This is the eighth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, and seventh blogs described the actions taken by various government agencies to implement the EO from June through November 2021. This blog summarizes the key actions taken to implement the Cyber EO during December 2021. Although the actions described below implement different sections of the Cyber EO, each of them portends further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to federal government agencies.
Continue Reading December 2021 Developments Under President Biden’s Cybersecurity Executive Order
DoD Releases Updated CMMC Program Documentation
The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing
November 2021 Developments Under President Biden’s Cybersecurity Executive Order
This is the seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, and sixth blogs described the actions taken by various government agencies to implement the EO during June, July, August, September, and October 2021, respectively. This blog summarizes the key actions taken to implement the Cyber EO during November 2021.
Although most of the developments in November were directed at U.S. Government agencies, the standards being developed for such agencies could be imposed upon their contractors or otherwise be adopted as industry standards for all organizations that develop or acquire software.
Continue Reading November 2021 Developments Under President Biden’s Cybersecurity Executive Order
CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0
On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0. Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.
According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0. Mr. KcKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous” especially on small and medium sized contractors. He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk based approach than the original CMMC because it is primarily focused on the type of data being protected.
Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0
DoD Outlines Significant Changes to CMMC with Version 2.0
UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking
On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.” The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.
Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0
October 2021 Developments Under President Biden’s Cybersecurity Executive Order
This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively. This blog summarizes key actions taken to implement the Cyber EO during October 2021.
Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software similar to various industries adopting the NIST Cybersecurity Framework as a security controls baseline.
Continue Reading October 2021 Developments Under President Biden’s Cybersecurity Executive Order
DOJ Announces New Civil Cyber-Fraud Initiative
In a December 2020 speech, Deputy Assistant Attorney General Michael Granston warned that cybersecurity fraud could see enhanced enforcement under the False Claims Act (“FCA”). On October 6, 2021, Deputy Attorney General Lisa Monaco announced that the Department of Justice (“DOJ”) would be following through on that warning with the launch of the DOJ’s Civil Cyber-Fraud Initiative. The key component of the initiative is the use of the FCA against Government contractors and subcontractors that fail to comply with cybersecurity requirements, including information security standards and cyber incident reporting obligations, imposed by contract, statute, or regulation.
Under the FCA, the Government can recover treble damages and penalties from federal contractors and subcontractors that knowingly submit false claims for payment. Notably, the FCA incentivizes private citizens (relators), including contractor employees, to file qui tam suits on behalf of the Government by guaranteeing them between 15 and 30 percent of the recovery. DOJ stated that it intended to work with federal agencies, subject matter experts, and law enforcement partners on the Civil Cyber-Fraud Initiative. Recently, Assistant Attorney General Brian Boynton confirmed that this initiative was also intended to incentivize relators and the aggressive relators’ bar to focus their attention on potential cybersecurity noncompliance as the basis for qui tam actions.
Continue Reading DOJ Announces New Civil Cyber-Fraud Initiative
September 2021 Developments Under President Biden’s Cybersecurity Executive Order
This is the fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity”, issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, and fourth blogs described the actions taken by various federal government agencies to implement the EO during June, July, and August 2021, respectively. This blog summarizes key actions taken to implement the Cyber EO during September 2021.
I. Actions Taken During September 2021 to Modernize Federal Government Cybersecurity
The Office of Management and Budget (OMB) publically released a draft zero trust architecture strategy for federal agencies on September 9, 2021. On that same day, the Cybersecurity and Infrastructure Agency (CISA) issued two draft documents designed to further OMB’s zero trust strategy: the Zero Trust Maturity Model and the Cloud Security Technical Reference Architecture. Each of these documents was required by Section 3 of the Cyber EO to modernize and standardize federal government agency approaches to cybersecurity.
Continue Reading September 2021 Developments Under President Biden’s Cybersecurity Executive Order
August 2021 Developments Under President Biden’s Cybersecurity Executive Order
This blog continues Covington’s review of important deadlines and milestones in implementing the Executive Order on Improving the Nations’ Cybersecurity (E.O. 14028, or the “Cyber EO”) issued by President Biden on May 12, 2021. Previous blogs have discussed developments under the Cyber EO in June 2021 and July 2021. This blog focuses on developments affecting the EO that occurred during August 2021.
The Cyber EO requires federal agencies to meet several important deadlines in August 2021. These deadlines are in the areas of enhancing critical software supply chain security, improving the federal government’s investigative and remediation capabilities, and modernizing federal agency approaches to cybersecurity. In addition, the National Institute of Standards and Technology (“NIST”) took several significant actions related to supply chain security in August 2021, not all of which were driven by deadlines in the Cyber EO. This blog examines the actions taken by federal agencies to meet the EO’s August deadlines as well as the NIST actions referred to above.
Continue Reading August 2021 Developments Under President Biden’s Cybersecurity Executive Order
July 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity
On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity (the “EO”). The EO sets out a list of deliverables due from a number of governmental entities in June 2021 and successive months. Our overall summary of the EO and its deliverables can be found here, and our discussion of the EO deliverables that were due in June 2021 can be found here. This blog addresses the EO deliverables in July 2021.
Continue Reading July 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity