Fact Check: "Trump's EO removes requirement for federal contractors to ensure secure software compliance."
What We Know
On June 6, 2025, President Donald Trump signed an Executive Order (EO) aimed at strengthening the nation’s cybersecurity efforts. This EO modifies several aspects of previous directives from the Obama and Biden administrations, particularly regarding software security compliance for federal contractors. The order maintains certain requirements for contractors to provide self-attestation of software security compliance based on the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework. However, it removes a section from Biden's EO that mandated the development of new Federal Acquisition Regulations requiring software vendors to provide proof of compliance with these security standards (source-1, source-3).
The Trump EO directs NIST to establish an industry consortium to develop guidance for secure software development practices, effectively shifting the responsibility for defining compliance standards from the federal government to the private sector (source-3, source-5). This change has raised concerns among industry experts, who argue that it may weaken the accountability of software vendors for the security of their products (source-3).
Analysis
The claim that Trump's EO removes the requirement for federal contractors to ensure secure software compliance is partially true. While it is accurate that the EO eliminates the mandate for contractors to provide proof of compliance with NIST standards, it does not completely remove the requirement for self-attestation. Contractors are still required to certify that they comply with the existing software security standards, albeit without the additional verification that was proposed under Biden's EO (source-3, source-5).
The sources used in this analysis are credible, with the first being an official White House fact sheet outlining the Executive Order and its implications. The second source is a news article from Federal News Network, a reputable outlet focused on federal government news. These sources provide a clear understanding of the changes made by the EO and the ongoing requirements for contractors.
However, the removal of the proof requirement is significant, as it may lead to less rigorous oversight of software security practices, potentially increasing the risk of vulnerabilities in software supplied to the government (source-3, source-7). The shift toward an industry-led approach to developing security standards could also result in inconsistencies in how security compliance is enforced across different contractors.
Conclusion
The verdict on the claim is Partially True. While Trump's Executive Order does remove the requirement for federal contractors to provide proof of compliance with secure software standards, it does not eliminate the requirement for self-attestation. This nuanced change indicates a shift in approach rather than a complete removal of security compliance obligations.
Sources
- Fact Sheet: President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America
- Trump EO pumps brakes on software security requirements
- New Executive Order Modifies Cybersecurity Requirements to be Imposed on Federal Contractors and Subcontractors
- Trump Reverses Key Directives of Biden Cyber Executive Order