On May 12, 2021 the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (EO).  Among other things, the EO sets out a list of deliverables from a variety of government entities.  A number of these deliverables were due in June, including a definition of “critical software,” the minimum requirements for a software bill of materials, and certain internal actions imposed on various federal agencies.
Continue Reading June 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

As the Senate approaches the end of its debate on the National Defense Authorization Act for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention.  These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject to review by U.S. national security agencies.

As drafted, the provisions could expose current and prospective contractors to intrusive scrutiny and significant risks.  They lack clarity on key definitions, leaving the precise scope of those risks unclear.  We summarize major issues and concerns below.  We expect these provisions to receive scrutiny during the House-Senate conference on the NDAA over the summer. 
Continue Reading Senate Armed Services Committee Proposes Expansive but Unclear Software Review Provisions

The U.S. Food and Drug Administration recently became one of a number of federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) core cybersecurity framework.  On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices.  The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity.  Although the final guidance is not binding, it is broadly applicable—the recommendations apply to device manufacturers submitting premarket applications and notifications (including 510(k) notifications), as well as to manufacturers implementing the requirements under the Quality System Regulation.   The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software.

In addition to adopting the NIST core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center, the final guidance sets forth concrete recommendations specifically applicable to medical devices.  The final guidance suggests, for example, that device manufacturers put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations.  The final guidance also recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to address identified risks.  Specifically, the final guidance recommends that manufacturers justify a decision to use a particular security function, such as the use of one among many authentication processes or methods of securing the transfer of data.
Continue Reading FDA Adopts Core NIST Framework in Guidance for Management of Cybersecurity in Medical Devices