Photo of Ashden Fein

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions -- to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Contact:Read more about Ashden FeinEmail

This is the seventh blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The sixth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in August, September

Continue Reading August, September, and October 2025 Cybersecurity Developments Under the Trump Administration

Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to

Continue Reading How Will DoW Determine Which Level of CMMC Applies to My Agreement?

On September 15, 2025, the Office of the Director of National Intelligence (“ODNI”) issued the first public exclusion and removal order (the “Order”) under the framework established by the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”).  The Order applies to all products and services produced or provided by Acronis AG as well as all subordinate, subsidiary, or affiliated organizations doing business under various names in support of Acronis AG.  The exclusionary Order has two immediate impacts on the federal supply chain.  First, federal contractors entering into new contracts or following contractual modifications are prohibited from supplying products or services from Acronis to agencies that are either subject to the Order or that have otherwise adopted it (“Covered Agencies”).  Second, contractors are prohibited from using products or services from Acronis in the performance of new and modified contracts with Covered Agencies.  In addition, certain agencies must remove these products and services from particular information systems.

Although the prohibitions apply to new contract awards, all contractors to Covered Agencies that have the applicable FASCA FAR clause (FAR 52.204-30) in their agreements must conduct diligence to determine whether they have provided or used any prohibited products or services in the performance of their contracts.  Following this review, the clause requires contractors to report the use of prohibited products or services to Covered Agencies.

Additional detail on the FASCSA exclusionary process and this first public Order is provided below.Continue Reading First Order Issued under the Federal Acquisition Supply Chain Security Act, Triggering Immediate Requirements on Contractors

This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced

This is the sixth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fifth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in July 2025. 

Continue Reading July 2025 Cybersecurity Developments Under the Trump Administration

In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies.  The case is the latest in a series of False

Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems

This is the fifth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fourth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in June 2025. 

Continue Reading June 2025 Cybersecurity Developments Under the Trump Administration

This is the fourth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration.  This blog describes key cybersecurity developments that took place in May 2025. 

CISA Releases AI Data Security Guidance

On May 22, the Cybersecurity and Infrastructure

Continue Reading May 2025 Cybersecurity Developments Under the Trump Administration

On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for

Continue Reading White House Issues New Cybersecurity Executive Order

On May 22, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”), which sits within the Department of Homeland Security (“DHS”) released guidance for AI system operators regarding managing data security risks.  The associated press release explains that the guidance provides “best practices for system operators to mitigate cyber risks through

Continue Reading CISA Releases AI Data Security Guidance