This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022.  This blog describes key actions taken to implement the Cyber EO during January 2023.

GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023.

            On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”).  The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO.  That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices.  These practices include obtaining self-attestations of conformity with secure software development practices and in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.

            The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18.  For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023.  For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered.  Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible.  With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.

Continue Reading January 2023 Developments Under President Biden’s Cybersecurity Executive Order

The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).

The forthcoming standards will only apply to certain high- and medium-impact BES Cyber Systems.  The final rule also requires NERC to conduct a feasibility study for implementing similar standards across all other types of BES Cyber Systems.  NERC must propose the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of publication in the Federal Register.  

Background

According to the FERC news release, the 2020 global supply chain attack involving the SolarWinds Orion software demonstrated how attackers can “bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations.”  Thus, FERC determined that current CIP Reliability Standards focus on prevention of unauthorized access at the electronic security perimeter and that CIP-networked environments are thus vulnerable to attacks that bypass perimeter-based security controls.  The new or modified Reliability Standards (“INSM Standards”) are intended to address this gap by requiring responsible entities to employ INSM in certain BES Cyber Systems.  INSM is a subset of network security monitoring that enables continuing visibility over communications between networked devices that are in the so-called “trust zone,” a term which generally describes a discrete and secure computing environment.  For purposes of the rule, the trust zone is any CIP-networked environment.  In addition to continuous visibility, INSM facilitates the detection of malicious and anomalous network activity to identify and prevent attacks in progress.  Examples provided by FERC of tools that may support INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls.   

Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards

This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022.  This blog describes key actions taken to implement the Cyber EO during November 2022.

I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers 

On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”).  The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers.  Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.

The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test).  For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios. 

Continue Reading November 2022 Developments Under President Biden’s Cybersecurity Executive Order

The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).

In recent weeks, the UKG has made two further announcements:

  • On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
  • On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.

We set out below further detail on these latest developments.

*****

Continue Reading A packed end to the UK’s cyber summer: Government moves forward with telecoms cybersecurity proposals and consults on a Cyber Duty to Protect

This past week, co-defendants in a class action related to the theft of cryptocurrency engaged in their own lawsuit over alleged security failures.  IRA Financial Trust, a retirement account provider offering crypto-assets, sued class action co-defendant Gemini Trust Company, LLC, a crypto-asset exchange owned by the Winklevoss twins, following a breach of IRA customer accounts. 

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eye” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.”  The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures (“TTPs”).

In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory.

Overview.  The Advisory notes that “evolving intelligence” indicates that the Russian government is exploring options for potential cyber attacks and that some cybercrime groups have recently publicly pledged support for the Russian government and threatened to conduct cyber operations on behalf of the Russian government.  The Advisory summarizes TTPs used by five state-sponsored advanced persistent threat (“APT”) groups, two Russian-aligned cyber threat groups, and eight Russian-aligned cybercrime groups.  Additionally, it provides a list of mitigations and suggests that critical infrastructure organizations should implement certain mitigations “immediately.”

Russian State-Sponsored Cyber Operations.  The Advisory notes that Russian state-sponsored cyber actors have “demonstrated capabilities” to compromise networks; maintain long-term, persistent access to networks; exfiltrate sensitive data from information technology (“IT”) and operational technology (“OT”) networks; and disrupt critical industrial control systems (“ICS”) and OT networks by deploying destructive malware.  The Advisory details five Russian APT groups:
Continue Reading International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure

Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial supply chain and a relatively open environment for foreign investment in early stage technology development to sustain this dominant position, but in so doing has built risk into the foundation of its competitive advantage. The U.S. Government has growing concerns that these past practices meant to extend the U.S. economic and military advantage are contributing to its erosion. As a result, the Department of Defense (DoD), other Executive agencies, and Congress are taking steps to mitigate risks across the defense industrial and innovation supply chains that provide hardware, software, and services to the U.S. Government.
Continue Reading How Well Do You Know Your Supply Chain? New Policy Developments Affect Defense and Security Contractors

On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act (H.R. 3107) (“Boots-on-the-Ground Act”) with broad bipartisan support.