Federal Cybersecurity Cuts Raise Risks—Here’s How to Respond
If your organization purchases software, works with government contractors, or is part of any critical supply chain, this rollback affects you. The pressure to maintain strong cybersecurity practices has largely shifted from federal mandates to private enforcement, and that means your team must act decisively to fill the gaps. Let’s dive into what’s changed and how to secure your organization.
What the Rollbacks Mean for Federal Cybersecurity and Your Organization
For the past few years, federal cybersecurity initiatives have helped drive better standards across industries. Secure software attestations and SBOMs weren’t just compliance paperwork; they were major components of a more transparent, resilient software supply chain.
Now, those requirements are gone.
“Previously, a contractor would formally submit attestation paperwork to CISA stating they followed secure software development practices,” stated Matt Durrin, director of research and training for LMG Security. “That will no longer be required.”
“This rollback doesn’t just affect federal agencies. It affects the entire private sector that depends on secure software,” shared Sherri Davidoff, founder of LMG Security. “These are the same developers selling software to nonprofits, corporations, and state governments. Without mandatory attestations or SBOMs, it’s now up to individual organizations to request transparency and verify it.”
To learn more about supply chain risks and how to manage them, check our blog on Software Supply Chain Security.
SBOMs Are (Mostly) Dead, But Still Vital
The rollback of SBOM requirements was one of the most disappointing elements of the new executive order.
SBOMs act like an ingredient label for software. They help organizations quickly identify which of their deployed components are affected when a new vulnerability, such as the one discovered in Log4J, is disclosed.
“Log4J is a great example of why your organization should require SBOMs,” Durrin stated. “The internet was on fire after that vulnerability was found. Everyone was trying to figure out if any of the software they used included that vulnerable package. SBOMs could have helped us all remediate that threat much faster.”
While SBOMs are no longer federally mandated, generating them is still easy, thanks to free tools. We strongly suggest that every organization still require SBOMs from its vendors. Federal cybersecurity policy may have shifted, but your organization’s risk hasn’t.
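To show how an SBOM answers the "are we exposed?" question in minutes rather than days, here is an added example (not code from LMG Security or from the original post) that scans a constructed CycloneDX-style SBOM for components below a fixed version. The SBOM contents and the advisory entry, including its fixed-version number, are placeholders; real affected ranges come from the vendor advisory.

```python
import json

# Constructed example: a minimal CycloneDX-style SBOM (JSON) for a hypothetical application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}
  ]
}
"""

# Constructed advisory list: (group, name, first fixed version).
# The fixed version here is a placeholder; take real ranges from the vendor advisory.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.17.1"),
]


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric segment compares as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_affected(sbom_json, advisories):
    """Return (group, name, version) for every component older than its fixed version."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        key = (comp.get("group", ""), comp.get("name", ""))
        for group, name, fixed in advisories:
            if key == (group, name) and parse_version(comp["version"]) < parse_version(fixed):
                hits.append((group, name, comp["version"]))
    return hits


if __name__ == "__main__":
    # Run this against each vendor's SBOM when an advisory lands to get an immediate exposure list.
    for group, name, version in find_affected(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED: {group}:{name}@{version}")
```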
Reduced Oversight for MFA, Encryption, and Identity
This same June 2025 executive order also rolled back internal federal requirements for phishing-resistant MFA and data encryption at rest. This rollback removes a powerful source of pressure for widespread adoption. As the federal government steps back, CISOs and IT leaders must step up.
“We used to look to the government to model standards like phishing-resistant MFA,” Davidoff shared. “Now, we’re on our own, and the private sector has to pick up that ball.”
These rollbacks are happening at a dangerous time. IBM’s 2024 Cost of a Data Breach report found that 42% of breaches involve compromised credentials. Weak or missing MFA and encryption controls open the door to attackers and can massively increase your recovery costs.
Echoes of PCI: When Industry Must Lead
The rollback of federal cybersecurity requirements mirrors what happened in the early 2000s with PCI compliance. Facing rising credit card fraud, lawmakers considered regulation—but the payment card industry pushed for self-regulation instead.
That approach helped, but it also pushed the burden of enforcement (and liability) onto merchants, small businesses, and banks. We’re now seeing a similar dynamic: a move from federal mandates to industry-led cybersecurity enforcement.
What Still Stands: A Glimmer of Federal Cybersecurity Support
Not everything was cut. Here’s what remains:
- Post-Quantum Cryptography (PQC): The Department of Homeland Security is tasked with releasing guidance on PQC product categories by December 1, 2025. This is critical, as quantum computing threatens to break today’s public-key encryption. Listen to our PQC podcast or read our blog for more details.
- FTC Cyber Trust Mark: Designed like an Energy Star rating for IoT devices, this label signifies basic security features like default password changes and firmware update capability. While the mark can be spoofed (e.g., fake QR codes), it’s a step toward consumer awareness. It is also completely voluntary. Listen to our Cyberside Chats episode on the Cyber Trust Mark for more details.
- AI Vulnerability Coordination: The executive order includes provisions for improving inter-agency coordination and vulnerability tracking related to artificial intelligence, an area of growing risk for many organizations.
Even with these protections intact, the broader rollback means private-sector security leaders must be proactive in bridging the gap.
Key Takeaways: What Your Organization Should Do Now
With federal guidance receding, it’s time to take control of your organization’s cyber risk posture. Here’s what you should do now:
- Don’t Drop SBOMs or Attestations: Make SBOMs and secure development attestations part of your vendor contracts, even if they’re no longer federally required. Transparency is your best defense against software supply chain attacks. You can even generate SBOMs yourself if needed; several open source tools make scanning your software easy.
- Re-Evaluate Your Third-Party Software Risk Practices: Without centralized validation, it’s up to you to assess the claims made by vendors. Require documentation, perform independent audits, and review software components regularly. Consider using a third-party risk management platform to simplify the process. Read our blog on TPRM best practices, and contact us if you need help implementing a solution.
- Watch for Gaps in MFA, Encryption, and Identity Standards: With federal cybersecurity standards now optional, don’t assume your vendors are enforcing strong MFA for both their systems and their products. Verify that phishing-resistant MFA, encryption at rest and in transit, and robust access controls are in place.
- Prepare for Industry-Led Enforcement: Cyber insurers, large enterprise customers, and professional associations will likely enforce software security standards. Align your policies with frameworks like NIST 800-53 and ensure compliance across your supply chain.
- Treat Risk Like It’s Yours—Because It Is: The rollback transfers the burden of defense from the federal government to individual organizations. You need to be assertive in your cybersecurity expectations and contractual requirements.
- Follow Best Practices from Established Frameworks: While the mandates are gone, implementing respected frameworks like the NIST CSF can help you manage your cybersecurity controls.
Final Thoughts: Federal Cybersecurity Is Changing—Are You Ready?
The 2025 rollback of federal cybersecurity mandates marks a turning point. The shift away from government regulation means security standards will increasingly be defined by market forces—buyers, insurers, and industry coalitions.
For organizations like yours, that means more responsibility, more scrutiny, and more need for action. Now is the time to re-evaluate your vendor requirements, tighten third-party risk management, and reinforce your MFA, encryption, and identity frameworks.
Need help? Contact our team of cybersecurity experts for policy development guidance, risk assessments, third-party risk management solutions, and more.