
Tighter Cybersecurity Regulations Loom for Federal Contractors Under Latest Directive


The White House has issued Executive Order (EO) 14306, which amends earlier federal cybersecurity directives (EO 13694 and EO 14144) rather than replacing them outright. The order reshapes how security requirements reach federal agencies and, through them, the contractors and subcontractors that supply their software and services.

The EO covers secure software development, supply chain risk management, AI risk management, IoT security, and alignment of agency cybersecurity policies. It is framed less as a response to any single incident than as a step towards the longer-term resilience of federal information infrastructure.

Key provisions include revising federal regulations to secure third-party software supply chains, preparing agencies for post-quantum cryptography (including a CISA and NSA list of product categories in which PQC-capable products are widely available), and managing the risks of AI systems and IoT devices. The Office of Management and Budget (OMB) is directed to issue updated guidance and to align cybersecurity investments and priorities across federal agencies.

The EO also establishes a pilot program for a "rule-as-code" approach, producing machine-readable versions of the cybersecurity policies and guidance that OMB, NIST, and CISA publish, so that compliance can be checked against the text of the rule rather than against a human reading of it. CISA retains its oversight role in defending federal agencies against cyber threats, while OMB continues to require agencies to follow NIST cybersecurity supply chain risk management practices.

The order also presents practical difficulties, especially for smaller contractors with limited security staff and tooling, for whom full compliance with the updated standards may be hard to achieve. Concerns have also been raised about enforcement and verification: the EO eliminates the requirement for software producers to submit secure software development attestations to CISA, removing the one central mechanism by which those claims were collected and could be checked.

Industry experts and analysts have highlighted further concerns, including a potential reduction in accountability and the removal of language pressing Internet Service Providers to address vulnerabilities. The central tension is whether regulatory burden can be streamlined and responsibility decentralised to agencies without weakening the overall federal cybersecurity posture.

Government contractors should carefully review their current contract requirements: many software security obligations were written into existing contracts and solicitations, and those remain contractually binding despite the rollback of the federal attestation mandate.

The EO signals a refocused but narrower cybersecurity strategy that emphasises agency discretion, regulatory simplification, and support for innovation. Industry concerns about reduced central accountability and weaker enforcement of security standards persist.

As cybersecurity threats continue to evolve, the EO leaves open questions about how its more decentralised approach will be verified in practice. For contractors, the practical effect is that security obligations shift from a single federal attestation process towards contract-level requirements and agency-specific expectations; the burden of demonstrating secure development practices does not disappear, it moves. Whether this produces a more secure federal cyber landscape will depend on how agencies and contracting officers apply the order.

