Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.

Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR to standardize cybersecurity and incident reporting requirements for US government contractors. This Legal Update concerns a different trend toward restricting use of equipment and services with ties to jurisdictions viewed as high-risk by the US government. That regulatory impulse has implications for buyers and sellers alike: it signals the salience of the issue from a cybersecurity standpoint, it leads to limitations on what companies in the United States can purchase, and it may encourage the development of so-called “trusted markets” in other jurisdictions. Here, we outline the origin of those authorities and provide the current status on how they have been deployed so far, according to public information.

Continue reading.