Information Technology Contracting

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) into law.  As described in Covington’s Client Alert, FY23 NDAA: Provisions of Interest for Almost All Government Contractors, the FY23 NDAA contains provisions of interest for almost all U.S. Government contractors.  One provision likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government is the FedRAMP Authorization Act (the “Act”), which codifies the Federal Risk and Authorization Management Program (“FedRAMP”).

Of note, the Act creates a “presumption of adequacy” that cloud providers with authorization from one agency can use that authorization with other agencies.  This is an expansion compared to the current process, which allows authorizations by the FedRAMP Joint Authorization Board, but not authorizations from individual agencies, to serve as the basis for an agency’s own authorization process.  It also creates the Federal Secure Cloud Advisory Committee, comprised of 15 members of the public and private sector, to provide recommendations regarding FedRAMP and the acquisition of cloud services more generally.

Continue Reading FY2023 NDAA Makes Notable Changes to FedRAMP Program

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 into law.  The Act contains two significant prohibitions regarding the procurement and use of semiconductor products and services from specific Chinese companies and other foreign countries of concern that will come into effect in December 2027. 

Continue Reading NDAA Prohibits Government Purchase and Use of Certain Semiconductors

Last Friday, the National Telecommunications and Information Administration (“NTIA”) took a major step in furtherance of the Biden Administration’s goal of connecting all Americans to broadband by releasing its widely anticipated Notice of Funding Opportunity (“NOFO”) for the landmark $42.5 billion Broadband Equity, Access, and Deployment (“BEAD”) Program, along with NOFOs for two smaller programs. 

This is the eleventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second through tenth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through February 2022, respectively.  This blog summarizes key actions taken to implement the Cyber EO during March 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions, potentially in or before June 2022, that are likely to impact government contractors, particularly those who provide software products or services to the Government.
Continue Reading March 2022 Developments Under President Biden’s Cybersecurity Executive Order

This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, eighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.

This blog summarizes key actions taken to implement the Cyber EO during February 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order

This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although this month’s developments apply directly to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software, much as various industries have adopted the NIST Cybersecurity Framework as a security controls baseline.

Continue Reading October 2021 Developments Under President Biden’s Cybersecurity Executive Order

This is the fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, and fourth blogs described the actions taken by various federal government agencies to implement the EO during June, July, and August 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during September 2021.

I.   Actions Taken During September 2021 to Modernize Federal Government Cybersecurity

The Office of Management and Budget (OMB) publicly released a draft zero trust architecture strategy for federal agencies on September 9, 2021.  On that same day, the Cybersecurity and Infrastructure Agency (CISA) issued two draft documents designed to further OMB’s zero trust strategy: the Zero Trust Maturity Model and the Cloud Security Technical Reference Architecture.  Each of these documents was required by Section 3 of the Cyber EO to modernize and standardize federal government agency approaches to cybersecurity.

Continue Reading September 2021 Developments Under President Biden’s Cybersecurity Executive Order

This blog continues Covington’s review of important deadlines and milestones in implementing the Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028, or the “Cyber EO”) issued by President Biden on May 12, 2021.  Previous blogs have discussed developments under the Cyber EO in June 2021 and July 2021.  This blog focuses on developments affecting the EO that occurred during August 2021.

The Cyber EO requires federal agencies to meet several important deadlines in August 2021.  These deadlines are in the areas of enhancing critical software supply chain security, improving the federal government’s investigative and remediation capabilities, and modernizing federal agency approaches to cybersecurity.  In addition, the National Institute of Standards and Technology (“NIST”) took several significant actions related to supply chain security in August 2021, not all of which were driven by deadlines in the Cyber EO.  This blog examines the actions taken by federal agencies to meet the EO’s August deadlines as well as the NIST actions referred to above.

Continue Reading August 2021 Developments Under President Biden’s Cybersecurity Executive Order

On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity (the “EO”).  The EO sets out a list of deliverables due from a number of governmental entities in June 2021 and successive months.  Our overall summary of the EO and its deliverables can be found here, and our discussion of the EO deliverables that were due in June 2021 can be found here.  This blog addresses the EO deliverables in July 2021.
Continue Reading July 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

On May 12, 2021, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (EO).  Among other things, the EO sets out a list of deliverables from a variety of government entities.  A number of these deliverables were due in June, including a definition of “critical software,” the minimum requirements for a software bill of materials, and certain internal actions imposed on various federal agencies.
Continue Reading June 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity