Photo of Ryan Burnette

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2024.  It also describes key actions taken during April 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and secure software.Continue Reading April 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

Today, the Federal Acquisition Regulatory Council (“FAR Council”) released an Advance Notice of Proposed Rulemaking (the “ANPRM”) describing the agencies’ plan to implement Section 5949 of the National Defense Authorization Act (“NDAA”) for FY 23 (Pub. L. 117-263).

Section 5949 prohibits the Federal Government from procuring certain semiconductor parts, products, or services traceable to named Chinese companies and potentially other foreign countries of concern.  To that end, the ANPRM invites public comment on the proposed contents of an implementing FAR clause, to take effect December 23, 2027.

As discussed below, the FAR Council proposed applying the regulations broadly to all solicitations and contracts, including commercial item and commercially available off-the-shelf (“COTS”) contracts, subject only to a limited waiver.  Although not set out in the statute, the clause would require contractors to conduct a “reasonable inquiry” into their supply chain to detect potential violations.  It would also require both disclosure and the taking of corrective action in the event that nonconforming products or services are discovered. 

More details are below, and our previous coverage of Section 5949 is available here.Continue Reading Chips on the Table: FAR Council Releases Advance Notice of Proposed Rulemaking to Implement Prohibition on Purchase and Use of Certain Semiconductors

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by various government agencies to implement the Cyber EO from June 2021through February 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during March 2024.  It also describes key actions taken during March 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

On March 12, 2024, the Department of Defense (DoD) published a final rule, revising the eligibility criteria for the voluntary DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities Program.  The intent of the rule is to permit all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to participate in the program.  Previously, only cleared contractors were permitted to participate in the sharing of this information.  The final rule also amends identity proofing requirements by eliminating the need to obtain a medium security certificate to participate in either the voluntary or mandatory reporting regimes.  The rule will take effect on April 11, 2024, and DoD anticipates a significant increase in contractor participation.

Additional information about the rule is outlined below.Continue Reading DoD Expands Contractor Cybersecurity Information Sharing Program

On March 11, 2024 the Cybersecurity Infrastructure Security Agency (CISA), released the much anticipated final version of its common Secure Software Development Attestation Form.  Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons.  First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers.  Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.Continue Reading OMB Approves Final CISA Secure Software Attestation Common Form, Triggering Clock for Collection

This is the thirty-third in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading January 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the thirty-second in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during December 2023.  It also describes key actions taken during December 2023 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.Continue Reading December 2023 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

On January 4, 2024, the U.S. Attorney’s Office for the District of New Jersey announced that it has filed criminal wire fraud and false statement charges against the Chief Executive Officer (CEO) of a company that knowingly sold certain surveillance and security cameras to prosecutors’ offices, sheriffs’ offices, and police

Continue Reading U.S. Government Brings Criminal Charges Against Individual Alleged to be Responsible for Falsely Representing that Cameras Sold to Government Customers were Compliant with Section 889 Requirements

On October 3, 2023, the Federal Acquisition Regulation (FAR) Council released two new proposed cybersecurity rules. The first of the two, covered in a separate blog, is titled “Cyber Threat and Incident Reporting and Information Sharing,” and adds new requirements to the cybersecurity incident reporting obligations of federal contractors. The second rule, titled “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” covers cybersecurity contractual requirements for unclassified Federal information systems.

Both rules arise from Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). We have covered developments under this Executive Order as part of a series of monthly posts. The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023. This blog describes key requirements imposed by the proposed “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” rule (the “Proposed Standardizing Rule”)

Proposed Cybersecurity Requirements for Unclassified Federal Information Systems

As directed by the Cyber EO, the Proposed Standardizing Rule would establish cybersecurity policies, procedures, and requirements for contractors that develop, implement, operate, or maintain Federal Information Systems (“FIS”). Under the rule, a FIS is defined as “an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.”Continue Reading Proposed FAR Rule: “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems”