On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity (the “EO”).  The EO sets out a list of deliverables due from a number of governmental entities in June 2021 and successive months.  Our overall summary of the EO and its deliverables can be found here, and our discussion of the EO deliverables that were due in June 2021 can be found here.  This blog addresses the EO deliverables in July 2021.

Developments Affecting Enhancement of Software Supply Chain Security

NIST Publishes Guidance on Security Measures for Critical Software Use

On June 25, 2021, the National Institute of Standards and Technology (“NIST”) published a white paper containing a definition of “critical software” for purposes of Section 4 of the EO, “Enhancement of Software Supply Chain Security.”  Section 4(i) of the EO requires NIST, in consultation with the Cybersecurity & Infrastructure Security Agency (“CISA”) and the Office of Management and Budget (“OMB”), to publish guidance by July 11 outlining security measures for critical software as defined by NIST, “including applying practices of least privilege, network segmentation, and proper configuration.”  On July 9, 2021, NIST published the guidance called for by Section 4(i).

NIST’s guidance is aimed at federal agencies’ use, in their operational environments, of “EO-critical software,” i.e., software that meets NIST’s definition of critical software under Section 4(g) of the EO.[1]  Although the EO was not explicit as to whether the guidance would extend beyond the government and its contractors, the guidance that was issued does not purport to cover development or acquisition of EO-critical software, nor does it purport to cover use of EO-critical software by non-governmental organizations.

The substance of the guidance consists of two main components: (a) Security Measure objectives, and (b) the Security Measures themselves.  The guidance explicitly makes these objectives and security measures applicable to both EO-critical software and EO-critical software platforms, which it defines as the platforms on which EO-critical software runs, including endpoints, servers, and cloud resources.  Thus, it would be a mistake to view the objectives and security measures set forth in the guidance as limited to software only.  The guidance defines the Objectives as:

  1. Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage.
  2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms.
  3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.
  4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.
  5. Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms.

Each of these objectives has several security measures associated with it.  For example, to protect EO-critical software and EO-critical software platforms from unauthorized access and usage under Objective 1, one of the security measures is to “[u]se multi-factor authentication that is verifier impersonation-resistant for all users and administrators of EO-critical software and EO-critical software platforms.”  The FAQs accompanying the guidance indicate that “an example of a verifier impersonation-resistant protocol is client-authenticated Transport Layer Security (TLS).”  Implementation of these security measures could represent a significant effort for agencies, depending on the nature and scale of the systems that they operate.

The security measures are largely sourced from other publications, including NIST SP 800-53 and NIST’s cybersecurity framework.  Although the measures are intended to apply to agencies, NIST indicated in the response to a separate FAQ that “[t]he security measures for using EO-critical software could be applied to cloud-based environments by cloud service providers.”

NIST Publishes Guidelines Recommending Minimum Standards for Vendor Verification of Their Software Source Codes

Section 4(r) of the EO requires NIST to publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing) by July 11, 2021.  On July 9, NIST published these guidelines.  NIST indicated that “[w]hile the EO uses the term ‘vendors’ testing,’ the intent is much broader and includes developers as well.”  Given the broad potential scope of the guidelines and their application to both vendors and software developers, it is possible that federal contractors could see these requirements imposed by certain agencies as part of their contracts with those agencies.

NIST’s recommended minimum verification standards consist of Technique Classes, Techniques, and Descriptions and References to Recommended Minimums Documents.  The Technique Classes are: (1) Threat Modeling; (2) Automated Testing; (3) Code-Based (Static) Analysis; (4) Dynamic Analysis; (5) Check Included Software; and (6) Fix Bugs.  Each of these Technique Classes includes one or more specific techniques.  For example, the Code-Based (Static) Analysis technique class includes the “Use a code scanner to look for top bugs” technique and the “Review for hardcoded secrets” technique.  The guidelines provide descriptions and references for these and all other techniques specified.

The FAQs included in the guidelines explain why the guidelines refer to source code “verification” rather than “testing,” which is the term used in the EO.  The response to FAQ #4 asserts that the term “testing” is often used to describe dynamic analysis only, and that the term “verification” is more technically accurate given “the myriad types of software testing referred to in the EO.”  It further states that use of the term verification “ensures that the goal of the EO is met.”  FAQ #3 explains why NIST extended the minimum standards to both vendor and developer verification even though the EO refers only to vendors.  The response to FAQ #3 notes that the software vendor and developer are not always the same, and that “verification should be done as early in the software development life cycle (SDLC) as possible, which will be by the developer,” while a vendor who is not also the software’s developer “should also perform verification but will not have the opportunity to be involved early in the process.”

Finally, FAQ #1 makes clear that the source code minimum verification standards “are guidelines and remain voluntary.”  However, Section 4(e) of the EO requires NIST to develop guidance for “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at minimum prior to product, version, or update release….”  FAQ #1 states that NIST anticipates that the guidance it develops under Section 4(e) will reference the software source code verification guidelines.

Recommendations Regarding FAR and DFARS Contract Language

Recommendations Regarding Agency-Specific Cybersecurity Requirements

Section 2(i) of the EO directs CISA, in consultation with the National Security Agency (“NSA”), the OMB Director, and the General Services Administration (“GSA”) Administrator, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract, and to recommend to the Federal Acquisition Regulation (“FAR”) Council by July 11, 2021 “standardized contract language for appropriate cybersecurity requirements.”  The section states that CISA’s recommendations “shall include consideration of the scope of contractors and associated service providers to be covered by the proposed contract language.”  This language is likely to be of great interest to the federal contractor community, as any recommended requirements could become a condition for certain contract awards.

It is unclear at this time whether CISA submitted any recommended standardized contract language for cybersecurity requirements to the FAR Council pursuant to section 2(i).  CISA’s website notes that pursuant to the EO, it “will work with OMB to recommend contract language that makes sharing critical data easier….”  Even if CISA has recommended language, we understand that it is CISA’s policy not to publicly disclose its recommended language until the FAR Council proposes standardized contract language for public notice and comment, which it is required by EO section 2(j) to do within 60 days of receiving recommended language from CISA.

Recommendations Regarding FAR and DFARS Contract Requirements and Language for IT and OT Service Providers

Section 2(b) of the EO requires OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Office of the Director of National Intelligence, to review the FAR and Defense Federal Acquisition Regulation Supplement (“DFARS”) contract requirements and language for contracting with information technology (“IT”) and operational technology (“OT”) service providers and to recommend updates to such requirements and language to the FAR Council and other appropriate agencies by July 11, 2021.  The section further requires that the recommended contract language shall include descriptions of contractors to be covered by the language, and shall be designed to ensure, among other things, that such service providers collect, report, and preserve data relevant to cyber incidents or potential cyber incidents on all information systems over which they have control, including systems operated on behalf of agencies.

It is unclear at this time whether OMB has completed its review of the relevant FAR and DFARS provisions or submitted any recommended contract language to the FAR Council for IT and OT service providers pursuant to section 2(b) of the EO.

Federal Network Infrastructure Modernization, Including Cloud Services

Section 3(b) of the EO requires the head of each federal agency, by July 11, 2021, to (a) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance, (b) develop a plan to implement Zero Trust Architecture, including migration steps that NIST has outlined in guidance and standards, and (c) provide a report to OMB discussing the agency’s cloud technology and Zero Trust Architecture plans.  Section 3(c)(iii) of the EO requires CISA, also by July 11, to develop and issue a cloud service governance framework for federal civilian agencies.  It is unclear at this time whether either of these deadlines was met.

National Security Systems Requirements

Section 9(a) of the EO requires the NSA, in coordination with the Director of National Intelligence and the Committee on National Security Systems, to adopt requirements for National Security Systems (“NSSs”) by July 11, 2021, that are equivalent to or exceed the cybersecurity requirements set forth in the EO that are not otherwise applicable to NSSs.  In general, an NSS is an unclassified information system that involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions.  Under the EO, any such requirements shall be codified in a National Security Memorandum (“NSM”), but until such time as that NSM is issued, no programs, standards, or requirements established pursuant to the EO shall apply with respect to NSSs.

[1] As discussed in our prior post, NIST defined EO-Critical Software as:

any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

– is designed to run with elevated privilege or manage privileges;

– has direct or privileged access to networking or computing resources;

– is designed to control access to data or operational technology;

– performs a function critical to trust; or,

– operates outside of normal trust boundaries with privileged access.

Authors: Robert Huffman, Susan B. Cassidy, and Ryan Burnette.