This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through September 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during October 2024. We discuss developments during October 2024 to implement President Biden’s Executive Order on Artificial Intelligence in a separate post.
Cybersecurity Maturity Model Certification (“CMMC”) Program Final Rule Announced
On October 15, 2024, the U.S. Department of Defense (“DoD”) released the final CMMC Program Rule (“the Rule”). The Rule formally establishes the CMMC Program for DoD and will solidify CMMC as the governing program for measuring and validating DoD contractor compliance with the safeguarding requirements imposed on such contractors by the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) for Federal Contract Information (“FCI”) and Covered Defense Information (“CDI”). It is one of two complementary sets of regulations that, in combination, will govern operation of the Program and will impose new assessment and affirmation processes that contractors must complete to be eligible for certain contracts with DoD. The Rule is set to become effective December 16, 2024, sixty days after publication. Once the related DFARS rule is implemented, the CMMC Program will likely have a significant impact on defense contractors and subcontractors that store, process, or transmit FCI or CDI. A more thorough discussion of the Rule is available in our October client alert.
U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) Releases Guidance on Minimum Expectations for Software Bill of Materials (“SBOM”)
On October 15, 2024, CISA published SBOM guidance through the third edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (dated September 3, 2024) (the “Guidance”). The Guidance provides “a minimum expectation for creating a baseline SBOM.” As CISA has noted, “[an SBOM] has emerged as a key building block in software security and software supply chain risk management.” SBOMs are defined by CISA as “a formal record containing the details and supply chain relationships of various components used in building software.” In light of the Government’s increasing interest in the use of SBOMs, both as evidenced through the reference to a requirement for SBOMs in the proposed FAR Cyber Threat and Incident Reporting and Information Sharing Rule (discussed here) and in the Office of Management and Budget’s Secure Software Development Framework (discussed here), the Guidance could help inform future SBOM minimum requirements for government contractors as well as the broader software supplier community. A more thorough discussion of the new CISA guidance is available here.