COMMENTARY: President Trump’s June 6 cybersecurity executive order reverses some Biden-era policies, eliminating secure software attestations and digital identity mandates, while shifting responsibility away from the government.
All of this drastically changes the international supply chain. In a climate of record-high cybersecurity threats, particularly from nation-states, the new executive order, while prioritizing flexibility and industry collaboration within cybersecurity models, has raised concerns about supply chain vulnerability. Businesses must now compensate for the gaps left by policy reversals.
The end of software attestations
Under President Biden’s cybersecurity initiative, software vendors selling to the federal government were required to certify that their offerings complied with secure development practices. The certifications helped ensure compliance with strict security standards, and vulnerabilities were addressed before software was distributed to government agencies and private sector partners.
The Trump administration’s withdrawal of this provision denies companies a vital assurance mechanism, increasing the chances that undetected weaknesses enter the supply chain. Cybercriminals and state-sponsored hackers are notorious for exploiting weak software components, and without attestations, businesses now inherit greater security uncertainties regarding their vendors.
For companies that rely on third-party software providers, this change necessitates a swift response. Companies must create their own rigorous internal validation procedures to compensate for this reversal of policy. Failing to do so may open the gates to cyberattacks, leading to data breaches, ransomware incidents, and substantial financial losses.
The impact of the digital identity policy shift
Digital identity verification has become a critical component in securing supply chains by strengthening the authentication processes that ensure companies deal only with authorized entities. Eliminating these government-backed safeguards raises fraud threats, exposing companies to identity theft, fake vendors, and unauthorized transactions.
Supply chains depend on safe authentication to screen suppliers, contractors, and logistics partners. Without standardized identity protections, businesses must now handle this verification themselves.
Such fragmentation of security measures can lead to compliance challenges, particularly for multinational companies that have operations spanning multiple jurisdictions.
A diluted digital identity framework creates an easy environment for bad actors to impersonate legitimate enterprises, enter into fraudulent agreements, or jeopardize financial transactions. Without federal enforcement, private businesses are left to create their own security protocols, a costly and labor-intensive endeavor that not all companies have the means to apply.
Can industry handle the cybersecurity burden?
While innovation and flexibility are crucial in transforming cybersecurity, the absence of standard enforcement may lead to fragmented security procedures, rendering risk management inconsistent within sectors.
On a theoretical level, permitting the private sector to regulate itself could result in more individualized cybersecurity strategies tailored to each organization’s specific needs. But in reality, this lack of uniformity undermines shared defenses, exposing critical infrastructure to concerted cyberattacks. Enterprises now take complete responsibility for establishing cybersecurity norms in their businesses, which could leave weak links in the supply chain.
In the absence of federal cybersecurity attestations, companies will implement different levels of security depending on their budget, leading to uneven implementation of security measures.
Small and medium-sized organizations often cannot afford robust cybersecurity systems, increasing their vulnerability to breaches. Compliance confusion can also ensue, because internationally operating companies will struggle to conform to diverging global cybersecurity standards.
Although President Trump’s order does direct NIST to collaborate with industry, relying on voluntary security frameworks is a risky gamble when nation-state cyber threats are escalating. Businesses that fail to step up their security investments could become prime targets for adversaries seeking to exploit vulnerabilities.
Addressing the supply chain gaps
To counteract the risks introduced by the Trump administration’s recent executive order, companies must:
Strengthen third-party risk management: With attestations removed, businesses must implement independent vendor security evaluations to ensure that software providers adhere to rigorous cybersecurity standards.
Update supply chain risk assessments: Keep the picture of risk across the supply chain up-to-date by identifying the highest-risk suppliers based on criticality and geographical location, recently acquired suppliers where the risk posture could still be undefined, and recently terminated suppliers.
Follow a robust process when terminating supplier relationships: If a business decision is made to discontinue operations with a specific vendor, ensure that all information is securely deleted using data sanitization techniques (for example, cryptographic erase), that all physical and network access is revoked, and that all user access, including cloud-based shared data, is removed.
Test the company’s incident response plan: Prepare for a potential scenario where a key supplier is impacted or needs to be isolated. Consider creating and workshopping various scenarios and running tabletop cyber incident exercises to test the effectiveness of your response plans.
Engage in cross-industry collaboration: Businesses must work beyond sector boundaries to establish collective defense mechanisms, ensuring interoperability between cybersecurity protocols despite the lack of federal mandates.
Increase efforts to manage supply chain risks: Enhance management of high-risk suppliers by doing the following:
Ensure all important contact information is kept up-to-date.
Update evaluation questionnaires with specific security clauses (vendors’ cyber resilience status).
Use continuous monitoring techniques, such as open-source intelligence to confirm that suppliers’ TLS/SSL certificates are current, and non-intrusive attack-surface scanning.
Identify potential vulnerabilities in the supply chain and push software vendors to prioritize prompt remediation.
Explore new initiatives to assess supplier security, focusing on strong software security practices such as Supply Chain Levels for Software Artifacts (SLSA) and Software Bills of Materials (SBOMs).
Prioritize cyber resilience: Organizations should implement zero-trust security models, AI-powered threat detection, and blockchain-based supply chain tracking to fortify security.
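The SBOM recommendation above is the one item in this list that a buyer can turn directly into a repeatable check: when a vendor delivers a software bill of materials, compare each listed component against the organization’s own advisory watchlist and flag anything below a known fixed version, and separately flag entries the vendor left incomplete. The script below is an added illustration, not code from the column or from the Information Security Forum. The SBOM document, the package names, the watchlist and the "ADV-PLACEHOLDER" references are all constructed for the example and describe no real vulnerability; only the CycloneDX field names (bomFormat, components, name, version, purl) follow the real specification.

```python
"""Triage a vendor-supplied CycloneDX SBOM against an internal advisory watchlist.

Added example, not from the SC Media column. Every component, version and
advisory reference below is constructed for illustration.
"""
import json
import re

# Constructed CycloneDX 1.5 document standing in for what a vendor would deliver.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-yaml", "version": "5.4.0",
         "purl": "pkg:pypi/example-yaml@5.4.0"},
        # No version at all: an incomplete SBOM entry the buyer should push back on.
        {"type": "library", "name": "example-crypto",
         "purl": "pkg:pypi/example-crypto"},
    ],
})

# Constructed internal watchlist keyed by purl with the version removed.
# Each entry records the first fixed version and a placeholder advisory reference.
WATCHLIST = {
    "pkg:pypi/example-http": {"fixed_in": "2.4.0", "ref": "ADV-PLACEHOLDER-001"},
    "pkg:pypi/example-yaml": {"fixed_in": "5.1.0", "ref": "ADV-PLACEHOLDER-002"},
}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1); a trailing suffix such as 'rc1' is dropped."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def strip_purl_version(purl):
    """'pkg:pypi/name@1.2.3?q=1#sub' -> 'pkg:pypi/name' (drops version, qualifiers, subpath)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0]


def triage_sbom(sbom_json, watchlist):
    """Return findings for components below a fixed version or lacking a version."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        version = comp.get("version")
        if version is None:
            findings.append({
                "component": comp["name"],
                "issue": "missing-version",
                "detail": "SBOM entry has no version; ask the vendor to complete it",
            })
            continue
        advisory = watchlist.get(strip_purl_version(comp.get("purl", "")))
        if advisory and parse_version(version) < parse_version(advisory["fixed_in"]):
            findings.append({
                "component": comp["name"],
                "issue": "below-fixed-version",
                "detail": f"{version} < {advisory['fixed_in']} ({advisory['ref']})",
            })
    return findings


if __name__ == "__main__":
    for finding in triage_sbom(SAMPLE_SBOM, WATCHLIST):
        print(f"{finding['issue']:20} {finding['component']:16} {finding['detail']}")
```

Run against the constructed SBOM, the script reports example-http (below the watchlist’s fixed version) and example-crypto (no version declared), while example-yaml passes. In practice the watchlist would be fed from the organization’s vulnerability management tooling rather than hard-coded, and the missing-version finding matters as much as the version match: an SBOM that cannot be checked gives no assurance, which is precisely the gap the column says attestations used to fill.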
Business leaders cannot afford to remain passive in response to the cybersecurity rollbacks in President Trump’s executive order. They must take proactive steps to secure their digital infrastructure and supply chains before vulnerabilities escalate into full-blown crises. Organizations need to tighten supply chain security, rigorously enforce vendor vetting, and put fraud prevention center stage. Otherwise, companies risk becoming soft targets.
Steve Durbin, chief executive, Information Security Forum
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.