Photo of Robert Huffman

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice's Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

A key component of President Biden’s October 2023 Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence is a directive to develop a mandatory industrial base survey for the development of advanced artificial intelligence (“AI”) models and computing clusters.  Leveraging authority under the Defense Production Act, President Biden charged the Department of Commerce, Bureau of Industry and Security (“BIS”) to implement this industrial base assessment.  On September 9, 2024, BIS proposed to amend its Industrial Base survey regulations by establishing reporting requirements for the development of advanced AI models and possession of large-scale computing clusters.

Section 4.2(a)(ii) of the October 2023 Executive Order directed BIS to “require companies, individuals, and other organizations or entities that acquire, develop, or possess a potential large-scale computing cluster to report any such acquisition, development, or possession,” as its authority for the proposed rule.  BIS had previously released a mandatory survey for companies it had identified as “developing or planning to develop potential dual-use foundation models.”  This proposed rule now sets forth further reporting requirements, as well additional details on the rationale for the survey – rationale that could have serious implications for government contractors.Continue Reading Every Quarter, On the Quarter:  BIS Proposes New Reporting Requirements for the Development of Advanced Artificial Intelligence Models and Possession of Large-Scale Computing Clusters

This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023.  The first blog summarized the AI EO’s key provisions and related OMB guidance, and subsequent blogs described the actions taken by various government agencies to implement the AI EO from November 2023 through July 2024.  This blog describes key actions taken to implement the AI EO during August 2024.  It also describes key actions taken by NIST and the California legislature related to the goals and concepts set out by the AI EO.  We will discuss developments during August 2024 to implement President Biden’s 2021 Executive Order on Cybersecurity in a separate post. Continue Reading August 2024 Developments Under President Biden’s AI Executive Order

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021through July 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during August 2024.  We discuss developments during August 2024 to implement President Biden’s Executive Order on Artificial Intelligence in a separate post. Continue Reading August 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

The Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide on August 2, 2024 titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” (the “Software Acquisition Guide”).  This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks.  This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (the “Secure By Demand Guide”).  Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Biden Administration’s May 2021 Cybersecurity Executive Order (“EO”) and the Office of Management and Budget (“OMB”) memoranda implementing that Order. 

The specific impact that the guides will have on federal procurements and software developers in the federal supply chain is not yet clear.  With this said, all software producers in the federal supply chain are currently required to fully comply with new secure software development minimum requirements promulgated by the Office of Management and Budget by September 8 of this year, as detailed in our prior post here.  The Software Acquisition Guide in particular builds on those requirements and thus could be adopted by agencies that opt to impose additional obligations on contractors beyond those minimum requirements.Continue Reading New Guides Released Relating to Secure Software Development Requirements

This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2024.  This blog describes key actions taken to implement the Cyber EO during July 2024.  It also describes key actions taken during July 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and software supply chain security.Continue Reading July 2024 Developments Under President Biden’s Cybersecurity Executive Order and AI Executive Order

This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through May 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during June 2024.  It also describes key actions taken during May 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and software supply chain security.Continue Reading June 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through April 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during May 2024.  It also describes key actions taken during May 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and software supply chain security.Continue Reading May 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2024.  It also describes key actions taken during April 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and secure software.Continue Reading April 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by various government agencies to implement the Cyber EO from June 2021through February 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during March 2024.  It also describes key actions taken during March 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order