March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by
Ryan Burnette
Ryan Burnette is a government contracts and technology-focused lawyer who advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those that relate to federal cybersecurity and supply chain security. Ryan also advises on FAR and DFARS compliance, public policy matters, agency disputes, and government cost accounting. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.
Ryan is especially experienced with:
- Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and 252.204-7020; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; software and artificial intelligence security, attestations, and bill of materials requirements; and the Cybersecurity Maturity Model Certification (CMMC) program.
- Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and matters relating to the Federal Acquisition Security Council (FASC).
- Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
- Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.
Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he developed and implemented government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year. While in government, Ryan worked on several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, GSA Schedules and interagency acquisitions, competition requirements, and suspension and debarment, among others.
Additionally, in the wake of significant incidents affecting the program, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared employees and contractors. These efforts resulted in the establishment of a new federal bureau to conduct and manage background investigations.
February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through January 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024. It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
NIST Publishes Cybersecurity Framework 2.0
On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework. The NIST Cybersecurity Framework (“CSF” or “Framework”) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or relative maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts. CSF 2.0 makes some significant changes to the Framework, particularly in the areas of Governance and Cybersecurity Supply Chain Risk Management (“C-SCRM”). Covington’s Privacy and Cybersecurity group has posted a blog that discusses CSF 2.0 and those changes in greater detail.
NTIA Requests Comment Regarding “Open Weight” Dual-Use Foundation AI Models
Also on February 26, the National Telecommunications and Information Administration (“NTIA”) published a request for comments on the risks, benefits, and possible regulation of “dual-use foundation models for which the model weights are widely available.” Among other questions raised by NTIA in the document are whether the availability of public model weights could pose risks to infrastructure or the defense sector. NTIA is seeking comments in order to prepare a report that the AI EO requires by July 26, 2024 on the risks and benefits of private companies making the weights of their foundational AI models publicly available. NTIA’s request for comments notes that “openness” or “wide availability” are terms without clear definition, and that “more information [is] needed to detail the relationship between openness and the wide availability of both model weights and open foundation models more generally.” NTIA also requests comments on potential regulatory regimes for dual-use foundation models with widely available model weights, as well as the kinds of regulatory structures “that could deal with not only the large scale of these foundation models, but also the declining level of computing resources needed to fine-tune and retrain them.”
OMB Issues First Governmentwide AI Policy for Federal Agencies
On March 28, the White House Office of Management and Budget (OMB) released guidance on governance and risk management for federal agency use of artificial intelligence (AI). The guidance was issued in furtherance of last fall’s White House AI Executive Order, which established goals to promote the safe, secure, and…
June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken…
April 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023.
CISA Requests Comment on Secure Software Self-Attestation Common Form
On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form. Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov. The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18, which was issued pursuant to Section 4 of the Cyber EO and directs agencies to only use software that complies with Government-specified secure software development practices (the “OMB Memorandum”). Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance. The key provisions of the OMB Memorandum are discussed in more detail in our prior blog.
Scope. The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.” CISA’s draft common form further specifies that the “following software requires self-attestation:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes […] after September 14, 2022; and
- Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”
January 2023 Developments Under President Biden’s Cybersecurity Executive Order
This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022. This blog describes key actions taken to implement the Cyber EO during January 2023.
GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023.
On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”). The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO. That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices. These practices include obtaining self-attestations of conformity with secure software development practices and in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.
The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18. For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023. For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered. Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible. With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.
NDAA Prohibits Government Purchase and Use of Certain Semiconductors
Section 5949 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (“FY2023 NDAA”) contains two significant prohibitions regarding the procurement and use of semiconductor products and services from specific Chinese companies and other foreign countries of concern (the “Semiconductor Prohibitions”). Although many aspects of the prohibitions remain unclear, the legislation portends noteworthy obligations in the coming years for government contractors, their suppliers, and those who may be interested in entering into agreements with the United States.
A timeline of noteworthy events and requirements associated with the Semiconductor Prohibitions is available here.
I. The Prohibitions
A. Prohibition Text
The Semiconductor Prohibitions are divided into two subsections:
- Section 5949(a)(1)(A) (“Part A”) provides that the head of an executive agency may not “procure or obtain, or extend or renew a contract to procure or obtain, any electronic parts, products, or services that include covered semiconductor products or services.”
- Section 5949(a)(1)(B) (“Part B”) provides that the head of an executive agency may not “enter into a contract (or extend or renew a contract) with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services.”
November 2022 Developments Under President Biden’s Cybersecurity Executive Order
This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022. This blog describes key actions taken to implement the Cyber EO during November 2022.
I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers
On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”). The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers. Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.
The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives, including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test). For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios.
February 2022 Developments Under President Biden’s Cybersecurity Executive Order
This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, eighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.
