This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023. The first blog summarized the AI EO’s key provisions and
Continue Reading October 2024 Developments Under President Biden’s AI Executive OrderSusan B. Cassidy
Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan's in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”
Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.
In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:
- Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
- Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
- Federal Acquisition Security Council (FASC) regulations and product exclusions,
- Controlled unclassified information (CUI) obligations, and
- M&A government cybersecurity due diligence.
Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:
- Procurement fraud and FAR mandatory disclosure requirements,
- Cyber incidents and data spills involving sensitive government information,
- Allegations of violations of national security requirements, and
- Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.
In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.
Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.
Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.
Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations
On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”). This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory. The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department. It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.
DoJ’s Civil Cyber-Fraud Initiative
On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI. We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here. As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements. Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.
About the Settlement
On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania. The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation. On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State. The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023. Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations
March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by…
Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive OrderFebruary 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024. It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
NIST Publishes Cybersecurity Framework 2.0
On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework. The NIST Cybersecurity Framework (“CSF” or “Framework”) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or relative maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts. CSF 2.0 makes some significant changes to the Framework, particularly in the areas of Governance and Cybersecurity Supply Chain Risk Management (“C-SCRM”). Covington’s Privacy and Cybersecurity group has posted a blog that discusses CSF 2.0 and those changes in greater detail.
NTIA Requests Comment Regarding “Open Weight”
Dual-Use Foundation AI Models
Also on February 26, the National Telecommunications and Information Administration (“NTIA”) published a request for comments on the risks, benefits, and possible regulation of “dual-use foundation models for which the model weights are widely available.” Among other questions raised by NTIA in the document are whether the availability of public model weights could pose risks to infrastructure or the defense sector. NTIA is seeking comments in order to prepare a report that the AI EO requires by July 26, 2024 on the risks and benefits of private companies making the weights of their foundational AI models publicly available. NTIA’s request for comments notes that “openness” or “wide availability” are terms without clear definition, and that “more information [is] needed to detail the relationship between openness and the wide availability of both model weights and open foundation models more generally.” NTIA also requests comments on potential regulatory regimes for dual-use foundation models with widely available model weights, as well as the kinds of regulatory structures “that could deal with not only the large scale of these foundation models, but also the declining level of computing resources needed to fine-tune and retrain them.”Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken…
Continue Reading June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity StrategyApril 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023.
CISA Requests Comment on Secure Software Self-Attestation Common Form
On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form. Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov. The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18, which was issued pursuant to Section 4 of the Cyber EO and directs agencies to only use software that complies with Government-specified secure software development practices (the “OMB Memorandum”). Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance. The key provisions of the OMB Memorandum are discussed in more detail in our prior blog.
Scope. The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.” CISA’s draft common form further specifies that the “following software requires self-attestation:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes […] after September 14, 2022; and
- Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”
January 2023 Developments Under President Biden’s Cybersecurity Executive Order
This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022. This blog describes key actions taken to implement the Cyber EO during January 2023.
GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023.
On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”). The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO. That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices. These practices include obtaining self-attestations of conformity with secure software development practices and in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.
The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18. For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023. For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered. Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible. With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.Continue Reading January 2023 Developments Under President Biden’s Cybersecurity Executive Order
November 2022 Developments Under President Biden’s Cybersecurity Executive Order
This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022. This blog describes key actions taken to implement the Cyber EO during November 2022.
I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers
On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”). The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers. Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.
The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test). For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios. Continue Reading November 2022 Developments Under President Biden’s Cybersecurity Executive Order
February 2022 Developments Under President Biden’s Cybersecurity Executive Order
This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, eighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.
This blog summarizes key actions taken to implement the Cyber EO during February 2022. As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government. However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.
NIST Publishes Guidance to Federal Agencies on Practices to Enhance Supply Chain Security When Procuring Software
Section 4(e) of the Cyber EO requires the National Institute of Standards and Technology (NIST) to publish guidelines on practices for software supply security for use by U.S. Government acquisition and procurement officials. Section 4(k) of the EO requires the Office of Management and Budget, within 30 days of the publication of this guidance (or March 4, 2022), to “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of the EO. Section 4(n) of the EO states that within one year of the date of the EO (or May 12, 2023), the Secretary of Homeland Security…shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.”
