This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024. This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024.
National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”
On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.” In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.” The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.” In the publication, NIST stated that it does not expect that all requirements are needed “universally.” Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”
These requirements serve as a supplement to NIST SP 800-171 and apply to particular high-risk entities. The current version of SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here. Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3. Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate the SP 800-172 Rev. 3 requirements. However, the draft requirements provide insight into how CMMC could evolve.
The draft requirements modify the existing SP 800-172, and the significant changes include, among others:
- Greater specificity of the security requirements “to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments”;
- Greater “consistency with the source security control language in SP 800-53”;
- Additional security requirements based on “(1) the latest threat intelligence, (2) empirical data from cyber attacks, and (3) the expansion of security objectives to include integrity and availability”; and
- Removal of “outdated and redundant enhanced security requirements.”
NIST is seeking public comment on the draft until January 10, 2025.
NIST Publishes Report on “Hardware Security Failure Scenarios: Potential Weaknesses in Hardware Design”
On November 13, 2024, NIST published a report regarding hardware security vulnerabilities. The report serves as a reminder of the importance of a holistic review of cybersecurity practices that covers both software and hardware security, and it provides insight into potential future expectations for such practices. The report identified “98 security failure scenarios,” which NIST categorized under seven Common Weakness Enumeration (“CWE”) pillars: (1) Improper Access Control, (2) Improper Adherence to Coding Standards, (3) Improper Check or Handling of Exceptional Conditions, (4) Improper Control of a Resource Through its Lifetime, (5) Incorrect Comparison, (6) Insufficient Control Flow Management, and (7) Protection Mechanism Failure.
Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities
On November 15, 2024, DoD published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.” The Proposed Rule would implement section 1655 of the National Defense Authorization Act for Fiscal Year 2019 (“NDAA”), which prohibits DoD from acquiring products, services, or systems related to cybersecurity, among other areas, through a contract unless the contractor discloses whether it has shared source or computer code with foreign governments or persons in certain circumstances. The Proposed Rule would also require inclusion of a provision in DoD contracts requiring disclosure if source or computer code is disclosed to a foreign entity during the period of performance. The Proposed Rule would apply broadly to all contractors, whether based in or outside the United States, and would flow the requirement down to subcontractors. Importantly, per NDAA section 1655, these disclosure obligations cover activities dating back to August 13, 2013. Disclosures would be subject to review by the Secretary of Defense, who may condition agreements with contractors on taking appropriate measures to mitigate risk. A more thorough discussion of the obligations is available here.