Cybersecurity

A California federal judge has largely granted summary judgment in a data privacy lawsuit against Yodlee, Inc., finding that two of the five plaintiffs lacked Article III standing for all remaining claims and that the three other plaintiffs lacked Article III standing for—and failed to create genuine disputes of fact

Continue Reading California Federal Court Grants Summary Judgment on Most Claims in Data Privacy Case

On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.

Whilst the Action Plan primarily focuses on healthcare providers including hospitals, clinics, care homes, rehabilitation centres and others, the plan identifies interdependence between those providers and the healthcare industry. Therefore, some of the measures proposed address risks affecting the broader healthcare supply chain and ecosystem, and will potentially have implications for pharmaceutical and biotechnology industry players as well as medical device manufacturers.

The action that will be of most significance for industry is the plan for Member States to request that entities subject to the NIS2 Directive, including healthcare organisations, must report on ransom payments when reporting significant incidents to the competent authority under the NIS2 Directive (section 3.3, p.14). The Action Plan rationalizes this proposal by stating that the collection of further data is needed to understand the effectiveness of measures taken against ransomware attacks, and noting that such reporting would support the effective investigation of incidents. Reporting of ransomware payments is not required by the NIS2 Directive, so this would represent a significant change for in-scope entities. While this is titled a ‘national action’ to be implemented by Q4 2025, it is not immediately clear from the Action Plan if the proposal would take the form of a new EU law that imposes the obligation on Member States or otherwise.Continue Reading European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers

This is the first blog in a series covering the Fiscal Year 2025 National Defense Authorization Act (“FY 2025 NDAA”).  This first blog will cover: (1) NDAA sections affecting acquisition policy and contract administration that may be of greatest interest to government contractors; (2) initiatives that underscore Congress’s commitment to strengthening cybersecurity, both domestically and internationally; and (3) NDAA provisions that aim to accelerate the Department of Defense’s adoption of AI and Autonomous Systems and counter efforts by U.S. adversaries to subvert them. 

Future posts in this series will address NDAA provisions targeting China, supply chain and stockpile security, the revitalized Administrative False Claims Act, and Congress’s effort to mature the Office of Strategic Capital and leverage private investment to accelerate the development of critical technologies and strengthen the defense industrial base.  Subscribe to our blog here so that you do not miss these updates.

FY 2025 NDAA Overview

On December 23, 2025, President Biden signed the FY 2025 NDAA into law.  The FY 2025 NDAA authorizes $895.2 billion in funding for the Department of Defense (“DoD”) and Department of Energy national security programs—a $9 billion or 1 percent increase over 2024.  NDAA authorizations have traditionally served as a reliable indicator of congressional sentiment on final defense appropriations. 

FY 2025 marks the 64th consecutive year in which an NDAA has been enacted, reflecting its status as “must-pass” legislation.  As in prior years, the NDAA has been used as a legislative vehicle to incorporate other measures, including the FY 2025 Department of State and Intelligence Authorization Acts, as well as provisions related to the Departments of Justice, Homeland Security, and Veterans Affairs, among others.

Below are select provisions of interest to companies across industries that engage in U.S. Government contracting, including defense contractors, technology providers, life sciences firms, and commercial-item suppliers.Continue Reading President Biden signs the National Defense Authorization Act for Fiscal Year 2025

This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024.  This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024. 

National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”

On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.”  In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.”  The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.”  In the publication, NIST stated that it does not expect that all requirements are needed “universally.”  Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”

These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities.  To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here.  Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3.  Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements.  However, the draft requirements provide insight into how CMMC could evolve.Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.”  The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person.  If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor.  The Proposed Rule also does not distinguish between companies based in or outside the United States.

The Proposed Rule would implement the requirement of National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655 which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses.  Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.

A summary of the obligations and key definitions as described by the Proposed Rule are below.

Disclosure Obligations

Disclosure of Source or Computer Code

The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:

  • “The source code for any product, system, or service that DoD is using or intends to use; or
  • The computer code for any other than commercial product, system, or service developed for DoD.”

When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.”  For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options. Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities

On December 4, 2024, the Federal Communications Commission (the “Commission”) announced that it had selected UL Solutions to serve as the Lead Administrator for its Internet of Things Cybersecurity Labeling Program (the “IoT Labeling Program”).  The Commission also conditionally approved UL Solutions as a Cybersecurity Label Administrator (“CLA”) for the

Continue Reading FCC Takes Next Step Towards U.S. Cyber Trust Mark

On October 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published guidance on Product Security Bad Practices (the “Guidance”) that identifies “exceptionally risky” product security practices for software manufacturers.  The Guidance states that the ten identified practices—categorized as (1) Product Properties, (2) Security Features, or (3) Organizational Processes and Policies—are “dangerous and significantly elevate[] risk to national security, national economic security, and national public health and safety.”

The Guidance offers recommendations to remediate each of the identified practices and states that adoption of the recommendations indicates software manufacturers “are taking ownership of customer security outcomes.”  Provided below are the ten practices and associated recommendations.

I.               Product Properties

  • Development Not in Memory Safe Languages – The Guidance recommends software manufacturers protect against “memory safety vulnerabilities,” such as through the use of a memory safe language or protective hardware.
  • Inclusion of User-Provided Input in SQL Query Strings – The Guidance encourages product designs “that systematically prevent the introduction of SQL injection vulnerabilities, such as by consistently enforcing the use of parametrized queries.”
  • Inclusion of User-Provided Input in Operating System Command Strings – The Guidance recommends product designs “that systematically prevent[] command injection vulnerabilities, such as by consistently ensuring that command inputs are clearly delineated from the contents of a command itself.”
  • Presence of Default Passwords – The Guidance suggests the use of (among others) “instance-unique initial passwords,” requiring users to create new passwords during installation, and “time-limited setup passwords.”
  • Presence of Known Exploited Vulnerabilities – The Guidance states that known exploited vulnerabilities (“KEV”) should be patched before a product is deployed.  The Guidance also recommends that software manufacturers should offer a free and timely patch to customers when CISA’s catalog introduces a new KEV and advise customers “of the associated risks of not installing the patch.”
  • Presence of Open Source Software with Known Exploitable Vulnerabilities – The Guidance encourages software manufacturers to make “a reasonable effort to evaluate and secure their open source software dependencies.”  In particular, the Guidance recommends to conduct security scans on the initial and subsequent versions of open source software that are incorporated into the product and “[r]outinely monitor for Common Vulnerabilities and Exposures (CVEs) or other security-relevant alerts . . . in all open source software dependencies and update them as necessary,” among other recommended steps.  The Guidance further encourages the use of “a software bill of materials” to offer to customers.

Continue Reading CISA and FBI Publish Product Security Bad Practices

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

DoJ’s Civil Cyber-Fraud Initiative

On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI.  We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here.  As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements.  Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.

About the Settlement

On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania.  The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation.  On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State.  The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023. Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

The UK Government has announced that it intends to introduce the Cyber Security and Resilience Bill (the “Bill”) to Parliament in 2025. Formally proposed as part of the King’s Speech in July, this Bill is intended to strengthen the UK’s cross-sectoral cyber security legislation to better protect the

Continue Reading What to expect from the UK’s Cyber Security and Resilience Bill (and when)