Cybersecurity

On January 23, 2026, the Office of Management and Budget (OMB) issued Memorandum M-26-05 “Adopting a Risk-based Approach to Software and Hardware Security,” which rescinds a previous Biden Administration requirement for all federal agencies to obtain a self-attestation from software producers in the “Common Form” developed by the Cybersecurity and Infrastructure Security Agency (CISA) before using certain third-party software.  As its rationale, OMB noted that the prior memoranda diverted agencies from developing tailored assurance requirements and failed to account for threats posed by insecure hardware.  Memorandum M-26-05 signals that the federal government is moving away from a “one-size fits-all” approach to software security and will instead allow each agency to develop tailored requirements.  In creating their own assurance requirements, agencies may still require a self-attestation and/or Software Bill of Materials (SBOM) from the software vendor if the agency determines that such assurances are necessary based on the risks involved and the agency’s needs.

Continue Reading OMB Rescinds the “Common Form” Secure Software Attestation Requirement

On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here.  Established by the 2021 National Security Memorandum

Continue Reading CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure

This is the seventh blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The sixth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in August, September

Continue Reading August, September, and October 2025 Cybersecurity Developments Under the Trump Administration

Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to

Continue Reading How Will DoW Determine Which Level of CMMC Applies to My Agreement?

This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced

This is the sixth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fifth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in July 2025. 

Continue Reading July 2025 Cybersecurity Developments Under the Trump Administration

In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies.  The case is the latest in a series of False

Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems

On July 14, 2025, the U.S. Department of Justice (DoJ) and General Services Administration (GSA) announced a $14.75 million settlement of Civil False Claims Act allegations against IT company Hill ASC Inc. (Hill).  This settlement is consistent with the current Administration’s focus on “fraud, waste, and abuse” in government procurement

Continue Reading Recent Cybersecurity FCA Settlement Demonstrates Heightened FCA Risk to Government Contractors

On July 23, the White House released its AI Action Plan, outlining the key priorities of the Trump Administration’s AI policy agenda.  In parallel, President Trump signed three AI executive orders directing the Executive Branch to implement the AI Action Plan’s policies on “Preventing Woke AI in

Continue Reading Trump Administration Issues AI Action Plan and Series of AI Executive Orders

This is the fifth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fourth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in June 2025. 

Continue Reading June 2025 Cybersecurity Developments Under the Trump Administration