This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by
Continue Reading October 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity StrategyCybersecurity
CISA Releases Guidance on Minimum Expectations for Software Bill of Materials
On October 15, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published software bill of materials (“SBOM”) guidance through the third edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (dated September 3, 2024) (the “Guidance”). The Guidance provides “a minimum expectation for creating…
Continue Reading CISA Releases Guidance on Minimum Expectations for Software Bill of MaterialsPenn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations
On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”). This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory. The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department. It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations
September 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through August 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during September 2024. We discuss developments during September 2024 to implement President Biden’s Executive Order on Artificial Intelligence in a separate post. Continue Reading September 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
Cybersecurity Maturity Model Certification (CMMC) Program Final Rule Announced
On October 11, 2024, the U.S. Department of Defense (“DoD”) released an unpublished version of the Cybersecurity Maturity Model Certification (“CMMC”) Program Rule. The final rule will be published in the Federal Register on October 15, 2024 and will become effective sixty days after publication. This rule formally establishes the CMMC Program for DoD and is one of two complementary sets of regulations that govern operation of the Program. Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Final Rule Announced
Every Quarter, On the Quarter: BIS Proposes New Reporting Requirements for the Development of Advanced Artificial Intelligence Models and Possession of Large-Scale Computing Clusters
A key component of President Biden’s October 2023 Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence is a directive to develop a mandatory industrial base survey for the development of advanced artificial intelligence (“AI”) models and computing clusters. Leveraging authority under the Defense Production Act, President Biden charged the Department of Commerce, Bureau of Industry and Security (“BIS”) to implement this industrial base assessment. On September 9, 2024, BIS proposed to amend its Industrial Base survey regulations by establishing reporting requirements for the development of advanced AI models and possession of large-scale computing clusters.
Section 4.2(a)(ii) of the October 2023 Executive Order directed BIS to “require companies, individuals, and other organizations or entities that acquire, develop, or possess a potential large-scale computing cluster to report any such acquisition, development, or possession,” as its authority for the proposed rule. BIS had previously released a mandatory survey for companies it had identified as “developing or planning to develop potential dual-use foundation models.” This proposed rule now sets forth further reporting requirements, as well additional details on the rationale for the survey – rationale that could have serious implications for government contractors.Continue Reading Every Quarter, On the Quarter: BIS Proposes New Reporting Requirements for the Development of Advanced Artificial Intelligence Models and Possession of Large-Scale Computing Clusters
August 2024 Developments Under President Biden’s AI Executive Order
This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023. The first blog summarized the AI EO’s key provisions and related OMB guidance, and subsequent blogs described the actions taken by various government agencies to implement the AI EO from November 2023 through July 2024. This blog describes key actions taken to implement the AI EO during August 2024. It also describes key actions taken by NIST and the California legislature related to the goals and concepts set out by the AI EO. We will discuss developments during August 2024 to implement President Biden’s 2021 Executive Order on Cybersecurity in a separate post. Continue Reading August 2024 Developments Under President Biden’s AI Executive Order
August 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021through July 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during August 2024. We discuss developments during August 2024 to implement President Biden’s Executive Order on Artificial Intelligence in a separate post. Continue Reading August 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
New Guides Released Relating to Secure Software Development Requirements
The Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide on August 2, 2024 titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” (the “Software Acquisition Guide”). This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks. This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (the “Secure By Demand Guide”). Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Biden Administration’s May 2021 Cybersecurity Executive Order (“EO”) and the Office of Management and Budget (“OMB”) memoranda implementing that Order.
The specific impact that the guides will have on federal procurements and software developers in the federal supply chain is not yet clear. With this said, all software producers in the federal supply chain are currently required to fully comply with new secure software development minimum requirements promulgated by the Office of Management and Budget by September 8 of this year, as detailed in our prior post here. The Software Acquisition Guide in particular builds on those requirements and thus could be adopted by agencies that opt to impose additional obligations on contractors beyond those minimum requirements.Continue Reading New Guides Released Relating to Secure Software Development Requirements
July 2024 Developments Under President Biden’s Cybersecurity Executive Order and AI Executive Order
This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2024. This blog describes key actions taken to implement the Cyber EO during July 2024. It also describes key actions taken during July 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and software supply chain security.Continue Reading July 2024 Developments Under President Biden’s Cybersecurity Executive Order and AI Executive Order