How does Executive Order 14306 shift the cyber strategy for government contractors?

On June 6, a new Executive Order (EO) on cybersecurity altered the compliance landscape for federal contractors. The order pauses the imminent requirement for software vendors to formally attest compliance with the Secure Software Development Framework (SSDF) but keeps the underlying technical standards in place. Below, we dive into what this means for government contractors and provide recommendations to maintain compliance.

Key Takeaways for Contractors:

  • Threat Landscape Reinforced: The EO explicitly reinforces the previously identified threat landscape, naming China, Russia, Iran, and North Korea as persistent threat actors targeting the United States’ cybersecurity.
  • Mandatory Attestations Are Paused: The most significant change is the suspension of the requirement that software vendors submit attestations of compliance with the Secure Software Development Framework (SSDF) to a government repository. The White House cited the process as burdensome and unproven.
  • SSDF Standard Remains the Benchmark: While the attestation mandate is gone, the underlying technical standard—NIST SP 800-218, the SSDF—is not. The EO directs the National Institute of Standards and Technology (NIST) to work with an industry consortium to develop best practices based on the SSDF. It remains the key benchmark for secure software development in the federal space.
  • Shift from Government Mandate to Industry-Led Standards: The administration is signaling a clear preference for cybersecurity practices to be developed in partnership with the private sector, rather than being dictated by government checklists. Contractor participation in and monitoring of industry groups will become more critical.
  • Long-Term Initiatives Still in Play: Requirements related to Post-Quantum Cryptography (PQC) readiness and cybersecurity labeling for Internet-of-Things (IoT) devices (the U.S. Cyber Trust Mark) remain, signaling continued focus on future-proofing federal technology.

The Big Change: The Future of SSDF Compliance

The new EO halts the previous administration’s policy that required software vendors to use a government portal to formally attest—and provide evidence—that their development processes met the detailed standards of the SSDF.

While this EO removes the attestation requirement, it does not eliminate the government’s interest in contractors using secure development practices. The focus now shifts to a collaboration between NIST and an “industry consortium” to refine and promote these best practices.

What this means for government contractors: While the immediate pressure of a mandatory, universal attestation is off, individual contracting officers may still ask for evidence of secure practices, and proposals citing alignment with the SSDF will likely be viewed more favorably because the SSDF remains the de facto standard of care. This change does not eliminate potential liability under other statutes, such as the False Claims Act.

Other Notable Policy Changes

  • Post-Quantum Cryptography (PQC): The government-wide deadline to support PQC standards by 2030 is maintained. However, the EO removes a requirement for agencies to preferentially solicit PQC-supported products now and curtails formal collaboration with foreign governments on the transition.
  • Artificial Intelligence (AI): Several government-led AI pilot programs for cyber defense are rescinded. The focus is now on making federal cyber research data available to academia and the private sector, reinforcing the theme of industry-led innovation.
  • IoT Labeling: The plan to require IoT devices sold to the government to bear the U.S. Cyber Trust Mark remains intact.

Recommendations

  1. Don’t Abandon the SSDF: Continue to use NIST SP 800-218 (SSDF) as a guide for secure software development. While the formal attestation is paused, demonstrating compliance with the SSDF will remain a significant competitive advantage and a key measure of due diligence.
  2. Review Contracts: Carefully review the cybersecurity clauses in any current or future contracts and watch for them in new solicitations. Agencies may still incorporate SSDF-like requirements on a contract-by-contract basis.
  3. Monitor Industry Developments: Pay close attention to the formation of the new NIST-industry consortium. The standards that emerge from this group will likely shape future Federal Acquisition Regulation (FAR) clauses and government expectations.
  4. Budget for PQC and IoT Security: If applicable, continue planning for the transition to post-quantum cryptography. Similarly, as applicable, prepare for the U.S. Cyber Trust Mark requirements. These are long-term, strategic initiatives that have survived the change in administration.

While this executive order changes the tactics of federal cybersecurity policy, the strategic goal remains the same: to secure the government’s software supply chain. We will continue to monitor the development of these new, industry-led standards and any forthcoming changes to the FAR. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Clark Hill PLC

Written by:

Clark Hill PLC