Cybersecurity has had its ups and downs as we head into 2025

Last year was an eventful one on the cybersecurity front. But big cyber developments in the federal scape are expected in 2025.

Last year was an eventful one on the cybersecurity front. There was the advancement of the Defense Department’s new requirements for contractors, cyber updates in the Federal Acquisition Regulation and artificial intelligence interacting with cyber. Townsend Bourne, cyber team leader and partner at Sheppard Mullin, led a team that had put it all in one place together with a cyber forecast for 2025. She joined the Federal Drive with Tom Temin to discuss.

Interview transcript:

Tom Temin: And you have compiled all of the big cyber developments in the federal scape here in a neat and very graphic 22-page document here. Give us the highlights. What’s the important things that happened that are going to lead us into the next year?

Townsend Bourne: Yeah. So our team at Sheppard Mullin, we did this last year and we also did it this year. We found it to be an incredibly helpful resource for our clients. But our goal was really to put together everything government contractors and companies in critical infrastructure sectors need to know about cybersecurity developments and what we expect in 2025 at a very high level. You covered kind of the main points, but we go in depth into DoD’s new CMMC program, which is going to affect any company that works with the Department of Defense and establish new cybersecurity certification and assessment requirements. We have several pages in the book that walk through open FAR cases, so new rules we’re expecting to see in 2025 in the Federal Acquisition Regulation. Of course, with the new administration, there may be some changes, which I’m sure you and I will get into. We also cover AI, as you mentioned; FedRAMP, which is the federal government’s program for security authorizations for cloud service offerings; as well as incident reporting, and what the DOJ has been doing in civil cyber fraud enforcement.

Tom Temin: And what are the big things coming in the FAR?

Townsend Bourne: There are a lot of open FAR cases we’ve been following, most notably in the cybersecurity area with securing federal information, but also supply chain. The main regulation is one we actually saw a proposed rule on this month. So after we put out the forecast, we did get a FAR rule on contractor requirements for protection of controlled unclassified information. So prior to this, we had a DoD regulation. Now we are looking forward to a FAR rule, which will cover all civilian agency contractors as well.

Tom Temin: The trend seems to be much more towards very descriptive requirements for contractors, not just in DoD with CMMC, but also, it’s coming over into the civilian side. Some people are expecting a CMMC civilian version even, but the idea is: use this standard, make sure these controls are in place. It has to be NIST compliant, or NIST conforming and so on. Very prescriptive. And there’s costs associated with that.

Townsend Bourne: I think that’s right. Most of these rules have a NIST standard or some other baseline that companies are required to follow in order to meet the cybersecurity requirements. The other thing you touched on, I think we’re seeing it in some places and not others. But more and more, we’re seeing a requirement for an attestation or a certification from contractors, which I think most people that listen to this podcast know. Once you do that, you are potentially setting yourself up for False Claims Act liability if you have a false certification or other issues with the affirmation.

Tom Temin: And what’s your assessment of artificial intelligence? Almost no cyber conversation happens nowadays without people saying how AI is used to understand what’s happening on your network and all this data. And also that the enemies are using AI to get better at the attacks.

Townsend Bourne: Right. This is a huge area and where we’re going to see some shifts now with our new presidential administration. President Biden put out an executive order on AI that has since been revoked. That executive order did have a lot of focus on cyber national security reporting for companies that are developing AI models in the United States. As I mentioned, that AI executive order has been revoked. But we’re expecting to see some of those same priorities in terms of security, both on the cyber side and the national security side.

Tom Temin: I guess the new administration, with respect to AI and cybersecurity for that matter, there was a late Biden administration cybersecurity EO to build on the one from 2021. That’s probably, as we speak, on the way to revocation. A more laissez-faire, maybe, expectation from the Trump administration?

Townsend Bourne: It’ll be interesting to see. As far as I know, as of this morning, the two cybersecurity executive orders put out by the Biden administration are still in play. We do expect that many of these rules are going to continue forward. I mean, the CMMC program has been around since before Trump’s first administration and the CUI program really rolled out under Obama. So that’s kind of been a consistent factor, regardless of the administration. I would expect we might see greater review of these regulations. Trump did put out an executive order requiring someone in his administration to review rules before they get published in the Federal Register. So we could see some pulling back on some of these more onerous requirements.

Tom Temin: We’re speaking with Townsend Bourne. She’s a partner at the law firm Sheppard Mullin and led their team on creating the cyber forecast. And so the big trends this year then will be probably not all that unexpected. Even with changes in policy, there’s still going to be an onus on contractors to either attest to or actually have in place lots of requirements. It’s hard to see the Trump administration pulling that concept away.

Townsend Bourne: I think that’s right. I think we will still see the focus on establishing baseline controls, ensuring that contractors sign up for those and provide the representations and certifications associated with those. I think you hit on it. AI is going to be kind of a question mark. That’s an area where I think we may see the most shift from the last administration.

Tom Temin: And the requirements to have software bills of materials. And I think the latest had built on that requirement, the one from Biden. Do you see that as something that will still be part of the mix?

Townsend Bourne: That will be interesting as well. There was a big push as a result of the cybersecurity executive order in 2021 to have commercial software providers to the federal government provide attestations. That’s been rolled out over the past year, but we haven’t seen a FAR clause or a requirement consistently applied to contractors. The concept of having secure software attestation is in the new cybersecurity executive order that Biden put out just before he left office. So that is a concept that’s still at play. But I wonder, in response to your point, if we might see a little bit of a change there, where it is going to be something that hits large commercial companies and small commercial companies equally.

Tom Temin: And what do you see, if anything, on the cybersecurity workforce? We don’t know what workforce effects will actually take place under some of the gambits that the Trump administration has signed. But presumably they still want cyber people around or could that go more to contractors?

Townsend Bourne: That’s an interesting question as well. I mean, yes, I know the federal government always needs people that are experts in cyber. There was a new initiative pushed out to have more requirements for contractors to ensure that they have qualified cyber professionals working under certain contracts. So I think we will still see that. But you’re right, there may be a little bit of push and pull as to whether those people are going to be part of the federal government or the government will be relying more on contractors for that work.

Tom Temin: All right. What have we left out? What are the important forecast elements we haven’t talked about?

Townsend Bourne: I think the main one, well, two, I guess. One is on incident reporting. We are seeing that built into the FAR now with the new rule that just came out on CUI protections. There are also regulations that are supposed to be coming out from CISA this year on incident reporting for all critical infrastructure sectors. So that hits more than contractors; that hits energy, communications, various infrastructure sectors. That rule, again, will go through a Trump regulatory review, so we could see changes there. And then I think the final area we cover in our forecast alert that you referenced at the beginning of this interview is enforcement. So DOJ has really been focused on its Civil Cyber Fraud Initiative. We’ve seen multiple settlements and cases now under that initiative. I think we expect that to continue, but we might see some changes with regard to the focus under the new administration.

Tom Temin: And you mentioned the Cybersecurity and Infrastructure Security Agency. It’s unclear what the new administration wants for that component. I mean, just looking at their pattern, here, you have a lot of influence with industry and a lot of interaction with industry and infrastructure people and so forth. But it’s removed far from the White House in the sense that CISA is just a component of DHS. And I wonder if they’ll want CISA to maybe a lot of that function move to the policy side in OMB or something. I’m just guessing, but that’s kind of their instinct.

Townsend Bourne: It’s a good thought. And we’ve thought about that as well, especially with some of the opinions we know that certain people have about CISA. So it could be that some of that work is shifted. I wouldn’t be surprised.

Copyright © 2025 Federal News Network. All rights reserved.
