Executive Order 14306, signed June 6, 2025, rolled back some Biden-era software-attestation and digital-identity mandates — but the obligations small DoD contractors actually live under didn't move. NIST 800-171, DFARS 252.204-7012, and CMMC are all untouched and still on track for the November 10, 2026 Phase 2 deadline. Don't let a headline about a "rollback" convince you compliance went away. It didn't.
Every time a new administration touches cybersecurity, a wave of "the rules just changed" chatter hits the contractor forums, and a few shops quietly decide to slow-roll their CMMC prep. That's a mistake I've watched cost people contracts. The order that made the news in June 2025 — EO 14306 — is real, and it did change things. But it changed things a small defense subcontractor mostly never touched, and it left the machinery that governs you exactly where it was.
Let me give you the honest read: what the order actually struck, what it kept, and why your to-do list is the same today as it was the day before it was signed.
To read EO 14306 correctly you need the two orders behind it. This is a short lineage, and it matters.
EO 14028 (May 2021) — "Improving the Nation's Cybersecurity." The order that launched the modern federal push after a run of supply-chain breaches: zero trust, mandatory MFA and encryption for agencies, software supply chain security, incident information-sharing, and a directive to standardize cybersecurity contract language. This is the root of the whole tree. We trace its full path to your desk in From Executive Order to CMMC.
EO 14144 (January 2025) — "Strengthening and Promoting Innovation in the Nation's Cybersecurity." A late-term Biden order that expanded 14028 into newer territory: broader software supply chain security, post-quantum cryptography (PQC), digital identity, and AI security. Ambitious, wide-reaching, and issued right at a change of administration — which is exactly why it became the thing the next administration revisited.
EO 14306 (June 6, 2025) — "Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144." Note the word sustaining and the word amending. This wasn't a repeal. It was a Trump-administration order that kept the parts of the prior work it judged durable and trimmed the specific mandates it chose not to carry forward. The result is a ledger, not a demolition.
Here's the accurate breakdown. Read both columns — the retained side is bigger than the headlines let on.
Look at what's in the struck column: federal software attestations, a FAR Council proposal effort, digital-identity programs, and a procurement mandate. Now ask yourself how many of those a two-truck electrical sub or a small machine shop ever interacted with directly. For most of you, the answer is none. The order pruned branches high up in the tree. Your roots — the ones connected to CUI on your network — weren't among them.
The retained column deserves a second read too, because it tells you where the puck is heading. NIST's secure software development work carrying forward means the SSDF isn't going away — it's the reference the government keeps pointing software producers toward. Keeping the DHS post-quantum cryptography product list alive, even without forcing it into every solicitation, signals that PQC is a "when," not an "if." And the IoT US Cyber Trust Mark surviving means device labeling is still a live consumer-facing program. If you build software or sell connected hardware into the federal space, none of those retained items should feel like a reprieve — they're the durable spine the new order deliberately kept. For a pure services or manufacturing sub, they're mostly background. Either way, the thing that governs you — the DFARS-and-CMMC path — sits outside this whole ledger.
This is the part to internalize, because it's what protects you from acting on a bad rumor. The requirements a small DoD contractor actually carries don't flow from EO 14144 or the provisions EO 14306 amended. They flow from a separate, older, and much more durable chain:
None of those live inside the Executive Order that got amended. They live in the defense acquisition regulations, which move on their own track and their own timeline. An EO can direct agencies to start doing something; pulling that direction back doesn't reach into a clause already written into the DFARS and already sitting in your signed contract.
There's a separate, quieter piece of good news worth naming. The DFARS clause structure is being streamlined, with CMMC (the 7021 clause) becoming the primary vehicle for cyber requirements rather than a patchwork of overlapping clauses. That's simplification, not relief — the substance you owe is the same. Don't read "streamlined" as "reduced." Read it as "the same finish line, more clearly marked."
Stop guessing whether you're behind. The one number that cuts through all the policy noise is your SPRS score — where you actually stand against the 110 controls. Our free estimator gives it to you in about two minutes, no email wall.
There will be another one. Administrations change, incidents happen, and cyber policy gets rewritten on a cycle. So instead of reacting to each headline, keep a simple filter handy — the same one that would have kept you calm through EO 14306.
First, ask who the order actually commands. An Executive Order directs federal agencies. If a provision tells CISA to stand up a repository or tells the FAR Council to draft language, that's agency plumbing. It only reaches you later, indirectly, if an agency turns it into a rule and a contracting officer puts that rule in your contract. A headline that says "cyber rules rolled back" is almost always describing agency-level plumbing, not the clause in your signed award.
Second, ask whether it touches the DFARS or the CMMC rule. Your obligations live in the defense acquisition regulations, and those change through their own rulemaking process — Federal Register notices, comment periods, effective dates — not through the stroke of an Executive Order pen. If an order doesn't amend the DFARS clauses or the CMMC program rule, your day-to-day compliance duties are almost certainly untouched. EO 14306 didn't, so they weren't.
Third, watch the effective dates, not the press release. The one number that has consistently mattered for small contractors is the CMMC phase-in calendar, and it's held steady while the political weather changed around it. Anchor your planning to dates in the rules. Treat everything else as context.
Run any future order through those three questions and you'll almost never be the shop that pauses its prep on a rumor and scrambles at the deadline. That's the whole point of understanding the machinery instead of just watching the news about it.
Nothing about EO 14306 changes the work. If anything, it removes an excuse to delay it. Here's the plain to-do list:
If you want to make all of that cheaper to satisfy, scope your CUI into a small boundary before you build — the approach in The CUI Enclave Method — and get a clear-eyed look at the real dollars in CMMC Compliance Cost for Small Business (2026). The order didn't shrink your obligation. Smart scoping actually can.
CMMC still ends in paperwork — an SSP, the 20 required policies, a POA&M, and a SPRS scorer. The CMMC Level 2 DIY Compliance Kit is all of it, editable, mapped to every one of the 110 controls, built for a small shop doing this without a six-figure consultant. Same finish line the June 2025 order left exactly in place.
No. EO 14306 (June 6, 2025) amended prior cybersecurity Executive Orders and struck some software-attestation and digital-identity mandates, but it did nothing to NIST 800-171, DFARS 252.204-7012, or CMMC. Those obligations flow through the defense acquisition rules, not through the provisions the order changed. CMMC is still on track for its November 10, 2026 Phase 2 deadline.
It struck the requirement for contractors to submit secure-software-development attestations and artifacts to CISA's Repository for Software Attestation and Artifacts (RSAA), the FAR Council mandate to propose standardized software contract language, and several digital-identity provisions. It also removed the mandate to include the DHS post-quantum cryptography product list in solicitations, though the list itself continues.
It retained NIST's secure software development work, including updates to the Secure Software Development Framework; the DHS post-quantum cryptography product list; the IoT US Cyber Trust Mark labeling requirement; and ongoing work on internet routing and DNS encryption security. The core NIST-plus-DFARS-plus-CMMC machinery that governs defense contractors was untouched.
No. The November 10, 2026 start of CMMC Phase 2 — when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts — is unaffected by EO 14306. Self-assessment and affirmation requirements are already appearing in contracts today. Nothing in the order slowed the CMMC timeline.
For the vast majority of small DoD subcontractors, no. The provisions EO 14306 changed dealt with federal software attestations and identity programs most small shops never touched directly. Your job is unchanged: implement NIST 800-171, keep a current SSP and SPRS score, report incidents under DFARS 7012, and get ready for your CMMC assessment.
EO 14028 (May 2021) launched the modern federal cybersecurity push. EO 14144 (January 2025) expanded it into software supply chain, post-quantum cryptography, digital identity, and AI security. EO 14306 (June 2025) amended 14144 and an earlier order — keeping the durable technical work and trimming specific mandates the new administration chose not to carry forward. None of the three changed the DFARS and CMMC rules that bind defense contractors.