Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.
Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR
Recent high-profile cyber incidents involving exploitation of software vulnerabilities—such as the SolarWinds and MOVEit incidents—have increased scrutiny of the security of the software upon which corporate and government customers rely. Though phishing and social engineering continue to be leading causes of cyber incidents, there is growing potential legal exposure for companies from security vulnerabilities in
Last week, the government announced two sets of proposed revisions to the Federal Acquisition Regulation (FAR) to improve the cybersecurity of the government’s information systems. Both sets of revisions relate to President Biden’s May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity.
First, the Department of Defense (DoD), the General Services Administration
The Biden administration released its National Cybersecurity Strategy (“Strategy”) on March 2, 2023.1 The Strategy builds on previous policy actions by the Biden administration that sought to strengthen cybersecurity in critical infrastructure and protect personal data, including through regulatory action, government procurement requirements, and an emphasis on software security. The Strategy calls for (1)
On September 14, 2022, the US Office of Management and Budget (OMB) published a memorandum, M-22-18, requiring federal agencies to comply with previously announced guidelines for ensuring the integrity of third-party software on an agency’s information systems or that otherwise affects government information. Applicable to firmware, operating systems, applications, and application services (e.g., cloud-based
In remarks on October 13, 2021, at the Cybersecurity and Infrastructure Security Agency (“CISA”) National Cybersecurity Summit, Acting Assistant Attorney General Brian Boynton fleshed out the Department of Justice’s (“DOJ”) thinking regarding the nature of the cybersecurity failures that are likely targets for potential False Claims Act (“FCA”)1 enforcement under the Civil Cyber-Fraud Initiative
On October 6, 2021, the US Department of Justice (DOJ) announced a new initiative to address cyber-fraud and that focuses on government contractors. Specifically, DOJ has launched a “Civil Cyber-Fraud Initiative” (Initiative), which will combine DOJ’s “expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security
The William (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (“NDAA”) enacts major changes to America’s cyber defenses, reshaping how the private sector can combat growing cyber threats, as well as realigning roles and responsibilities of federal government agencies. This Legal Update discusses select cyber provisions in the NDAA and highlights key takeaways
The recent enactment of the “Internet of Things Cybersecurity Improvement Act of 2020” (the “Act”) promises new scrutiny of security in the Internet of Things (“IoT”)—the broad array of connected devices that are increasingly integrated into every aspect of modern life. This important legislation provides for the creation of IoT security guidelines for devices sold
On January 31, 2020, the US Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Cybersecurity Maturity Model Certification (CMMC) Version 1.0. DoD developed the CMMC to provide a unified cybersecurity standard for defense contractors and suppliers across all of the Defense Industrial Base (DIB), which,