
This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, eighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.

This blog summarizes key actions taken to implement the Cyber EO during February 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

NIST Publishes Guidance to Federal Agencies on Practices to Enhance Supply Chain Security When Procuring Software

Section 4(e) of the Cyber EO requires the National Institute of Standards and Technology (NIST) to publish guidelines on practices for software supply chain security for use by U.S. Government acquisition and procurement officials.  Section 4(k) of the EO requires the Office of Management and Budget, within 30 days of the publication of this guidance (or March 4, 2022), to “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of the EO.”  Section 4(n) of the EO states that within one year of the date of the EO (or May 12, 2023), “the Secretary of Homeland Security…shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.”

NIST issued the Supply Chain Security Guidance called for by Section 4(e) of the EO on February 4, 2022.  The Supply Chain Security Guidance states that it “provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development throughout the software life cycle,” and that “[t]hese recommendations are intended to help federal agencies gather the information they need from software producers in a form they can use to make risk-based decisions about procuring software.”  The scope of the Supply Chain Security Guidance is expressly limited to “federal agency procurement of software, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”  The Guidance further provides that “the location of the implemented software, such as on-premises or cloud-hosted, is irrelevant,” and also excludes open source software and software developed by federal agencies.  However, open-source software that is bundled, integrated, or otherwise used by software purchased by a federal agency is within the scope of the Guidance.

The Supply Chain Security Guidance defines minimum recommendations for federal agencies as they acquire software or a product containing software:

  1. Use the Secure Software Development Framework (SSDF) terminology and structure to organize communications about secure software development requirements.
  2. Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle.
  3. Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required.
  4. When requesting artifacts of conformance, request high-level artifacts.

Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order

Last Tuesday, GAO released its Fiscal Year 2021 protest statistics, which as always contains a wealth of interesting information about GAO’s protest system.

  • Protest filings dropped by 12% from FY20.  After remaining fairly steady in FY19 and FY20, filings dropped in FY21, with the lowest number of cases filed since FY08.  It seems likely,

Federal government contractors face many uncertainties as they implement President Biden’s COVID-19 vaccine mandate. This includes the distinct possibility of civil lawsuits arising out of their implementation of the mandate, including potential allegations of invasion of privacy, wrongful termination, lost wages, discrimination, personal injury or other common law claims or statutory violations. At least 

This is the fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity”, issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, and fourth blogs described the actions taken by various

On September 24, the Safer Federal Workforce Task Force released guidance on workplace safety protocols for federal contractors and subcontractors related to COVID-19 (“the Guidance”).  The Guidance was issued pursuant to President Biden’s Executive Order on Ensuring Adequate COVID Safety Protocols for Federal Contractors.

As expected, the Guidance covers a broad range of contract

For the last several years, GSA has been piloting just such an alternative:  the Transactional Data Reporting (“TDR”) program, through which the government collects transaction-level data on products and services purchased through the Schedule to make data-driven decisions that save taxpayer dollars.  GSA has been running a TDR pilot program for several years to test the potential for a new regulatory regime, though the program sometimes has been the source of criticism and controversy.  Now that controversy has heightened further:  GSA’s Office of Inspector General published an audit report on June 24, 2021 that is sharply critical of the program, only to see GSA’s Federal Acquisition Service (“FAS”) Commissioner publicly reject the report’s conclusions and defend TDR’s effectiveness.
Continue Reading The End of CSP and PRC Requirements? — GSA’s TDR Pilot Program Faces Further Internal Criticism
