townsend Bourne: It does not. It talks about agency sharing of that data, so I think the idea is it would be worked into existing processes that agencies have for sharing some of that information, like IOCs.

Terry Gerton: So the changes seem somewhat at the margins of the processes and not so much at the middle. But if you were a government contractor now, what should you be watching for? What changes should you be making in your own practices to better prepare for all of these new directions?

Townsend Bourne: It’s a great question. We get inquiries all the time, as you can imagine, from clients when new executive orders come out: What should we be looking for? What should we be doing? It’s a good reminder that executive orders generally dictate actions for executive agencies to take. They don’t impose immediate regulations or obligations on companies as a general matter. So what we look for, in terms of counseling our clients — most of whom are in the federal government contracting space — are some of these broader policy initiatives. For example, the AI vulnerability management issue — how might that be rolled out to companies in the future through memoranda, guidance or regulations? We also look at, in each of these cybersecurity executive orders that have come out over the years, mandates for the FAR Council to get recommendations on language to update the FAR from various agencies and then take steps to actually amend the FAR. That’s what we’ve kind of focused on. We track those through the open FAR case report. In this executive order that came out recently, the new FAR implications relate to software supply chain security. That open FAR case that’s existing — we’ll be looking pretty closely to see how that changes, or if that goes away potentially and another one replaces it. The executive order from the beginning of June leaves intact some of the provisions from the earlier Biden executive order that call for updates to the FAR. So those are still part of this new executive order, and those relate to initiatives to update cybersecurity requirements based on civil space contracts — contracts relating to the space industry. We may see some FAR updates there. There are also provisions in the executive order about cybersecurity for internet service providers — securing internet routing technology and communications relating to the federal government.

Townsend Bourne: There’s also a provision that will require, in the FAR at some point, that companies providing consumer Internet of Things technology have what’s being called the U.S. Cyber Trust Mark. That’s a label the U.S. government is rolling out as a cybersecurity guarantee so consumers can see certain Internet of Things products have met particular cybersecurity standards. So a lot here. And like you said, some of it is a bit on the fringes or it’s not quite as developed within the executive order. But where these executive orders call for particular updates to the FAR, that’s where we really hone in, and we’re watching that open FAR case report to see things as they’re added. And then as the dates progress, when we might actually see a proposed regulation and when requirements might actually start flowing into federal government contracts.

Copyright © 2025 Federal News Network. All rights reserved.