This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through May 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during June 2023.

NIST Hosts Workshop on Common Attestation Form

On June 1, 2023, NIST hosted a workshop on OMB M-22-18 Minimum Requirements for secure software self-attestations pursuant to Section 4 of the Cyber EO.  The workshop included two panels with speakers from OMB and CISA.

During the workshop, OMB announced that the deadline for self-attestations had been extended, and this was confirmed in a June 9, 2023 follow-up OMB Memorandum (see below).  OMB representatives also noted that they anticipate the Common Form will be finalized this fall or winter.

Additionally, OMB representatives acknowledged that some agencies had already issued their own self-attestation forms and guidance earlier this year (e.g., NASA and GSA), but stated that they expect that these agencies may make some changes to the attestation process based on OMB’s updated timeline.  OMB representatives reiterated that although agencies are free to supplement the common form issued by CISA with additional requirements, they understood that most agencies did not intend to differ much from the common form.  If an agency chooses to forgo the common form and create its own form entirely, OMB representatives explained that the agency would need to follow the full Paperwork Reduction Act process. 

OMB representatives confirmed that they are working on creating a central repository for self-attestation forms.  Contractors would be able to upload their attestations to the central repository, and agencies would be able to access the repository.  They noted that one goal of the repository is to avoid duplicative asks of contractors.  This repository is still a work in progress, and until it is complete, agencies will need to collect self-attestation forms from contractors directly.

OMB representatives confirmed that contractors will be able to use a POA&M if they are unable to attest to implementing all of the requirements identified in the self-attestation form.  Contractors will not be allowed to do a partial self-attestation.  OMB representatives stated that it was unlikely that a template POA&M would be created due to the unique nature of software products.

When asked about the definition of critical software, OMB representatives responded that they understood that most agencies would be using the NIST definition of critical software.  They acknowledged that some vendors may not know that they had been identified as critical.  They encouraged vendors to reach out to agencies to discuss but did not provide more guidance. 

When asked whether OMB anticipated any guidance or memorandum that would standardize the SBOM process, the OMB representatives responded that they were considering such an approach, but more time was needed.  They reiterated that SBOMs are not part of the minimum requirements at this time, but SBOMs could be incorporated as a minimum requirement in the future.

Finally, the OMB representatives stated that they thought it would make practical sense for companies to self-attest for the entire company if possible, instead of on a product-by-product basis.

OMB Issues M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”

On June 9, 2023, OMB published M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (“June 2023 Update”).  M-22-18, published in September 2022, mandates that to use software, agencies must first obtain a self-attestation from software providers that the software developer follows the secure development processes described by the NIST Secure Software Development Framework (“NIST SP 800-218”) and the NIST Software Supply Chain Security Guidance.  CISA released a draft self-attestation form in late April that largely tracks the NIST standards, but the form has not yet been finalized.  The June 2023 Update provides several significant updates and clarifications to the self-attestation process.

First, the timeline by which agencies must collect attestations or POA&Ms is extended, as the final form for attestation is not yet available.  The new deadlines for agencies to collect attestations are three months after CISA and OMB finalize the common form for critical software and six months after for all other software.

The June 2023 Update provides that agencies will only need to collect the attestations from the prime contractor, though this puts the burden on prime contractors to ensure they can provide the attestation with respect to the entire software end product, including with respect to the integration of components that may be developed by subcontractors or other third parties.

Moreover, the June 2023 Update states that agencies are not required to collect an attestation for open source software, including software that is proprietary but freely obtained and publicly available.  Additionally, agencies are not required to collect an attestation for agency-developed software, which is software over which the contracting agency has sufficient control that the agency itself is able to ensure the secure software development practices are followed throughout the entire software development lifecycle.  The memorandum further clarifies that agency CIOs are required to make the determination of whether software can be considered agency-developed.

Where a contractor submits a POA&M instead of an attestation of current compliance, the June 2023 Update notes that the contractor must identify the specific practices to which it cannot attest and document the practices it has in place to mitigate the associated risks.  The agency may continue to use the software if it finds the POA&M satisfactory, but it must also provide the POA&M to OMB and seek OMB’s approval for an extension of the attestation requirement.

CISA Hosts an SBOM-a-rama

On June 14, 2023, CISA hosted an “SBOM-a-rama” to discuss the current state of Software Bill of Materials (“SBOM”) and next steps.  Sessions covered sector-specific SBOM work as well as generally applicable concerns about SBOMs, such as the sharing and exchanging of SBOMs and how to implement an SBOM.

One of the speakers at the SBOM-a-rama was Shon Lyublanovitz, the leader of CISA’s cyber supply chain risk management (C-SCRM) program office, which is responsible for reviewing and responding to the comments on CISA’s proposed common self-attestation form.  In response to a question regarding why there was no mention of SBOMs in the common form, Ms. Lyublanovitz stated that OMB wants to take a “crawl, walk, run” approach and therefore decided not to include a requirement for SBOMs in the proposed common form.  She noted, however, that agencies can ask for SBOMs if they want to.  She also noted that provenance is mentioned in the SSDF in the context of third-party software code, and invited comments on how stakeholders planned to address this requirement.

Following the SBOM-a-rama, CISA officials distributed to the participants a draft of “SBOM FAQs” that consisted of approximately 30 pre-existing or revised questions and answers as well as nine new questions and answers. These officials invited comments on the new and modified FAQs. When finalized, CISA intends to post the FAQs on its website as a resource for the SBOM community.

CISA Receives Comments on the Secure Software Development Attestation Common Form

As discussed above, on April 27, 2023, CISA released a 60-day Request for Comment on its draft secure software development attestation common form, which was developed in close consultation with OMB.  The Request for Comment stated that CISA would accept comments through June 26, 2023.  While the comment period deadline has passed, organizations and others have continued to submit comments.  As of June 28, 2023, CISA had received 110 comments on the draft common form, including from major trade industry groups and coalitions.  The comments have raised various points and concerns regarding the draft common form, including (but not limited to):

  • Mapping Inconsistencies – Some comments stated that the common form’s requirements are inconsistent with NIST SP 800-218. 
  • Verification Evidence and Artifacts – Some comments stated that the common form did not provide guidance regarding artifacts that agencies may require as part of the attestation process. 
  • Scope of “Software” – Some comments have raised concerns and questions about the scope of the definition of “software” under OMB Memorandum M-22-18, including whether the requirements are intended to apply to commercially available off-the-shelf products, Internet of Things (“IoT”) devices, and hardware products that may contain software and connect to government information systems.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the proposed Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting cost, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Darby Rourick

Darby Rourick advises defense and civilian contractors on a range of issues related to government contracting and has particular experience in federal cybersecurity and information technology supply chain issues. She has an active investigations practice and has experience representing clients in internal and government investigations, including conducting witness interviews and managing government subpoena and CID responses. She also counsels clients on cybersecurity incident response; compliance with federal cybersecurity laws, regulations, and standards; supplier and subcontractor security issues; and cybersecurity related investigations.

Matthew Harden

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.

As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.

As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.

Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.