NIST issued the Supply Chain Security Guidance called for by Section 4(e) of the EO on February 4, 2022. The Supply Chain Security Guidance states that it “provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development throughout the software life cycle,” and that “[t]hese recommendations are intended to help federal agencies gather the information they need from software producers in a form they can use to make risk-based decisions about procuring software.” The scope of the Supply Chain Security Guidance is expressly limited to “federal agency procurement of software, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” The Guidance further provides that “the location of the implemented software, such as on-premises or cloud-hosted, is irrelevant,” and also excludes open source software and software developed by federal agencies. However, open-source software that is bundled, integrated, or otherwise used by software purchased by a federal agency is within the scope of the Guidance.
The Supply Chain Security Guidance defines minimum recommendations for federal agencies as they acquire software or a product containing software:
- Use the Secure Software Development Framework (SSDF) terminology and structure to organize communications about secure software development requirements.
- Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle.
- Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required.
- When requesting artifacts of conformance, request high-level artifacts.
Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order
January 2022 Developments Under President Biden’s Cybersecurity Executive Order
This is the ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, and eighth blogs described the actions taken by various government agencies to implement the EO from June through December 2021, respectively.
This blog summarizes key actions taken to implement the Cyber EO during January 2022. As with steps taken during prior months, the actions described below reflect the implementation of the EO within Government. However, these activities portend further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.
National Security Memorandum Issued on Application of Cyber EO Requirements to National Security Systems
On January 19, 2022, President Biden signed National Security Memorandum-8, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” (the NSM). The NSM sets forth requirements for National Security Systems (NSS) that are equivalent to or exceed the cyber requirements for Federal Information Systems set forth in the Cyber EO. The NSM also establishes methods for obtaining exceptions to these requirements for unique mission needs.
Section 1 of the NSM addresses how requirements set forth in the Cyber EO will be applied to NSS. In general, NSS are systems that involve: intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon or weapons system, or are critical to the direct fulfillment of military or intelligence missions.[1] The NSM states that Cyber EO Sections 1 (“Policy”) and 2 (“Removing Barriers to Sharing Threat Information”) apply to NSS in their entirety, except that the Director of the National Security Agency (“NSA”) (defined as the “National Manager”) shall exercise with respect to NSS the authorities granted the OMB Director and the Secretary of Homeland Security under Section 2 of the Cyber EO. This means, among other things, that companies that contract with DOD and other national security agencies and whose performance involves NSS, may be subject to the cyber incident reporting and standard contractual clauses promulgated in the Federal Acquisition Regulation pursuant to section 2 of the Cyber EO.
Section 1 of the NSM also requires the Committee on National Security Systems (CNSS) and the national security/intelligence agencies to take several actions to modernize NSS consistent with Section 3 of the Cyber EO. For example, the NSM requires all agencies that own or operate NSS to update their existing plans to use cloud technology and to develop plans to implement Zero Trust Architecture by March 18, 2022. The NSM further requires owners or operators of NSS to implement multifactor authentication and encryption of data-in-transit and data-at-rest on such systems by July 18, 2022. The NSM also requires NSS owners and operators to adhere to the standards for enhancing software supply chain security developed under section 4 of the Cyber EO except where “otherwise authorized by law” or where the National Manager grants an exception. Section 3 of the NSM sets forth the procedures and conditions for granting exceptions to NSS from the requirements of the Cyber EO.
In addition to the requirements described above, the NSM requires national security agencies to adhere to a process to be developed by the Director of NSA to identify and then inventory the NSS under their control according by April 19, 2022. This guidance and inventory will be critical to defining the scope of application of the requirements of the memorandum.
The NSM also requires such agencies to report all known or suspected compromises of or unauthorized access to such NSS to the Director of NSA in accordance with procedures to be developed by the Director of NSA. The NSM authorizes the Director of NSA to issue Emergency Directives and Binding Operational Directives to NSS owners and operators that are similar to the directives that the Cybersecurity and Infrastructure Security Agency (CISA) is authorized to issue to civilian agencies.
Continue Reading January 2022 Developments Under President Biden’s Cybersecurity Executive Order