Federal Cybersecurity Policy in 2025: What to Watch in Changing Times

Last year we made some predictions about 2024’s cyber landscape and major issues. Several proved prescient, with incident reporting, CISO scrutiny, SEC aggression, and new regulation of various sectors taking shape as the federal government accelerated its move toward mandates. All of this unfolded right as claims of agency authority to execute on the Biden Administration’s call for regulation in its National Cybersecurity Strategy hit a snag mid-year with the U.S. Supreme Court’s Loper-Bright decision overruling traditional court deference to agency authority. And, at the end of 2024, cyber in telecom took center stage with revelations and government action amidst the still-unfolding Salt Typhoon event, and outgoing leadership at the Federal Communications Commission (FCC) proposing new regulatory responses.

We confront a new Presidential Administration starting January 20 and Republican control of the 119th Congress – including a new Chairman of the Senate Homeland Security and Governmental Affairs Committee (HSGAC) who has expressed skepticism about key parts of the federal cyber apparatus. With all these dynamics, we delve again into cyber predictions and issue-spotting, to lay out some of the key questions and trends we will be watching and engaged on:

1. Will cyber incident reporting mandates proliferate or be recalibrated?

Despite Congress’ explicit policy statement in the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA) that CISA should be the lead federal agency to manage cybersecurity incident reporting and that there should be harmonization between CIRCIA reporting and other federal agencies’ incident reporting paradigms, we saw a proliferation of federal cyber incident reporting requirements in 2024. The Federal Acquisition Regulatory Council continued to push forward its proposed Federal Acquisition Regulations (FAR) rule requiring federal contractors to report cyber incidents within 8 hours of discovery, despite its requirements being inconsistent with the existing Defense Federal Acquisition Regulations (DFARS) requirements and with reporting under CIRCIA. Government contractors will also be subject to the Cybersecurity Maturity Model Certification information security incident reporting requirement that DOD proposed in August, which is distinct from both the FAR and DFARS requirements.

The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking (NPRM) with updates to its emergency cybersecurity directive for pipelines, rail, and bus operators, and including its unique version of cyber incident reporting.

2024 provided ample opportunities to witness the operation and impact of the SEC incident reporting rule combined with the agency’s aggressive enforcement in cybersecurity cases including SolarWinds. Bad actors are rumored to have gamed the rule by attacking companies to manipulate stock prices. With this track record, combined with registered companies’ and members of Congress’ concerns with disclosing cyber incidents prior to securing networks, there may be mounting pressure on the SEC to revisit the rule in 2025.

Following CISA’s release of the CIRCIA NPRM, industry and cybersecurity leaders in Congress have objected to the overly complex and sweeping approach to reporting CISA proposed. Consequently, we may see CISA pull back from the proposed rules following pressure from Congress, industry, and the new Administration.

One of the biggest questions for 2025 is whether agencies or Congress will take one of several possible paths to harmonizing disparate requirements. Industry has championed a “common form” in supplemental CIRCIA comments that could work across agencies, but it is unclear if the agencies will go that route. Agencies could work with CISA to accept incident reports from another agency in lieu of a CIRCIA report in order to avoid duplicative reporting. Although the CIRCIA NPRM released in 2024 seemed to narrow opportunities for such agreements, we anticipate the Trump Administration’s focus on reducing government waste may reopen the opportunity for CISA/agency agreements. The FAR and TSA incident reporting rules already require reports to be filed through the CISA portal. At a minimum, greater reliance on the CISA portal and use of a common form under agencies’ incident reporting rules could provide at least some relief to companies facing duplicate requirements.

A new CISA Director could champion harmonization and pick up where the Cybersecurity Incident Reporting Council, established under CIRCIA, left off work to act on the areas identified in its report.

2. Other than incident reporting, will there be meaningful harmonization of cyber initiatives in 2025?

The Biden Administration’s 2023 National Cybersecurity Strategy promised harmonization and streamlining for federal cybersecurity regulations, and the Office of the National Cyber Director (ONCD) has taken some initial steps towards assessing the problem and developing a “reciprocity framework” pilot project. In practice, however, there has been no relief for regulated entities, and new proposed rules such as those from the TSA for rail, pipeline, and bus operators make few meaningful efforts at harmonization.

