Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

This is the twelfth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second through eleventh blogs describe the actions taken by various Government agencies to implement the Cyber EO from June 2021 through March 2022, respectively.  This blog summarizes key actions taken to implement the Cyber EO during April 2022.  As with the steps taken during prior months, the actions described below reflect the implementation of the EO within the Government. However, these activities portend further actions, potentially in or before June 2022, that are likely to impact government contractors, particularly those who provide software products or services to the Government.

Continue Reading April 2022 Developments Under President Biden’s Cybersecurity Executive Order

This is the eleventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second through tenth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through February 2022, respectively.  This blog summarizes key actions taken to implement the Cyber EO during March 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions, potentially in or before June 2022, that are likely to impact government contractors, particularly those who provide software products or services to the Government.
Continue Reading March 2022 Developments Under President Biden’s Cybersecurity Executive Order

This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the secondthirdfourthfifthsixthseventheighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.

This blog summarizes key actions taken to implement the Cyber EO during February 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order

On February 4, 2022, the National Institute for Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling of Consumer Software (“Software Labeling Criteria”).  NIST also published guidance to federal agencies regarding practices for enhancing software supply chain security when they acquire software (“Supply Chain Security Guidance”).  Both the Software Labeling Criteria and the Supply Chain Security Guidance were issued by NIST pursuant to Section 4 of Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cyber EO”), which was issued by President Biden on May 12, 2021.  The Cyber EO and its implementation are the subject of several previous Covington blogs that are available here.

These documents have relevancy to U.S. government contractors and technology companies alike.  The Software Labeling Criteria may serve as a model for labeling requirements on software products purchased by consumers, and therefore should be reviewed closely by all software developers and resellers.  The Supply Chain Security Guidance will likely have more immediate impacts, as the Cyber EO requires (1) that the Office of Management and Budget (“OMB”) take “appropriate steps” to require that agencies comply with the Guidance with respect to software purchased after the date of the EO, and (2) that the FAR to be amended to require all agencies to procure software (defined to include firmware, operating systems, applications, and cloud-based services) in accordance with the Guidance.

Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Software and Guidance to Federal Agencies on Practices to Enhance Supply Chain Security When Procuring Software

This is the ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, and eighth blogs described the actions taken by various government agencies to implement the EO from June through December 2021, respectively.

This blog summarizes key actions taken to implement the Cyber EO during January 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within Government.  However, these activities portend further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

Continue Reading January 2022 Developments Under President Biden’s Cybersecurity Executive Order

This is the eighth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, and seventh blogs described the actions taken by various government agencies to implement the EO from June through November 2021. This blog summarizes the key actions taken to implement the Cyber EO during December 2021.  Although the actions described below implement different sections of the Cyber EO, each of them portends further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to federal government agencies.

Continue Reading December 2021 Developments Under President Biden’s Cybersecurity Executive Order

The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing

This is the seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, and sixth blogs described the actions taken by various government agencies to implement the EO during June, July, August, September, and October 2021, respectively.  This blog summarizes the key actions taken to implement the Cyber EO during November 2021.

Although most of the developments in November were directed at U.S. Government agencies, the standards being developed for such agencies could be imposed upon their contractors or otherwise be adopted as industry standards for all organizations that develop or acquire software.

Continue Reading November 2021 Developments Under President Biden’s Cybersecurity Executive Order

On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0.  Mr. KcKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous” especially on small and medium sized contractors.  He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk based approach than the original CMMC because it is primarily focused on the type of data being protected.

Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0

UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.”   The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.
Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0