Executive Order 14306 — signed June 2025, amending EO 13694 and EO 14144 — directs NIST to finalize an updated Secure Software Development Framework (SP 800-218) and push agencies toward machine-readable, auditable compliance: software bills of materials, attestations, and consolidated shared services like DHS's Continuous Diagnostics and Mitigation (CDM) program. The mechanism is boring but powerful. Every additional vendor in a federal or critical-infrastructure security stack is another attestation to chase, another SBOM to reconcile, another audit surface. Procurement officers facing that paperwork don't reward the best point solution — they reward the fewest vendors. That structural bias toward consolidation is now written into how Washington buys cyber tools, and it reshapes which companies get the renewal.

Who cashes in: