On June 6, 2025, President Donald Trump issued a new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity” (Executive Order), ushering in sweeping reforms for federal cybersecurity policy. This directive targets five high-impact areas: secure software development, quantum-resistant encryption, AI security, Internet of Things (IoT) device compliance, and sanctions against foreign cyber threats. Federal contractors and tech companies must prepare immediately or risk exclusion from federal procurement.
Key Takeaways:
- Secure Software Development Now Mandated
  - NIST Consortium Launch by August 1, 2025: Will guide industry and government on secure software best practices.
  - Updated NIST SP 800-218 by December 1, 2025: Contractors must adopt “secure-by-design” principles or face disqualification from federal opportunities.
- Quantum Computing Is Here and Encryption Must Evolve
  - Post-quantum cryptography (PQC) guidance is due from the government by Dec. 1, 2025.
  - Mandatory TLS 1.3 support by January 2, 2030: All federal systems must use the latest cryptographic protocols, validated under FIPS 140-3.
  - Federal vendors must audit cryptographic systems now for PQC readiness and compliance with FIPS standards.
- AI Security Is a Federal Requirement
  - Agencies must integrate AI-specific vulnerability detection into their response playbooks.
  - By November 1, 2025, vendors must ensure AI systems feature:
    - Transparent vulnerability reporting
    - Runtime monitoring
    - Dataset protection
    - Support for federal cybersecurity research
- IoT Devices Must Carry the US Cyber Trust Mark by January 4, 2027
  - Based on NIST SP 800-213, this new label will be a nonnegotiable procurement standard.
  - Devices lacking the mark will be barred from federal sales.
  - Vendors must demonstrate end-to-end security across the entire supply chain.
- Cyber Sanctions Narrowed but Supply Chain Risks Expanded
  - The Executive Order limits cyber sanctions to foreign persons, clarifying domestic exclusions.
  - US firms must vet international partners to avoid ties to sanctioned entities or state-linked cyber threats.
  - One weak link—such as a foreign IoT component or software library—can result in serious liability or loss of federal access.
Strategic Implications:
- “Rules as code” pilot launching by June 2026: Compliance will shift from interpretive audits to automated, machine-readable enforcement. Vendors must prepare for real-time compliance verification.
- Deadlines are stacked and imminent. From NIST’s secure software guidance (August/December 2025) to mandatory PQC and IoT requirements (2027–2030), companies need a multiyear road map.
- Inaction = Disqualification. Federal contracts and subcontracts will soon require proof—not promises—of cyber resilience.
In light of the sweeping changes introduced by the Executive Order, businesses must act decisively. Start by conducting a comprehensive cybersecurity readiness assessment to uncover any gaps in quantum-resistant encryption, AI security, software development practices, and IoT device compliance. Simultaneously, review and update contracts and internal policies to reflect the new federal cybersecurity mandates, ensuring that expectations around secure development, PQC, and AI vulnerability management are clearly defined and contractually enforceable. As compliance increasingly becomes machine-readable under the “rules as code” initiative, IT systems must be modernized to support real-time, automated enforcement of federal standards.
Equally critical is securing your supply chain. Companies must rigorously vet international vendors and third-party components for cybersecurity risks, as even an indirect link to a compromised or sanctioned entity can jeopardize federal eligibility. The bottom line is clear: This Executive Order is more than a policy shift—it is a fundamental transformation of how cybersecurity is regulated, assessed, and enforced across the federal landscape. Those who adapt quickly will gain a competitive edge; those who hesitate may soon find themselves shut out of the federal market entirely.
For a full examination of the Executive Order, please see the recent blog posting at www.governmentcontractslaw.com.