Federal administration introduces decree aimed at addressing vulnerabilities in federal cybersecurity systems.
The U.S. President's June 6, 2023 executive order on cybersecurity introduces significant changes for federal government contractors, particularly in the areas of third-party software security and AI vulnerability management.
### Changes in Third-Party Software Security
The order modifies security attestation and verification requirements for contractors providing software to the federal government, raising the standards for secure software development. By August 1, 2025, NIST is mandated to launch a public-private consortium to develop new secure software development guidance, reinforcing secure-by-design principles in software code. An update to the NIST Secure Software Development Framework (SP 800-218) is due by December 1, 2025, with a final version to be released shortly after.
The order also directs the Federal Acquisition Regulatory (FAR) Council to develop risk-based cybersecurity requirements for contractors, particularly for civil space systems, and mandates Internet routing security technologies related to BGP for contractors. By January 4, 2027, vendors supplying consumer IoT products to the federal government must comply with the United States Cyber Trust Mark labeling, ensuring higher security standards for IoT devices procured by the government.
### Emphasis on AI Vulnerability Management
The executive order requires federal agencies to integrate AI vulnerability management and compromise response protocols into their incident response playbooks, impacting contractors supporting these agencies by extension. The order also calls for opening cybersecurity datasets for research by November 1, 2025, promoting transparency and aiding in identifying AI-related security risks.
### Implications for Contractors
Federal contractors providing software must prepare for stricter software security verification, adopt secure-by-design principles aligned with updated NIST standards, and comply with new FAR cybersecurity requirements. Contractors involved with AI technologies will also face enhanced expectations around managing AI vulnerabilities and incorporating specific compromise response measures into their operational practices. Failure to meet these requirements risks exclusion from federal contracts.
The changes in the executive order related to requirements for third-party software security have significant implications for federal government contractors. The new executive order includes a provision that will, at some point, require companies providing consumer Internet of Things technology to carry the U.S. Cyber Trust Mark through the FAR. The open FAR case is expected to be watched closely for changes related to software supply chain security.
Townsend Bourne, a partner in the Governmental Practice at Sheppard Mullin's Washington, D.C. office, noted that the new executive order leaves intact some provisions from the earlier Biden executive order that call for updates to the Federal Acquisition Regulation (FAR). However, the new order strikes out certain sections relating to third-party software security, suggesting possible changes to how software attestations might be collected. The new policy statement from the Trump administration in the executive order outlines key cybersecurity risks and countries posing threats to the U.S.
The new policy does not specify who will collect and analyze the data related to AI vulnerability management. The Biden executive order in January added a role for CISA in collecting software attestations and overseeing some of that effort. The new executive order does not impose new requirements but includes deletions and updates to prior executive orders.