On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.
On September 14, 2022, the Director of the Office of Management and Budget (“OMB”) issued a memorandum to the heads of executive branch departments and agencies addressing the enhancement of security of the federal software supply chain. The memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information,” and requires new self-attestations from software vendors before that software can be used by agencies.
The memorandum is one among many deliverables stemming from Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). We have covered developments under this Executive Order as part of a series of monthly posts: the first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through August 2022. Key requirements of the memorandum are discussed in more detail below.
Self-Attestation of Secure Development Practices and Third Party Assessments
The memorandum represents a significant step in implementation of the Cyber EO. It mandates that to use software, agencies must first obtain a self-attestation from software providers that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance (discussed here) (collectively, “NIST Guidance”). The Federal Acquisition Regulatory Council (“FAR Council”) will propose rulemaking on a standard self-attestation form, although the memorandum requires each agency to begin to obtain self-attestations from vendors regardless of whether the FAR is amended to provide a standard self-attestation form. The memorandum indicates that a self-attestation would contain at least the following elements:
- The software producer’s name;
- A description of the product or products to which the statement refers;
- A statement attesting that the software producer follows secure development practices and tasks that are itemized in the standard self-attestation form.
Given the lack of a FAR rule, contractors may be faced with differing, and potentially conflicting, requirements for attestation and should scrutinize the requests until a common attestation is developed.
Where a software provider cannot attest to all required security practices, then the software provider may document those practices that are in place, and describe the plan for implementing the remaining practices in a Plan of Action and Milestones (“POA&M”). The determination as to whether the implemented controls and the POA&M are satisfactory will rest with the agency.
The memorandum also notes that “[s]elf-attestation is the minimum level required,” and that in some cases the criticality of the service or product may warrant a third party assessment in addition to the self-assessment. The criticality of the software will be determined either based on the factors of a memorandum issued by OMB on August 10, 2021 (which we discussed here) or will otherwise be based on the agency’s determination. Where these third party assessments are conducted by a certified FedRAMP Third Party Assessor Organization (“3PAO”) or one approved by the agency, and where the NIST Guidance is used as assessment baseline, then a self-attestation may not be required. There is no additional guidance on how these third party assessments should be implemented.
Importantly, the term “software” for purposes of the vendor self-attestation required by the memorandum is quite broad. It expressly includes (in addition to conventional software) “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”
Software Bill of Materials
In addition to requiring agencies to collect self-attestations for any software used, the memorandum also provides that a Software Bill of Materials (“SBOM”) or other artifact may be required by the agency in solicitation requirements. If required, SBOMs must either be retained by the agency or posted on the website of the software producer. SBOMs must be generated in the format set forth in a report issued by the National Telecommunications and Information Administration or successor guidance by the Cybersecurity and Infrastructure Security Agency (“CISA”).
Acquisitions and Timing of Implementation
The memorandum indicates that agencies can ensure compliance either through specification of the requirements in the Request for Proposal or in other solicitation documents. The requirements are expected to be implemented by agencies at a fairly rapid pace:
- Within 120 days of publication of the memorandum (January 12, 2023), agencies are required to develop a consistent process to communicate relevant requirements in this memorandum to vendors.
- Within 270 days of publication of the memorandum (June 11, 2023), agencies are required to collect self-attestation letters from “critical software” providers.
- Within 365 days of publication of the memorandum (September 14, 2023), agencies are required to collect self-attestation letters from all software providers.
It is also anticipated that concurrent with these implementation steps, CISA will work to develop a federal interagency software artifact repository, although full operational capability of the repository appears to be contemplated to occur much later. Extensions and waivers may be granted to agencies in certain cases.
Implications for Contractors
There is uncertainty in exactly how contractors will be impacted by the implementation of these requirements. Some initial questions are as follows:
- Scope and Nature of Third Party Assessments. The requirement for third party assessments of compliance with secure software development practices represents a potentially significant risk for developers that sell “critical” software to the Government. The memorandum does not establish guidance on how these assessments would occur or whether and how any deficiencies identified during an assessment may be remediated by the software developer. Moreover, the guidance does not indicate what the scope of these assessments might be. Along these lines, the memorandum indicates a preference for self-attestations to be broad, “preferably focused at the company or product line level and inclusive of all unclassified products sold to Federal agencies.” Thus, it is not clear whether an entire company would be assessed, or only the individualized product or service, or even whether such a distinction would be possible to draw given the scope of the supply chain security requirements.
