Executive Order

On April 9, 2025, President Trump issued an Executive Order (“EO”), “Modernizing Defense Acquisitions and Spurring Innovation In the Defense Industrial Base,” that may have significant implications for federal government contractors doing business with the Department of Defense (“DoD”), and particularly those with touchpoints to Major Defense Acquisition Programs (“MDAPs”).

The EO requires DoD to take a number of actions, including:

  • Within 60 days (i.e., June 8th), the Secretary of Defense must submit to the President a plan to reform the DoD acquisition process to eliminate inefficiencies.  The plan must prioritize commercial solutions and the use of Other Transactions Authority (“OTA”) agreements and Rapid Capabilities Office mechanisms.  The plan must also eliminate redundant tasks and approvals, centralize decision-making, and incorporate effective risk management for all acquisition programs through a governance structure referred to as a Configuration Steering Board. 
  • Under no specified timeline, DoD is generally directed to revise internal regulations and implementation guidance — including the DoD Financial Management Regulation and the Defense Federal Acquisition Regulation Supplement — utilizing the principle from the “Unleashing Prosperity Through Deregulation” EO (Jan. 31, 2025) that for every new regulation proposed, ten existing regulations should be repealed.
  • Within 90 days (i.e., July 8th), the Secretary of Defense must review all MDAPs and consider for “potential cancellation” programs that are: (1) more than 15% behind schedule; (2) more than 15% above cost; (3) “unable to meet key performance parameters”; or (4) otherwise not aligned with DoD mission priorities.  Following this review of MDAPs, the Secretary of Defense will conduct a similar review for all remaining major systems.
  • Within 120 days (i.e., August 7th), the Secretary of Defense, in collaboration with the Military Departments, must propose a plan to overhaul the defense acquisition workforce by restructuring performance metrics, assessing workforce sizing requirements, and deploying expert-led field training teams to enhance familiarity with innovative acquisition authorities.  These reforms are intended to incentivize prudent risk-taking and expand the workforce’s fluency in commercial solutions and adaptive acquisition strategies.
  • Within 180 days (i.e., October 6th), the Secretary of Defense, acting through the Deputy Secretary of Defense, the Secretaries of the Military Departments and the Joint Chiefs of Staff, must complete a comprehensive review of the Joint Capabilities Integration and Development System (“JCIDS”), with the aim of streamlining and accelerating acquisition.[1] 

We address the EO’s directives for acquisition process reform and MDAP review in greater detail below.

Continue Reading Trump Administration Issues Executive Order Aimed At Modernizing Defense Acquisitions And Spurring Innovation

In the latest in a series of executive actions that aim to reshape much of government, President Trump signed an executive order on February 18 expanding the President’s authority over so-called independent agencies within the executive branch.  The impact of this executive order will be felt across the federal government

Continue Reading New Executive Order Gives President Veto Power Over Some FEC Rulemaking

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by

Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022.  This blog describes key actions taken to implement the Cyber EO during January 2023.

GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023.

On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”).  The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO.  That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices.  These practices include obtaining self-attestations of conformity with secure software development practices and in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.

The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18.  For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023.  For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered.  Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible.  With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.

Continue Reading January 2023 Developments Under President Biden’s Cybersecurity Executive Order

This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022.  This blog describes key actions taken to implement the Cyber EO during November 2022.

I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers 

On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”).  The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers.  Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.

The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test).  For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios.

Continue Reading November 2022 Developments Under President Biden’s Cybersecurity Executive Order