The cybersecurity landscape for federal contractors shifted markedly after the issuance of Executive Order 13800 on May 11, 2018. Though the order itself was broad in its directive—aiming to enhance the resilience of federal networks and critical infrastructure—it quickly became clear that its real teeth would be felt in the supply chains supporting those networks. By late 2018, with implementing guidance emerging at a steady pace, defense contractors found themselves grappling with what compliance might truly require. The introduction of the Cybersecurity Maturity Model Certification (CMMC) framework, set for initial audits beginning in January 2019, added a further layer of urgency. For many, the mandate wasn’t just about securing their own systems anymore. It was about demonstrating, in formal and verifiable ways, that every node in their supply chain met the required standards.
The CMMC audits, while anticipated, sparked no small amount of confusion. Some contractors underestimated the rigor of the process, assuming that prior compliance with older frameworks—such as self-attested alignment with NIST SP 800-171—would suffice. In practice, the bar had been raised. The CMMC’s tiered structure meant that different levels of certification applied depending on the nature of the work and the sensitivity of data handled. But even firms targeting lower certification levels found that they needed to map their entire vendor and subcontractor ecosystems against prescribed controls. And this mapping wasn’t a one-time task. It was, and is, a dynamic process, demanding regular review as both business relationships and regulatory interpretations evolve.
A particularly challenging element has been the integration of NIST SP 800-171 control requirements into third-party software vendor assessments. Defense contractors, many of whom rely on complex webs of software solutions, have had to dig deeper into their suppliers’ practices than ever before. It’s no longer sufficient to accept a vendor’s assurances at face value. The expectation now is that contractors can document how each supplier aligns—or does not align—with specific security controls. For example, does a vendor provide multi-factor authentication for administrative access? Are data-at-rest protections in place and auditable? What measures exist for incident response and recovery? In some cases, this level of inquiry has strained relationships. Certain vendors, especially smaller ones, have been reluctant to disclose detailed security architectures or processes. Yet the risk of non-compliance, and the potential loss of federal contracts, has made these conversations unavoidable.
Developing a structured approach to vendor mapping is proving essential. Contractors who have made the most headway often begin with a comprehensive inventory of all third-party software tools and platforms in use—an exercise that sounds straightforward but rarely is. Over time, many organizations accumulate overlapping systems, legacy applications, and informal workarounds that complicate efforts to produce a clean, authoritative list. From there, each system must be evaluated against NIST SP 800-171’s family of controls: access control, audit and accountability, configuration management, and so on. Some firms have invested in dedicated compliance software to support this mapping, while others rely on spreadsheets and manual tracking, at least initially. Neither path is without its frustrations. The sheer volume of data points involved can feel overwhelming, particularly for firms with extensive subcontractor networks.
Alongside these efforts, the EO’s influence has extended into supplier attestation practices. By early 2019, it was becoming common—if not yet universal—for defense contractors to require quarterly cybersecurity attestations from their vendors. The content of these attestations varies, but typically includes statements affirming compliance with relevant security standards, disclosure of any material changes in cybersecurity posture, and confirmation of the absence of significant breaches or incidents. Here, too, challenges abound. Some suppliers view the requests as burdensome or intrusive, while others struggle to provide the necessary documentation. And there’s the ever-present question of verification: to what extent can a contractor reasonably rely on these attestations, and what due diligence must accompany them?
What has emerged, perhaps unsurprisingly, is a growing awareness that compliance is as much a cultural shift as it is a technical or administrative exercise. Defense contractors who once viewed cybersecurity as primarily the domain of IT departments are now finding that procurement teams, legal counsel, and executive leadership all have critical roles to play. The need to balance security imperatives with business realities—especially in competitive subcontracting environments—can generate tensions that aren’t easily resolved. And while some firms have embraced the challenge, seeing it as an opportunity to build stronger, more resilient supply chains, others are still feeling their way through, cautious and at times uncertain about where the lines of responsibility truly lie.
The road ahead, shaped by EO 13800 and its successors, promises further complexity. Regulatory expectations will almost certainly continue to evolve, and contractors must remain nimble if they are to stay ahead. In that sense, the lessons of 2019 remain instructive. Success depends not only on technical compliance, but on a willingness to engage deeply with suppliers, to ask hard questions, and to build the internal processes necessary to manage an increasingly intricate web of obligations.