Photo of Susan B. Cassidy

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan's in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
Federal Acquisition Security Council (FASC) regulations and product exclusions,
Controlled unclassified information (CUI) obligations, and
M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

Procurement fraud and FAR mandatory disclosure requirements,
Cyber incidents and data spills involving sensitive government information,
Allegations of violations of national security requirements, and
Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Contact:Read more about Susan B. CassidyEmail

This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024.  This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024. 

National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”

On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.”  In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.”  The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.”  In the publication, NIST stated that it does not expect that all requirements are needed “universally.”  Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”

These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities.  To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here.  Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3.  Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements.  However, the draft requirements provide insight into how CMMC could evolve.Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.”  The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person.  If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor.  The Proposed Rule also does not distinguish between companies based in or outside the United States.

The Proposed Rule would implement the requirement of National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655 which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses.  Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.

A summary of the obligations and key definitions as described by the Proposed Rule are below.

Disclosure Obligations

Disclosure of Source or Computer Code

The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:

  • “The source code for any product, system, or service that DoD is using or intends to use; or
  • The computer code for any other than commercial product, system, or service developed for DoD.”

When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.”  For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options. Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities

This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023.  The first blog summarized the AI EO’s key provisions and

Continue Reading October 2024 Developments Under President Biden’s AI Executive Order

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

DoJ’s Civil Cyber-Fraud Initiative

On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI.  We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here.  As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements.  Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.

About the Settlement

On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania.  The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation.  On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State.  The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023. Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by

Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. 

NIST Publishes Cybersecurity Framework 2.0

            On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework.  The NIST Cybersecurity Framework (“CSF” or “Framework”) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or relative maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts.  CSF 2.0 makes some significant changes to the Framework, particularly in the areas of Governance and Cybersecurity Supply Chain Risk Management (“C-SCRM”).  Covington’s Privacy and Cybersecurity group has posted a blog that discusses CSF 2.0 and those changes in greater detail.

NTIA Requests Comment Regarding “Open Weight”

Dual-Use Foundation AI Models

            Also on February 26, the National Telecommunications and Information Administration (“NTIA”) published a request for comments on the risks, benefits, and possible regulation of “dual-use foundation models for which the model weights are widely available.”  Among other questions raised by NTIA in the document are whether the availability of public model weights could pose risks to infrastructure or the defense sector.  NTIA is seeking comments in order to prepare a report that the AI EO requires by July 26, 2024 on the risks and benefits of private companies making the weights of their foundational AI models publicly available.  NTIA’s request for comments notes that “openness” or “wide availability” are terms without clear definition, and that “more information [is] needed to detail the relationship between openness and the wide availability of both model weights and open foundation models more generally.”  NTIA also requests comments on potential regulatory regimes for dual-use foundation models with widely available model weights, as well as the kinds of regulatory structures “that could deal with not only the large scale of these foundation models, but also the declining level of computing resources needed to fine-tune and retrain them.”Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023. 

CISA Requests Comment on Secure Software Self-Attestation Common Form

On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form.  Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov.  The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18, which was issued pursuant to Section 4 of the Cyber EO and directs agencies to only use software that complies with Government-specified secure software development practices (the “OMB Memorandum”).  Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance.  The key provisions of the OMB Memorandum are discussed in more detail in our prior blog

Scope.  The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.”  CISA’s draft common form further specifies that the “following software requires self-attestation:

  1. Software developed after September 14, 2022;
  2. Existing software that is modified by major version changes […] after September 14, 2022; and
  3. Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”

Continue Reading April 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022.  This blog describes key actions taken to implement the Cyber EO during January 2023.

GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023.

            On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”).  The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO.  That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices.  These practices include obtaining self-attestations of conformity with secure software development practices and in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.

            The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18.  For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023.  For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered.  Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible.  With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.Continue Reading January 2023 Developments Under President Biden’s Cybersecurity Executive Order

This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022.  This blog describes key actions taken to implement the Cyber EO during November 2022.

I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers 

On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”).  The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers.  Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.

The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test).  For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios. Continue Reading November 2022 Developments Under President Biden’s Cybersecurity Executive Order