Robert Huffman

Subscribe to Robert Huffman's Posts
Follow: Email

This blog continues Covington’s review of important deadlines and milestones in implementing the Executive Order on Improving the Nations’ Cybersecurity (E.O. 14028, or the “Cyber EO”) issued by President Biden on May 12, 2021.  Previous blogs have discussed developments under the Cyber EO in June 2021 and July 2021.  This blog focuses on developments affecting the EO that occurred during August 2021.

The Cyber EO requires federal agencies to meet several important deadlines in August 2021.  These deadlines are in the areas of enhancing critical software supply chain security, improving the federal government’s investigative and remediation capabilities, and modernizing federal agency approaches to cybersecurity.  In addition, the National Institute of Standards and Technology (“NIST”) took several significant actions related to supply chain security in August 2021, not all of which were driven by deadlines in the Cyber EO.  This blog examines the actions taken by federal agencies to meet the EO’s August deadlines as well as the NIST actions referred to above.


Continue Reading August 2021 Developments Under President Biden’s Cybersecurity Executive Order

On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity (the “EO”).  The EO sets out a list of deliverables due from a number of governmental entities in June 2021 and successive months.  Our overall summary of the EO and its deliverables can be found here, and our discussion of the EO deliverables that were due in June 2021 can be found here.  This blog addresses the EO deliverables in July 2021.
Continue Reading July 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

On May 12, 2021 the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (EO).  Among other things, the EO sets out a list of deliverables from a variety of government entities.  A number of these deliverables were due in June, including a definition of “critical software,” the minimum requirements for a software bill of materials, and certain internal actions imposed on various federal agencies.
Continue Reading June 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

On June 11, 2021, the White House released new guidance on its plans to limit waivers of domestic sourcing laws, bolstering its January 2021 Executive Order on “Ensuring the Future is Made in All of America by All of America’s Workers.”  The guidance, entitled “Increasing Opportunities for Domestic Sourcing and Reducing the Need for Waivers from Made in America Laws,” provides insight on how the Biden Administration intends to enforce domestic sourcing laws such as the Buy American Act (“BAA”) over the coming years.

We have previously written about the January 2021 Executive Order here.  Among other things the Executive Order established a federal Made in America Office (“MIAO”) to review agency decisions to waive laws such as the BAA from procurements, grants, and other government contracting activities.  It also directed the Office of Management and Budget to establish reporting and oversight procedures to promote enforcement of the Made in America Laws.  The guidance fulfills that requirement.

Among other things, the guidance:

  • Requires each agency to designate a Senior Accountable Official, an official responsible for coordinating with the Made in America Director to implement the waiver review process,
  • Establishes the procedures for review of waiver requests by the Made in America Office (“MIAO”),
  • Implements the Executive Order’s requirement that acquiring activities prepare agency reports on compliance with Made in America Laws, and
  • Explains the process to develop the public database of all proposed waivers by early fiscal year 2022.

Importantly, the guidance creates an “initial phase” of implementation for the Executive Order, indicating that future phases will follow.  In this “initial phase,” the Biden Administration will focus on (1) Jones Act waivers and (2) non-availability procurement waivers pursuant to the BAA proposed by the 24 agencies subject to the Chief Financial Officers (“CFO”) Act.  During the first quarter of fiscal year 2022, the MIAO will phase in reviews of waivers proposed by non-CFO Act agencies and other types of waiver requests.

In a blog post announcing the guidance, the new Director of the Made in America Office, Celeste Drake, stated that the guidance is intended “to improve practices and processes to ensure that Made in America laws are not a mere compliance exercise,” as well as “reinforc[e] the actions announced in the 100-Day Supply Chain Review.”


Continue Reading White House Issues Guidance on Limiting Waivers of Domestic Sourcing Laws – What Contractors Need to Know

On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.

In particular, and among other things, the Order:

  • seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
  • mandates that software purchased by the federal government meet new cybersecurity standards;
  • discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
  • seeks to impose new cyber incident[i] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents, and;
  • addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.

The Order contains eight substantive sections, which are listed here, and discussed in more detail below:

  • Section 2 – Removing Barriers to Sharing Threat Information
  • Section 3 – Modernizing Federal Government Cybersecurity
  • Section 4 – Enhancing Software Supply Chain Security
  • Section 5 – Establishing a Cyber Safety Review Board
  • Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
  • Section 9 – National Security Systems

The summaries below discuss highlights from these sections, and the full text of the Order can be found here.


Continue Reading President Biden Signs Executive Order Aimed at Improving Government Cybersecurity

The American Rescue Plan, signed into law last month, includes $1.9 trillion in economic stimulus, healthcare, and related funding.  And just last week the Biden administration released an infrastructure proposal, the American Jobs Plan, that includes $2.3 trillion in transportation, connectivity, power, and other critical infrastructure investments.

Contractors are right to view these plans as massive opportunities — but should be cognizant of the regulatory strings that often attach to government spending.  In general, these can include Federal Acquisition Regulation (FAR) and agency-specific FAR supplements for federal procurements, as well as the nonprocurement uniform requirements (2 C.F.R. Part 200) and related agency-specific regulations that attach to Federal grant funds even when disbursed by state or local entities.

Now, some Congressional members are seeking to add new restrictions that would significantly overhaul the existing domestic preference regime for Federal procurements — mere weeks after the promulgation of new Buy American regulations and the release of a new Executive Order to further tighten the application of these rules.


Continue Reading U.S. Senators Propose Trade-Pact Waivers Amidst Focus on Domestic Preference Laws