Domestic sourcing requirements are not new, but the Government is always developing new tools for increasing the sourcing of goods from the U.S. and allied countries.  Both sides of the political aisle have marched to a drumbeat of increased domestic sourcing for the past several years.  Most recently, the Biden Administration implemented Executive Order 14005 to “maximize” the U.S. Government’s purchase of goods and services produced in the United States and Executive Order 14104 to increase domestic manufacturing and commercialization in certain research and development supported by federal funding.  The ongoing bi-partisan support for bolstering domestic sourcing is illustrated no better than through this year’s NDAA, which focuses on expanding the domestic supply chain for materials and supplies critical to the U.S. military, encouraging the purchase of domestic end items, and providing more opportunities for the Department of Defense (“DoD”) to engage with and purchase from domestic businesses.

A number of provisions in both chambers’ versions of the FY 2024 NDAA seek to expand DoD purchases of goods and services produced in the United States: 

  • Navy Shipbuilding:  Senate Section 866 would adjust the domestic content requirements under the Buy American Act of articles, materials, or supplies procured for use in Navy shipbuilding.  Beginning in January 2026, an article, material, or supply is “manufactured substantially” in the United States if at least 65% of the cost of a shipbuilding component is attributed to materials mined, produced, or manufactured in the United States.  That percentage would increase on a graduated scale until January 1, 2033, at which time 100% of the cost of such components must be attributable to U.S. sources.  Even shipbuilding contracts related to research, development, testing, and evaluation activities would be required to meet these thresholds.  This graduated scale would not apply to iron and steel articles, materials, or supplies, which are deemed “manufactured in the United States” only if all manufacturing processes—from initial melting through the application of coating—occur in the United States.
  • Major Defense Acquisition Programs:  House Section 869 takes this same concept to the next level, proposing to define “manufactured substantially . . . in the United States” for purposes of articles, materials, or supplies procured in connection with any major defense acquisition program (“MDAP”) under the Buy American Act.  This requirement would apply only to contracts entered into after the 2024 NDAA is enacted.  Under this section, a manufactured article, material, or supply procured in connection with an MDAP is manufactured substantially in the United States if more than 60% of the cost of any MDAP component is attributed to materials mined, produced, or manufactured in the United States.  That percentage would increase on a graduated scale until January 1, 2029, at which time at least 75% of each component article, material, or supply cost must be attributable to U.S. sources.  Section 869’s requirements would not apply to a country that is a member of the National Technology Industrial Base (“NTIB,” i.e., the United States, Canada, the United Kingdom, Australia, and New Zealand).  Because the MDAP and shipbuilding requirements propose to fall under the Buy American Act, we anticipate that these provisions will be subject to further guidance under Buy American Act regulations.
  • Components for Auxiliary Ships:  House Section 844 would include propulsion system components (including reduction gears and propellers) and other components (including alternators, diesel engines, and steam turbines) used to generate electricity to power the systems of auxiliary ships to the list of items that DoD may procure only from a member of the NTIB.
  • Tactical Vehicles:  House Section 182 would prohibit DoD from acquiring tactical tracked or wheeled vehicles constructed from a specialty metal, or that include a specialty metal component, unless that metal is melted or produced in the United States.  This same prohibition has long applied to aircraft, missile and space systems, ships, and ammunition, but if enacted, this provision could mean further expansion of this sourcing requirement and suppliers to DoD contractors could see additional sourcing requirements flowed down. 
  • Expanding Coverage of Berry Amendment:  Several provisions of the FY 2024 NDAA would expand coverage of the “Berry Amendment”—a longstanding domestic preference statute that requires DoD to buy certain items, like tools, food, and clothing, from American sources—signaling an ongoing openness among lawmakers to support efforts from domestic manufacturers to ensure their products are covered by domestic preference laws.  For instance, House Section 367 requires DoD to make recommendations to Congress on how to ensure that boots worn by members of the armed forces are compliant with the Berry Amendment.  Similarly, House Section 841 would require full Berry Amendment compliance (domestic production) for flags of the United States acquired by DoD.
  • Modification of Definition of Domestic Source for Title III of Defense Production Act of 1950:  Senate Section 1080 would include business concerns in Australia and the United Kingdom in the definition of “domestic source” under title III of the Defense Production Act of 1950 (“DPA”), but only in cases in which production and deliveries or services essential to the national defense cannot be fully addressed by U.S. and Canadian business concerns.  Title III permits the President to provide funding, purchase commitments, loans or loan guarantees to a contactor or subcontractor to create, maintain, protect, expand or restore domestic industrial base capabilities critical to DoD, mitigate industrial base shortfalls or risks, or reduce reliance on foreign supply chains.  The potential expansion of the pool of domestic sources eligible for such funding could lead to increased opportunities for businesses in allied nations to seek DPA Title III funding in some circumstances.  That said, recent DPA Title III awards have focused on U.S. and not Canadian businesses, so it is unclear the extent to which DoD may be inclined to spread its pool of DPA Title III funds outside the United States, even with broader authority to do so.

Defense contractors, technology providers, life science companies and commercial-item contractors—and those who invest in these companies—should watch this legislation carefully.  Although it is uncertain which of the below provisions will remain in the final FY 2024 NDAA, it is clear that the House and Senate—supported by the White House—are signaling strong support for increasing domestic sourcing requirements.

Following our recent overview of key topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to the People’s Republic of China (“China” or “PRC”) in each of the House and Senate bills.  DoD’s focus on strengthening U.S. deterrence and competitive positioning vis-à-vis China features prominently in the 2022 National Defense Strategy (“NDS”) and in recent national security discourse.  This focus is shared by the Select Committee on Strategic Competition Between the United States and the Chinese Communist Party (“Select Committee”), led by Chairman Mike Gallagher (R-WI) and Ranking Member Raja Krishnamoorthi (D-IL). 

It is no surprise, then, that House and Senate versions of the NDAA include hundreds of provisions—leveraging all elements of national power—intended to address what the NDS brands as China’s “pacing” challenge, including many grounded in Select Committee policy recommendations.  Because the NDAA is viewed as “must-pass” legislation, it has served in past years as a vehicle through which other bills not directly related to DoD are enacted in law.  In one respect, this year is no different—the Senate version of the NDAA incorporates both the Department of State and Intelligence 2024 Authorization bills, each of which includes provisions related to China. 

Continue Reading Not to Be Outpaced: NDAA Presents Measures Addressing China

This is the twenty-seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during July 2023. 

Continue Reading July 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

It’s that time of year again: the House and Senate have each passed their respective version of the National Defense Authorization Act for FY 2024 (“NDAA”) (H.R. 2670, S. 2226).  The NDAA is a “must pass” set of policy programs and discretionary authorizations to fund Department of Defense (“DoD”) operations.  Lawmakers are currently undertaking the arduous process of reconciling these bills, while jockeying to include topics of importance in the final legislation.  The engrossed bills contain a number of significant provisions for defense contractors, technology providers, life science companies and commercial-item contractors – many of which we discuss briefly below and others that we will analyze in more depth in our NDAA series in the coming weeks.  Subscribe to our blog here so that you do not miss these updates.

Continue Reading Key Topics to Watch as Congress Works to Fund Next Year’s DoD Budget

Section 804 of the House-enacted version of the National Defense Authorization Act for Fiscal Year 2024 would establish a “loser pays” pilot program to require contractors to reimburse the Department of Defense for costs incurred in “processing” bid protests that are ultimately denied by the Government Accountability Office.  The accompanying House Armed Services Committee report explains the provision’s intent as “curtailing wasteful contract disputes.” 

Continue Reading <em>Should Bid Protest Losers Pay?</em>

In Honeywell International, Inc., the ASBCA declined to dismiss a roughly $151 million claim by DCMA alleging a violation of CAS 410, holding that the government’s allegations were sufficient to state a claim for improper treatment of G&A expenses.  The Board’s decision provides guidance on how to interpret CAS 410 — a topic that is often addressed by auditors, but has rarely been the subject of written opinions by the courts or boards of contract appeals.

Continue Reading ASBCA: Government Can Pursue $151 Million Claim Under CAS 410

On June 13, 2023, the Department of Defense announced that the Secretary of Defense approved recommendations for strengthening the Foreign Military Sales program and instructed FMS-implementing agencies to move forward with these recommendations.  It remains to be seen how the DoD agencies will implement the recommendations, and there is a possibility that legislative action will impact FMS reform and supplement or supersede these recommendations.

Last year, the Pentagon formed a Tiger Team to evaluate the FMS program and consider potential improvements.  As part of that process, the Tiger Team solicited industry input in the form of a November 2022 report compiled by the Aerospace Industries Association, the Professional Services Council, and NDIA, and a follow-on set of seven industry recommendations released in February of this year.  Last month, the Tiger Team released (and the DoD adopted) its own set of six recommendations which largely mirror the broad goals – if not the specific action items – set forth in the industry recommendations. 

Continue Reading The Department of Defense Targets FMS Program Enhancements

This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through May 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during June 2023.

NIST Hosts Workshop on Common Attestation Form

On June 1, 2023, NIST hosted a workshop on OMB M-22-18 Minimum Requirements for secure software self-attestations pursuant to Section 4 of the Cyber EO.  The workshop included two panels with speakers from OMB and CISA.

During the workshop, OMB announced that the deadline for self-attestations had been extended and this was confirmed in a June 9, 2023 follow up OMB Memorandum (see below).  OMB representatives also noted that they anticipate the Common Form will be finalized this Fall or Winter. 

Additionally, OMB representatives acknowledged that some agencies had already issued their own self-attestation forms and guidance earlier this year (e.g., NASA and GSA), but stated that they expect that these agencies may make some changes to the attestation process based on OMB’s updated timeline.  OMB representatives reiterated that although agencies are free to supplement the common form issued by CISA with additional requirements, they understood that most agencies did not intend to differ much from the common form.  If an agency chooses to forgo the common form and create its own form entirely, OMB representatives explained that the agency would need to follow the full Paperwork Reduction Act process. 

OMB representatives confirmed that they are working on creating a central repository for self-attestation forms.  Contractors would be able to upload their attestations to the central repository, and agencies would be able to access the repository.  They noted that one goal of the repository is to avoid duplicative asks of contractors.  This repository is still a work in progress, and until it is complete, agencies will need to collect self-attestation forms from contractors directly.

OMB representatives confirmed that contractors will be able to use a POA&M if they are unable to attest to implementing all of the requirements identified in the self-attestation form.  Contractors will not be allowed to do a partial self-attestation.  OMB representatives stated that it was unlikely that a template POA&M would be created due to the unique nature of software products.

When asked about the definition of critical software, OMB representatives responded that they understood that most agencies would be using the NIST definition of critical software.  They acknowledged that some vendors may not know that they had been identified as critical.  They encouraged vendors to reach out to agencies to discuss but did not provide more guidance. 

When asked whether OMB anticipated any guidance or memorandum that would standardize the SBOM process, the OMB representatives responded that they were considering such an approach, but more time was needed.  They reiterated that SBOMs are not part of the minimum requirements at this time, but SBOMs could be incorporated as a minimum requirement in the future.

Finally, the OMB representatives stated that they thought it would make practical sense for companies to self-attest for the entire company if possible, instead of on a product by product basis.

OMB Issues M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”

On June 9, 2023, OMB published M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (“June 2023 Update”).  M-22-18, published in September 2022, mandates that to use software, agencies must first obtain a self-attestation from software providers that the software developer follows the secure development processes described by NIST Secure Software Development Framework (“NIST SP 800-218”) and the NIST Software Supply Chain Security Guidance.  CISA released a draft self-attestation form in late April that largely tracks the NIST standards, but the form has not yet been finalized.  The June 2023 Update provides several significant updates and clarifications to the self-attestation process. 

First, the timeline by which agencies must collect attestations or POA&Ms is extended, as the final form for attestation is not yet available.  The new deadlines for agencies to collect attestations are three months after CISA and OMB finalize the common form for critical software and six months after for all other software.

The June 2023 Update provides that agencies will only need to collect the attestations from the prime contractor, though this puts the burden on prime contractors to ensure they can provide the attestation with respect to the entire software end product, including with respect to the integration of components that may be developed by subcontractors or other third parties.

Moreover, the June 2023 Update states that agencies are not required to collect an attestation for open source software, including software that is proprietary but feely obtained and publicly available.  Additionally, agencies are not required to collect an attestation for agency-developed software, which is software that the contracting agency has sufficient control over that the agency itself is able to ensure the secure software development practices are followed throughout the entire software development lifecycle.  The memorandum further clarifies that agency CIOs are required to make the determination of whether a software can be considered agency-developed.

Where a contractor submits a POA&M instead of an attestation of current compliance, the June 2023 Update noted that the contractor must identify the specific practices to which it cannot attest and document the practices it has in place to mitigate associated risks.  The agency may continue to use the software if it finds the POA&M satisfactory, but must also provide the POA&M to OMB and seek OMB’s approval for an extension of the attestation requirement.

CISA Hosts an SBOM-a-rama

On June 14, 2023, CISA hosted an “SBOM-a-rama” to discuss the current state of Software Bill of Materials (“SBOM”) and next steps.  Sessions covered sector specific SBOM work as well as generally applicable concerns about SBOMs, like the sharing and exchanging of SBOMs and how to implement an SBOM.

One of the speakers at the SBOM-a-rama was Shon Lyublanovitz, the leader of CISA’s cyber supply chain risk management (C-SCRM) program office, which is responsible for reviewing and responding to the comments on CISA’s proposed common self-attestation form.  In response to a question regarding why there was no mention of SBOMs in the common form, Ms. Lyublanovitz stated that OMB wants to take a “crawl, walk, run” approach and therefore decided not to include a requirement for SBOMs in the proposed common form.  She noted, however, that agencies can ask for SBOMs if they want to.  She also noted that provenance is mentioned in the SSDF in the context of third-party software code, and invited comments on how stakeholders planned to address this requirement.

Following the SBOM-a-rama, CISA officials distributed to the participants a draft of “SBOM FAQs” that consisted of approximately 30 pre-existing or revised questions and answers as well as nine new questions and answers. These officials invited comments on the new and modified FAQs. When finalized, CISA intends to post the FAQs on its website as a resource for the SBOM community.

CISA Receives Comments on the Secure Software Development Attestation Common Form

As discussed above, on April 27, 2023, CISA released a 60-day Request for Comment on its draft secure software development attestation common form, which was developed in close consultation with OMB.  The Request for Comment stated that CISA would accept comments through June 26, 2023.  While the comment period deadline has passed, organizations and others have continued to submit comments.  As of June 28, 2023, CISA had received 110 comments on the draft common form, including from major trade industry groups and coalitions.  The comments have raised various points and concerns regarding the draft common form, including (but not limited to):

  • Mapping Inconsistencies – Some comments stated that the common form’s requirements are inconsistent with NIST SP 800-218. 
  • Verification Evidence and Artifacts – Some comments stated that the common form did not provide guidance regarding artifacts that agencies may require as part of the attestation process. 
  • Scope of “Software” – Some comments have raised concerns and questions about the scope of the definition of “software” under OMB Memorandum M-22-18, including whether the requirements are intended to apply to commercially available off-the-shelf products, Internet of Things (“IoT”) devices, and hardware products that may contain software and connect to government information systems.

