The Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide on August 2, 2024 titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” (the “Software Acquisition Guide”).  This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks.  This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (the “Secure By Demand Guide”).  Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Biden Administration’s May 2021 Cybersecurity Executive Order (“EO”) and the Office of Management and Budget (“OMB”) memoranda implementing that Order. 

The specific impact that the guides will have on federal procurements and software developers in the federal supply chain is not yet clear.  With this said, all software producers in the federal supply chain are currently required to fully comply with new secure software development minimum requirements promulgated by the Office of Management and Budget by September 8 of this year, as detailed in our prior post here.  The Software Acquisition Guide in particular builds on those requirements and thus could be adopted by agencies that opt to impose additional obligations on contractors beyond those minimum requirements.

Software Acquisition Guide

The Software Acquisition Guide is intended to be used both by government and by industry personnel and is meant to bridge gaps between other relevant security controls such as National Institutes of Standards and Technology Special Publication (“NIST SP”) 800-53 (“Security and Privacy Controls for Information Systems and Organizations”), the Federal Risk and Authorization Management Program (“FedRAMP”), and NIST SP 800-161 (“Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”).  The Software Acquisition Guide contains an illustration that indicates how these regimes overlap with each other:

Along these lines, the Software Acquisition Guide acknowledges the ongoing efforts that are focused on software acquisition and use by the Government – notably the existing EO and OMB requirements for the submission of secure software development attestation common forms and/or third party assessment results as a condition of producing software for end-use by the federal government – and expands upon these requirements.  Notably, the guide refers to those attestations as “a necessary starting point to addressing risks passed to using enterprises” of software and physical products, and attempts to build upon them in related areas such as Software Bills of Materials (“SBOMs”) and vulnerability scanning and patching.

The Software Acquisition Guide contains the following five primary sections:  (1) Supplier Governance and Attestations; (2) Software Supply Chain Controls; (3) Secure Software Development Controls; (4) Secure Software Deployment Controls; and (5) Vulnerability Management Controls.  Each of these sections has a set of “control questions,” some of which only apply under certain conditions.  For example, the Supplier Governance and Attestations section includes 19 control questions, the first of which is: “Does the supplier provide a CISA Secure Software Development Attestation Form, or equivalent such as the GSA 7700 Secure Software Development Attestation Form, without need for a POA&M, signed by the supplier’s designated employee (Chief Executive Officer or designee that can bind the suppliers)?”  If the supplier answers “Yes” to this question, it is excused from answering 25 of the remaining 76 control questions.  Similarly, if the supplier answers all 19 of the Supplier Governance and Attestations Control questions in the affirmative, then it is excused from responding to any of the control questions in the other sections.  

Many of these questions in the document are very detailed.  As an example, one of the control questions regarding Software Supply Chain Controls asks whether the supplier “create[s] a validated SBOM in an NTIA or CISA approved machine readable format with NTIA or CISA defined minimum fields for all releases of the software, including updates.”

Additionally, the guide contains certain questions relating to the risks of artificial intelligence in the acquisition supply chain to the use of artificial intelligence, such as whether suppliers have used any generative AI solutions in the development of software, whether the supplier has and enforces policies relating to the use of AI generated code, and whether the supplier performs ongoing reviews for data leakage associated with AI code.  Further, since the guide is based on practices outlined in NIST SP 800-218 (“Secure Software Development Framework”), it is possible that the guide may eventually be supplemented or revised by NIST SP 800-218A (“Secure Software Development Practices for Generative AI and Dual-Use Foundation Models”) that was very recently issued under President Biden’s Executive Order on Artificial Intelligence to the extent that these models are incorporated into or used in the development of end-software.  We covered NIST SP 800-218A and related frameworks in more detail in our prior post here.  

Secure By Demand Guide

The Secure By Demand Guide issued jointly by CISA and the FBI also provides organizations with questions to ask suppliers or potential suppliers before conducting software procurement in order to “understand each candidate software manufacturer’s approach to product security.  These questions begin with the following “General Questions”:  (1) “Has the manufacturer taken CISA’s Secure By Design Pledge?”; (2) “What progress reports has the manufacturer published in line with its commitments to the pledge?”; (3) “How does the manufacturer make it simple for customers to install security patches?”; and (4) “Does it offer support for security patches on a widespread basis and enable functionality for automatic updates?”

Following these questions, the Secure By Demand Guide provides questions tailored to the following subjects (1) Authentication; (2) Eliminating Classes of Vulnerability; (3) Evidence of Intrusions; (4) Software Supply Chain Security; and (5) Vulnerability Disclosures and Reporting.  Many of these questions are detailed and refer to existing or forthcoming requirements.  For example, within the Software Supply Chain Security category, the Secure By Demand Guide recommends that “the software manufacturer should maintain and share provenance data of third-party dependencies and have processes to govern its use of and contributions to, open source software components,” and provides the following questions to ask its software manufacturers:

  • “Does the manufacturer generate a Software Bill of Materials (SBOM) in a standard, machine-readable format and make this available to customers?  Does the SBOM enumerate all third-party dependencies, including open source software components?”
  • “How does the manufacturer vet the security of the open source software components to incorporate and facilitate contributions back to help sustain these open source projects?  Does the software manufacturer have an established process to do so, such as through an open source program office (OSPO)?”
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Photo of Robert Huffman Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing…

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain…

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.