Office of Management and Budget

The Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide on August 2, 2024 titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” (the “Software Acquisition Guide”).  This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks.  This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (the “Secure By Demand Guide”).  Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Biden Administration’s May 2021 Cybersecurity Executive Order (“EO”) and the Office of Management and Budget (“OMB”) memoranda implementing that Order. 

The specific impact that the guides will have on federal procurements and software developers in the federal supply chain is not yet clear.  With this said, all software producers in the federal supply chain are currently required to fully comply with new secure software development minimum requirements promulgated by the Office of Management and Budget by September 8 of this year, as detailed in our prior post here.  The Software Acquisition Guide in particular builds on those requirements and thus could be adopted by agencies that opt to impose additional obligations on contractors beyond those minimum requirements.
Continue Reading New Guides Released Relating to Secure Software Development Requirements

The Trump Administration has declared this month National Slavery and Human Trafficking Prevention Month, calling on industry associations, law enforcement, private businesses, and others to work toward ending modern slavery and human trafficking. This proclamation follows the Administration’s efforts to combat human trafficking, which we have previously discussed here, and comes on the heels of an OMB memorandum released last fall aimed at “enhanc[ing] the effectiveness of anti-trafficking requirements in Federal acquisition while helping contractors manage and reduce the burden associated with meeting these responsibilities.”
Continue Reading Trump Administration Renews Focus on Anti-Human Trafficking Efforts

During his first State of the Union address on January 30, 2018, President Trump informed the country that “it is time to rebuild our crumbling infrastructure.”  He called on Congress to “produce a bill that generates at least $1.5 trillion for the new infrastructure investment we need.”  And, the President suggested that “every Federal dollar should be leveraged by partnering with State and local governments and, where appropriate, tapping into private sector investment — to permanently fix the infrastructure deficit.”

The President’s full infrastructure plan has yet to be unveiled, but a leaked summary of the plan from January 22 suggests that the plan will heavily depend upon encouraging “state, local and private investment” by providing incentives in the forms of grants.  Fixing federal infrastructure may be made difficult, however, due to the budgetary scoring rules implemented by the Office of Management & Budget (“OMB”).
Continue Reading Will President Trump’s Infrastructure Plan Address OMB Scoring?

Last Thursday, President Trump and his senior advisors met with representatives of organizations committed to fighting human trafficking. As reported by several news outlets (e.g., AP, NYT, and Reuters), the President stated during the meeting that he would commit the “full force and weight” of the U.S. government against what he views as an “epidemic” of human trafficking around the world.  He explained that he would “direct the Department of Justice, Department of Homeland Security, and other federal agencies that have a role in preventing human trafficking to take a hard look at the resources and personnel that they are currently devoting to this fight.”  He noted that these agencies “are devoting a lot, but we are going to be devoting more.”  The next day, President Trump appeared to reiterate his commitment on Twitter.
Continue Reading Trump’s Commitment Against Human Trafficking Brings Greater Uncertainty for Contractors

On December 7, the Office of Management and Budget, the Department of Labor, and the Office to Monitor and Combat Trafficking in Persons in the Department of State, issued a proposed memorandum titled “Anti-Trafficking Risk Management Best Practices & Mitigation Considerations.”  The document is intended, at least in part, to “promote clarity and consistency in the implementation of anti-trafficking requirements” imposed by Executive Order 13627, Title XVII of the FY 2013 National Defense Authorization Act, and the implementing regulatory provisions applicable to all federal contractors at FAR 22.17 and FAR 52.222-50.  Although the guidance document is in draft form, it is important for contractors to consider closely because it (1) outlines the government’s contemplated expectations on anti-trafficking risk mitigation, and (2) informs agencies that they may immediately take the contents of the memorandum “into consideration in applying the anti-trafficking requirements in the Federal Acquisition Regulation.”

In addition to reiterating the basic requirements of the anti-trafficking FAR rule (which we have covered in other posts), the memorandum outlines a series of “best practices and mitigation considerations” designed to inform contracting officers’ assessments of whether contractors are effectively carrying out their compliance responsibilities.  Although the guidance states that it is “not intended to augment or otherwise change existing regulatory requirements,” it does specify that, in the event the government becomes aware of a trafficking violation, a contractor’s compliance with the practices identified in the guidance is to be construed as a mitigating consideration weighing in the contractor’s favor.
Continue Reading New Guidance on Contractor Risk Management Under the Human Trafficking Rule Released

On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA to provide a leadership role for the Department of Homeland Security, to include security incident reporting requirements, and to make other key changes.

Background:  FISMA was originally passed in 2002 to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. FISMA charged the Director of the Office of Management and Budget (“OMB”) with oversight of agency information security policies and practices.

Changes:  The newly signed law, the “Federal Information Security Modernization Act of 2014” (“FISMA 2014”), makes several key changes to FISMA.

First, the law authorizes the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information and security practices for federal information systems. Among the Secretary’s responsibilities are convening meetings with senior agency officials, coordinating government-wide efforts for information security, consulting with the Director of the National Institute of Standards and Technology (“NIST”), and providing operational and technical assistance to agencies. Perhaps most importantly, the Secretary is tasked with developing and overseeing the implementation of “binding operational directives” to agencies to implement policies, principles, standards, and guidelines developed by the OMB Director. “Binding operational directives” are defined in FISMA 2014 as a “compulsory direction” to an agency “for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.”

This delegation of responsibility is likely related to another new law codifying DHS’s cybersecurity role and authorizing a cybersecurity information-sharing hub, the National Cybersecurity and Communications Integration Center.
Continue Reading FISMA Updated and Modernized