On August 25, 2022, President Biden announced a new Executive Order (“EO”) addressing the Implementation of the CHIPS Act of 2022 (“CHIPS Act”). The CHIPS Act was signed by President Biden on August 9, 2022, and, among other things, authorizes $39 billion in funding for new projects to establish semiconductor production facilities within the United States. The new EO identifies the Administration’s implementation priorities for this CHIPS Act funding and creates the CHIPS Implementation Steering Council to aid with the rollout of administrative guidance. In connection with the EO, the Department of Commerce launched CHIPS.gov, which is intended to be a centralized resource for potential applicants of CHIPS funding. The EO and new website reflect the Administration’s intent to swiftly implement the CHIPS Act and increase the domestic production of semiconductors.
This is the ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, and eighth blogs described the actions taken by various government agencies to implement the EO from June through December 2021, respectively.
This blog summarizes key actions taken to implement the Cyber EO during January 2022. As with steps taken during prior months, the actions described below reflect the implementation of the EO within Government. However, these activities portend further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.…
This is the seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, and sixth blogs described the actions taken by various government agencies to implement the EO during June, July, August, September, and October 2021, respectively. This blog summarizes the key actions taken to implement the Cyber EO during November 2021.
Although most of the developments in November were directed at U.S. Government agencies, the standards being developed for such agencies could be imposed upon their contractors or otherwise be adopted as industry standards for all organizations that develop or acquire software.…
On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.” The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response. The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely. Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.
In particular, and among other things, the Order:
- seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
- mandates that software purchased by the federal government meet new cybersecurity standards;
- discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
- seeks to impose new cyber incident[i] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents, and;
- addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.
The Order contains eight substantive sections, which are listed here, and discussed in more detail below:
- Section 2 – Removing Barriers to Sharing Threat Information
- Section 3 – Modernizing Federal Government Cybersecurity
- Section 4 – Enhancing Software Supply Chain Security
- Section 5 – Establishing a Cyber Safety Review Board
- Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
- Section 9 – National Security Systems
The summaries below discuss highlights from these sections, and the full text of the Order can be found here.…
On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.…
Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks. Four years later, NIST has released an updated version of the Framework.
Continue Reading NIST Releases Updated Cybersecurity Framework
Inflection Point for IoT
In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and benefits. However, the increased ubiquity of IoT comes with heightened risks to security, privacy and physical safety and without a standardized set of cybersecurity requirements, many IoT devices and systems are vulnerable to attack. Earlier this month, the National Institute of Standards and Technology (NIST) (through the Interagency International Cybersecurity Standardization Working Group (IICS WG)) released a draft report to help both federal agencies and private companies plan and develop cybersecurity standards in their use and production of IoT components, products, systems and services. The draft report stresses the importance of coordination across the private and public sectors in developing standards to bolster the security and resilience of IoT, provides a snapshot of current international cybersecurity standards, and offers recommendations for gap-filling.…