This is the twenty-seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during July 2023.
White House Releases Implementation Plan for the National Cybersecurity Strategy
On July 13, 2023, the White House published the National Cybersecurity Strategy Implementation Plan (“NCSIP”) to guide implementation of the U.S. National Cybersecurity Strategy, which was released earlier this year. The NCSIP identified 65 initiatives that will be led by 18 different departments and agencies. Among the many initiatives, the NCSIP outlined several specific initiatives of particular relevance to government contractors that are to be implemented over the next three years, including:
- FAR Changes Under the Cyber EO – In the first quarter of FY2024, the Administration plans to propose Federal Acquisition Regulation (“FAR”) changes that are required under the Cyber EO to standardize cybersecurity requirements for unclassified federal information systems (FAR Case 2021-019), cyber threat and incident reporting and information sharing (FAR Case 2021-017), and supply chain software security (FAR Case 2023-002).
- Secure-by-Design – Also in the first quarter of FY2024, the Department of Energy, along with the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Office of the National Cyber Director (“ONCD”), will “drive adoption of cyber secure-by-design principles by incorporating them into Federal projects.” As part of this effort, the ONCD will host a legal symposium on the creation of a “software liability framework,” which will “explore different approaches to a software liability framework that draw from different areas of regulatory law and reflect inputs from computer scientists as to the extent that software liability may or may not be like these other regimes.”
- IoT Labeling – By the end of FY2023, the Administration intends to implement its Internet of Things (“IoT”) labeling program and – in line with the IoT Cybersecurity Improvement Act of 2020 – propose corresponding changes to the FAR.
- Cybersecurity Framework 2.0 – By the first quarter of FY2025, the National Institute of Standards and Technology (“NIST”) plans to publish its Cybersecurity Framework 2.0. The Plan describes the update as “significant” and notes that it will address, among other things, alignment of regulations with international standards.
- Software Bills of Materials (“SBOMs”) – During the second quarter of FY2025, CISA will work with key stakeholders to identify and reduce gaps in SBOMs and explore requirements for a globally accessible database of end-of-life/end-of-support software.
- Critical Infrastructure – The NCSIP targets the second quarter of FY2025 for setting cybersecurity requirements across critical infrastructure sectors and the fourth quarter of FY2025 for cyber incident reporting requirements for critical infrastructure.
- False Claims Act Enforcement – The Department of Justice (“DOJ”) will be tasked with expanding its efforts to leverage the False Claims Act to pursue civil actions against government contractors who fail to meet cybersecurity obligations. Although the Plan targets the fourth quarter of 2025, contractors are already seeing a more active DOJ, including through its Civil Cyber-Fraud Initiative, announced in October 2021.
For additional information on the NCSIP, please see our post on Covington’s Inside Privacy blog.
ONCD Issues Request for Information on Harmonizing Cybersecurity Regulations
On July 19, 2023, the ONCD issued a request for information (“RFI”) seeking input from stakeholders to “understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.” The RFI is organized into nine topics, each with its own set of questions. These include requests for information on conflicting regulations, existing frameworks, third-party frameworks, and the treatment of cloud services. Responses to the RFI are due by October 31, 2023.
The FCC Leads an Initiative to Create a U.S. Cyber Trust Mark for Internet-of-Things (“IoT”) Devices
On July 18, 2023, the Biden Administration announced that the Federal Communications Commission (“FCC”) would take the lead in developing a “U.S. Cyber Trust Mark” for IoT devices such as smart refrigerators, smart televisions, smart climate control systems, and smart fitness trackers. The FCC will create this mark using the criteria that NIST developed under the Cyber EO for consumer IoT devices.
NIST Issues Draft Zero Trust Architecture Practice Guides
On July 19, 2023, NIST issued for public comment a draft third version of volumes B and C of its preliminary practice guide SP 1800-35, “Implementing a Zero Trust Architecture.” According to NIST, these two volumes “describe ten ZTA implementations” and “demonstrat[e] how blends of commercially available technologies can be integrated and brought into play to build various types of ZTAs.” The comment period for these two draft volumes is open through September 4, 2023.