Cybersecurity

Last Monday, April 28, 2025, the House passed a bill titled Removing Our Unsecure Technologies to Ensure Reliability and Security (“ROUTERS”) Act (H.R. 866), which directs the Secretary of Commerce to study national security risks and cybersecurity vulnerabilities “posed by consumer routers, modems, and devices that combine a modem and router, that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the influence of a covered country.”  Similar to some other recent supply chain requirements imposed on federal contractors, the bill defines “covered countries” by reference to 10 U.S.C. 4872, which prohibits the acquisition of sensitive materials from North Korea, Russia, Iran, and China.Continue Reading ROUTERS Act on the Horizon: U.S. House Passes New Legislation

This is the second blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration.  This blog describes key cybersecurity developments that took place in March 2025. 

Trump Administration Executive Order on Achieving Efficiency

On March 19, 2025, the Trump

Continue Reading March 2025 Cybersecurity Developments Under the Trump Administration

This is the first in a new series of Covington blogs on cybersecurity policies, executive orders, and other actions of the new Trump Administration.  This blog describes key cybersecurity developments that took place in January and February 2025.  Below, we outline three developments affecting cybersecurity in January and February 2025, including one from the Biden Administration, which has not been rescinded.

Biden Administration Issues Second Cybersecurity Executive Order

On January 16, in one of the final acts of the Biden Administration, the White House issued Executive Order (”EO”) 14144 on “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.”  EO 14144 expands on the National Cybersecurity Strategy and EO 14028, Improving the Nation’s Cybersecurity, which we first previously wrote about here.  This new EO requires a range of additional security enhancements to U.S. government and supporting digital infrastructure, including improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and use of emerging technologies for cybersecurity across agencies and with the private sector. Continue Reading January and February 2025 Cybersecurity Developments Under the Biden and Trump Administrations

On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council proposed a new FAR Controlled Unclassified Information (“CUI”) rule (“proposed rule”) to establish uniform requirements for handling CUI with broad applicability to solicitations and contracts across the federal government.

The proposed rule, in development for roughly a decade, represents a

Continue Reading FAR Council Proposes New FAR CUI Rule

This is the first blog in a series covering the Fiscal Year 2025 National Defense Authorization Act (“FY 2025 NDAA”).  This first blog will cover: (1) NDAA sections affecting acquisition policy and contract administration that may be of greatest interest to government contractors; (2) initiatives that underscore Congress’s commitment to strengthening cybersecurity, both domestically and internationally; and (3) NDAA provisions that aim to accelerate the Department of Defense’s adoption of AI and Autonomous Systems and counter efforts by U.S. adversaries to subvert them. 
Continue Reading President Biden signs the National Defense Authorization Act for Fiscal Year 2025

This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.”  The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain

Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by

Continue Reading October 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On October 15, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published software bill of materials (“SBOM”) guidance through the third edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (dated September 3, 2024) (the “Guidance”).  The Guidance provides “a minimum expectation for creating

Continue Reading CISA Releases Guidance on Minimum Expectations for Software Bill of Materials

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations