Stricter cybersecurity guidelines to be imposed on federal contractors under the latest government order.

Federal Contractors Brace for Tightened Cybersecurity Regulations in Upcoming Order: The forthcoming Executive Order sets stricter cybersecurity guidelines for federal contractors and their subcontractors, focusing on fortifying vulnerabilities and offensive action against cyber attacks....


The White House has recently issued a new Executive Order (EO) aimed at bolstering the cybersecurity measures of federal contractors and subcontractors. This proactive step is a significant move towards enhancing the future resilience of the federal information infrastructure.

The EO mandates modern security measures to protect data integrity and confidentiality. However, achieving full compliance may present challenges, especially for smaller contractors with limited cybersecurity infrastructures. They will need to navigate the complexities of compliance, balancing enhanced security with feasible operational practices.

One of the key changes compared to previous Biden administration directives is the elimination of the requirement for contractors to submit attestations to the Cybersecurity and Infrastructure Security Agency (CISA) about compliance with secure software development practices. While contractors must still adhere to these practices, the prior mandate to submit attestations and the associated Federal Acquisition Regulation (FAR) council directive are removed.

The EO also directs federal agencies to better align their policies, investments, and priorities to improve network visibility and security controls to reduce cyber risks. The Office of Management and Budget (OMB) is tasked with issuing updated guidance, including revisions to OMB Circular A-130 (“Managing Information as a Strategic Resource”), to address evolving cybersecurity risks and modernize practices across federal information systems.

The FAR Council is also directed to amend acquisition regulations to require vendors supplying consumer Internet-of-Things (IoT) products to carry a “United States Cyber Trust Mark” label, expanding federal security requirements into IoT device procurement.

The EO retains CISA’s oversight authority for identifying and defending against cyber threats to federal agency systems and directs the continuation of the pilot program for rule-as-code—machine-readable versions of federal cybersecurity policies—to be managed jointly by OMB, NIST, and CISA.

Some prior Biden order mandates have been removed, including those related to NIST developing new minimum cybersecurity guidance, requirements for federal systems to deploy phishing-resistant multi-factor authentication, and pilot projects related to defense-related AI cyber challenges.

The initiative introduces robust oversight mechanisms, including internal evaluations by contractors and external assessments by federal agencies. Enhanced encryption protocols and comprehensive access control mechanisms are crucial components of compliance. Agencies have been tasked with conducting evaluations to measure the efficacy of these newly enacted protocols.

The implementation of this Executive Order is a significant step towards comprehensive cybersecurity reform across federal operations. Insights gleaned from these assessments will likely influence future iterations of cybersecurity policies. The EO represents a recalibration focusing on decentralization, aligning practice with policy, and targeted risk reduction rather than expansive new mandates.

  1. The Executive Order (EO) mandates the use of enhanced encryption protocols and comprehensive access control mechanisms as crucial components of compliance for federal contractors.
  2. Achieving full compliance with the EO may challenge smaller contractors, as they need to balance enhanced security with feasible operational practices.
  3. The Office of Management and Budget (OMB) is tasked with issuing updated guidance, including revisions to OMB Circular A-130, to address evolving cybersecurity risks and modernize practices across federal information systems.
  4. The FAR Council is directed to amend acquisition regulations to require vendors supplying consumer Internet-of-Things (IoT) products to carry a "United States Cyber Trust Mark" label, expanding federal security requirements into IoT device procurement.