On June 21, 2023, DHS published a final rule that amends the Homeland Security Acquisition Regulation (HSAR) both by modifying the existing regulations through removing and updating existing clauses and by adding new contract clauses to include certain requirements for the safeguarding of Controlled Unclassified Information (CUI).  The final rule, first released in proposed form by DHS in January 2017, implements security and privacy measures to safeguard CUI and facilitates improved incident reporting to DHS .  DHS has said the new measures are “necessary because of the urgent need to protect CUI and respond appropriately when DHS contractors experience incidents with DHS information,” in light of “[p]ersistent and pervasive high-profile breaches of Federal information” in government contracts.

Below we summarize certain key requirements from the rule, consider how the new DHS rule may impact government contractors, and discuss best practices for contractors impacted by the rule.

Department of Homeland Security Final Rule on Safeguarding CUI

At a high level, the rule “strengthens and expands existing HSAR language to ensure adequate security when: (1) contractor and/or subcontractor employees will have access to CUI; (2) CUI will be collected or maintained on behalf of the agency; or (3) Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI.”  Government contractors should take particular note of the three DHS contract clauses covered by the rule and discussed in more detail below.

3052.204–71 Contractor Employee Access Clause

The first contract clause in the DHS rule concerns contractor employee access to CUI.  The clause is required in DHS contracts when contractor and/or subcontractor personnel require “recurring access to government facilities or access to CUI.”  In particular, “Contractor employees” working on contracts that incorporate the clause will be required to “complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability” and to submit such forms as directed by the contracting officer.  The contracting officer will have the authority to require to the contractor to prohibit individuals from working on the contract if determined to be contrary to the public interest for any reason, including carelessness and incompetence.  Additionally, “[a]ll Contractor employees requiring recurring access to government facilities or access to CUI or information resources are required to have a favorably adjudicated background investigation prior to commencing work [on their respective contracts] unless this requirement is waived under departmental procedures.”  Additional security requirements apply where contractor employees need access to Federal information systems during contract performance.

 The clause also contains a very broad non-disclosure prohibition stating that contractors  “shall not disclose, orally or in writing, CUI for any other purpose to any person unless authorized in writing by the Contracting Officer.”  Given the continuing challenge that contractors (and the government) face with regard to identifying which data relating to a contract qualifies as CUI, many contractors may default to taking an expansive view of what qualifies as CUI.  Moreover, this provision imposes training requirements addressing the protection and disclosure of CUI on contractor employees who will access CUI under the contract.  This training must take place no later than 60 days after contract award, with refresher training every two years.  Finally, this clause must be flowed down to all subcontractors “at any tier where the subcontractor may have access to government facilities, CUI, or information resources.”  

3052.204–72 and ALT.1 Safeguarding of Controlled Unclassified Information Clause

The second contract clause imposes precautions that contractors must take to safeguard and properly handle CUI, incident reporting and response requirements, and a requirement to sanitize government and government-activity related files and information upon conclusion of the contract.  The base clause applies when contractor and/or subcontractor employees will have access to CUI; or CUI will be collected or maintained on behalf of DHS.  The ALT 1 version of the clause applies to information system that a contractor is operating on behalf of DHS, which is used to collect, process, store, or transmit CUI. Under the ALT 1 version of the clause, contractors cannot operate a system on behalf of DHS until they receive an authority to operation (ATO).

Regarding the handling of CUI, “Contractors and subcontractors must provide adequate security to protect CUI from unauthorized access and disclosure.”  In turn, the regulations define “Adequate security” to mean compliance with “DHS policies and procedures in effect at the time of contract award.”  Additionally, the clause prohibits contractors from maintaining Sensitive Personally Identifiable Information (SPII) in their invoicing, billing, or other recordkeeping systems.  The clause requires contractors to report known or suspected incidents involving Personally Identifiable Information (PII) or SPII within 1 hour of discovery, and other incidents within 8 hours of discovery.  It further specifies that CUI must only be transmitted via email through encrypted means or within secure communications systems.  The safeguarding requirements include a link to DHS policies and procedures in place at the time of award, which include numerous directives, handbooks, guidelines, and templates.  

