
On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.  In particular, and among other things, the Order:
  • seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
  • mandates that software purchased by the federal government meet new cybersecurity standards;
  • discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
  • seeks to impose new cyber incident[1] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents; and
  • addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.

The Order contains eight substantive sections, which are listed here, and discussed in more detail below:

  • Section 2 – Removing Barriers to Sharing Threat Information
  • Section 3 – Modernizing Federal Government Cybersecurity
  • Section 4 – Enhancing Software Supply Chain Security
  • Section 5 – Establishing a Cyber Safety Review Board
  • Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
  • Section 9 – National Security Systems

The summaries below discuss highlights from these sections, and the full text of the Order can be found here.


Continue Reading President Biden Signs Executive Order Aimed at Improving Government Cybersecurity

As the recent SolarWinds Orion attack makes clear, cybersecurity will be a focus in the coming years for both governmental and non-governmental entities alike.  In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act (FCA) litigation involving cybersecurity

As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that addresses DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new

On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.

The six-step guide (key points from which are described in the table below) captures the basic blocking and tackling that companies should consider when establishing their SCRM processes and procedures.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency

The new year has already brought significant news for companies that do business with the U.S. government, and for those that trade in materials and technology that represent priorities for national security stakeholders.  Our colleagues in the firm’s CFIUS practice thoughtfully analyzed the regulations implementing the Foreign Investment Risk Review Modernization Act, and other experts

Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy.  Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.”  In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.

SUBPART 5204.73

Equitable Price Reductions/Suspension and Reduction of Progress Payments.  The Navy added Subpart 5204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to the NMCARS.  This Subpart provides direction to COs in three areas.  First, it provides that Annex 16 must be included in the SOWs of relevant solicitations, contracts and task or delivery orders.  Second, the Subpart directs COs to consider the DFARS clause, Annex 16 and the Geurts Memo as material requirements.[1]  Finally, if COs accept supplies or services with “critical or major non-conformances (e.g., failure to comply with material requirement)” they are directed to impose an equitable price reduction.  The Subpart identifies a “reasonable amount” for this reduction as 5% of the total contract value.  That amount can be increased if there is an increased risk from the non-conformance.  If the CO decides to require correction of nonconforming services or supplies rather than acceptance, the CO is directed to withhold/reduce or suspend progress payments if correction is not made in a timely manner.

This revision to the NMCARS represents a powerful enforcement mechanism for the Navy.  Until now, DoD has stated that the failure to comply with the DFARS clause requirements would be treated as a contract performance issue.  Although that basic concept continues, the Subpart explicitly defines the DFARS clause, Annex 16 and the Geurts Memo as “material requirements” of the contract.  A failure to comply with a material requirement would make contractors potentially liable for significant equitable reductions or for a suspension or reduction of progress payments.  Read literally, a contractor that reports a cyber incident 76 hours (and not 72 hours) after discovery may be violating a material requirement of the contract.  Contractors may derive some comfort from the NMCARS’ reliance on FAR 32.503-6, “Suspension or reduction of payments,” which at least requires COs to “act fairly and reasonably” and “base decisions on substantial evidence.”  However, the nonconforming supplies or services provision in FAR 46.407 does not impose a similar fairness requirement on COs.

ANNEX 16

The Navy’s Annex 16 covers five areas: (1) System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) Reviews; (2) Compliance with NIST Special Publication (SP) 800-171; (3) Cyber Incident Response; (4) Naval Criminal Investigative Service (NCIS) Outreach; and (5) NCIS/Industry Monitoring.  The requirements of Annex 16 are similar to various requirements that have been included in various Navy solicitations over the past year.  As described below, although the Annex provides more detail than the Geurts Memo, significant questions remain about how each of these requirements will be interpreted by the Navy going forward.
Continue Reading Navy Modifies Acquisition Supplement to Tighten Cybersecurity Requirements and Implement the Geurts Memorandum

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment.  The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial
