Cybersecurity in the New Administration

By Brandon Graves, Partner

There is no shortage of news related to the Trump Administration, some of which we wrote about last week.  I thought I’d spend a little time on the impact of the Trump Administration on cybersecurity.

First, there is significant uncertainty over the future of the Cybersecurity and Infrastructure Security Agency (CISA), which is the national coordinator for critical infrastructure and resilience.  Under the Biden Administration, CISA was given additional responsibilities in coordinating responses to cybersecurity incidents.

In the early part of the Trump Administration, there has been pushback against CISA’s expanded role.  For the first time since CISA was established, it was not asked to address the annual gathering of secretaries of state in Washington.  Homeland Security Secretary Kristi Noem said that “CISA had strayed ‘far off mission.’  She pledged to work with senators ‘should you wish to rein them in’ with legislation.”  Much of this animosity appears to come from CISA’s role in assessing the security of the 2020 election, which CISA’s first director said was the “most secure in American history.”

CISA is critical to the nation’s defense.  It has also issued requirements that other agencies can integrate into government contracts.  Uncertainty around its role in that process impacts contractors’ ability to design cybersecurity and supply chain security programs that comply with their contractual obligations and with the needs of the country.  In the wake of recent attacks by China, there is some indication that politicians recognize CISA’s importance and are backing off from attacking it.

Second, the proposed rule that determines which contracts will include CMMC is subject to the OMB’s rule freeze.  When the draft rule came out, the SBA assumed that assessments would be required as early as March 1.  This was consistent with other organizations’ assumptions.  Now, it is unclear what the implementation schedule is for the rule, although since CMMC was initiated under the first Trump administration, we anticipate that it will move forward.  Eventually.

Third, the Administration fired the recently established Cyber Safety Review Board.  The Board’s early work was generally well regarded, and it is unclear if any replacement will undertake that work in the future.

In general, there does not seem to be a consistent theme to the Administration’s actions on cybersecurity.  There was some early animosity to the previous Administration’s initiatives, but that has toned down as reality interjects.  There will continue to be confusion, followed by lots of finger pointing after the next big issue.  All contractors can do is continue to improve their own cybersecurity and prepare for the unexpected.
