In the past year, we've seen the U.S. federal government taking a leadership role in adopting new cybersecurity standards in several key areas. These gains are the direct result of several mandates issued in the past two to three years.

Now, a bill currently under consideration in the House would give DHS the power to ban federal contractors that present cybersecurity risks.

There's no doubt that federal contractors need to be held to the same stringent cybersecurity standards as the federal government itself. However, the House bill's "ban hammer" is a blunt instrument.

A better approach is illustrated by the White House and the Department of Homeland Security, whose specific, actionable, and carefully written mandates to federal agencies have produced remarkable improvements in the government's cybersecurity posture.

Anatomy of a well-structured mandate

Starting in 2015, a policy directive from the White House required agencies to begin adopting HTTPS for encrypting web connections. Then in late 2017, DHS's binding operational directive (BOD) 18-01 specified technologies for improving email and web security, and BOD 18-02 provided a framework for agencies to inventory and secure their high-value assets.

The most impactful of these directives, BOD 18-01, had all the ingredients needed for a successful technology mandate. It included clear, specific instructions; provided plenty of technical background material to support agencies in complying; and spelled out an explicit timeline. Most importantly, it centered on open, proven standards whose implementation status is easy to measure.

The timeline is purposefully aggressive, with many milestones falling within 30 to 60 days of the issuance of BOD 18-01, both to create focus and because of the risk associated with not implementing the three required standards. An understandable grievance is that the directive has no associated budget allocation to help agencies with compliance.

Given the timeline and lack of budgeting, mandating that every federal agency implement new security technologies could even be viewed as unrealistic. And yet BOD 18-01 has succeeded wildly, thanks to the specificity and care with which it was drafted. To take just one example: when the directive was first issued on October 15, 2017, barely 18 percent of U.S. federal domains had begun the process of authenticating themselves (using the mandated standard, known as DMARC); today that number stands at over 70 percent. What's more, over 40 percent of federal domains have completed the authentication process and are now protected from being impersonated by phishing attackers. There's much more work to be done, but the progress to date is remarkable.

A similar story holds true for encrypted web sessions. In mid-2015, a little more than 25 percent of government domains supported HTTPS; that had risen to about 75 percent by the end of 2015, thanks to the White House-issued policy. Today, thanks to the additional provisions of BOD 18-01, about 65 percent are using HSTS and are encrypted by default.

All this goes to show that the federal government can be nimble and tech-savvy when planning and directives are crafted with deep knowledge of the technologies in question and the will to see them through. Clearly defined goals with aggressive yet reasonable deadlines, backed up with plenty of tech-savvy supporting information, have been key to the government's success in increasing the security of both web-based and email communications. And these directives have put the government in an undisputed leadership position.

Let's use this playbook

However, there's one area where the government remains vulnerable: the contractors who provide an enormous proportion of government services to, and on behalf of, federal agencies.

For instance, a recent survey of the U.S. government supply chain by the Government Accountability Office found that many vulnerabilities exist in the government's IT supply chain. These include the existence of malicious or counterfeit software and hardware as well as defective or misconfigured services. In response, GAO recommends that three of the agencies it studied (Justice, Energy, and DHS) take specific actions to "develop and document policies, procedures, and monitoring capabilities that address IT supply chain risk."

Hackers know that a target is only as secure as its weakest link. For instance, when you look at the email authentication rates among the top 100 federal contractors (by dollar value of their 2017 contracts), their progress lags significantly behind their public-sector counterparts. To a hacker, that represents opportunity. If an agency they're targeting is impervious to impersonation via email and has locked down its websites with mandatory encryption, hackers may find another way in via more-vulnerable contractors.

Indeed, while regulation is often seen as antithetical to technological progress, this is an area where clearly defined, reasonable directives have had a tremendously positive effect on the security and technological leadership of the U.S. government.

Instead of a "hammer" approach, it would be more productive to extend the same requirements to the contractors that do business with the federal government, helping ensure that they, too, lock down their websites and email domains, and eliminate one more set of weak links. The key is making sure that those requirements are specific, detailed, actionable, and have an aggressive yet realistic timeline.
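The article's point that DMARC and HSTS are "standards whose implementation status is easy to measure" is worth making concrete, because the same measurement could be applied to the contractor domains it discusses. The following is an added example, not code from the article, DHS or any agency: it parses a DMARC TXT record and a Strict-Transport-Security header and rolls the results up into adoption percentages over a constructed inventory of domains. Two assumptions are built in and labelled in the code: that "begun authenticating" corresponds to a DMARC record in monitoring mode (p=none) and "completed" to an enforcing policy (p=quarantine or p=reject), and that a DMARC record with pct=0 or an HSTS header with max-age=0 counts as not deployed, since neither actually changes receiver or browser behaviour. The domain names and record values are constructed samples, so the script runs offline.

```python
"""Classify DMARC and HSTS deployment status from raw records (added example)."""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a tag dictionary.

    Per RFC 7489 the record is a ';'-separated list of tag=value pairs and
    'v=DMARC1' must be the first tag. Anything else returns {} so the caller
    treats a malformed record as "not deployed".
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            return {}
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return {}
    return tags


def dmarc_status(record: Optional[str]) -> str:
    """Return 'none', 'monitoring' or 'enforcing' for a domain's DMARC record.

    Assumption (not from the article): p=none is "begun", quarantine/reject
    is "completed". pct=0 is treated as monitoring because receivers then
    apply the policy to no messages.
    """
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"                     # missing or invalid policy tag
    if policy == "none":
        return "monitoring"
    try:
        if int(tags.get("pct", "100")) == 0:
            return "monitoring"
    except ValueError:
        return "none"                     # pct must be an integer
    return "enforcing"


def hsts_status(header: Optional[str]) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header value into its directives."""
    result: Dict[str, object] = {
        "present": False, "max_age": 0, "include_subdomains": False, "preload": False,
    }
    if header is None:
        return result
    result["present"] = True
    for directive in header.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                result["max_age"] = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass                      # leave max_age at 0: not enforced
        elif d == "includesubdomains":
            result["include_subdomains"] = True
        elif d == "preload":
            result["preload"] = True
    return result


# Constructed sample inventory (not real agency or contractor data).
SAMPLE_DOMAINS = {
    "agency-a.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
                         "hsts": "max-age=31536000; includeSubDomains; preload"},
    "agency-b.example": {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
                         "hsts": None},
    "agency-c.example": {"dmarc": None, "hsts": "max-age=0"},
    "agency-d.example": {"dmarc": "v=DMARC1; p=reject; pct=0", "hsts": "max-age=31536000"},
}


def adoption_summary(inventory: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, float]:
    """Percentage of domains that have begun DMARC, enforce DMARC, and enforce HSTS."""
    n = len(inventory)
    statuses = [dmarc_status(d["dmarc"]) for d in inventory.values()]
    begun = sum(s != "none" for s in statuses)
    enforcing = sum(s == "enforcing" for s in statuses)
    hsts = sum(int(hsts_status(d["hsts"])["max_age"]) > 0 for d in inventory.values())
    return {
        "dmarc_begun_pct": 100.0 * begun / n,
        "dmarc_enforcing_pct": 100.0 * enforcing / n,
        "hsts_pct": 100.0 * hsts / n,
    }


if __name__ == "__main__":
    for name, rec in SAMPLE_DOMAINS.items():
        print(f"{name:20} DMARC={dmarc_status(rec['dmarc']):10} HSTS={hsts_status(rec['hsts'])}")
    print(adoption_summary(SAMPLE_DOMAINS))
```

On the constructed inventory the summary reports 75 percent of domains with a DMARC record but only 25 percent enforcing, which is exactly the gap between the article's "begun" and "completed" figures; agency-d shows why the distinction matters, since a p=reject record with pct=0 looks complete at a glance but protects nobody. To run this against real domains you would feed it the TXT record at _dmarc.<domain> and the header from an HTTPS response, which is the same lookup the directive's own progress tracking relies on.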