Alert
March 19, 2025

Crossing Administrations: The Focus on Federal Cybersecurity Continues

Bottom Line Up Front

Federal contractors, including defense contractors, should prepare for the emergence of new requirements in the coming months that are designed to strengthen software supply chain security, impose more stringent cybersecurity obligations, combat cybercrime, and encourage the development of more advanced identity verification technology. To date, cybersecurity-focused programs and initiatives advanced late in the Biden Administration remain active, despite the Trump Administration’s recent rescission of a number of other Biden Executive Orders. This alert discusses a recent proposed revision to the regulations governing contractors that handle certain sensitive federal information, a Biden Executive Order focused on cybersecurity issued in his final days in office, and an overview of the regulatory framework that has provided the foundation for both.

Background

Nearly two decades ago, federal executive agencies employed various ad hoc, agency-specific policies, procedures, and markings designed to protect, safeguard, and control information that involved privacy, security, proprietary business interests, and law enforcement investigations. As a result, across the federal government there was inconsistent use of markings and safeguarding of documents, unclear or unnecessarily restrictive dissemination policies, and impediments that restricted authorized information sharing. This lack of coordination led to the widely held perception that the federal government was unable to protect certain sensitive information, which was detrimental to U.S. national security interests.

On November 4, 2010, President Obama issued Executive Order (E.O.) 13556, which established the Controlled Unclassified Information (CUI) program and designated the National Archives and Records Administration (NARA) as the executive agency in charge of administering it. The CUI program was intended to be an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.

Six years later, NARA published a final rule which implemented CUI requirements (81 FR 63324) and officially established the federal government's policy for marking, safeguarding, disseminating, decontrolling, and disposing of CUI. This final rule also established policies applicable to federal contractors that are responsible for handling, collecting, transmitting, processing or storing CUI during contract performance. The final rule provided that businesses that entered into agreements and arrangements with the federal government, including but not limited to contracts, grants, licenses, certificates, memoranda of agreement/arrangement or understanding, and information-sharing agreements or arrangements, were to comply with the promulgated rules when CUI was being handled.

During that period, the federal government was also working to establish cybersecurity requirements for information systems of federal contractors. In May 2016, the government mandated that all federal contractors protect their systems with 15 basic cybersecurity requirements, as described in Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Additionally, the Department of Defense (DOD) published Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. DFARS 252.204-7012 requires defense contractors to provide “adequate security” for certain information that is processed, stored, or transmitted on the contractor’s internal information system or network, and requires the DOD to mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor. To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

On May 12, 2021, President Biden issued E.O. 14028, Improving the Nation’s Cybersecurity, with the goal of improving the federal government’s response to cybersecurity threats and engaging the private sector as a partner to secure IT systems through the implementation of a series of standards and requirements. This E.O. modernized security practices to better protect against current and ever-evolving cyberthreats posed by sophisticated adversaries, including nation-state actors. The foundational requirements of this E.O. were: (1) the removal of barriers to threat information sharing, (2) the modernization of federal government cybersecurity, (3) the enhancement of software supply chain security, (4) the establishment of a Cyber Safety Review Board, (5) the standardization of the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents, and (6) the improvement of the federal government’s investigative and remediation capabilities.

Concurrent with these efforts, the DOD has also been slowly rolling out what we now know to be Cybersecurity Maturity Model Certification (CMMC) 2.0, which is the DOD-specific framework intended to enhance protection of unclassified information that is designated as either federal contract information (FCI) or CUI throughout the DOD supply chain. The DOD will use the CMMC 2.0 framework to ensure that defense contractors are meeting federal cybersecurity requirements. The DOD published a Final Rule implementing the CMMC 2.0 that went into effect on December 16, 2024 and issued a proposed DFARS amendment that will require contracting officers to specify the CMMC level that will be required to be set forth in the solicitation. Goodwin covered the CMMC 2.0 implementation and proposed DFARS amendment here.

Recent Actions

On January 15, 2025, the DOD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) (collectively, the “FAR Council”) proposed a rule, 90 Fed. Reg. 4278 (Proposed FAR CUI Rule), amending the Federal Acquisition Regulation (FAR) to implement the 2010 Obama-era E.O. The comment period on the Proposed FAR CUI Rule closed on March 17, 2025. The rule is expected to create two new clauses (FAR 52.204-XX, Controlled Unclassified Information, and FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information) and a new FAR provision (FAR 52.204-WW, Notice of Controlled Unclassified Information Requirements). The FAR Council has stated that it intends the clauses and provision to be used by executive agencies to create uniformity in the way CUI is managed throughout the procurement process, from solicitation through contract award and administration.

Notably, the Proposed FAR CUI Rule applies to all federal contractors and subcontractors who handle CUI while performing federal contracts. DOD contractors should find most of its contents familiar, but there will be new cybersecurity obligations for contractors who do not provide goods and services to the DOD. The new requirements include, but are not limited to, adopting access controls to limit who can view or handle CUI, requiring data encryption during information transmission and storage, imposing routine monitoring and logging of system access and activity, and implementing incident response plans to address security incidents and data breaches. Prime contractors will be required to ensure that all subcontractors comply with the same safeguarding requirements for CUI and will need to train their employees on CUI handling, safeguarding, and reporting requirements.

The very next day, on January 16, 2025, President Biden issued E.O. 14144, Strengthening and Promoting Innovation in the Nation’s Cybersecurity. This E.O. continued the efforts outlined in E.O. 14028 and set forth additional actions designed to improve the United States’ cybersecurity posture by focusing on defending digital infrastructure, securing the services and capabilities most vital to the digital domain, and building capability to address key threats from foreign adversaries. The E.O. contains a number of provisions addressing cybercrime, and requires the establishment of public-private pilot programs focused on using advanced Artificial Intelligence models for cyber defense. Finally, the E.O. requires that federal contractors selling certain devices obtain, by January 4, 2027, the U.S. Cyber Trust Mark, which was rolled out by the Federal Communications Commission in March 2024 with the goal of increasing transparency and incentivizing secure practices in consumer Internet of Things (IoT) devices. Federal contractors, both foreign and United States, will need to ensure that their IoT devices have the Cyber Trust Mark prior to being sold to federal agencies.[1] As of the date of this alert, this E.O. remains in force and has not been rescinded by President Trump.

Department of Justice Focus on Cybersecurity

With new cybersecurity requirements being put in place, businesses that will be subject to these requirements should be focused on the very real risk associated with non-compliance. During the Federal Bar Association’s February Annual Qui Tam Conference, Department of Justice (DOJ) personnel reminded attendees of enforcement priorities for the False Claims Act (FCA) and highlighted cybersecurity as a continued area of focus for the DOJ in the new administration. The DOJ launched its Civil Cyber-Fraud Initiative in 2021 and signaled its intent to use the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA is the government’s primary civil tool to redress false claims for federal funds and property involving government contracts, grants, programs, and operations.

Since the Cyber-Fraud Initiative’s launch, the DOJ has brought a number of enforcement actions related to compliance with required cybersecurity standards. In February 2025, the DOJ announced a significant FCA settlement related to a DOD contractor that allegedly falsely certified compliance with DOD cybersecurity contract requirements between 2015 and 2018. This settlement, underscored by statements by DOJ leadership, suggests that the DOJ will continue to leverage the FCA to enforce evolving and increasing cybersecurity requirements against companies that do business with the federal government.

Takeaways

  1. Review and revise compliance programs to meet new requirements. The new requirements will likely contain more stringent obligations on contractors performing federal contracts. To ensure appropriate compliance, contractors should review their current compliance policies and procedures and assess compliance with NIST SP 800-171. If the current policies and procedures are not comprehensive enough or do not address new obligations, contractors should revise policies and procedures, as needed, and ensure that employees are properly trained.
  2. Inform subcontractors of possible compliance requirements. Contractors will likely be responsible for managing subcontractors’ compliance and informing subcontractors of CUI requirements by providing a new CUI Standard Form that is being proposed for use. As such, contractors should prepare their subcontractors for any possible changes or adjustments in procedures by communicating promptly with them as these new requirements go into effect.
  3. Review and document any current contracts that contain CUI. Since the Proposed FAR CUI Rule focuses on regulating how CUI is handled, disseminated, and controlled, contractors should start reviewing and documenting any contracts under which they handle, control, use, disseminate, or manage CUI. By doing so, contractors can be prepared to provide such information when requested, once the rule is finalized.
  4. Mitigate risk associated with breaches and non-compliance. As new cybersecurity obligations are imposed in existing and future government contracts, subcontracts, grants, and other forms of funding, companies should ensure that they have appropriate incident response plans in place and operationalize internal whistleblowing and remediation protocols.

Goodwin attorneys in the Government Contracts & Grants, Data, Privacy & Cybersecurity, and Government Investigations, Enforcement & White Collar Defense practices have significant experience counseling clients across industries on matters involving government contracts and grants compliance, cybersecurity, and FCA matters. These include issues ranging from identifying concerns during due diligence to assisting with the implementation of mitigation measures, appropriate employee training, and ensuring compliance with evolving regulatory and contractual obligations, as well as responding to and resolving government fraud investigations and enforcement actions.

[1] Manufacturers outside of the U.S. will be eligible to apply for the U.S. Cyber Trust Mark for their products as long as they are not otherwise prohibited from participating in the program. Manufacturers and other entities owned or controlled by, or affiliated with, any of the following sources are prohibited from the program:


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.