Congress has taken an interest in this burgeoning problem, with outgoing Senate HSGAC Chairman Gary Peters (D-MI), Sen. James Lankford (R-OK), Sen. Jacky Rosen (D-NV), and Sen. Angus King (I-ME) introducing S. 4630, the Streamlining Federal Cybersecurity Regulations Act. The bill, which would designate ONCD to lead an interagency committee to develop a regulatory harmonization framework, including reciprocity for a designated set of minimum requirements, was passed out of the Senate HSGAC on December 2 with support from the White House, but Congress has passed neither S. 4630, nor a companion House bill from Rep. Clay Higgins (R-LA) as of the date of this writing.

In addition to regulatory harmonization, companies interested in collaborating with the government to improve network defense and threat intelligence continue to navigate a set of often-overlapping boards, committees, and collaboration mechanisms such as the Joint Cyber Defense Collaborative (housed at CISA) and the Enduring Security Framework (led by NSA), as well as the CISA-led Cyber Safety Review Board. We can expect Congress and the incoming Administration to take a hard look at these efforts and whether they are benefiting their private-sector customers or unnecessarily burdening participants and affected entities.

3. Will Congress and the Administration clarify authorities and roles, as between agencies and ONCD, NSC, CISA and others?

The Executive branch division of cybersecurity responsibilities during the Biden Administration revealed tensions and redundancies between the ONCD, the Deputy National Security Advisor for cybersecurity and emerging technologies (created by President Biden), and CISA. Each of these organizations was producing new cybersecurity policy, guidance, and taskings for the private sector, some of which was in conflict or addressed the same areas in an inconsistent manner.

The NSC led the charge for mandatory cybersecurity practices for pipelines, rail, aviation, and health care, and sought to impose mandates on the telecommunications sector at several different junctions. In contrast, ONCD has taken a more thoughtful approach to cybersecurity regulation by recognizing the need to harmonize the many disparate cybersecurity regulations already in place and worked with Congress to develop a road map for harmonization. Given the duplication between these White House offices, in 2025 we may see the NSC cyber role disappear as the incoming President Trump disbands Biden-era creations.

CISA may be another candidate for changes with Senator Rand Paul (R-KY), a vocal critic of CISA, taking over as Chairman of the Senate HSGAC. He has called for the elimination of CISA due to the agency’s work countering election disinformation, which he and some other conservative voices have interpreted as an infringement on the First Amendment. He may get traction on reining in that work, but Chinese cyberattacks on critical infrastructure may bolster CISA’s overall support in Congress.

4. Will reactive cybersecurity regulation continue in response to notable incidents?

High-profile cyber events sometimes beget reactive and hasty government responses. A question in 2025 is whether policymakers will take the time to understand problems and solutions, or continue to respond impulsively and with what appears to be security theater.

After Colonial Pipeline, we saw TSA react with “emergency” directives for pipelines that were then applied to other CI sectors, like passenger and freight railroads, without calibration or cost-benefit analysis, leading to a court challenge. Although Deputy National Security Advisor for Cybersecurity and Emerging Technologies Anne Neuberger recently admitted that reactionary regulation in the wake of the Colonial Pipeline cyberattack without industry input had been a mistake, we are seeing similar reactionary regulation in the wake of the Salt Typhoon Chinese threat actor attacks on telecommunications carriers. The FCC is on the verge of approving unprecedented cyber regulatory mandates on carriers, and members of the Senate have circulated draft legislation to impose European-style regulation even before federal investigations have concluded. However, we anticipate that incoming FCC Chairman Carr, and the new Republican majority in the Senate joining the House, will take a more deliberate and reasoned approach to these Chinese nation-state attacks.

5. How will Loper-Bright impact cyber regulation?

Commentators wondered if the Loper-Bright decision in summer 2024, overturning 40 years of deference to agency interpretations, would impact varied government cyber initiatives, many of which relied on older statutes that did not expressly contemplate cybersecurity regulation. 2025 started off with a bang when the U.S. Court of Appeals for the Sixth Circuit concluded in Ohio Telecom Association v. FCC that the FCC erred in classifying broadband internet access services as telecommunications services subject to regulation under Title II, rather than as information services subject only to Title I treatment under the Communications Act. Notable for cyber policy in 2025, the FCC’s rationale for its reclassification was based substantially on claimed cybersecurity and national security interests, and many FCC initiatives thereafter rested at least in part on the reclassification.

Loper Bright and its progeny are likely to give agencies creating new cyber regulations pause, and may embolden regulated companies to push back when agencies use strained interpretations of their statutes to take action on cybersecurity and national security. We may see a review of several regulatory moves taken in the Biden Administration, from the proposed regulation by DOJ of certain data transfers without congressional direction, to CISA’s broad interpretations of CIRCIA to create a sweeping new reporting regime that appears at odds with Congress’ direction.

6. Will the protection of privacy and civil liberties advance consumer privacy or complicate needed surveillance along with business security and liability protections?

The contentious debate concerning the Foreign Intelligence Surveillance Act (FISA) Section 702 may reignite this year as efforts start up again to reauthorize the controversial program by April 2026. There are several important legal and policy issues involved in the debates over federal surveillance that providers should closely monitor, including the definition of electronic communications service and a possible warrant requirement. Industry should be proactive in communicating the importance of liability protections and immunity for good faith reliance on government orders or legal process and give extra scrutiny to any limiting proposals.

7. Will the Department of Justice’s new data transfer rules help safeguard national security, or interfere with routine business transactions?

On December 27, 2024, the Department of Justice issued its final rule to implement Executive Order (EO) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The rule is aimed at preventing six countries of concern – the People’s Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela – or other subsequently determined countries of concern, from exploiting government-related data or bulk U.S. sensitive personal data to the detriment of U.S. national security or the security and safety of U.S. persons. This new national security program establishes: (1) countries of concern and classes of covered persons with whom transactions involving government-related data or bulk U.S. sensitive personal data would be prohibited or restricted; (2) classes of prohibited and restricted transactions; (3) a process to issue, modify, or rescind licenses authorizing otherwise prohibited or restricted transactions; (4) a process to issue advisory opinions; and (5) recordkeeping and reporting requirements that some industry comments have characterized as data monitoring and surveillance. Under this new framework, the sensitive personal data that would trigger prohibitions includes biometric, genomic, financial, precise geolocation, and health data, along with certain personal identifiers, that exceed bulk thresholds. The prohibitions would also apply to government-related data, including geographic coordinates for identified government facilities. Concurrently, CISA has released Security Requirements for Restricted Transactions under EO 14117. Given the scale and breadth of the new framework, it will likely impact a wide range of commercial transactions and relationships. It remains to be seen whether this new national security program will enhance national security or act as an information-sharing impediment for transactions and international business. And we may hear more on questions about the legal basis for DOJ regulation of data transfers, which Congress has not authorized.

8. With CISA 2015 due to sunset in 2025, will Congress reauthorize with enhancements?

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is scheduled to sunset on September 30, 2025. CISA 2015 was initially hailed as a significant breakthrough to facilitate cybersecurity information sharing between private-sector entities and the federal government that included protections for privileged and proprietary information; exemptions from federal, state, and local disclosure obligations; liability protections; and privacy protections to govern the receipt, retention, use and dissemination of cyber threat information.

CISA 2015’s narrow definitions of cyber threat indicators and defensive measures and the mandate to share with CISA’s Automated Indicator Sharing (AIS) system caused this authority to be underutilized. A 2024 study by the U.S. Department of Homeland Security (DHS) Office of the Inspector General (OIG) found that sharing of cyber threat indicators declined to the lowest level since 2017 due primarily to unspecified government security concerns about transferring information. The OIG also found impediments to CISA’s ability to facilitate the sharing of cyber threats in real time. Private-sector dissatisfaction with the amount and quality of information shared by the government will continue to plague the program unless the new Administration or Congress takes action.

9. What will the federal government do on supply chain and Chinese companies’ equipment and access to U.S. markets?

Following on scrutiny of Chinese DJI UAS, or drones; Huawei and ZTE telecom equipment; Shanghai Zhenhua Heavy Industries cranes; and now TP-Link small business and home routers, we expect scrutiny of and restrictions on Chinese companies’ products, particularly those used by critical infrastructure, to continue to proliferate. The new White House and the Bureau of Industry and Security (BIS) at Commerce will have major choices to make about target selection and implementation. In the past, a focus on specific companies has led to supply chain challenges where there is a lack of alternatives. BIS is reported by The Wall Street Journal to have launched an investigation into TP-Link routers, which could result in a ban. According to the WSJ story, TP-Link holds 65% of the home-router market in the U.S.; its routers are used by DOD and other federal agencies and have been the devices most compromised by Chinese nation-state threat actors.

DJI, the world’s dominant manufacturer of UAS, is the subject of a provision included in the 2025 National Defense Authorization Act, which provides a process that may effectively ban DJI drones within a year. Further, the Department of Commerce released an Advance Notice of Proposed Rulemaking on a rule to secure and safeguard the supply chain for UAS from threats from China and Russia.

