Revised cybersecurity measures for federal contractors and subcontractors are instituted via a recent executive order.
In a significant move, President Donald Trump issued Executive Order (E.O.) 14306 on June 6, 2025, scaling back cybersecurity requirements and government-wide approaches implemented by the Biden Administration. One of the most notable impacts of this order is the final regulatory stage of the Cybersecurity Maturity Model Certification (CMMC) program for federal contractors and subcontractors.
The Cybersecurity Maturity Model Certification (CMMC) program is set to become a mandatory requirement for nearly all Department of Defense (DoD) contracts starting October 1, 2025. The DoD has nearly finalized an acquisition rule that will trigger the implementation of the CMMC Program.
The Department of Defense finalized the proposed DFARS rule (DFARS Case 2019-D041), which integrates CMMC requirements into federal contracting language. This rule was submitted to the Office of Information and Regulatory Affairs (OIRA)/Office of Management and Budget (OMB) in July 2025 for final review, the last step before publication. Once approved and published in the Federal Register—expected by late 2025—the rule will require contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to have a valid CMMC certification or self-assessment posted in the Supplier Performance Risk System (SPRS).
The new requirement affects an estimated 80,000 companies needing at least Level 2 certification, although concerns exist about the limited number of certified assessors currently available. Contractors are urged to prepare promptly to meet the enhanced cybersecurity standards that CMMC 2.0 introduces, ensuring eligibility for future DoD contracts.
While E.O. 14306 modifies several cybersecurity policies, it does not change existing directives to review and update space system cybersecurity policies, such as those pertaining to debilitating impact systems. The order also retains some standards for technical enforcement of encrypted and authenticated transport for electronic communications.
However, the order removes a requirement for the National Institute of Standards and Technology (NIST) to evaluate common cybersecurity practices across industry sectors, international standards bodies, and other risk management programs to issue minimum cybersecurity practices guidance. It also removes references to the use of Border Gateway Protocol (BGP) security methods for routing information.
E.O. 14306 notably requires federal agencies to ensure that assigned internet number resources, such as IP address blocks and Autonomous System Numbers, are covered by a Registration Services Agreement with the American Registry for Internet Numbers or an analogous internet registry. The order also retains the requirement for the Federal Acquisition Regulation (FAR) Council to amend the FAR to require vendors selling Internet of Things products to the federal government to carry US Cyber Trust Mark labeling on those products.
In summary, E.O. 14306 significantly alters the cybersecurity landscape for federal contractors. The CMMC program, which is about to become mandatory, will require companies to assess (or in some cases have third parties assess) certain cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information they process, store or transmit. While the order rescinds certain cybersecurity policies, it does not change existing directives related to space system cybersecurity and retains some technical enforcement standards for electronic communications.