DoD

This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024.  This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024. 

National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”

On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.”  In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.”  The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.”  In the publication, NIST stated that it does not expect that all requirements are needed “universally.”  Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”

These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities.  To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here.  Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3.  Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements.  However, the draft requirements provide insight into how CMMC could evolve.
Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

DoJ’s Civil Cyber-Fraud Initiative

On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI.  We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here.  As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements.  Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.

About the Settlement

On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania.  The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation.  On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State.  The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023.
Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

Following our recent overview of key topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to the People’s Republic of China (“China” or “PRC”) in each of the House and Senate bills.  DoD’s focus on strengthening U.S. deterrence and competitive positioning vis-à-vis China features prominently in the 2022 National Defense Strategy (“NDS”) and in recent national security discourse.  This focus is shared by the Select Committee on Strategic Competition Between the United States and the Chinese Communist Party (“Select Committee”), led by Chairman Mike Gallagher (R-WI) and Ranking Member Raja Krishnamoorthi (D-IL). 

It is no surprise, then, that House and Senate versions of the NDAA include hundreds of provisions—leveraging all elements of national power—intended to address what the NDS brands as China’s “pacing” challenge, including many grounded in Select Committee policy recommendations.  Because the NDAA is viewed as “must-pass” legislation, it has served in past years as a vehicle through which other bills not directly related to DoD are enacted in law.  In one respect, this year is no different—the Senate version of the NDAA incorporates both the Department of State and Intelligence 2024 Authorization bills, each of which includes provisions related to China. 

To get a flavor of the approach to China in this year’s NDAA, look no further than the “Ending China’s Developing Nation Status Act” in Section 1399L of the Senate bill, which would require U.S. opposition to granting China “developing nation” status in treaties under negotiation and by international organizations of which the U.S. and China are members, such as the World Trade Organization.  Classification as a “developing nation” affords China access to preferential loans and other economic benefits intended to increase trading opportunities, notwithstanding its current status as an upper-middle income country (as determined by the World Bank), and the world’s second largest economy, trailing only the U.S.  Not to be outdone, Section 155 of the House bill contains a provision mandating expedited deployment of advanced radars to track high-altitude balloons and other potential threats to the U.S., in direct response to the incident earlier this year in which a Chinese balloon flew across the U.S. before being shot down by the Air Force.

Given these provisions, and many more (some we discuss below), this year’s NDAA strikes us as different.  It incorporates many more China-related provisions and many of these would impose greater obligations on government contractors to limit their interactions with the PRC and entities affiliated with the PRC Government.  Whether the laundry list of China-related provisions in the current NDAA survive, and in what form, will be determined by the conference process currently underway.  But these provisions have the potential to impose significant near-term burdens on contractors—requiring them to assess their obligations and make adjustments to ensure compliance.  Indeed, these provisions may be far more disruptive than requirements imposed by prior year NDAA China provisions that contractors have navigated by reassessing supply chains and increasing due diligence.  All government contractors and suppliers to government contractors with any connection to China would be well advised to monitor how the NDAA conference approaches resolution of this legislation over the coming months.
Continue Reading Not to Be Outpaced: NDAA Presents Measures Addressing China

This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

The Department of Defense (“DoD” or “the Department”) released its annual report to Congress on the Military and Security Developments Involving the People’s Republic of China (“PRC”) on May 2, 2019. This annual report details DoD’s assessment of Chinese security strategy and military strategy over the next 20 years, with a particular focus on China’s future course of military-technological developments. The Secretary of Defense sends both a classified and unclassified version of the report to Congress each year to fulfill the requirements of Section 1202 of the National Defense Authorization Act for Fiscal Year (“FY”) 2000, as amended by Section 1260 of the NDAA for FY 2019. Notably, the 2019 amendments refined the scope of the reporting requirements to include elements regarding emerging efforts by the PRC on espionage, technology transfer, economic pressure, political coercion, information operations, and predatory lending under its Belt and Road initiative.

The report highlights significant strategic challenges presented by Chinese foreign and military policy.  Its tone underscores sharp differences with several recent policy decisions and comments that take a more accommodating view of Chinese policy.  The UK defense minister, for example, was recently ousted over a leak concerning Britain’s proposed decision to allow Huawei to participate in certain parts of its 5G network.  The DoD report, by contrast, describes serious threats from China’s coercive military-civilian strategy.  China is taking major steps to modernize its military capabilities and can force cooperation under its laws from all potential sources of innovation within its borders.

Industry leaders in the United States should take note of this approach.  As they engage with U.S. government leaders and policy makers, it will be important to look for ways to continue building on key innovation efforts in the United States, and with allies and partners, to harness dual-use emerging technologies for future capabilities. The report also makes clear that cybersecurity and counter-espionage protocols will be key to thwarting efforts of the Chinese government – acting either through governmental agencies or through Chinese companies – to gain insight into the military and industrial capabilities of the United States.
Continue Reading Department of Defense Releases Annual Report to Congress on the Military and Security Developments Involving the People’s Republic of China

The Senate Armed Services Committee heard testimony last week from Acting Secretary of Defense Pat Shanahan, Secretary of the Air Force Heather Wilson, Marine General Joe Dunford (Chairman of the Joint Chiefs of Staff), and Air Force General John Hyten (Commander of U.S. Strategic Command and the presumptive next Vice Chairman of the Joint Chiefs).

The witnesses presented unified support for the creation of the Space Force. Secretary Wilson, notably, voiced support for the proposal, which would put the new Space Force under the Air Force.  That structure mimics the design of the Marine Corps and the Department of the Navy; Wilson acknowledged that she had previously been critical of proposals that would establish a new independent department for space.  From the perspective of continuity, the key testimony came from General Hyten; both Wilson and Dunford are lame ducks, and Shanahan’s nomination for Secretary remains uncertain.  Many of the Senators voiced concerns about the fundamental need for a Space Force and the significant bureaucratic expansion contemplated by the proposal.

It was clear from the hearing that the Administration and the Department still have much to do to market this Space Force proposal to the Congress.  Given the reactions so far, it is extremely unlikely to be included as written in the Fiscal Year 2020 National Defense Authorization Act. While Congress continues to debate the proposal, now is the window to engage with the congressional defense committees with comments on the proposal and suggestions for how to modify it.
Continue Reading Senators Question the Administration’s Space Force Proposal

The aerospace and defense industry, including the defense trade press, has been wrestling since the late evening of November 6, 2018 with the implications of the midterm elections for U.S. defense policy and spending over the next two years.  Quite frankly, it is too early to say with certainty. As Leo Rosten, the famous political scientist and humorist, once said, “Some things are so unexpected that no one is prepared for them.” That statement seems an appropriate caution given the current tumult of U.S. domestic politics.

That caution given, we can offer a couple, dare we say, steadfast observations about what is likely to be “normal” even given change to control of the House:

  • The President retains significant power to determine national security policy, and often enjoys first-mover advantage in this area; continuity, rather than change, will likely be the broad theme.
  • Congress has passed an annual National Defense Authorization Act for 58 consecutive years, and we expect them to do so again. This remains a must-pass piece of legislation, including policy issues in the jurisdiction of other committees (for example, the Foreign Investment Risk Review Modernization Act that governs the Committee on Foreign Investment in the United States was included in last year’s defense bill).

But with the change in control of the House, we do expect a more contentious and potentially drawn out debate regarding key defense policy priorities of the Trump administration and congressional Republicans. 
Continue Reading Implications of the 2018 Midterm Elections for U.S. National Defense Policy and Spending

(This article was originally published in Law360 and has been modified for the blog.)

Peter Navarro, assistant to the president for trade and manufacturing policy, recently offered in a New York Times op-ed that “[a] strong manufacturing base is critical to both economic prosperity and national defense.” The Trump Administration’s maxim that “economic security is national security” is rooted in several government initiatives, ranging from large-scale policy reforms (like renegotiating the North American Free Trade Agreement and strengthening the so-called “Buy American Laws”) to more granular contracting procedures (like the Department of Defense’s proposed changes to commercial item contracting and increased scrutiny of security across all levels of defense supply chains).

Business leaders should therefore pay close attention to the government’s long-awaited interagency assessment of the manufacturing and defense industrial base, available in unclassified form here.  The report was commissioned by Executive Order 13806, which described “[s]trategic support for a vibrant domestic manufacturing sector, a vibrant defense industrial base, and resilient supply chains” as “a significant national priority.”  The Department of Defense served as the lead agency coordinating the report, in partnership with the White House’s Office of Trade and Manufacturing Policy.

Throughout the 140-page report, the Interagency Task Force (the “Task Force”) identifies myriad threats, risks and gaps in the country’s manufacturing and industrial base, and concludes that “[a]ll facets of the manufacturing and defense industrial base are currently under threat, at a time when strategic competitors and revisionist powers appear to be growing in strength and capability.”  To address these concerns, the Task Force lays out a methodology, diagnosis, and framework for policy recommendations and gives the government significant flexibility in crafting responses.  The report recommends – and we expect the President to issue – a follow-on Executive Order directing action on those responses.  That creates an opportunity for industry to participate in shaping the major implementing policies and regulations that are coming.
Continue Reading “Economic Security Is National Security”: Key Takeaways from the Defense Industrial Base Report

Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial supply chain and a relatively open environment for foreign investment in early stage technology development to sustain this dominant position, but in so doing has built risk into the foundation of its competitive advantage. The U.S. Government has growing concerns that these past practices meant to extend the U.S. economic and military advantage are contributing to its erosion. As a result, the Department of Defense (DoD), other Executive agencies, and Congress are taking steps to mitigate risks across the defense industrial and innovation supply chains that provide hardware, software, and services to the U.S. Government.
Continue Reading How Well Do You Know Your Supply Chain? New Policy Developments Affect Defense and Security Contractors