Although HSAR 3052.204–72 addresses obligations of contractors employees who access CUI, it specifically reserves any statement as to  security safeguards on nonfederal  information systems that store, process, or transmit CUI, indicating that “[t]he rule is intentionally silent on the security requirements applicable to nonfederal information systems because NARA is working with the FAR Councils, in which DHS is a participant, to develop a FAR CUI rule that addresses the requirements nonfederal information systems must meet before processing, storing, or transmitting CUI.”  Instead, the clause formalizes certain processes where a contract operates an information system on behalf of a federal agency that is used to store, process, or transmit CUI (i.e., federal information systems), including ATO procedures and continuous monitoring obligations.

3052.204–73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents Clause

The third, and final, contract clause relates to notification and credit monitoring requirements for PII.  After an incident involving PII or SPII occurs, the clause requires contractors to “notify any individual whose PII or SPII was either under the control of the Contractor or resided in an information system under control of the Contractor at the time the incident occurred” within 5 business days of being directed to do so by their Contracting Officer.  The rule presumably is targeting DHS employee PII or SPII that is “under the control of the Contractor” or “resid[es] in an information system under control of the Contractor”, rather than contractor employee information. 

The final rule will take effect thirty days after its publication in the Federal Register, on July 21, 2023.

Takeaways for Government Contractors

DHS’s new final rule is the most recent cybersecurity regulation at the federal level, and it explicitly recognizes that additional FAR rules are expected.  Its publication, however, highlights several important takeaways for those in the contractor community.

Employee Vetting Requirements.

The rule imposes stringent vetting requirements where contractor employees require access to CUI in performance of a DHS contract.  This is a broad requirement that could potentially impact a large portion of a contractor’s workforce where those employees perform work for DHS.  Additionally, the rule leaves open the possibility that vetting requirements may vary by contract.  Contractors should ensure that the costs of these efforts are appropriately built into their cost or pricing proposal.  Contractors should also develop a clear understanding of who within their workforce could potentially access CUI relating to a DHS contract (including third parties), and take steps to ensure that access is appropriately restricted to those employees unless they are read on to the contract.

Reporting Requirements.

The rule significantly shortens applicable incident reporting timelines as compared to other agencies.  For example, the Department of Defense requires contractors to report cybersecurity incidents within 72 hours of discovery.  As noted above, the DHS rule requires incidents to be reported within 8 hours of discovery, and incidents involving PII or SPII within 1 hour of discovery.  Contractors should accordingly take steps to revise their incident reporting policies appropriately to ensure that these timeframes are met.

Identification of CUI.

The significant safeguarding, incident reporting, training, and background investigation requirements imposed by this rule are all premised on contractors being able to determine which employees are accessing CUI, including which data the contractor generates during performance of a contract qualifies as CUI.  Effective communication both with the government and contractor employees will be necessary to ensure that contractors and the government are aligned on which data are CUI, thereby triggering some of these requirements.

Forthcoming FAR Rules.

This rule foreshadows the publication of three long-awaited FAR rules.  The first is a rule (FAR Case 2017-016) that would provide implementing regulations to address agency policies for “designating, safeguarding, disseminating, marking, decontrolling and disposing of CUI.”  As noted above, a common understanding of what data qualifies as CUI is the cornerstone to safeguarding the data and to recognizing when an incident occurs.  In addition, two other related FAR rules are expected to “standardiz[e]common cybersecurity contractual requirements across Federal agencies (FAR Case 2021-019),” and impose Executive Branch-wide requirements for reporting cyber incidents and sharing information about cyber threats (FAR Case 2021-017).  As of June 23, 2023, drafts of all three proposed rules had been sent to OIRA for final review before publication.  Contractors should continue to track the progress of these three key proposed rules, as they will supplement DHS’s new final rule and also impose common baseline cybersecurity requirements for all federal agencies.

This is the twenty-fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through April 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during May 2023. 

Continue Reading May 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy