Morrison Foerster’s Government Contracts Insights provides our in-depth analysis of developments and trends impacting government contracting. Through Insights, our attorneys offer a real-time assessment of the statutory, regulatory, legal, and business-related developments and trends that are shaping the industry. We also examine a full array of non-U.S. public procurement issues, mindful that our clients compete in a global marketplace.Morrison Foerster’s nationally recognized Government Contracts and Public Procurement practice represents the world’s leading companies in the aerospace and defense, intelligence, cybersecurity, information technology, financial and professional services, education, healthcare, infrastructure, and logistics support sectors. We are enlisted to address our clients’ most complex and important legal issues. Our work includes contract and subcontract negotiation and other transactional matters, business and regulatory compliance counseling, internal investigations, bid protests, and a wide array of enforcement and litigation matters. Our clients range from Fortune 50 companies to small and medium-sized companies just entering the public sector. We advise both U.S. and non-U.S. companies involved in municipal, state, federal, and non-U.S. procurement matters.<h2>ABOUT MORRISON FOERSTER</h2>Morrison Foerster is a leading global law firm that transforms complexity into advantage for its clients. Our clients include some of the largest financial institutions, banks, consulting and accounting firms, and Fortune 100, technology, and life sciences companies. Highlighting the firm’s commitment to client service, leadership in market-changing deals and impact litigation, and values-based culture, Morrison Foerster has been repeatedly recognized as one of the top 10 firms on The American Lawyer’s A-List. Year after year, the firm receives significant recognition from Chambers and The Legal 500 across their various guides, including Global, USA, Asia‑Pacific, Europe, UK, Latin America, and FinTech Legal. Our lawyers passionately care about delivering legal excellence while living our values. Morrison Foerster has a long-standing commitment to creating a culture that respects and celebrates differences, while providing an inclusive environment. The firm has achieved Mansfield Certification Plus since 2018 as a result of successfully reaching at least 30 percent women, communities of color, and LGBTQ+ lawyer representation in a notable number of current leadership roles and committees. The firm also has a long history of commitment to the community and society through providing pro bono legal services, including litigating for civil rights and civil liberties, improving public education and fostering the wellbeing of children, advocating for veterans, promoting international human rights, enforcing the right to asylum, and safeguarding the environment.

Social

Search

GAO Protest Timeline

govcon-gao-protest-timeline-thumb.jpg

Govcon GAO Post Award Protest Timeline Article

Contract Disputes Act Claim Timeline

govcon-contract-disputes-timeline-thumb.jpg

The Bayh-Dole Act

govcon-bayhdole-thumb.jpg

Anatomy of a Protest

govcon-federalclaimsprotest-thumb.jpg

Allowability of Legal Costs

govcon-allowabilityoflegalcosts-thumb.jpg

Procurement Integrity Act

240715-procurement-integrity-act-resized.jpg

Govcon-Resources

Tina is Co-chair of Morrison Foerster’s Government Contracts & Public Procurement practice. She represents a wide variety of government contractors including information technology, defense, biotechnology, and pharmaceutical companies, with a focus on general contract counseling and compliance, particularly concerning intellectual property, and cybersecurity matters and federal grant funding.Tina counsels contractors on compliance with federal, state and local acquisition and ethics regulations and with the evolving myriad of requirements pertaining to data security and cybersecurity. She has been involved with numerous internal investigations and compliance reviews, and with mandatory and voluntary disclosures to agencies, and litigation of False Claims Act matters.Tina routinely advises clients concerning:<ul><li>Prime-subcontractor relationships</li><li>Sources of supply and country of origin requirements</li><li>Price reductions and price reporting issues</li><li>Organizational conflicts of interest</li><li>Safeguarding of intellectual property and other proprietary interests</li><li>Licensing and data rights issues</li><li>Handling of classified materials and controlled unclassified information</li><li>Agency suspension and debarment proceedings</li></ul>She also assists clients with due diligence and other activities related to the acquisition of government contracting concerns, and with the drafting and negotiation of teaming agreements, subcontracts, licensing agreements, and cooperative research and development agreements. She also assists clients applying for federal grants (including SBIR and STTR agreements), and those who seek to obtain other transactional authority agreements, as well as those competing for state and local government work.Tina’s litigation experience includes government contracts claims litigation in federal courts and before boards of contract appeals, bid protests before the Government Accountability Office and the Court of Federal Claims, and complex disputes in federal courts, including civil fraud and False Claims Act litigation and reverse Freedom of Information Act litigation.Prior to joining Morrison Foerster, Tina worked at another large national firm and as a trial attorney in the Office of the General Counsel of the Navy, Navy Litigation Office.<h4>Representative Experience</h4><ul><li>Negotiation of largest CHIPS Act federal funding agreement between multinational semiconductor corporation and U.S. Department of Commerce.</li><li>Negotiated prime contract and major subcontracts related to the Department of Energy’s next generation supercomputer program, including extensive IP rights negotiations and negotiation of associated patent rights waivers.</li><li>Negotiated series of other transaction authority agreements with DARPA and associated subcontracts with more than a dozen research universities on behalf of a firm biotech client, including complex IP rights allocations and material transfer agreements.</li><li>Assist clients with FedRAMP authorization process and with development of license agreements for software products sold to federal, state and local government agencies.</li><li>Cyber incident response counseling to some of the largest companies and organizations impacted by security incidents.</li><li>Advises clients on Bayh-Dole reporting of inventions and IP strategies for contracts and grants.</li><li>Conducts due diligence for major government contract mergers and acquisitions.</li></ul>

reynolds_tina_blog_150x150.png

reynolds_tina_common_640x280.jpg

reynolds_tina_heroretina_2700x1160.jpg

reynolds_tina_mobileretina_750x1040.jpg

reynolds_tina_social_600x600.jpg

Partner

Our government contracts and procurement attorneys counsel businesses on legal and compliance issues encountered when doing business with government entities.

Government Contracts + Public Procurement

Government Contracts and Procurement Attorneys

Band 1: National: Government Contracts

Tier 1: Government Contracts

Readers Choice Award: Government Contracting

Tina is co-chair of Morrison Foerster’s Government Contracts & Public Procurement practice. She counsels a wide variety of government contractors on compliance with federal acquisition and ethics regulations. She drafts and negotiates contracts on their behalf and has been involved with numerous internal investigations and compliance reviews, and with bid protest, contract claims, and False Claims Act litigation. She also advises on M&A transactions involving government contractors.

Tina D. Reynolds

Jim Tucker is of counsel in Morrison Foerster’s Government Contracts and Public Procurement Practice Group and is based in the firm’s Washington, D.C. office.Jim’s practice runs the gamut of litigation and counseling in federal procurement matters, with an emphasis on bid protests, Cost Accounting Standards disputes, and small business matters. He has represented both protesters and awardees in scores of protests before the Government Accountability Office, the Court of Federal Claims, and procuring agencies, in acquisitions ranging from small business procurements to multibillion-dollar contracts of global significance. His representative protest matters span the aerospace sector, the Intelligence Community, base operations and logistics, healthcare, nuclear and environmental work, and information technology and software acquisitions. His protests have included both classified and unclassified programs. In addition to prevailing in published decisions, Jim has also secured favorable corrective action on behalf of clients in a wide variety of protests that were resolved without a published decision.Jim’s work also focuses on disputes over cost allowability and compliance with the Cost Accounting Standards, and he has appeared before the Armed Services and Civilian Boards of Contract Appeals, in size and status protests before Small Business Administration (SBA) area offices, and appeals before the SBA Office of Hearings and Appeals. Jim regularly counsels clients on contract interpretation, organizational conflicts of interest, and small business compliance.Jim graduated with high honors from the George Washington University Law School, where he focused his studies on federal procurement law, was a member of the Law Review, and interned with the General Services Administration’s suspension and debarment office. Jim also holds a degree in theology magna cum laude from the Pontifical Gregorian University in Rome and a bachelor’s degree in classical languages and literature summa cum laude from the University of Kentucky, where he graduated Phi Beta Kappa.

tucker_james_blog_150x150.png

tucker_james_common_640x280.jpg

tucker_james_heroretina_2700x1160.jpg

tucker_james_mobileretina_750x1040.jpg

tucker_james_social_600x600.jpg

Of Counsel

Jim maintains an active practice in bid protests before the Government Accountability Office and contracting agencies and counsels clients in contract disputes and compliance obligations.

Jim Tucker is of counsel in Morrison Foerster’s Government Contracts and Public Procurement Practice Group and is based in the firm’s Washington, D.C. office. Jim’s practice runs the gamut of litigation and counseling in federal procurement matters, with an emphasis on bid protests, Cost Accounting Standards disputes, and small business matters.

James Tucker

<div style="margin-bottom: 15px;" class="videoWrapper"><iframe class="sticky-video" title="Meet Alex Ward, Government Contracts Practice Co-Chair" src="https://www.youtube-nocookie.com/embed/TkliwdSlTaQ?rel=0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen="1" title="iframe"></iframe></div>J. Alex Ward is co-chair of Morrison Foerster’s Government Contracts and Public Procurement group. His practice covers a full range of government contracts matters, including investigations, bid protests, claims, general litigation, corporate transactions, and counseling. Alex strives in all matters is to provide his clients the highest level of efficient and effective representation.Alex represents contractors in internal and external investigations, disclosures to the government, and qui tam litigation, with great success in reducing or eliminating his clients’ exposure through active engagement with the government. His work in this area includes obtaining numerous declinations and dismissals of False Claims Act cases in their earliest stages, sparing his clients the cost, risk, and exposure of litigation.He has also served as lead counsel in dozens of bid protests involving military and civilian agency procurements of a wide range of products and services, including all manner of pre- and post-award protests in the GAO, the U.S. Court of Federal Claims, and state tribunals, as well as appeals to the U.S. Court of Appeals for the Federal Circuit and size protest appeals before the SBA’s Office of Hearings and Appeals.Alex handles all aspects of the claims process, from the initial assessment and drafting of requests for equitable adjustment through litigation in the Boards of Contract Appeals and the Court of Federal Claims. Alex’s practice also covers the full gamut of other controversies confronting government contractors, including prime-sub, teaming partner, employer-employee, competitor, and indemnification disputes. His litigation work also includes a wide variety of pro bono engagements, in which he has represented both individual and institutional clients in matters ranging from immigration and criminal defense to sustainable procurement and protection of the environment.Prior to joining the firm, Alex served in the U.S. Army as a commissioned officer and an Assistant to the General Counsel of the Army responsible for civil works and international matters, and as a clerk for judges on the U.S. Courts of Appeals for the Armed Forces and the D.C. Circuit. He is a member of the Boards of the Morrison & Foerster Foundation and the Chesapeake Bay Foundation and of Law360’s Government Contracts Editorial Board.

ward_alex_blog_150x150.png

ward_alex_common_640x280.jpg

ward_alex_heroretina_2700x1160.jpg

ward_alex_mobileretina_750x1040.jpg

ward_alex_social_600x600.jpg

Alex is co-chair of Morrison Foerster’s Government Contracts and Public Procurement practice. His practice covers a full range of government contracts matters, including bid protests, claims, investigations, corporate transactions, and counseling.

J. Alex Ward

favicon.ico

favicon-16x16.png

favicon-32x32.png

apple-touch-icon.png

MoFo Favicons

Morrison Foerster’s Government Contracts Insights blog provides an in-depth analysis of news, developments, and trends impacting government contracting and procurement. Through Insights, attorneys from our nationally recognized Government Contracts and Public Procurement practice will offer a real-time assessment of the statutory, regulatory, legal, and business-related developments that are shaping the industry. This blog will also examine a full array of U.S. and non-U.S. public procurement issues, mindful that our clients compete in a global marketplace.Read about our <a href="http://govcon.mofo.com/editors/">Authors</a>.Never miss a post. Subscribe to get real-time updates.

gov-con-feature-image-thumb1.jpg

Welcome to the Government Contracts Insights Blog

Welcome to the Government Contracts Insights Blog

gov-con-feature-image_(1)1.jpg

The United States Capitol building

Morrison Foerster’s Government Contracts Insights blog provides an in-depth analysis of news, developments, and trends impacting government contracting and proc

Announcements & Press

Blog - Terms of Use

Blog - Privacy Policy

Blog - Blog Disclaimer

Blog - Attorney Advertising

morrison-foerster-blog-logo.png

Provides insights and reports on the most current class actions lawsuits and product liability issues that affect consumer-facing companies.

Class Dismissed Blog

Class Dismissed

Looks behind the headlines to explore the trends, identify the opportunities, analyze the issues, and provide guidance for science and technology-based companies.

MoFo Tech

Mofo Tech

News and thought leadership from lawyers who are adding value to the legal profession and the communities we call home.

  External-Link

MoFo + Blog

Mofo+

Stay on top of emerging issues and stay informed of developments related to the law and business of social media.

Socially Aware

Our Government Contracts Insights blog provides in-depth analysis of developments and trends impacting U.S. government contracting and non-U.S. public procureme

Government Contracts Insights

  Linkedin

MoFo LinkedIN

Blog - Govcon RSS

Stay Connected

Never miss a post from Government Contracts Insights. Enter your email below to stay up-to-date.

Subscribe

The latest updates and analysis from Morrison Foerster

Morrison Foerster - Footer

Blogs -  Home Button

Home

Blog - Topics

Acquisition Regulations

Topics

Blog - Editors

Editors

Blog - About

About

Blog - Subscribe

More

James A. Tucker

Strengthening the American Drone Industrial Base

Bid Protest Spotlight: Jurisdiction, Price Range, Late-Is-Late

Trump Issues Executive Order on Cybersecurity Rolling Back Some Prior Policies and Introducing New Ones

GAO Reaffirms Agencies’ Discretion to Award Sole-Source SBIR Phase III Contracts (Even to a Successor-in-Interest)

Ongoing FAR Overhaul: Market Research and the New FAR Part 10

LinkedIN

On May 10, 2023, the National Institute of Standards and Technology (“NIST”) released an <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf" target="_blank">Initial Public Draft</a> of Revision 3 to NIST Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Although still in draft form, the document provides important guidance to federal government contractors and other companies that must use NIST SP 800-171 as a baseline for cybersecurity compliance. The draft Revision 3 was informed by public comments received by NIST, and NIST is seeking additional public comment on this revision.BackgroundNIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. SP 800-171 is used as a baseline of security requirements for protection of controlled unclassified information (“CUI”)—sensitive information that requires certain confidentiality, access, or dissemination controls—when that information resides outside of federal government systems (i.e., on contractor systems).  The requirements apply to those components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components, and only where no other applicable law, regulation, or policy prescribes different or more specific safeguarding requirements.  The NIST SP 800-171 requirements are imposed via contractual vehicles or other agreements established between federal agencies and nonfederal organizations. Outside of government agreements, commercial parties also may require or rely upon the requirements of NIST SP 800-171 as a cybersecurity compliance standard.The requirements of SP 800-171 are derived from <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf" target="_blank">Federal Information Processing Standards (“FIPS”) 199</a>, Standards for Security Categorization of Federal Information and Information Systems; <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf" target="_blank">FIPS 200</a>, Minimum Security Requirements for Federal Information and Information Systems; and <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf" target="_blank">NIST SP 800-53</a>, Security and Privacy Controls for Federal Information Systems and Organizations. For purposes of CUI protection under NIST SP 800-171, NIST has assumed that the confidentiality impact value for CUI is no less than moderate under the FIPS categorization methodology.  To develop the NIST SP 800-171 controls, NIST started with the more rigorous NIST SP 800-53 controls for a moderate control baseline, which satisfy the minimum security requirements under FIPS 200. It then tailored those controls to eliminate those that are:  (i) primarily the responsibility of the federal government; (ii) not directly related to protecting the confidentiality of CUI; or (iii) expected to be implemented by organizations without specification by the federal government.  The NIST SP 800-171 security requirements are a subset of controls necessary for an information security program. Under Revision 2, 14 control families were present; but with Revision 3, they are organized into 17 control “families,” as follows:<table><colgroup data-width='672'><col style="width:30.357142857142854%"><col style="width:26.785714285714285%"><col style="width:42.857142857142854%"></colgroup><tbody><tr><td>Access Control</td><td>Maintenance</td><td>Security Assessment and Monitoring</td></tr><tr><td>Awareness and Training</td><td>Media Protection</td><td>System and Communications Protection</td></tr><tr><td>Audit and Accountability</td><td>Personnel Security</td><td>System and Information Integrity</td></tr><tr><td>Configuration Management</td><td>Physical Protection</td><td>Planning*</td></tr><tr><td>Identification and Authentication</td><td>Risk Assessment</td><td>System and Services Acquisition*</td></tr><tr><td>Incident Response</td><td></td><td>Supply Chain Risk Management*</td></tr></tbody></table>Families with an asterisk (*) have been added with Revision 3 to maintain consistency with the NIST SP 800-53B moderate control baseline.Section 3 of NIST SP 800-171 describes applicable requirements for each of these control families, including numerous subcategories of requirements within each family.  For each subcategory, there is a discussion section, with examples, as well as references to source controls from NIST SP 800-53 and a list of supporting publications. As discussed below, one of the proposed changes with Revision 3 is the addition of organization-defined parameters (“ODP”), which allow for additional flexibility for federal agencies by permitting them to set specific values for defined parameters. Once specified, these ODP become part of the requirement.Proposed Changes Introduced Through NIST SP 800-171, rev. 3In the draft Revision 3, NIST has proposed several significant changes from the prior version of the publication. The updates are designed to streamline and clarify requirements.  Below, we highlight some of the most consequential modifications.Elimination of the distinction between basic and derived security requirementsNIST has proposed to eliminate the distinction between basic security requirements from FIPS 200 and derived requirements from NIST SP 800-53.  NIST SP 800-171 previously required compliance with both basic and derived controls, but the revision now proposes to require compliance only with derived controls. This is due in part to NIST’s recognition that FIPS 200 requirements are very high-level and lack sufficient specificity to be useful. Updating of security controlsNIST has proposed to streamline security requirements by removing outdated and redundant requirements. It has also added new security requirements, thus keeping the number of security controls approximately the same.   Increase in specificity of security requirementsNIST has proposed to increase the level of detail of the various security requirements in order to remove ambiguity, improve effective implementation, and clarify the scope of assessments. This was likely in reaction to feedback that previous requirements were open to interpretation, which has made compliance and security assessments more challenging. Introducing specificity has the potential to make compliance with specific controls more onerous by reducing organizational flexibility with respect to protecting CUI, but it also may facilitate compliance by clarifying security requirements.Update of security requirements to reflect recent changes in NIST SP 800-53 and SP 800‑53BNIST has updated the security requirements and families in NIST SP 800-171 to reflect updates in, and better align with, NIST SP 800-53, rev. 5 and <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf" target="_blank">NIST SP 800-53B</a>, Control Baselines for Information Systems and Organizations. This was in response to feedback that organizations are overwhelmed by the number of potentially applicable security and risk management frameworks for the public and private sectors. To facilitate the harmonization of requirements, NIST has provided as part of the revision a <a href="https://csrc.nist.gov/csrc/media/Publications/sp/800-171/rev-3/draft/documents/sp800-171r3-ipd-cui-overlay.xlsx" target="_blank">Prototype CUI Overlay</a>, which shows how the moderate control baseline in NIST SP 800-53B can be tailored at the control and control‑item levels to align with the NIST SP 800-171 security requirements.Introduction of ODPAs noted above, another significant proposal is the introduction of ODP for certain security requirements. ODP currently are present in NIST SP 800-53 to provide government agencies with flexibility to tailor security requirements to their specific needs. NIST is now proposing to introduce ODP to NIST SP 800-171 to give federal agencies similar flexibility to tailor requirements for protection of CUI. ODP would be reflected in NIST SP 800-171 through agency‑assigned parameters such as time periods and numbers of operations, as shown in the example below:<div data-reactroot=""><img src="https://media2.mofo.com/v3/images/blt5775cc69c999c255/bltef14ed99f31b244f/64626cd16606ca423795dff7/230515-govcon-graphic.PNG?format=auto&amp;quality=60" alt="govcon graphic"/></div>View a detailed analysis of the updates from <a href="https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft" target="_blank">Revision 2 to Revision 3</a>.Next StepsPublic comments on the Initial Public Draft should be submitted to NIST by July 14, 2023.  NIST has indicated that it is specifically interested in feedback related to re-categorized controls, ODP, and the Prototype CUI Overlay. See a <a href="https://csrc.nist.gov/csrc/media/Publications/sp/800-171/rev-3/draft/documents/sp800-171r3-ipd-comment-template.xlsx" target="_blank">template for comments</a>.In the meantime, federal contractors and others who are bound by the NIST SP 800‑171 requirements should review the updated revision and associated materials and prepare to adjust their security controls and systems at such time as the newly revised publication is adopted by their customers.  We recommend particular focus on the three new control families and their requirements. In terms of timing, contractors should bear in mind that Revision 3 generally will not require regulatory changes and may be implemented through contract modifications. For example, the applicable Defense Federal Acquisition Regulation Supplement (“DFARS”) clause requires compliance with the version of NIST SP 800-171 “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” DFARS 252.204-7012(b)(2)(i). Similarly, we have seen the Department of Veterans Affairs include language in certain contracts that commits the parties to agree to negotiate in good faith the implementation of updated security requirements in FIPS or NIST SPs after contract execution. In other words, Revision 3 not only will begin to be required as soon as it moves from draft to final publication in all new procurements, but also may be adopted for existing contracts through contract modifications.Even for those companies not involved in federal contracting, changes to NIST security requirements very often are adopted by industry more broadly as best practices, so these updates should also be carefully considered by the private sector more broadly.

NIST Releases Revised Cybersecurity Controls and Requirements for Protection of Controlled Unclassified Information Resident in Contractor Information Technology Systems

Tina is a partner in Morrison & Foerster’s Government Contracts practice. She represents a wide variety of government contractors including information technology, defense, biotechnology, and pharmace

Tina Reynolds

Sandeep Nandivada is a partner in the Litigation Department of Morrison Foerster’s Washington, D.C. office.

Sandeep N. Nandivada

Sandeep Nandivada

12_30_cybersecurity_07.jpg

NIST Releases Revised Cybersecurity Controls and Requirements for Protection of Controlled Unclassified Information Resident in Contractor Information Technology Systems

DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements

On May 10, 2023, the National Institute of Standards and Technology (“NIST”) released an Initial Public Draft of Revision 3 to NIST Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in 

Cybersecurity & Data Privacy

The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) recently published a <a href="https://www.cisa.gov/resources-tools/resources/secure-software-self-attestation-common-form" target="_blank">draft version</a> of a Secure Software Development Attestation Common Form. The draft Common Form is designed to confirm that software producers (i.e., the manufacturers/developers of software products) have followed minimum secure software development practices in compliance with guidance created by the National Institutes of Standards and Technology (NIST). Such affirmation was mandated by a White House Office of Management and Budget (OMB) memorandum issued September 14, 2022, as a prerequisite to acquisition of software by federal agencies. Interested parties have until June 26, 2023 to comment on the draft form.As we have <a href="https://govcon.mofo.com/topics/companies-selling-software-to-the-u-s-government-soon-must-attest-to-compliance-with-nist-guidance-on-software-supply-chain-security" target="_blank">previously advised</a>, the purpose of the self-attestation form is to enhance the security of the nation’s software supply chain, which has been proven vulnerable by incidents like the Colonial Pipeline and Solar Winds attacks. The Common Form marks one step towards increased transparency, stability, and security of the software acquired by the federal government, consistent with President Biden’s <a href="https://govcon.mofo.com/topics/210601-executive-order-on-cybersecurity" target="_blank">Executive Order 14028</a>, Improving the Nation’s Cybersecurity.What Does the Common Form Entail?The Common Form is composed of three sections. Section I requires a list of the software to which the attestation applies, including software product name, version number, and release/publish date. Section II collects information about the software producer (name, address, etc.) and the responsible primary contact. Section III requires a signed attestation by the Chief Executive Officer or delegate that affirms the producer complied with the standards and best practices established in NIST Special Publication (SP) <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf" target="_blank">800-218</a>, “Secure Software Development Framework” (SSDF).Specifically, the form requires producers to attest:<ol><li>The software is developed and built in secure environments;</li><li>The software producer made a good-faith effort to maintain trusted source code supply chains;</li><li>The software producer maintains provenance data for internal and third-party source code incorporated into the software; and</li><li>The software producer employs automated tools or comparable processes that check for security vulnerabilities.</li></ol>Agencies may also include additional requirements, such as a request for a Software Bill of Materials (SBOM) or other artifacts or documentation. Agencies may require such additional documentation or artifacts be either attached to the Common Form or maintained and updated at another agency-designated location online. It is anticipated that the Common Form will be a fillable PDF that will be submitted electronically by the software producer to CISA.What Software Is Covered by the Attestation Requirement?The Common Form covers three categories of software, based on its development date. A Common Form attestation is required for all software developed after September 14, 2022, in order to sell to the federal government. The Common Form is also required for existing software modified after September 14, 2022 with major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0). Finally, the Common Form is required for software for which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).Software freely obtained directly by a federal agency (e.g., freeware or open-source software) and software developed internally by federal agencies require no attestation. However, open-source elements incorporated by software producers into a software deliverable must be part of the software producer’s attestation.If the relevant software has been verified by a certified FedRAMP third-party assessor organization (3PAO) or other 3PAO approved in writing by an appropriate agency official in accordance with relevant NIST guidance, the software producer does not need to submit an attestation, but must provide relevant documentation from the 3PAO instead.If it cannot fully attest to compliance with the SSDF, a software producer must provide documentation identifying the practice(s) to which it cannot attest. The purchasing agency then must document the practices the agency has in place to mitigate resulting risks and require a plan of actions and milestones (POAM) from the software producer to address compliance gaps.What Is the Estimated Burden?DHS <a href="https://www.govinfo.gov/content/pkg/FR-2023-04-27/pdf/2023-08823.pdf" target="_blank">estimates</a> the total opportunity costs to all software producers of completion of the Common Forms will be $923,623 annually, based on BLS labor rates and the following estimates. DHS anticipates receiving 2,689 initial form submissions and 1,345 resubmissions of the form—due to major software changes—per year. Each initial submission will impose a three-hour burden on a quality assurance analyst or tester to understand requirements and the gather information. Additionally, DHS estimates a Chief Information Security Officer (CISO) will require 20 minutes to review, and approve, the release of information in each initial submission.DHS assumes that half of initial submissions will result in resubmission for a major software change or update. Each resubmission DHS estimates will require a software quality assurance analyst or tester an additional hour and 30 minutes to complete and a CISO 20 minutes to review. Failure to ensure the accuracy of the attestation may result in a far greater burden, including potential False Claims Act liability and suspension or debarment.Next Steps for Software ProducersAffected software producers, as well as resellers of software products, systems integrators, and other affected parties, are encouraged to submit comments on the draft Common Form, the information requested therein, and the feasibility of the attestation. DHS and CISA are particularly interested in comments regarding the practical utility of the proposed information collection: whether DHS accurately estimated the burden on the producers, and ways DHS might enhance the quality, utility, and clarity of the information collected. The practicality of the attestation’s application to open-source components of software products may be particularly ripe for comment.Once the Common Form is required, software producers should bear in mind that completion of the form is mandatory and that failure to provide any of the information requested may result in the inability to sell the software to the federal government. Further, providing false or misleading information may constitute a violation of the criminal False Statements Act or could result in a violation of the False Claims Act in connection with a sale.

Federal Government Provides Further Guidance and Draft Attestation Form for Software It Acquires

speidel_markus_blog_150x150.png

speidel_markus_common_640x280.jpg

speidel_markus_heroretina_2700x1160.jpg

speidel_markus_mobileretina_750x1040.jpg

speidel_markus_social_600x600.jpg

Associate

Markus Speidel is an associate in Morrison & Foerster’s Government Contracts & Public Procurement group, in Washington, D.C. Markus assists clients across a wide range of contract matters, including contract claims and disputes, bid protests, compliance counseling, and investigations.

Markus Gerhard Speidel

Markus Speidel

230502-gov-con-blog-graphic.jpg

Federal Government Provides Further Guidance and Draft Attestation Form for Software It Acquires

230502-gov-con-blog-graphic

The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) recently published a draft version of a Secure Software Development Attestation Common Form. 

Software companies that sell commercial software products to federal agencies soon must begin attesting to their compliance with guidance designed to enhance the security of the software supply chain. Under a new White House Office of Management and Budget (OMB) <a href="https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf">memorandum</a> issued September 14, federal agencies must require software “producers” (i.e., the developers of software) to confirm their compliance with specific guidance created by the National Institutes of Standards and Technology (NIST). The OMB memorandum implements the software supply chain enhancements first suggested under Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, on which we’ve previously <a href="https://govcon.mofo.com/topics/210601-executive-order-on-cybersecurity">commented</a>. For purposes of the memorandum, the term “software” includes firmware, operating systems, applications, and cloud-based software, as well as products that contain software. The new requirements apply to software developed after the memorandum’s effective date (more on this below), and to existing software if modified by major version changes. Once the policy is in full effect, federal agencies may only use software if the software producer has attested to compliance with the NIST guidance, subject to certain limited exceptions. The purpose of the new requirements is to protect federal information systems from cyberattacks by ensuring the integrity of software acquired by the government. The policy can be traced to the SolarWinds compromise that impacted multiple U.S. government systems and other similar security incidents.When do the new rules take effect?Under the scheme set forth in the OMB memorandum, agencies have 90 days (or until December 14) to inventory their existing software and 120 days (until January 14, 2023) to develop a process for communication with software vendors. Agencies must begin collecting attestation letters for “critical software”<a href="about:blank">[1]</a> within 270 days (by June 14, 2023) and for all other software within 365 days (by September 14, 2023). In other words, within the next year, any software company seeking to sell its products to the federal government will need to assess and come into compliance with the NIST guidance. Note, however, the memorandum does permit agencies to request extensions of the above deadlines. If past is prologue, the implementation timeline may well be expanded beyond a year.What is the relevant NIST guidance?The two publications collectively referred to as the “NIST Guidance” in the OMB memorandum are the <a href="https://csrc.nist.gov/Projects/ssdf">NIST Special Publication (SP) 800-218</a> – Secure Software Development Framework (SSDF) and the <a href="https://www.nist.gov/system/files/documents/2022/02/04/software-supply-chain-security-guidance-under-EO-14028-section-4e.pdf">NIST Software Supply Chain Security Guidance</a>.NIST SP 800-218 provides high-level guidance on how software producers can integrate security into the software development life cycle. The framework consists of four recommendations, each broken down into a series of more specific practices and more well defined tasks, followed by examples and references. The recommendations are:<ul><li>Prepare the organization, by ensuring that the people, processes, and technology are prepared to perform secure software development.</li><li>Protect the software, including all components from tampering and unauthorized access.</li><li>Produce well-secured software, with minimal security vulnerabilities in each release.</li><li>Respond to vulnerabilities, by identifying residual vulnerabilities and responding appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.</li></ul>The publication takes the form of a chart, mapping out each recommendation, practice, and task. The executive summary clarifies that not all practices apply to every use case, and that organizations should adopt a risk-based approach to determine which practices are relevant, appropriate, and effective to mitigate the threats to their software development practices.The NIST Software Supply Chain Security Guidance provides additional direction, aimed primarily at agencies, to assist in integrating the SSDF into procurements. The guidance clarifies that although open-source software freely obtained by federal agencies falls outside the scope of the framework, open-source software that is bundled, integrated, or otherwise used as part of any third-party software purchased by agencies is covered by the SSDF. Additionally, the guidance applies to both on premises and cloud-hosted software. The guidance further recommends that agencies:<ul><li>Use the SSDF’s terminology and structure to organize communications about secure software development requirements.</li><li>Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle.</li><li>Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required.</li><li>Request high-level artifacts demonstrating conformance, when needed. </li></ul>How do I provide an attestation?The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has been directed to work with OMB to establish a “common form” suitable for use by multiple agencies. The form will provide a minimum level of assurance that the vendor followed NIST Guidance, and will include the software producer’s name, a description of the product or products the statement covers, and a statement attesting that the software producer followed NIST recommended secure development practices. Alternatively, a vendor may obtain a third-party assessment, provided by a certified FedRAMP Third-Party Assessor Organization (3PAO) or another assessor approved by the agency, in lieu of attestation. The OMB memorandum suggests that use of this process might be especially useful for open source software, or products incorporating open source software.Beyond the simple attestation form, agencies may also request artifacts in future solicitations, such as a complete Software Bill of Materials (SBOM), depending on the criticality of the software or the agency’s determination of need. To facilitate information sharing with the government, within the next two years CISA will establish a government-wide repository for software attestations and artifacts. As needed, CISA also will publish updated SBOM guidance for federal agencies.What if my software does not fully comply?In exceptional circumstances, and only for limited durations, agencies may seek a waiver of specific requirements from OMB, which will review the requests on a case-by-case basis. OMB will post specific instructions for submitting waiver or extension requests within 90 days.If a software producer cannot attest to its conformance with one or more practices from the NIST Guidance, the requesting agency shall require the software producer to identify those practices to which they cannot attest, to document measures in place to mitigate risks, and to develop a Plan of Action & Milestones (POA&M) to address remaining gaps. The POA&M and other documentation will not be posted publicly by either the vendor or the agency. If the software producer supplies this documentation and the agency finds the POA&M satisfactory, the agency may use the software despite the producer’s inability to provide a complete self-attestation.What if my company does not develop software, but uses third-party software in its products?The scope of the attestation requirement extends not just to stand alone software and cloud-based software-as-a-service offerings but also to other products that incorporate third-party software. Under the process as described, the attestation must come from the software “producer” itself. But companies that incorporate third-party software into their own products will have a vested interest in ensuring compliance by their essential software subcontractors, as the end products incorporating the software may not be sold to the government absent an attestation (or use of an alternative assessment methodology, or an agency waiver).ConclusionBy requiring software producers to attest to compliance with the NIST Guidance, the government aims to ensure that companies undertake a risk-based approach to secure software development, which ultimately will help ensure the overall security of federal information systems. Given the deadlines, all companies that sell (or want to sell) software to the government, whether directly or through resellers or other channels, should quickly assess their compliance with the NIST Guidance, develop action plans to address any gaps, and carefully document their activities. Some companies may be required to rethink development strategy for new products or major version upgrades. As with all recent government cybersecurity initiatives, dates may slip and the contours of the requirements may change around the edges, but the basic policy directive here is clear, and software producers that intend to keep the U.S. government as customers need to get on board. In addition, contractors whose products rely upon or incorporate software will need to ensure that the vendors upon which they are dependent are fully engaged in the attestation process.By implementing the policy through an attestation form rather than a contract clause, the government is making sure software producers are directly involved in the process, and are legally liable, under False Statements and False Claims Act authority, for any misrepresentations or misstatements. This was surely a deliberate decision to reinforce the seriousness of the issue and to help ensure more widespread compliance. As with any attestation or certification requirement, the new policy brings with it the potential for enforcement actions, whether initiated by the government or by False Claims Act qui tam relators. Software vendors therefore should pay particular attention to their compliance assessments and the representations that they make going forward.  <a href="about:blank">[1]</a> A <a href="https://whitehouse.gov/wp-content/uploads/2021/08/M-21-30.pdf" target="_blank">prior OMB memorandum</a> directed NIST to issue guidance of security measures for “critical software,” defined as any software that has, or has direct software dependencies upon, one of more components with at least one of these attributes:- is designed to run with elevated privilege or manage privileges; - has direct or privileged access to networking or computing resources; - is designed to control access to data or operational technology; - performs a function critical to trust; or - operates outside of normal trust boundaries with privileged access.

Companies Selling Software to the U.S. Government Soon Must Attest to Compliance with NIST Guidance on Software Supply Chain Security

Companies Selling Software to the U.S. Government Soon Must Attest to Compliance with NIST Guidance on Software Supply Chain Security

Software companies that sell commercial software products to federal agencies soon must begin attesting to their compliance with guidance designed to enhance the security of the software supply chain.

The Department of Justice (DOJ) has created a new <a rel="noopener" target="_blank" href="https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative">Civil Cyber-Fraud Initiative</a> to use the power of the False Claims Act (FCA) to initiate suits against federal contractors and grant recipients that fall short of their regulatory and contractual cybersecurity obligations. This initiative, announced on October 6, 2021, builds on the Biden administration’s efforts to protect federal government networks from cybersecurity threats and to promote notifications of incidents by federal contractors to their federal agency customers—efforts that were outlined in the President’s May 2021 <a rel="noopener" target="_blank" href="https://govcon.mofo.com/cybersecurity-and-data-privacy/executive-order-on-cybersecurity-expands-mandatory-breach-notification-and-supply-chain-security-requirements-for-government-contractors/">Executive Order on Improving the Nation’s Cybersecurity</a>.To learn more,<a rel="noopener" target="_blank" href="https://www.mofo.com/resources/insights/211012-doj-cyber-fraud-initiative.html"> read our client alert.</a>

DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements

The Department of Justice (DOJ) has created a new Civil Cyber-Fraud Initiative to use the power of the False Claims Act (FCA) to initiate suits against federal 

This week, U.S. Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a broad group of bipartisan co-sponsors, introduced legislation that would require government agencies, contractors, and operators of critical infrastructure to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. The bill is a response to incidents like the SolarWinds and Colonial Pipeline hacks, which have put a fresh spotlight on the national security implications of cyber incidents and the need for greater information sharing. It expands on efforts by the Biden administration, such as the Executive Order on Improving the Nation’s Cybersecurity, to implement more expansive cyber breach notification requirements for entities that do business with the federal government. The bill, known as the Cyber Incident Notification Act of 2021, which has been previewed in the press for some time, has broad bipartisan and industry support and a strong chance of being enacted by Congress.Read the <a rel="noopener" target="_blank" href="https://www.mofo.com/resources/insights/210723-mandatory-cyber-breach-notification-bill.html">full client alert</a>.

11_23_li_tech3.jpg

U.S. Congress Introduces Bill that Would Require Mandatory 24 Hour Cyber Breach Notification for Government Agencies, Contractors, and Operators of Critical Infrastructure

U.S. Congress Introduces Bill that Would Require Mandatory 24 Hour Cyber Breach Notification for Government Agencies, Contractors, and Operators of Critical Infrastructure

11_23_li_tech3

This week, U.S. Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a broad group of bipartisan co-sponsors, introduced legislation that

National Security

On May 12, 2021, the Biden administration issued an ambitious Executive Order on Improving the Nation’s Cybersecurity (EO) declaring the prevention, detection, assessment, and remediation of cyber incidents to be a “top priority and essential to national and economic security.” Over 8,000 words long, the EO establishes a series of initiatives designed to better equip the U.S. federal government to respond to cybersecurity threats. The most notable provisions of the EO are as follows:<ul><li>It sets in motion changes to federal contracts that will add breach notification and information sharing requirements for government service providers and remove existing contractual barriers to threat information sharing by the private sector;</li><li>It establishes baseline security standards for the development of software sold to the government by all commercial suppliers; and</li><li>It provides minimum cybersecurity requirements for federal agencies, like the use of multifactor authentication and encryption, and helps to move the federal government toward secure cloud services and zero-trust architecture.</li></ul>The EO reflects the government’s heightened concerns about cyber threats, particularly following the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. It also reflects the Administration’s efforts to leverage the buying power of the federal government to incentivize the software market to build security into the software development lifecycle, and to expand and enhance the information sharing between the private sector and the government.<h4>STATUS QUO</h4>Currently, federal contractors’ cyber incident reporting requirements are primarily based on a patchwork of agency-specific policies, regulations, and contract clauses. For example, the Defense Federal Acquisition Regulation Supplement (DFARS) requires reporting of incidents that affect “covered defense information,” while other agencies require reporting in the form of contract clauses or agency information security policies and only if agency-specific information or certain categories of information held by the agency (such as personally identifiable information or protected health information) have been compromised.The Federal Acquisition Regulation (FAR) has a basic safeguarding clause, FAR 52.204-21, that applies to nearly all federal contractor information systems. This clause currently stops short of requiring breach notification. Instead, it merely imposes basic safeguarding requirements and procedures amounting to good cybersecurity hygiene. By contrast, DFARS 252.204-7012, requires defense contractors to “rapidly report” – i.e., within 72 hours – any “cyber incident” following a review for evidence of compromise.In sum, many government contractors are already subject to security incident notification requirements, but they vary depending upon the agencies with which those companies contract, and the nature of the information traversing their information technology (IT) systems.<h4>THE EO’S CYBER INCIDENT REPORTING REQUIREMENTS</h4>The new EO seeks to expand existing cyber breach notification requirements by modifying contract terms to require all providers of IT and operational technology (OT) services to the federal government, including, but not limited to, cloud service providers, to share threat and security incident information with select executive departments and agencies responsible for investigation and remediation of cyber incidents. These include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the other elements of the Intelligence Community (IC).To implement this process, the EO requires a review and update of the current FAR and DFARS contract requirements for IT and OT service providers. As revised, these clauses will be designed to ensure that covered contractors collect and preserve cyber incident and cyber threat-related information, and share such information with the designated government agencies. Moreover, the EO requires federal agencies to propose contract language to the FAR Council that would require information and communications technology service providers to report certain types of cyber incidents to federal agencies, and CISA in particular, within a prescribed period of time. Among the specifics requested by the White House are a maximum three days from detection reporting requirement for “the most severe cyber incidents.” The EO sets a rather aggressive timeline for the FAR Council to review and publish for public comment the proposed new regulations, which could mean that we will see proposed updates to the FAR before the end of the year.The EO also requires the removal of barriers that inhibit the sharing of threat information, such as contractors’ incident response data, within the federal government. The EO directs the Office of Management and Budget (OMB), in consultation with other agencies, to propose updates to contract language to ensure contracts do not contain obstacles to the sharing of threat and cyber incident information within government. Such sharing will improve prevention, detection, and response and also foster collaboration among agencies, the FBI and CISA in their investigations of cyber incidents.Finally, new standardized cybersecurity requirements for all government contractors may be considered and adopted by the FAR Council.Much work remains to be done before new clauses are implemented in federal contracts, but contractors are now on notice of a potential sea change on the horizon.<h4>OTHER POTENTIALLY SIGNIFICANT DEVELOPMENTS FOR GOVERNMENT CONTRACTORS</h4><h5>MODERNIZATION OF THE GOVERNMENT’S IT SYSTEMS AND OF THE FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (“FEDRAMP”)</h5>The EO calls for the modernization of the federal government’s approach to cybersecurity, including adoption of best practices like the use of multifactor authentication and encryption, movement towards zero-trust architecture, and acceleration of adoption of cloud service solutions. The EO requires agencies to take steps toward implementation of these goals. In addition, the EO establishes a framework for the modernization of FedRAMP, suggesting a potential revamping of the currently cumbersome FedRAMP authorization process used for vendors seeking permission to provide cloud service offerings to government customers. This modernization effort offers significant opportunities for software vendors and IT service providers to expand their reach within the government.<h5>ENHANCED SUPPLY CHAIN SECURITY</h5>The EO also seeks to enhance supply chain security, particularly for “critical software” that has or enables privileged or direct access to networking and computing resources. The EO directs the National Institute of Standards and Technology (NIST) to develop guidelines for software vendors and promulgate a list of secure software development lifecycle standards with which all commercial suppliers to the government must comply.Among the criteria to be examined and regulated will be: (1) the development environment, including examination of access controls and use of automated tools to maintain integrity; (2) the developers’ transparency regarding security data; and (3) the provenance of the software, including review of a software bill of materials (SBOM) for each product. There may also be procedures for agencies to request artifacts demonstrating product integrity and for software providers to participate in a vulnerability disclosure program.Only software that is compliant with these newly established rules will be eligible for federal procurement. Non-compliant software will be removed from all indefinite delivery, indefinite quantity contracts; federal supply schedules, federal government-wide acquisition contracts; blanket purchase agreements, and multiple award contracts. Legacy software must either meet the new requirements or be redesigned to do so.It is worth keeping in mind the broader context of these supply chain reforms as part of a coordinated response to recent high-profile attacks. U.S. intelligence agencies have already begun reviewing supply chain risks, especially those associated with Russian companies. Of particular concern are any back-end software designs and coding done in Russia or other untrustworthy countries with the capacity for sophisticated cyber intrusions. The EO thus requires the FAR Council to propose supply chain security requirements, to be applicable to all government contractors. Those products and services that do not meet the government’s requirements will not be able to be sold to federal agencies.<h4>OTHER CYBERSECURITY ENHANCEMENTS</h4>In addition to its requirements for enhanced information sharing and supply chain security, the EO advances several other measures aimed at bolstering federal cybersecurity coordination and standardizing responses to cyber incidents.These include:<ul><li>Establishment of a Cyber Safety Review Board to improve government remediation of significant cybersecurity incidents. The Board’s membership will be drawn from the Department of Defense and Justice, CISA, the National Security Agency (NSA), and the FBI, with representation from private sector cybersecurity and software suppliers as determined appropriate by the Department of Homeland Security.</li><li>Standardization of the federal cyber incident response playbook developed by CISA in conjunction with the OMB, agency chief information officers, the federal Chief Information Security Officer Council, the NSA, the Attorney General and the Director of National Intelligence, which will conform response processes across all federal agencies.</li><li>Development of government-wide federal/civilian Endpoint Detection and Response (EDR) approach to support CISA-managed cyber threat hunting, detection, and response.</li><li>Issuance of policy requirements for agency logging, log retention, log management, and centralization of top-level security operations within each agency to improve the government’s overall investigation and response capabilities.</li></ul><h4>IMPLICATIONS FOR GOVERNMENT CONTRACTORS</h4>Although the EO previews desired and forthcoming new requirements, full implementation of the new rules will take time. The EO simply puts contractors on notice of the government’s plan to adopt new heightened cybersecurity standards and reporting obligations that will be implemented in the near future. Because the responsible agencies, in conjunction with the FAR Council, must still work to implement the EO, contractors will have time to prepare to meet the new standards and the opportunity to comment on the proposed FAR regulations (a process that we will be monitoring closely).That being said, unlike the existing DFARS 252.204-7012 cyber incident notification requirements, the new requirements have the potential to directly affect nearly all government contractors. While the new requirements may simplify notification requirements for contractors by creating a federal government-wide standardized approach, companies that have not previously implemented rigorous cybersecurity measures and incident response protocols may find themselves unprepared for this new era of cybersecurity. The new rules will also force scrutiny of the development cycle and supply chain for software and service providers in a manner not previously seen. The stakes are high for IT companies with significant government sales, and the opportunities are potentially ripe for new contractors seeking to replace them.Markus Speidel, a Law Clerk in the Morrison & Foerster LLP Government Contracts + Public Procurement practice, contributed to this alert.

nandivada_sandeep_blog_150x150.png

nandivada_sandeep_common_640x280.jpg

nandivada_sandeep_heroretina_2700x1160.jpg

nandivada_sandeep_mobileretina_750x1040.jpg

nandivada_sandeep_social_600x600.jpg

Executive Order on Cybersecurity Expands Mandatory Breach Notification and Supply Chain Security Requirements for Government Contractors

On May 12, 2021, the Biden administration issued an ambitious Executive Order on Improving the Nation’s Cybersecurity (EO) declaring the prevention, detection, 

Executive Order on Cybersecurity Expands Mandatory Breach Notification and Supply Chain Security Requirements for Government Contractors

Jay DeVecchio recently published a Briefing Paper for Thomson Reuters covering recent developments in the Department of Defense’s (DOD) Defense Federal Acquisition Regulation Supplement (DFARS) data rights provisions. Dissecting the DOD’s recent actions and attitudes, this article contextualizes the upcoming DOD proposal as it relates to commercial space and offers guidance to contractors on responding to the changes it will bring. Read the <a href="https://www.mofo.com/resources/insights/210517-data-rights-current-developments.html">full article</a>.

Data Rights: Current Developments & Pending DOD Changes

Jay DeVecchio recently published a Briefing Paper for Thomson Reuters covering recent developments in the Department of Defense’s (DOD) Defense Federal Acquisit

Data Rights: Current Developments & Pending DOD Changes

After much anticipation and hints, the U.S. Government announced a series of measures to respond to recent Russian actions against the United States, including the SolarWinds intrusion campaign. The measures underscore that companies are not in a position and should not be left to defend against nation state actors on their own, and that the U.S. Government will take steps to impose consequences and change the norms to make clear that widespread and costly intrusions on private companies are unacceptable. The initial actions taken by the U.S. Government include:<ul><li>imposing new sanctions against Russian entities,</li><li>attributing the SolarWinds compromise to the Russian Foreign Intelligence Service (SVR), and</li><li>issuing a pair of interagency reports that provide detailed technical information about the tools and methods Russian hackers used to exploit victim networks.</li></ul>Read our <a rel="noopener" target="_blank" href="https://www.mofo.com/resources/insights/210419-us-government-responds-solarwinds-hack.html">client alert.</a>

wugmeister_miriam_blog_150x150.png

wugmeister_miriam_common_640x280.jpg

wugmeister_miriam_heroretina_2700x1160.jpg

wugmeister_miriam_mobileretina_750x1040.jpg

wugmeister_miriam_social_600x600.jpg

Few lawyers in the world have Miriam’s breadth and understanding of privacy and data security laws, obligations, and practices.

Few lawyers in the world have Miriam Wugmeister’s breadth and understanding of privacy and data security laws, obligations, and practices. 

Miriam H. Wugmeister | Privacy and Data Security Lawyer

Few lawyers in the world have Miriam Wugmeister's breadth and understanding of privacy and data security laws, obligations, and practices. In the words of her clients, she is “extremely practical and phenomenally smart. Just about one of the best privacy advisers there is” (Chambers USA). Co-chair of Morrison & Foerster’s market-leading Global Privacy and Data Security Group and ranked among the top in the profession by all major directories, Ms. Wugmeister is regularly called upon by some of the world’s largest and most complex multinational organizations to confront their most difficult U.S. and international privacy challenges. “Tremendous at helping you come up with practical solutions to real problems” (Chambers USA), she develops cutting-edge solutions for clients that marry legal compliance with business realities.

Miriam Wugmeister

van-grack_brandon_blog_150x150.png

van-grack_brandon_common_640x280.jpg

van-grack_brandon_heroretina_2700x1160.jpg

van-grack_brandon_mobileretina_750x1040.jpg

van-grack_brandon_social_600x600.jpg

Brandon L. Van Grack co-chairs Morrison Foerster’s National Security and Crisis Management groups. 

Brandon Van Grack

Brandon Van Grack - National Security Lawyer

Brandon L. Van Grack

U.S. Government Responds to SolarWinds Hack, Seeks to Establish New Norms for Cyber Espionage

After much anticipation and hints, the U.S. Government announced a series of measures to respond to recent Russian actions against the United States, including 

U.S. Government Responds to SolarWinds Hack, Seeks to Establish New Norms for Cyber Espionage

Although it was already apparent, recent events have made it even clearer that cybersecurity is an essential concern for government contractors.  The coming year is poised to include many cybersecurity-related changes and developments.  Below we highlight just a few:Continued Rollout of Department of Defense’s CMMC ProgramThe Department of Defense (DoD) <a href="https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf">interim rule</a> for its Cybersecurity Maturity Model Certification (CMMC) Program went into effect November 30, 2020.  Although full CMMC implementation will not be achieved until 2025, a number of steps must be taken by contractors in the coming year.  First, registration and reporting of assessment scores in accordance with the DoD Assessment Methodology (based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171) in the Supplier Performance Risk System (SPRS) are now required of all DoD contractors and subcontractors that handle controlled unclassified information (CUI).  (More on these CMMC and SPRS requirements is available <a href="https://govcon.mofo.com/cybersecurity-and-data-privacy/department-of-defense-issues-cmmc-interim-rule-setting-up-a-two-part-process-for-review-of-contractor-it-systems/">here</a>.)  Second, the first “pathfinder” contracts requiring CMMC review have been <a href="https://www.defense.gov/Newsroom/Releases/Release/Article/2447770/cybersecurity-maturity-model-certification-pilots-for-fiscal-year-2021/">announced by DoD</a>.  Contractors and subcontractors seeking to obtain these contracts, expected to be awarded in late 2021, will need CMMC certification by date of award in order to participate.  More contract opportunities that require CMMC certification will be forthcoming this calendar year, meaning the race is on for contractors to come into compliance and line up for assessment, lest they be excluded from DoD contracting altogether.We expect other federal agencies to closely watch the CMMC rollout, and perhaps themselves adopt the same or a similar third-party cybersecurity authorization requirement for contractors in the coming year.Post-SolarWinds Fallout The hacking of SolarWinds’ Orion product, and the subsequent havoc wreaked upon government agencies and private industry alike are sure to shape cybersecurity policy for years to come.  The government has now <a href="https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure">definitively attributed</a> the hack to the Russian government.  In the coming year we expect even more rigorous scrutiny of supply chain considerations, and closer examination of software and cloud-based offerings sold to the government.  Federal Risk and Authorization Management Program (FedRAMP) authorization is likely to become more challenging and other cybersecurity standards for contractors may become more demanding.  Supply chain-related certifications with respect to information technology use also may be implemented, following the pattern of the telecommunications equipment restrictions of the Fiscal Year (FY) 2019 National Defense Authorization Act (NDAA) Section 889.In what is perhaps a preview of things to come, the recent pandemic stimulus package enacted by Congress as a Consolidated Appropriations Act includes a provision that requires government agencies to conduct “an assessment of any risk of cyber-espionage or sabotage” associated with the acquisition of any high-impact or moderate impact information system “including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States Government as posing a cyber threat, including but not limited to, those that may be owned, directed, or subsidized by the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, or the Russian Federation.”Legislative Changes Impacting Cybersecurity for Government ContractorsThe FY 2021 NDAA contains a number of provisions related to cybersecurity designed to improve U.S. cybersecurity defenses and to protect U.S. systems and critical infrastructure from malicious actors, both state-sponsored and not.  Most prominently, more than two dozen of the recommendations of the <a href="https://www.solarium.gov/">Cyberspace Solarium Commission</a> were adopted.  These include the establishment of a National Cyber Director housed in the Executive Office of the President and of an Integrated Cybersecurity Center to coordinate federal cybersecurity centers within the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, and the adoption of a biennial national cyber exercise that will involve federal, state, private sector and international stakeholders. Other provisions recognize the need for greater coordination and cooperation between government and industry pertaining to cyber threats. See <a href="https://www.solarium.gov/press-and-news/ndaa-override-press-release">here</a> for a comprehensive list of the 27 FY 2021 NDAA provisions pertaining to cybersecurity.In December 2020, the <a rel="noopener noreferrer" target="_blank" href="https://www.congress.gov/bill/116th-congress/house-bill/1668/text">Internet of Things (IoT) Cybersecurity Improvement Act</a> was also signed into law.  This statute provides incentives to manufacturers to address cybersecurity gaps and directs NIST to develop standards and guidelines for federal government use of IoT devices.  Ultimately, subject to limited exceptions, federal agencies will not be able to procure IoT devices that do not meet the applicable NIST standards and guidelines.  On December 15, NIST issued four draft guidance documents, including three interagency reports (NIST Interagency Reports 8259B, 8259C, and 8259D) and <a rel="noopener noreferrer" target="_blank" href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213-draft.pdf">Draft SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government</a>, as part of the process of establishing IoT device cybersecurity requirements.  The public comment period for the draft publication extends through February 12, 2021.Just last week, the House passed H.R. 21, the FedRAMP Authorization Act of 2021, which codifies the FedRAMP program and instructs the General Services Administration to make modifications to the risk-based approach to certifying cloud computing products and services for use by the federal government.  The bill has yet to be considered by the Senate.Additional cybersecurity-related legislation is certain to be on the horizon this year.Possible (and Welcome) Changes to the Program for Marking and Securing CUIIn 2010, President Obama issued <a rel="noopener noreferrer" target="_blank" href="https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information">Executive Order No. 13556, Controlled Unclassified Information</a>, directing the Executive Branch to establish a uniform program for safeguarding non-classified government information, or CUI, in order to replace the ad hoc patchwork approach then used by federal agencies in the absence of any uniform policies and procedures.  The executive order called for the National Archives and Records Administration (NARA) to spearhead the effort in concert with all executive agencies.  It took NARA six years to issue its comprehensive CUI program guidance, which ultimately identified over 100 categories and subcategories of CUI, each with specific marking and handling requirements.  However, since NARA’s guidance was issued in 2016, relatively little progress has been made on actually implementing the uniform CUI program, especially with respect to federal contractors.  While NARA issued program guidance in 2016, agencies were not required to implement the NARA program until the end of 2020.While some agencies, including the DoD and the Department of Homeland Security in particular, have issued CUI guidance and/or have imposed formal CUI-related cybersecurity requirements on contractors, many other agencies have simply failed to implement a comprehensive CUI program. Also, no Federal Acquisition Regulation (FAR) clause has been issued to uniformly apply CUI requirements to contractors.In December 2020 – just days before the NARA implementation deadline – the Director of National Intelligence (DNI) <a rel="noopener noreferrer" target="_blank" href="https://fas.org/sgp/othergov/intel/ratcliffe-cui.pdf">formally requested</a> that the President rescind Executive Order No. 13556.  Notably, the DNI did not request an extension or exemption for intelligence agencies, but instead requested that the entire CUI program be scrapped.  In his request, the DNI slammed the program as “exponentially more complex” than prior procedures and “vastly overcomplicated,” and argued that implementation within just the intelligence community will cost “over a billion dollars.”  The DNI suggested that many other agencies may be in agreement with the intelligence community, noting that several agencies also objected to the 2020 deadline as infeasible.We do not yet know how President Biden and other agencies may respond to the DNI’s request.  It does seem apparent that something should be done about the CUI program as, in its current form, the CUI rules simply sow confusion and create excessive administrative burdens for agencies and contractors alike.Potential Sanctions for Ransomware PaymentsAs cyber criminals’ use of ransomware escalates, victims must now not only grapple with the threat of potential release or deletion of their data, but also with the possibility of U.S. government sanctions if payment is made to sanctioned individuals or organizations.  In October 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued <a rel="noopener noreferrer" target="_blank" href="https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf">an advisory</a> that paying ransoms to cyber criminals could violate U.S. law.  OFAC now includes as part of its <a rel="noopener noreferrer" target="_blank" href="https://home.treasury.gov/policy-issues/financial-sanctions/other-ofac-sanctions-lists">sanctions lists</a> a growing number of cyber-criminal organizations with which U.S. companies and individuals cannot do business. These entities are primarily affiliated with North Korea, Iran, and Russia.  Individuals and entities found to have breached the sanctions restrictions can face punishment of up to $20 million in fines.  It is possible to obtain a license to permit a ransom payment, but OFAC has made clear these will not be issued with regularity:  “Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.”

Top Cybersecurity Considerations for Government Contractors in 2021

Although it was already apparent, recent events have made it even clearer that cybersecurity is an essential concern for government contractors.  The coming yea

Top Cybersecurity Considerations for Government Contractors in 2021

As we previously reported, the Department of Defense (DoD) has issued an interim rule that requires all contractors and subcontractors that store, process, generate, transmit or access “covered defense information” to conduct a self- assessment of compliance with NIST SP 800-171 using the DoD Assessment Methodology.  Contractors must post their self-assessment scores on the Defense Information Systems Agency-run database, the <a rel="noopener noreferrer" target="_blank" href="https://www.sprs.csd.disa.mil/">Supplier Performance Risk System (SPRS)</a>.Beginning December 1, 2020, where covered defense information will be involved in contract performance, DoD cannot award a prime contract, and primes cannot award subcontracts, to any company that does not have a current assessment in SPRS.  Covered defense information is essentially any information provided by DoD or produced by a contractor in connection with contract performance that is subject to access or dissemination controls (e.g., export controlled data or controlled technical documents, drawings, or specifications).We have heard anecdotally that the SPRS registration process is somewhat time consuming and requires the transfer of information from an entity’s SAM registration.  Companies that wait until the last minute to begin the registration process may find themselves ineligible for awards.  In particular, companies that have not previously assessed their compliance with NIST SP 800-171 (or had a third party do so) will have a significant amount of work to determine their DoD Assessment score.The recommendations in <a rel="noopener noreferrer" target="_blank" href="https://govcon.mofo.com/cybersecurity-and-data-privacy/department-of-defense-issues-cmmc-interim-rule-setting-up-a-two-part-process-for-review-of-contractor-it-systems/">this article</a> provide further guidance on the assessment process and next steps for contractors and subcontractors.

Deadline Fast Approaching for DoD Contractors and Subcontractors to Report Cyber Compliance

As we previously reported, the Department of Defense (DoD) has issued an interim rule that requires all contractors and subcontractors that store, process, gene

Deadline Fast Approaching for DoD Contractors and Subcontractors to Report Cyber Compliance