- Impacts to Hardware and IT Service Providers. The memorandum is clear that these self-attestations must be obtained directly from the software producer. However, in many cases software producers are not in direct privity with the Government, and either may sell through a third party retailer, or sell to hardware or IT service providers for integration into an end-product or service. Moreover, in some cases the sales of these end-products to integrators or resellers may only represent a small amount of revenue for the software developer. Where this is the case, then obtaining a self-attestation from the software developer may be challenging. Although the memorandum contemplates that agencies may obtain an extension or a waiver, the guidance notes that waivers will be granted “only in the case of exceptional circumstances and for a limited duration.”
- Timing of Implementation. As noted, self-attestations will be required from “critical software” providers by June 11, 2023 and by all software providers by September 14, 2023. This only allows for a limited time window for those software developers to implement the supply chain security practices contemplated by the memorandum and to achieve sufficient confidence in that implementation in order to issue certifications to the Government. Even where the use of POA&Ms is possible, it is not clear what agencies will be willing to accept, which could create uncertainty for many software providers that are making determinations about where to locate software development resources and other investments that may need to be made to continue sales to the Government as an end-customer.
- Existing Software. The memorandum only requires self-attestation for new software releases and for major version changes of software. To that end, these certifications could potentially represent another hurdle to agencies facing complex software updates and mitigations. Where the marketplace has few options for alternatives, this may encourage some agencies to choose to keep old software running for longer than would otherwise be the case, and even delay planned upgrades where obtaining a self-certification is not possible. Accordingly, some contractors could see extensions of support contracts and requests for continued patches where they are unable to attest to the new requirements.
- Artifacts. In a number of areas, contractors may be required to submit artifacts or information to agencies that address the composition of their software and the software development practices used in creating their products. The NIST Guidance recognizes that certain artifacts – “low level” artifacts generated during software development – are likely to contain intellectual property and proprietary information. As such it recommends agencies avoid seeking such information. Nonetheless, contractors will want to consider addressing how the government will secure the artifacts and information it provides and ensure that appropriate markings are included on any submission to protect intellectual property rights.
- Competitive Evaluations. The memorandum also states that agencies must “integrate the NIST Guidance into their software evaluation process…” The memorandum envisions this occurring in a number of ways including as requirements in a solicitation. They also could show up as evaluation factors. No matter how imposed, these requirements may become the focus of future bid protests.
The memorandum describes these as “minimum requirements.”
The 270 day mark falls on a Sunday, so the implementation deadline could occur a couple of days earlier.
This is the fifteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through June 2022. This blog describes key actions taken to implement the Cyber EO during July 2022.
NIST Issues Report to White House on Software Supply Chain Security Deliverables Mandated by the Cyber EO
On July 5, 2022, the Department of Commerce publicly released its May 11, 2022 Report to the President on its progress to implement Section 4 of the Cyber EO, including its software supply chain security provisions. Although the report touts certain progress made by the Department of Commerce to implement the EO, the Report discloses that the deliverables required by Sections 4(n), (o), and (p) have not yet been delivered:
- Section 4(n) requires the Department of Homeland Security (“DHS”) to recommend to the Federal Acquisition Regulatory Council (“FAR Council”) by May 12, 2022 contract language requiring suppliers of software available for purchase by federal government agencies to comply with, and attest to complying with, the guidance for security measures for critical software use issued by the National Institute of Standards and Technology (“NIST”) on July 9, 2021.
- Section 4(o) states that after receiving DHS’s recommendations, the FAR Council shall review the recommendations and, as appropriate and consistent with applicable law, amend the FAR.
- Section 4(p) states that following the issuance of any final FAR rule, agencies shall, as appropriate and consistent with applicable law, remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts, Federal Supply Schedules, Government-wide Acquisition Contracts, Blanket Purchase Agreements, and Multiple Award Contracts.
Regarding the DHS recommendations required by section 4(n), the Commerce Report states that “Work is in Progress.” Regarding the FAR amendment requirements of sections 4(o) and (p), the Report states that “[r]ecommendations have not yet been received by the FAR Council,” and that “[t]he FAR final rule has not yet been issued.” However, it notes that FAR (contract) language requiring software providers to comply with and attest to complying with the NIST supply chain security guidelines is “an important security criteria enforcement mechanism for reducing the vulnerability of critical systems to nation-state or criminal attacks,” and urges DHS, OMB, and the FAR Council to complete the FAR revision process contemplated by sections 4(n)-(p) of the Cyber EO.
Cyber Safety Review Board Issues Report on Log4j Event and Recommends the Government Explore Imposing a Baseline Requirement for Software Transparency on Government Contractors
On July 11, 2022, the Cyber Safety Review Board established by the Cyber EO issued a report on its review of the December 2021 Log4j Event. In reviewing the vulnerability and its impact on organizations, the Board highlighted that the organizations that were able to respond most effectively had “technical resources and mature processes to manage assets, assess risk, and mobilize their organization and key partners to action.” The Board noted, however, that few organizations were able to achieve this type of response.
Drawing on these and other observations, the report contains numerous recommendations that span from those centered on dealing with the Log4j vulnerability itself, to improving security hygiene, to building a better software ecosystem, to making certain investments in the future. Two notable recommendations include: (1) improving Software Bill of Materials (“SBOM”) tooling and adaptability, and (2) exploring a baseline requirement for software transparency for federal government vendors.
Regarding SBOM tooling and adaptability, the Board’s report notes that “[o]rganizations need the ability to quickly identify vulnerable software to facilitate swift response. Traceability capabilities, such as SBOMs that can catalog the components of software, are promising possibilities, but at present are limited.” The report states that “[t]he Board anticipates future improvements in SBOM implementations and adoption, which may enable organizations to leverage SBOMs for vulnerability management.” Pending such improvements, the Board recommends that “software developers should generate and ship SBOMs with their software, and be prepared to incorporate improvements in the tooling and processes as they become available to the industry.” The Board also notes that the Cyber EO “provides a roadmap for the inclusion of SBOMs when providing software to the federal government.”
Regarding a baseline requirement for software transparency in federal procurement, the Report states that the US Government is a significant consumer of software, and “should be a driver of change in the marketplace around requirements for software transparency.” The Report recommends that OMB and the FAR Council “use various mechanisms to minimize the US government’s use of software without provenance and dependency information,” and should consider using “procurement requirements, federal standards and guidelines, and investments in automation and tooling, to create clear and achievable expectations for baseline SBOM information.” The Report further states that OMB should set a specific timeframe to achieve these goals.
In a related development, Section 1627 of the Senate FY2023 National Defense Authorization Act bill (S.4543) released on July 18, 2022 would require DOD to amend the DFARS to require an SBOM for all noncommercial software created for or acquired by DOD. Section 1627 would also require DOD to study whether to acquire SBOMs for such software already acquired by DOD, and, in consultation with industry, to develop an approach for “operationalizing” SBOMs for commercial software acquired by DOD.
NIST Releases Second Volume of Zero Trust Practice Guide
The NIST National Cybersecurity Center of Excellence published a preliminary draft of the second volume, SP 1800-35B, “Implementing a Zero Trust Architecture.” See also NIST Computer Security Resource Center, SP 1800-35. This particular volume contains “use cases” for using commercially available technology to build Zero Trust Architecture (“ZTA”) example implementations consistent with the standards in NIST SP 800-207, “Zero Trust Architecture.”
The guidance is part of a broader publication that is intended to allow organizations to enable secure access to enterprise resources that are distributed across on-premises and cloud environments. The project involves NIST’s collaboration with a number of ZTA technology providers. Although the drafts are evolving, the guidance is currently comprised of multiple parts:
- NIST SP 1800-35A: Executive Summary. This is intended to be used to allow business decision makers to “to understand the drivers for the guide, the cybersecurity challenge we address, our approach to solving this challenge, and how the solution could benefit your organization.”
- NIST SP 1800-35B: Approach, Architecture, and Security Characteristics. This is intended to be used by technology, security, and privacy program managers to allow them to understand, assess, and mitigate risk and will “describe what we built and why, including the risk analysis performed and the security/privacy control mappings.”
- NIST SP 1800-35C: How To Guides. These are intended to be used by IT professionals and “will provide specific product installation, configuration, and integration instructions for building this project’s example implementations, allowing them to be replicated in whole or in part.”
- NIST SP 1800-35D: Functional Demonstrations. This is also targeted to IT professionals, and highlights use cases to showcase ZTA security capabilities and the results of demonstrating them with each of the example implementations.
On Thursday, September 15, 2022, an en banc panel of the Fourth Circuit Court of Appeals heard oral argument in the rehearing of an important case concerning the “knowledge” element of the False Claims Act—United States ex rel. Sheldon v. Allergan, No. 20-2330. The panel was active, posing numerous questions for both parties during the oral argument, which spanned approximately 94 minutes. The audio recording of this hearing is available here.
As Covington has reported in the past, this appeal concerns questions related to the scope of the False Claims Act’s “knowledge” requirement. In its January 25, 2022 decision, the Fourth Circuit upheld the district court’s dismissal, finding that under the FCA “a defendant cannot act ‘knowingly’ as a matter of law if it bases its actions on an objectively reasonable interpretation of the relevant statute when it has not be warned away from the interpretation by authoritative guidance” and that “this objective standard precludes inquiry into a defendant’s subjective intent.” United States ex rel. Sheldon v. Allergan Sales, LLC, 24 F.4th 340, 348 (4th Cir. 2022). That opinion was also subject to a strong dissent by Judge Wynn, which argued that the majority opinion disregarded two of the three FCA’s enumerated forms of knowledge (actual knowledge and deliberate ignorance), focusing only on the Safeco test for objective recklessness.
Last December, President Biden issued Executive Order 14057, “Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability,” which directed the government to adopt cleaner and more sustainable procurement practices, with the ultimate objective of net-zero emissions by 2050.
Pursuant to that directive, GSA has issued a new RFI seeking information regarding domestically manufactured solar photovoltaic (PV) panels and systems, as well as PV system installation. GSA intends to use the information to develop a solar PV procurement strategy and a procurement standard for use in future solicitations — including solicitations for Power Purchase Agreements (PPA), Energy Savings Performance Contracts (ESPCs), Utility Energy Service Contracts (UESCs), and other vehicles.
Given the RFI’s emphasis on sourcing and country of origin, it is possible that any new procurement standards for civilian contracting would parallel existing regulations at DFARS 252.225-7017, which generally require DoD contractors to make use of PV devices originating from the United States or certain designated or qualifying countries. Of course, the ultimate impact of the RFI on future procurement strategy remains to be seen. What is certain, however, is that the Administration is committed to clean technology procurements and that domestic preferences remain an overriding and central concern.
Comments in response to the RFI are due by November 18, 2022. More detail about specific topics covered in the RFI is below.
Questions for Manufacturers
Consistent with the current intense focus on reshoring U.S. industry, the RFI includes multiple questions aimed at assessing the current state of domestic PV manufacturing. For example, the RFI asks PV manufacturer respondents to provide their “production capacity of domestically manufactured solar panels,” and similarly asks those respondents to list the countries of origin for both components and raw materials. It also asks respondents to describe their traceability and supply chain controls, and one question is specifically focused on understanding the administrative burden imposed by the Uyghur Forced Labor Prevention Act (UFLPA). (The UFLPA has particular significance in the PV industry due to the amount of polysilicon sourced from the Xinjiang region).
At the same time, the RFI also directly asks manufacturers whether they are able to comply with the 55% domestic content threshold for manufactured products incorporated into infrastructure projects under the Infrastructure Investment and Jobs Act (IIJA). The RFI further asks whether manufacturers will be able to comply with the new Buy American domestic content threshold for certain other types of procurements; that threshold is set to rise to 60% on October 25, 2022, increase to 65% in 2024, and then to 75% in 2029.
Questions for Installers & Developers
GSA is evaluating not only the market for PV manufacturing, but also the markets for PV installation and solar generation facility development. To that end, the RFI asks installers to provide information about their use of domestically-produced PV panels and components, as well as whether they can identify any “barriers” to using domestically manufactured PV panels and components in their future projects. Separately, the RFI also asks developers whether there are “obstacles to identifying skilled labor to complete the installations.”
Questions for Energy Producers
Finally, the RFI also asks respondents to identify the “likely impacts of the Government requiring in its procurements that solar energy under such contracts be generated using domestically manufactured PV panels or components.” Respondents are asked to identify both the benefits and drawbacks of such an approach; developers are also asked whether such a requirement would change their willingness to participate in future federal opportunities.
On September 12, 2022, President Biden issued an Executive Order (“E.O.”) announcing the National Biotechnology and Biomanufacturing Initiative, a “whole-of-government” effort to further biotechnology and biomanufacturing innovations in health, climate change, energy, food security, agriculture, supply chain resilience, and national and economic security. The White House subsequently announced that the Initiative would cost $2 billion. If successful, the Initiative could have sweeping impacts across the entire biotechnology research and development (“R&D”) lifecycle. A summary of the E.O., its requirements, and key takeaways are set forth below.
With continued inflation putting pressure on the defense supply chain, the Department of Defense (“DoD”) has released guidance encouraging contracting officers to provide mutually agreeable relief to fixed-price contractors facing untenable costs.
DoD’s guidance, dated September 9, 2022 and available at the link here, follows a similar guidance earlier this summer which recommended that contracting officers consider including economic price adjustment clauses in new solicitations. We previously wrote about that guidance here.
