On February 17, 2026, the Federal Acquisition Regulatory Council released a Notice of Proposed Rulemaking, proposing amendments to the FAR to implement Section 5949 of the FY23 National Defense Authorization Act (“NDAA”). Section 5949 prohibits executive agencies from obtaining semiconductor parts, products, or services traceable to certain named Chinese companies – currently, Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp (“YMTC”) – subject to limited exceptions. In accordance with the statute, the proposed amendments to the FAR would become effective on December 23, 2027. The proposed rule is not yet final and is open for public comment until April 20, 2026.
Cybersecurity
OMB Rescinds the “Common Form” Secure Software Attestation Requirement
On January 23, 2026, the Office of Management and Budget (OMB) issued Memorandum M-26-05 “Adopting a Risk-based Approach to Software and Hardware Security,” which rescinds a previous Biden Administration requirement for all federal agencies to obtain a self-attestation from software producers in the “Common Form” developed by the Cybersecurity and Infrastructure Security Agency (CISA) before using certain third-party software. As its rationale, OMB noted that the prior memoranda diverted agencies from developing tailored assurance requirements and failed to account for threats posed by insecure hardware. Memorandum M-26-05 signals that the federal government is moving away from a “one-size fits-all” approach to software security and will instead allow each agency to develop tailored requirements. In creating their own assurance requirements, agencies may still require a self-attestation and/or Software Bill of Materials (SBOM) from the software vendor if the agency determines that such assurances are necessary based on the risks involved and the agency’s needs.
CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure
On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here. Established by the 2021 National Security Memorandum…
August, September, and October 2025 Cybersecurity Developments Under the Trump Administration
This is the seventh blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration. The sixth blog is available here and our initial blog is available here. This blog describes key cybersecurity developments that took place in August, September…
How Will DoW Determine Which Level of CMMC Applies to My Agreement?
Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to…
Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced
This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.
On…
July 2025 Cybersecurity Developments Under the Trump Administration
This is the sixth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration. The fifth blog is available here and our initial blog is available here. This blog describes key cybersecurity developments that took place in July 2025. …
Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies. The case is the latest in a series of False…
Recent Cybersecurity FCA Settlement Demonstrates Heightened FCA Risk to Government Contractors
On July 14, 2025, the U.S. Department of Justice (DoJ) and General Services Administration (GSA) announced a $14.75 million settlement of Civil False Claims Act allegations against IT company Hill ASC Inc. (Hill). This settlement is consistent with the current Administration’s focus on “fraud, waste, and abuse” in government procurement…
Trump Administration Issues AI Action Plan and Series of AI Executive Orders
On July 23, the White House released its AI Action Plan, outlining the key priorities of the Trump Administration’s AI policy agenda. In parallel, President Trump signed three AI executive orders directing the Executive Branch to implement the AI Action Plan’s policies on “Preventing Woke AI in…