The Trump Administration recently released its “Cyber Strategy for America” (Strategy), emphasizing modernization of federal networks, streamlined “common sense” regulation, and supply chain risk reduction across several policy pillars. The Strategy will guide implementation of an “unprecedented coordination” across government and the private sector to secure global dominance in cyberspace. Whether these pillars can co-exist with one another is a different question. Below, PilieroMazza highlights key aspects of the Strategy and its potential impact on federal contractors.
Key Pillars Affecting Contractors
The Strategy prioritizes modernizing federal networks through the adoption of cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition. Greater investment and new competitive contract opportunities to revamp civilian and defense agencies’ information systems will likely follow. And in evaluating competing proposals, agencies may begin to more frequently assess how contractors can defend federal networks and deter intrusions with AI-powered cybersecurity solutions.
The Trump Administration has also committed to removing “barriers to entry” so that the government can buy and use the best technology quickly. Towards that end, “burdensome, ineffective regulations” will be removed and replaced with streamlined regulations that promote “common sense.” Consistent with the Administration’s overhaul of the Federal Acquisition Regulation, it appears further slashing of pre-existing cyber regulations could be in our future.
But what will that mean for the Cybersecurity Maturity Model Certification (CMMC) program, which, since its inception, has received pushback from industry over costly and burdensome compliance requirements? Further, it is unclear whether this pillar is consistent with other recent cybersecurity developments, such as the General Services Administration’s (GSA) revised, robust internal policy governing the handling of controlled unclassified information on non-federal systems.
The Strategy also calls for more supply chain scrutiny. We have already seen increased emphasis on protecting federal supply chains in recent years, including through Federal Acquisition Supply Chain Security Act orders and the TikTok ban. It appears, however, that more supply chain restrictions and sanctions are on the way.
Defense contractors face heightened cybersecurity-related documentation requirements and compliance concerns through CMMC, while civilian contractors must navigate an array of rigorous agency-specific regulations and policies, including but not limited to those implemented by the GSA, the U.S. Department of Homeland Security (48 C.F.R. § 3052.204-72, as discussed here), and the U.S. Department of Veterans Affairs (48 C.F.R. § 852.204-71, as discussed here). Only time will tell whether the Strategy will push agencies toward reducing (or adding more) cybersecurity- and supply chain-related requirements.
Recommendations
- Continuously Monitor Supply Chain. Creating organization-wide policies and procedures for conducting inquiries into your supply chain will save time when new prohibitions or sanctions are implemented.
- Ensure Subcontracts Have Proper Flowdowns. Proper subcontract management is imperative when performing as a federal contractor, whether as a prime contractor or a higher-tier subcontractor. Provisions that allow for the audit of subcontractor systems or records, or that require timely cyber incident notifications, will help ensure compliance with current and future cybersecurity-related requirements.
- Mitigate Exposure to False Claims Act (FCA) Liability and Administrative Proceedings. Establishing regular reviews of cybersecurity-related assessments and procedures by technical and legal personnel will help catch errors early, potentially saving thousands in future legal fees associated with FCA litigation and/or suspension and debarment proceedings.
If you have questions regarding the Trump Administration’s new cyber strategy or cybersecurity generally, please contact Cy Alba, Daniel Figuenick, or another member of PilieroMazza’s Cybersecurity & Data Privacy or Government Contracts practice groups. Also visit this link to check out the replay of our recent webinar “CMMC Mission Readiness: Navigating Growth, Costs, and Competition for Defense Contractors.”
