CISA

On March 11, 2024 the Cybersecurity Infrastructure Security Agency (CISA), released the much anticipated final version of its common Secure Software Development Attestation Form.  Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons.  First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers.  Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.Continue Reading OMB Approves Final CISA Secure Software Attestation Common Form, Triggering Clock for Collection

Last week, the U.S. Cybersecurity and Infrastructure Security Agency released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand.  The guidance builds on the White

This is the eleventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second through tenth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through February 2022, respectively.  This blog summarizes key actions taken to implement the Cyber EO during March 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions, potentially in or before June 2022, that are likely to impact government contractors, particularly those who provide software products or services to the Government.
Continue Reading March 2022 Developments Under President Biden’s Cybersecurity Executive Order

On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT related products or services to the Government, or that sell ICT related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Issues New Interim Report

There are currently three major cybersecurity-related bills pending in the 114th Congress that address information sharing among private entities and between private entities and the federal government: the Protecting Cyber Networks Act (PCNA), H.R. 1560, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), H.R. 1731, and the Cyber Security Information Act of 2015 (CISA), S. 754. Some of the key issues that need to be resolved across these bills include: which agency will be designated as the lead as a clearinghouse for cyber threat information, what liability protections will be granted to those companies that do share information, and whether the structures established under any of these bills will also facilitate greater sharing of government threat information with the private sector. Although the bills all provide that existing reporting requirements will not be disturbed, such as those for Department of Defense “(DOD”) contractors, it remains unclear how these different reporting schemes will interact. Similarly, these bills do not address a provision in the House version of the 2016 National Defense Authorization Act that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems.

Restrictions on the sharing of cyber threat and vulnerability information are often raised as significant barriers to effective cybersecurity. But the sharing of such information is not without risk. In particular, private entities have raised concerns about how the government would use this information and whether such disclosures could result in antitrust, privacy or other legal complications. These bills look to increase incentives for cooperation between the government and the private sector in fending off cyber-attacks by encouraging private companies to voluntarily share information about the particular traits of cyber-attacks—what the bills refer to as “cyber threat indicators”—that they have previously encountered. In response to some of the concerns previously voiced by industry, these bills provide civil suit immunity for private entities that elect to share their information with each other and with the government. The bills also contain liability protection for contractors who monitor government computer systems. What follows is a brief comparison of all three major bills and why their different approaches may or may not benefit government contractors.Continue Reading Competing Bills Focus on Cybersecurity Information Sharing But Final Language and Ultimate Passage Remain Unknown

Following Obama’ s February 13, 2015 Executive Order to promote the sharing of cybersecurity risks and incidents between the federal government and the private sector, Congress has introduced a slew of information-sharing legislation.  Such legislation includes the Cybersecurity Information Sharing Act of 2015 (“CISA”), which was marked up and approved 14-1 by the Senate Intelligence Committee in a closed session on March 12.

CISA, which has been met with some criticism in the press, provides for the promulgation of policies and procedures for the voluntary sharing of “cyber threat indicators” among the federal government and the private sector.  The bill defines “cyber threat indicators” as “information necessary to describe or identify –

  • malicious reconnaissance . . .;
  • a method of defeating a security control or exploitation of a security vulnerability;
  • a security vulnerability;
  • a method of causing a user with legitimate access to an information system . . . to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
  • malicious cyber command and control;
  • the actual or potential harm cause by an incident . . .; or
  • any other attribute of a cybersecurity threat.”

As currently drafted, CISA would apply to contractors in two ways:Continue Reading Controversial Cyber Information Sharing Bill May Impact Government Contractors