In the last two months, the federal government has issued a number of cybersecurity-related regulations that are or will be directly or indirectly applicable to a wide range of federal contractors and subcontractors, and more rules are expected. The three recent rules discussed here on controlled unclassified information, defense industrial base cyber reporting, and network penetration protection and reporting present a complex and inter-related set of requirements and standards that federal contractors and companies in their supply chains should understand.