This blog summarizes key actions taken to implement the Cyber EO during February 2022. As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government. However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.
NIST Publishes Guidance to Federal Agencies on Practices to Enhance Supply Chain Security When Procuring Software
Section 4(e) of the Cyber EO requires the National Institute of Standards and Technology (NIST) to publish guidelines on practices for software supply chain security for use by U.S. Government acquisition and procurement officials. Section 4(k) of the EO requires the Office of Management and Budget, within 30 days of the publication of this guidance (or March 4, 2022), to “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of the EO.” Section 4(n) of the EO states that within one year of the date of the EO (or May 12, 2023), “the Secretary of Homeland Security…shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.”
NIST issued the Supply Chain Security Guidance called for by Section 4(e) of the EO on February 4, 2022. The Supply Chain Security Guidance states that it “provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development throughout the software life cycle,” and that “[t]hese recommendations are intended to help federal agencies gather the information they need from software producers in a form they can use to make risk-based decisions about procuring software.” The scope of the Supply Chain Security Guidance is expressly limited to “federal agency procurement of software, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” The Guidance further provides that “the location of the implemented software, such as on-premises or cloud-hosted, is irrelevant,” and also excludes open source software and software developed by federal agencies. However, open-source software that is bundled, integrated, or otherwise used by software purchased by a federal agency is within the scope of the Guidance.
The Supply Chain Security Guidance defines minimum recommendations for federal agencies as they acquire software or a product containing software:
- Use the Secure Software Development Framework (SSDF) terminology and structure to organize communications about secure software development requirements.
- Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle.
- Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required.
- When requesting artifacts of conformance, request high-level artifacts.
January 2022 Developments Under President Biden’s Cybersecurity Executive Order
This is the ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, and eighth blogs described the actions taken by various government agencies to implement the EO from June through December 2021, respectively.
This blog summarizes key actions taken to implement the Cyber EO during January 2022. As with steps taken during prior months, the actions described below reflect the implementation of the EO within Government. However, these activities portend further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.
National Security Memorandum Issued on Application of Cyber EO Requirements to National Security Systems
On January 19, 2022, President Biden signed National Security Memorandum-8, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” (the NSM). The NSM sets forth requirements for National Security Systems (NSS) that are equivalent to or exceed the cyber requirements for Federal Information Systems set forth in the Cyber EO. The NSM also establishes methods for obtaining exceptions to these requirements for unique mission needs.
Section 1 of the NSM addresses how requirements set forth in the Cyber EO will be applied to NSS. In general, NSS are systems that involve intelligence activities, cryptologic activities related to national security, command and control of military forces, or equipment that is an integral part of a weapon or weapons system, or that are critical to the direct fulfillment of military or intelligence missions.[1] The NSM states that Cyber EO Sections 1 (“Policy”) and 2 (“Removing Barriers to Sharing Threat Information”) apply to NSS in their entirety, except that the Director of the National Security Agency (“NSA”) (defined as the “National Manager”) shall exercise with respect to NSS the authorities granted to the OMB Director and the Secretary of Homeland Security under Section 2 of the Cyber EO. This means, among other things, that companies that contract with DOD and other national security agencies and whose performance involves NSS may be subject to the cyber incident reporting and standard contractual clauses promulgated in the Federal Acquisition Regulation pursuant to Section 2 of the Cyber EO.
Section 1 of the NSM also requires the Committee on National Security Systems (CNSS) and the national security/intelligence agencies to take several actions to modernize NSS consistent with Section 3 of the Cyber EO. For example, the NSM requires all agencies that own or operate NSS to update their existing plans to use cloud technology and to develop plans to implement Zero Trust Architecture by March 18, 2022. The NSM further requires owners or operators of NSS to implement multifactor authentication and encryption of data-in-transit and data-at-rest on such systems by July 18, 2022. The NSM also requires NSS owners and operators to adhere to the standards for enhancing software supply chain security developed under section 4 of the Cyber EO except where “otherwise authorized by law” or where the National Manager grants an exception. Section 3 of the NSM sets forth the procedures and conditions for granting exceptions to NSS from the requirements of the Cyber EO.
In addition to the requirements described above, the NSM requires national security agencies to adhere to a process to be developed by the Director of NSA to identify and then inventory the NSS under their control by April 19, 2022. This guidance and inventory will be critical to defining the scope of application of the requirements of the memorandum.
The NSM also requires such agencies to report all known or suspected compromises of or unauthorized access to such NSS to the Director of NSA in accordance with procedures to be developed by the Director of NSA. The NSM authorizes the Director of NSA to issue Emergency Directives and Binding Operational Directives to NSS owners and operators that are similar to the directives that the Cybersecurity and Infrastructure Security Agency (CISA) is authorized to issue to civilian agencies.