This is the thirty-second in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during December 2023. It also describes key actions taken during December 2023 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
U.S. Department of Defense (“DoD”) Issues Proposed Rule Implementing CMMC
On December 26, 2023, DoD issued its long-awaited proposed rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) Program (“Proposed Rule”). CMMC has faced a long and tortuous path that started with Executive Order (EO) 13,556 “Controlled Unclassified Information” in November 2010. This EO established a common nomenclature for marking controlled unclassified information (“CUI”) and allowed for standardized guidance on safeguarding such data.
In 2016, DoD amended the Defense Federal Acquisition Regulation Supplement (“DFARS”) to add a clause, DFARS 252.204-7012 (the DFARS 7012 clause), requiring DoD contractors to report cyber incidents and to safeguard certain DoD CUI in accordance with the 110 security controls identified in NIST SP 800-171. Four years later, DoD announced CMMC 1.0 and issued an interim rule that addressed the initial vision for CMMC. This initial rule envisioned a five-year phase-in period and included five levels of safeguarding requirements. DoD received approximately 750 comments on this rule and, as a result, conducted an internal review of CMMC. In November 2021, DoD announced CMMC 2.0, which is the basis for the current Proposed Rule.
A detailed discussion of the CMMC Proposed Rule is available in our recent summary.
U.S. Government Accountability Office (“GAO”) Releases Report on Federal Use of Artificial Intelligence (“AI”)
On December 12, 2023, the GAO released a report reviewing the implementation of AI at major federal agencies, assessing (1) current and planned uses of AI, (2) “the extent to which federal agencies’ AI reporting was comprehensive and accurate, and (3) the extent to which federal agencies have complied with selected federal policy and guidance on AI.” On the whole, the GAO found that 20 of 23 agencies “reported about 1,200 current and planned [AI] use cases – specific challenges or opportunities that AI may solve.” Overall, the GAO published “35 recommendations to 19 agencies,” including:
- Updating AI “use case inventories to include required information and take steps to ensure the data aligns with guidance[;]”
- Implementing “AI requirements with government-wide implications[;]”
- Fully implementing “AI requirements in federal law, policy, and guidance.”