This is the thirteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describe the actions taken by various Government agencies to implement the Cyber EO from June 2021 through April 2022.  This blog reflects on the one year anniversary of the Cyber EO and discusses the status of various implementation activities.  It also describes key actions taken to implement the Cyber EO during May 2022.Continue Reading May 2022 Developments Under President Biden’s Cybersecurity Executive Order: One Year Anniversary Update

On March 15, 2022, President Biden signed the Consolidated Appropriations Act 2022, a $1.5 trillion omnibus spending package to fund the government through September 2022.  The omnibus spending package includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”), which establishes two cyber incident reporting requirements for covered critical infrastructure entities:  a

The Government Accountability Office (“GAO”) released a decision on Friday finding that the Department of Homeland Security (“DHS”) followed the wrong order of succession after Secretary Kirstjen Nielsen resigned in April 2019.  As a result, the Acting Secretaries who have served since then were invalidly selected.  In particular, GAO has questioned the appointments of Acting Secretary Chad Wolf, former Acting Secretary Kevin McAleenan, and Deputy Secretary Kenneth Cuccinelli.

GAO’s decision tees up a thorny question for DHS contractors:  If these officials were invalidly selected, what does it mean for the agency’s policies and procurement decisions made during their tenure?Continue Reading [Updated] If the Acting DHS Secretary Was Unlawfully Selected, What Does that Mean for DHS Procurements?

Last week, the Fourth Circuit Court of Appeals affirmed a lower court decision to dismiss a Telephone Consumer Protection Act (“TCPA”) lawsuit against General Dynamics Information Technology, Inc. (“GDIT”), on the basis that GDIT was immune from suit as a government contractor under what is known as the “Yearsley doctrine.”  Craig Cunningham v. GDIT, No. 17-1592 (Apr. 24, 2018). The decision follows a long line of Fourth Circuit decisions in which contractors have been granted protection from liability when they perform work that supports important governmental functions. 
Continue Reading Fourth Circuit Embraces Expansive View of Derivative Sovereign Immunity for Government Contractors

The Department of Defense (“DoD”) has updated portions of its internal guidance addressing compliance with the requirements of Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Continue Reading DoD Updates Internal Guidance on DFARS Cyber Rule

On Monday, our colleague Caleb Skeath posted on Inside Privacy an engaging article that discusses the new Office of Management and Budget policy setting forth minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII) and the expected contractual changes that agencies will impose on contractors whose systems

President Obama unveiled on February 9, 2015 his Cybersecurity National Action Plan (CNAP), a combination of near-term actions and long-term strategy to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”  In conjunction with this unveiling, President Obama signed two Executive Orders directed at improving cybersecurity in both the private and public sectors by establishing groups of informed stakeholders to issue federal recommendations for cybersecurity and privacy protections.
Continue Reading President Obama Unveils Cybersecurity National Action Plan and Issues Two New Executive Orders Directed at Cybersecurity and Privacy Concerns

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.”  While the class deviation is a welcomed development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule. 
Continue Reading DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Earlier this month, the U.S. General Services Administration (GSA) issued a Request for Information (RFI) soliciting feedback from industry on ways to improve the sale of Cybersecurity and Information Assurance (CyberIA) products and services through GSA’s multi-billion dollar Information Technology (IT) Schedule 70. IT Schedule 70 currently features more than a dozen special item numbers (SINs) for cybersecurity products and services.[1] In this RFI, GSA seeks information from vendors and federal agencies as to whether it should consolidate those SINs into one major CyberIA grouping, with a number of categories and subcategories.

The RFI, which was issued just weeks before the Office of Management and Budget (OMB) and the Department of Defense (DoD) announced their own major cybersecurity initiatives, is yet another sign that the federal government is leveraging its substantial buying power to harden government and contractor networks against cyber intrusions. As explained below, GSA’s appeal to industry offers a tremendous opportunity for the private sector to help shape the way commercial CyberIA products and services are bought by and sold to the government.
Continue Reading GSA Seeks Industry Input on Cybersecurity Schedule Offerings

By final rule issued January 27, the Department of Defense (DoD) updated its Privacy Program, meaning that effective February 26, 2015, certain DoD contractors will be required to comply with additional “rules of conduct.”  These rules of conduct are consistent with the types of requirements imposed on federal agencies by the Privacy Act.

The final rule applies to all DoD components and to all DoD contractors (and any employee of such a contractor) involved in the “design, development, operation, or maintenance of any system of records.”[1]  Such contractors will be required to comply with expanded rules of conduct.  Specifically contractors must (new requirements are in bold):

  • preserve the security and confidentiality of Personally Identifiable Information (PII) on its systems;
  • refrain from disclosing any PII, except as authorized by applicable statutes, or be subject to criminal penalties and/or administrative sanctions;
  • report unauthorized disclosures of PII or any maintenance of a system of records not authorized by the DoD Privacy Program to the relevant privacy point of contact;
  • ensure anyone with access to a system of records is properly trained under the DoD Privacy Program;
  • prepare any required system of records notices (SORNs) for publication in the Federal Register;
  • refrain from maintaining a system of records without first ensuring a SORN was published in the Federal Register, or face criminal penalties and/or administrative sanctions;
  • minimize the collection of PII to that which is relevant and necessary to accomplish a DoD purpose;
  • refrain from maintaining records describing how any individual exercises his/her First Amendment rights, except when (1) authorized by statute; (2) authorized by the individual the record is about; (3) the record is pertinent and within the scope of an authorized law enforcement activity (including intelligence or administrative activities);
  • safeguard the privacy of all individuals and the confidentiality of all PII;
  • limit the availability of records containing PII to DoD personnel and contractors with a need to know;
  • prohibit unlawful possession, collection, or disclosure of PII whether or not within a system of records; and
  • maintain all records in a mixed system of records (a system that comingles the data of U.S. citizens and non-citizens) as if all records are subject to the Privacy Act.

Continue Reading DoD’s Updated Privacy Program Imposes Stringent Rules for Protection of PII