Federal government imposes revised cybersecurity standards on contractors and subcontractors through a new executive order
Executive Order 14306, signed by President Donald Trump on June 6, 2025, impacts federal contractors and subcontractors by modifying some cybersecurity requirements while maintaining the overall government-wide cybersecurity framework.
The Department of Defense has nearly finalized an acquisition rule that will trigger the implementation of the new Cybersecurity Maturity Model Certification (CMMC) Program. However, E.O. 14306 suspends the previously mandated requirement for contractors and software vendors to submit formal attestations of compliance to the Cybersecurity and Infrastructure Security Agency (CISA). This pause affects the attestation process tied to the Secure Software Development Framework (SSDF), although the technical standards themselves remain in force.
Despite the suspension of the attestation requirement, the overall framework urging contractors to meet cybersecurity maturity standards remains. The new CMMC program will require companies to assess (or in some cases have third parties assess) certain cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information they process, store, or transmit.
E.O. 14306 also maintains a government-wide approach emphasizing defense against significant foreign cyber threat actors, notably China, Russia, Iran, and North Korea. It directs NIST to collaborate with industry to update and publish secure software development guidance consistent with NIST SP 800-218.
The Defense Federal Acquisition Regulations requiring that defense contractors comply with 110 National Institute of Standards and Technology (NIST) security requirements for controlled unclassified information remain in effect. Certain technical requirements that agencies have implemented for federal government contractors also remain in place, such as requirements pertaining to internet protocol (IP) address blocks, Domain Name System (DNS) resolver systems, and mandatory cybersecurity labeling.
E.O. 14306 does not change E.O. 14144's mandate for the Secretary of Homeland Security to publish template contract language requiring any system acting as a DNS resolver for the federal government to support encrypted DNS. It also leaves unchanged E.O. 14144's directive for the federal government to deploy commercial security technologies and architectures to protect and audit access to cryptographic keys with extended life cycles.
The new E.O. retains some standards for technical enforcement of encrypted and authenticated transport for electronic communications, but removes provisions directing requirements for agencies to expand the use of authenticated transport layer encryption. It further amends E.O. 13694 to restrict sanctions only to "any foreign person" and clarifies that sanctions do not apply to election-related activities.
Regarding the CMMC Program, while E.O. 14306 does not explicitly mention it, the suspension of the attestation requirement likely affects how compliance certification is demonstrated or enforced in the near term. The associated Fact Sheet for E.O. 14306 can be found online.
Technology plays a central role in implementing the new Cybersecurity Maturity Model Certification (CMMC) Program, which will require companies to assess their cybersecurity posture against technical standards using technical assessment methods. Although E.O. 14306 suspends the formal attestation requirement, it maintains a government-wide focus on cybersecurity, including a continuing emphasis on defense against foreign cyber threat actors.