OMB Rescinds the “Common Form” Secure Software Attestation Requirement
On January 23, 2026, the Office of Management and Budget (OMB) issued Memorandum M-26-05 “Adopting a Risk-based Approach to Software and Hardware Security,” which rescinds a previous Biden Administration requirement for all federal agencies to obtain a self-attestation from software producers in the “Common Form” developed by the Cybersecurity and Infrastructure Security Agency (CISA) before using certain third-party software. As its rationale, OMB noted that the prior memoranda diverted agencies from developing tailored assurance requirements and failed to account for threats posed by insecure hardware. Memorandum M-26-05 signals that the federal government is moving away from a “one-size fits-all” approach to software security and will instead allow each agency to develop tailored requirements. In creating their own assurance requirements, agencies may still require a self-attestation and/or Software Bill of Materials (SBOM) from the software vendor if the agency determines that such assurances are necessary based on the risks involved and the agency’s needs.
Krissy Chapman
Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.
Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.
Pentagon Releases Artificial Intelligence Strategy
The past month has marked a series of announcements from the Department of War (the “Department”) emphasizing rapid deployment of artificial intelligence (“AI”) industry partnerships. These announcements signal opportunities for not only the defense industrial base, but also nontraditional defense contractors focused on technology and data.
On January 9, 2026, the Department released two key memoranda: (1) Artificial Intelligence Strategy for the Department of War, setting out measurable pace-setting projects, barrier removal authorities, and mandated data access; and (2) Transforming the Defense Innovation Ecosystem to Accelerate Warfighting Advantage, which aims to unify the defense innovation ecosystem under the Under Secretary of War for Research & Engineering as Chief Technology Officer (“CTO”).
Shortly after, on January 12, Secretary Hegseth delivered a speech, presenting an overhaul of the Department’s innovation and acquisition ecosystems.
The January 9 memoranda and Secretary Hegseth’s speech signal the Department’s intent to formalize a single, CTO-led innovation operating system designed to produce three outputs: next-generation technology, scalable products, and new ways of fighting—and to do it at “wartime speed,” with AI as the first major proving ground.
CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure
On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here. Established by the 2021 National Security Memorandum…
August, September, and October 2025 Cybersecurity Developments Under the Trump Administration
This is the seventh blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration. The sixth blog is available here and our initial blog is available here. This blog describes key cybersecurity developments that took place in August, September…
How Will DoW Determine Which Level of CMMC Applies to My Agreement?
Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to…
Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced
This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.
On…
July 2025 Cybersecurity Developments Under the Trump Administration
This is the sixth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration. The fifth blog is available here and our initial blog is available here. This blog describes key cybersecurity developments that took place in July 2025. …
Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies. The case is the latest in a series of False…
June 2025 Cybersecurity Developments Under the Trump Administration
This is the fifth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration. The fourth blog is available here and our initial blog is available here. This blog describes key cybersecurity developments that took place in June 2025. …
May 2025 Cybersecurity Developments Under the Trump Administration
This is the fourth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration. This blog describes key cybersecurity developments that took place in May 2025.
CISA Releases AI Data Security Guidance
On May 22, the Cybersecurity and Infrastructure…