The latest guidance acknowledges that firm-fixed-price contractors face the burden and risk of cost increases due to inflation. Through this guidance, DoD expresses sympathy for contractors in this situation, and as a potential remedy, encourages contracting officers to work with contractors to combat the impacts of rising costs by “mutual agreement.” For example, DoD provides that contract amendments could be executed to the benefit of both parties, such as schedule adjustments for contractors in exchange for “adequate consideration” for the government. It is not entirely clear what is meant by adequate consideration—nor is it clear how a schedule extension would alleviate rising costs. However, the latest guidance provides support for contractors in difficult situations to approach their contracting officers and seek a negotiated solution.
The guidance also indicates that DoD contracting officers may account for current economic conditions by granting requests for “Extraordinary Contractual Relief” under Public Law 85-804, as implemented by Subpart 50.1 of Federal Acquisition Regulation. Although this authority can only be used “to facilitate the national defense” when “other legal authority . . . is deemed to be lacking or inadequate” to remedy the situation—amongst other “stringent criteria” that must be met—it ultimately allows for the amendment of contracts without consideration.
DoD’s invocation of Public Law 85-804 is a promising sign for contractors, and it remains to be seen how DoD will use this authority. Public Law 85-804 has traditionally been invoked, for example, to provide indemnities to contractors working on hazardous projects. But it has a broader potential application in cases affecting the national defense, and it is welcome news for the contractor community to see the Department recognizing this in the current economic climate. The memorandum also provides that DoD will be collecting all Public Law 85-804 requests related to inflation.
While this guidance isn’t exactly a homerun for firm-fixed-price contractors, it is slightly more optimistic than DoD’s previous guidance, which primarily denied remedies for contractors under firm-fixed-price contracts and instead focused on language that could be included to avoid a similar fate under future contracts. Even for contractors that ultimately decide against submitting a Public Law 85-804 request, this slightly more sympathetic tone from DoD may encourage contracting officers to take a harder look at requests for equitable adjustments or find common ground for a contractual amendment.
Update as of September 15, 2022: OFCCP has extended the deadline by one month for contractors to submit objections to the FOIA request described in this article. The new deadline is October 19, 2022. Additionally, in an effort to clarify which government contractors are covered by this FOIA request, OFCCP has indicated that it will be reaching out to “contractors that OFCCP believes are covered by this FOIA request” using the “email addresses provided as a contact for the EEO-1 report” through OFCCP’s Contractor Portal.
* * *
In response to a broad Freedom of Information Act (“FOIA”) request, the Office of Federal Contract Compliance Programs (“OFCCP”) may produce the Employment Information (“EEO-1”) Type 2 filings of up to 15,000 government contractors unless written objections are filed by September 19, 2022. This blog post explains the information that OFCCP has been asked to release and factors that government contractors should consider in deciding whether an objection to the release of this information is appropriate and advisable.
UPDATED AS OF 9/1/2022: On August 31, 2022, the Safer Federal Workforce Task Force officially announced that the Federal Government will not enforce the federal government contractor vaccination mandate, absent further written notice. The Task Force announcement is posted on its website here.
An analysis of the Eleventh Circuit decision that preceded this announcement is below.
On Friday, August 26, 2022, the U.S. Court of Appeals for the Eleventh Circuit upheld but narrowed a preliminary injunction currently in place against the Biden Administration’s COVID-19 vaccine mandate for federal government contractors (“the mandate”). As discussed in our previous post, in December 2021, the U.S. District Court for the Southern District of Georgia issued a nationwide preliminary injunction blocking the mandate. The Eleventh Circuit’s decision drops the nationwide injunction, and now blocks enforcement of the mandate only with respect to the plaintiffs in the case: Alabama, Georgia, Idaho, Kansas, South Carolina, Utah, and West Virginia, and the construction trade group Associated Builders and Contractors, Inc.
On August 25, 2022, President Biden announced a new Executive Order (“EO”) addressing the Implementation of the CHIPS Act of 2022 (“CHIPS Act”). The CHIPS Act was signed by President Biden on August 9, 2022, and, among other things, authorizes $39 billion in funding for new projects to establish semiconductor production facilities within the United States. The new EO identifies the Administration’s implementation priorities for this CHIPS Act funding and creates the CHIPS Implementation Steering Council to aid with the rollout of administrative guidance. In connection with the EO, the Department of Commerce launched CHIPS.gov, which is intended to be a centralized resource for potential applicants of CHIPS funding. The EO and new website reflect the Administration’s intent to swiftly implement the CHIPS Act and increase the domestic production of semiconductors.