Connected vehicles are another area that could be subject to potential supply chain disruption. BIS proposed regulation to protect the U.S. automotive supply chain by prohibiting the import of connected vehicle hardware and software provided by entities subject to the jurisdiction of China. The proposal raises important national security and cybersecurity questions surrounding connected vehicle components and information exchanged between vehicles and the cellular network. The proposed rules are comprehensive and, although they provide lead-in time, there could be unintended consequences for the U.S. supply chain.

10. What will happen with various government efforts on software security?

2024 saw significant developments in government efforts to promote secure software development best practices. In March 2024, CISA finalized an attestation form that government agencies must collect from their contractors, but significant questions remain that an ongoing Federal Acquisition Regulation rulemaking will need to address. For example, we have seen government contractors faced with conflicting requests from suppliers and industry customers to support attestation, while some agencies have taken a very broad approach to identifying software suppliers from whom they are seeking attestation. Beyond the attestation requirement, CISA has been very active in promoting its Secure by Design voluntary best practices, including rolling out a voluntary pledge, and seeking public comment on a draft guidance document identifying “bad practices” (which received some pointed comments highlighting the potential for the document to be incorporated into mandates). Looking into 2025, the key question is whether this voluntary guidance will be added to the growing list of mandatory requirements – the National Cybersecurity Strategy calls for Congress to establish a software liability regime, and federal regulators such as TSA are exploring how to embed Secure by Design principles in regulations.

11. What will happen with the FCC’s IoT Trust Mark in a new Administration?

The FCC achieved some key milestones with its IoT Cybersecurity Labeling program in 2024, bringing the “U.S. Cyber Trust Mark” closer to reality. The Commission established the administrative framework for the program and selected the Lead Administrator and first slate of Cybersecurity Labeling Administrators. 2025 should see answers to some of the major questions remaining in this program, which affects not only device manufacturers, but also retailers and application developers. For example: How will costs of the labeling program be shared among manufacturers and retailers? What will the public messaging look like (the FCC envisions a program akin to the “Energy Star” energy efficiency initiative)? Will manufacturers and retailers participate, and if they do, is there an appetite from customers for labeled products?

12. Will a changed federal AI strategy affect cyber expectations?

As we anticipated at the beginning of last year, federal regulators such as the FCC, FTC, and SEC followed up the October 2023 Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, with multiple AI-focused workstreams, and OMB issued guidance that adds requirements, including cybersecurity incident reporting requirements, for the federal government’s acquisition of AI. Additionally, NIST announced a new program to explore cybersecurity and privacy risks from AI, as well as potential uses of AI to support cybersecurity and privacy activities. CISA also weighed in with guidance for critical infrastructure entities’ use of AI. The incoming Administration is likely to review and revise or revoke the 2023 AI Executive Order and the OMB memorandum, halting AI workstreams mandated by the Executive Order and potentially changing expectations from regulators and government customers about how organizations should be protecting AI systems or using AI for cybersecurity purposes. However, agencies still have the authority to pursue AI initiatives, and agencies like NIST and CISA, which are heavily focused on both AI and cybersecurity, are likely to continue releasing guidance and standards that impact the intersection of AI and cybersecurity. Additionally, members of Congress on both sides of the aisle have demonstrated interest in AI through the introduction of AI legislation, and that activity is likely to continue this year. Such AI legislation could have broad implications for cybersecurity standards and the use of AI to meet them.

13. Will the federal government continue to layer obligations on federal procurement, or is it time to revisit that approach?

We have seen a consistent effort to use federal procurement regulations to establish cybersecurity requirements for government contractors. DOD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule was finalized in 2024, while acquisition regulations on cyber incident reporting and the security of unclassified federal information systems remain in progress after public comment periods. Multiple other activities are ongoing, and contractors faced heavier scrutiny due to the Biden DOJ’s Civil Cyber Fraud Initiative. Congress, too, has explored procurement requirements such as the proposed Federal Contractor Cybersecurity Vulnerability Reduction Act.

2025 may present an opportunity for the federal government to step back from and reassess the effectiveness of those programs and the wisdom of varied requirements for companies that are both contractors and commercial operators.

****

Overall, 2025 promises to be extremely active in federal cyber policy. The new Administration and Republican control of Congress present an opportunity to advance less regulatory approaches and revisit some choices from the prior Administration. Organizations should continue to monitor the many workstreams identified here and look for areas to improve policy. Direct engagement with agencies and Congress can help.

At the same time, compliance planning and risk management continue to be key. Using NIST and industry tools and testing plans, reviewing government advisories, and engaging with senior leadership and board members remain vital.
