Photo of Robert Huffman

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice's Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

This is the first in a new series of Covington blogs on the AI policies, executive orders, and other actions of the new Trump Administration.  This blog describes key actions on AI taken by the Trump Administration in January 2025.

Outgoing President Biden Issues Executive Order and Data Center Guidance for AI Infrastructure

Before turning to the Trump Administration, we note one key AI development from the final weeks of the Biden Administration.  On January 14, in one of his final acts in office, President Biden issued Executive Order 14141 on “Advancing United States Leadership in AI Infrastructure.”  This EO, which remains in force, sets out requirements and deadlines for the construction and operation of “frontier AI infrastructure,” including data centers and clean energy facilities, by private-sector entities on federal land.  Specifically, EO 14141 directs the Departments of Defense (“DOD”) and Energy (“DOE”) to lease federal lands for the construction and operation of AI data centers and clean energy facilities by the end of 2027, establishes solicitation and lease application processes for private sector applicants, directs federal agencies to take various steps to streamline and consolidate environmental permitting for AI infrastructure, and directs the DOE to take steps to update the U.S. electricity grid to meet the growing energy demands of AI. 

On January 14, and in tandem with the release of EO 14141, the Office of Management and Budget (“OMB”) issued Memorandum M-25-03 on “Implementation Guidance for the Federal Data Center Enhancement Act,” directing federal agencies to implement requirements related to the operation of data centers by federal agencies or government contractors.  Specifically, the memorandum requires federal agencies to regularly monitor and optimize data center electrical consumption, including through the use of automated tools, and to arrange for assessments by certified specialists of data center energy and water usage and efficiency, among other requirements.  Like EO 14141, Memorandum M-25-03 has yet to be rescinded by the Trump Administration.

Trump White House Revokes President Biden’s 2023 AI Executive Order

On January 20, President Trump issued Executive Order 14148 on “Initial Recissions of Harmful Executive Orders and Actions,” revoking dozens of Biden Administration executive actions, including the October 2023 Executive Order 14110 on the “Safe, Secure, and Trustworthy Development and Use of AI” (“2023 AI EO”).  To implement these revocations, Section 3 of EO 14148 directs the White House Domestic Policy Council (“DPC”) and National Economic Council (“NEC”) to “review all Federal Government actions” taken pursuant to the revoked executive orders and “take all necessary steps to rescind, replace, or amend such actions as appropriate.”  EO 14148 further directs the DPC and NEC to submit, within 45 days of the EO, lists of additional Biden Administration orders, memoranda, and proclamations that should be rescinded and “replacement orders, memoranda, or proclamations” to “increase American prosperity.”  Finally, EO 14148 directs National Security Advisor Michael Waltz to initiate a “complete and thorough review” of all National Security Memoranda (“NSMs”) issued by the Biden Administration and recommend NSMs for recission within 45 days of the EO. Continue Reading January 2025 AI Developments – Transitioning to the Trump Administration

On February 6, the White House Office of Science & Technology Policy (“OSTP”) and National Science Foundation (“NSF”) issued a Request for Information (“RFI”) seeking public input on the “Development of an Artificial Intelligence Action Plan.”  The RFI marks a first step toward the implementation of the Trump Administration’s January

Continue Reading Trump Administration Seeks Public Comment on AI Action Plan

On January 14, 2025, the Biden Administration issued an Executive Order on “Advancing United States Leadership in Artificial Intelligence Infrastructure” (the “EO”), with the goals of preserving U.S. economic competitiveness and access to powerful AI models, preventing U.S. dependence on foreign infrastructure, and promoting U.S. clean energy production to power the development and operation of AI.  Pursuant to these goals, the EO outlines criteria and timeframes for the construction and operation of “frontier AI infrastructure,” including data centers and clean energy resources, by private-sector entities on federal land.  The EO builds upon a series of actions on AI issued by the Biden Administration, including the October 2023 Executive Order on Safe, Secure, and Trustworthy AI and an October 2024 AI National Security Memorandum.

I. Federal Sites for AI Data Centers & Clean Energy Facilities

The EO contains various requirements for soliciting and leasing federal sites for AI infrastructure, including:

The EO directs the Departments of Defense (“DOD”) and Energy (“DOE”) to each identify and lease, by the end of 2027, at least three federal sites to private-sector entities for the construction and operation of “frontier AI data centers” and “clean energy facilities” to power them (“frontier AI infrastructure”).  Additionally, the EO directs the Department of the Interior (“DOI”) to identify (1) federal sites suitable for additional private-sector clean energy facilities as components of frontier AI infrastructure, and (2) at least five “Priority Geothermal Zones” suitable for geothermal power generation.  Finally, the EO directs the DOD and DOE to publish a joint list of ten high-priority federal sites that are most conducive for nuclear power capacities that can be readily available to serve AI data centers by December 31, 2035.

  • Public Solicitations.  By March 31, 2025, the DOD and DOE must launch competitive, 30-day public solicitations for private-sector proposals to lease federal land for frontier AI infrastructure construction.  In addition to identifying proposed sides for AI infrastructure construction, solicitations will require applicants to submit detailed plans regarding:
  • Timelines, financing methods, and technical construction plans for the site;
  • Proposed frontier AI training work to occur on the site once operational;
  • Use of high labor and construction standards at the site; and
  • Proposed lab-security measures, including personnel and material access requirements, associated with the operation of frontier AI infrastructure.

The DOD and DOE must select winning proposals by June 30, 2025, taking into account effects on competition in the broader AI ecosystem and other selection criteria, including an applicant’s proposed financing and funding sources; plans for high-quality AI training, resource efficiency, labor standards, and commercialization of IP developed at the site; safety and security measures and capabilities; AI workforce capabilities; and prior experience with comparable construction projects.  Continue Reading Biden Administration Releases Executive Order on AI Infrastructure

This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024.  This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024. 

National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”

On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.”  In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.”  The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.”  In the publication, NIST stated that it does not expect that all requirements are needed “universally.”  Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”

These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities.  To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here.  Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3.  Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements.  However, the draft requirements provide insight into how CMMC could evolve.Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.”  The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person.  If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor.  The Proposed Rule also does not distinguish between companies based in or outside the United States.

The Proposed Rule would implement the requirement of National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655 which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses.  Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.

A summary of the obligations and key definitions as described by the Proposed Rule are below.

Disclosure Obligations

Disclosure of Source or Computer Code

The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:

  • “The source code for any product, system, or service that DoD is using or intends to use; or
  • The computer code for any other than commercial product, system, or service developed for DoD.”

When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.”  For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options. Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities

This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023.  The first blog summarized the AI EO’s key provisions and

Continue Reading October 2024 Developments Under President Biden’s AI Executive Order

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

DoJ’s Civil Cyber-Fraud Initiative

On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI.  We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here.  As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements.  Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.

About the Settlement

On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania.  The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation.  On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State.  The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023. Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by

Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. 

NIST Publishes Cybersecurity Framework 2.0

            On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework.  The NIST Cybersecurity Framework (“CSF” or “Framework”) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or relative maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts.  CSF 2.0 makes some significant changes to the Framework, particularly in the areas of Governance and Cybersecurity Supply Chain Risk Management (“C-SCRM”).  Covington’s Privacy and Cybersecurity group has posted a blog that discusses CSF 2.0 and those changes in greater detail.

NTIA Requests Comment Regarding “Open Weight”

Dual-Use Foundation AI Models

            Also on February 26, the National Telecommunications and Information Administration (“NTIA”) published a request for comments on the risks, benefits, and possible regulation of “dual-use foundation models for which the model weights are widely available.”  Among other questions raised by NTIA in the document are whether the availability of public model weights could pose risks to infrastructure or the defense sector.  NTIA is seeking comments in order to prepare a report that the AI EO requires by July 26, 2024 on the risks and benefits of private companies making the weights of their foundational AI models publicly available.  NTIA’s request for comments notes that “openness” or “wide availability” are terms without clear definition, and that “more information [is] needed to detail the relationship between openness and the wide availability of both model weights and open foundation models more generally.”  NTIA also requests comments on potential regulatory regimes for dual-use foundation models with widely available model weights, as well as the kinds of regulatory structures “that could deal with not only the large scale of these foundation models, but also the declining level of computing resources needed to fine-tune and retrain them.”Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

On March 28, the White House Office of Management and Budget (OMB) released guidance on governance and risk management for federal agency use of artificial intelligence (AI).  The guidance was issued in furtherance of last fall’s White House AI Executive Order, which established goals to promote the safe, secure, and

Continue Reading OMB Issues First Governmentwide AI Policy for Federal Agencies