Information Technology

On January 23, 2026, the Office of Management and Budget (OMB) issued Memorandum M-26-05 “Adopting a Risk-based Approach to Software and Hardware Security,” which rescinds a previous Biden Administration’s requirement for all federal agencies to obtain a self-attestation from software producers in the “Common Form” developed by the Cybersecurity and Infrastructure Security Agency (CISA) before using certain third-party software.  As its rationale, OMB noted that the prior memoranda diverted agencies from developing tailored assurance requirements and failed to account for threats posed by insecure hardware.  Memorandum M-26-05 signals that the federal government is moving away from a “one-size fits-all” approach to software security and will instead allow each agency to develop tailored requirements.  In creating their own assurance requirements, agencies may still require a self-attestation and/or Software Bill of Materials (SBOM) from the software vendor if the agency determines that such assurances are necessary based on the risks involved and the agency’s needs.

Continue Reading OMB Rescinds the “Common Form” Secure Software Attestation Requirement

On March 20, 2025, President Trump issued executive order (“EO”) Eliminating Waste and Saving Taxpayer Dollars by Consolidating Procurement, which will have significant effects on federal government contracting.  The EO is intended to consolidate “domestic Federal procurement” within the General Services Administration (“GSA”) to “eliminate waste and duplication.”

The EO has two primary objectives:

  1. It grants GSA an increased role in the U.S. Government’s acquisition of “common goods and services”.
  2. It designates the GSA Administrator as “the executive agent for all Government-wide acquisition contracts for information technology” pursuant to 40 U.S.C. § 11302(e).[1]

We have summarized key provisions and potential effects of the EO further below.

Continue Reading Executive Order Issued To Expand GSA’s Role in Acquisition of “Common Goods and Services” and Information Technology

This is the twenty-seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during July 2023. 

Continue Reading July 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through April 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during May 2023. 

Continue Reading May 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023. 

Continue Reading April 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-third in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through February 2023.  This blog describes key actions taken to implement the Cyber EO during March 2023.

Continue Reading March 2023 Developments Under President Biden’s Cybersecurity Executive Order

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT related products or services to the Government, or that sell ICT related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Issues New Interim Report

On December 30th, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving  contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012.  As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171.  This current revision appears responsive to significant concerns raised by Industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.

The Second Interim Rule imposes the following changes:
Continue Reading Time Is On My Side: DoD Hears Industry Concerns – Additional Time Provided to Implement Security Controls Under New Cyber Rule

On March 16, U.S. Customs and Border Protection (“CBP”) issued a final country of origin determination that will be of interest to the consumer electronics device industry generally.  CBP ruled that under four different scenarios involving the manufacture and assembly of laptops abroad, downloading an operating system was not enough to change the computers’ country of origin for purposes of U.S. Government procurement.

CBP found each of the four scenarios presented in the ruling request failed to satisfy the “substantial transformation” test under the Trade Agreements Act, and squarely rejected the argument that downloading firmware, including a basic input/output system (“BIOS”), transforms “discrete and inoperable components into a finished product with a different name, character and use.”
Continue Reading Downloading An Operating System Does Not Substantially Transform Laptops for Purposes of U.S. Government Procurement