On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Office of Management and Budget (“OMB”) released the highly-anticipated Secure Software Development Attestation Form (also known as the “Common Form”) and on March 18, 2024 CISA’s repository for the forms went live.
Continue Reading CISA Opens Repository for Submission of Software Security Attestation Forms

GSA long has stated that the “MAS program is designed to mirror commercial buying practices.” (Don’t laugh – I’m serious! Slide 12 if you don’t believe me.) In the commercial marketplace, SaaS licenses are sold for set periods of time (typically annual terms) and paid for in advance. Historically, GSA refused to accept this commercial term, explicitly prohibiting customer agencies from paying in advance when acquiring SaaS through the MAS program. Software companies, rejoice, because GSA finally has seen the light!
Continue Reading Paid in Full: GSA Approves Advance Payment for SaaS Licenses

In January 2022, we warned software companies selling indirectly against attempting to enforce the terms of their End User License Agreement (“EULA”) directly against the Federal Government based on the decision of the Civilian Board of Contract Appeals (“CBCA”) in Avue Technologies Corp. Earlier this month, the Federal Circuit gave software companies some hope by vacating the CBCA’s decision. Read on, though, before filing your claim.
Continue Reading Finally Invited to the Party? Federal Circuit Opens the Door for Software Companies Selling Through Resellers to Bring a Contract Claim Against the Federal Government

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently revised its Secure Software Development Attestation Common Form (after receiving over 110 comments on the initial draft), and is seeking additional comments through December 18, 2023. This is an important opportunity for software producers (and others) to provide input that will help shape the future of software supply chain regulations. At a time when the federal government is struggling to harmonize myriad rules on cybersecurity and supply chain, recommendations from industry will be key.
Continue Reading Update: CISA Seeks Additional Input from Software Providers on Security Attestation Form

On October 3, 2023, the FAR Council released two long-awaited proposed rules for federal contractor cybersecurity stemming from the Biden Administration’s Cybersecurity Executive Order from May 2021 (Executive Order 14028). The proposed rules relate to Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). The comment period for both rules is currently open and is scheduled to close on December 4, 2023.
Continue Reading Two New Cybersecurity Proposed Rules Mean Big Changes for Federal Contractors

On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practice, which requires that federal agencies only use third-party software that is provided by software producers that attest compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.
Continue Reading White House Provides New Guidance & Extends Deadline for Secure Software Attestations

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on the secure software development common self-attestation form to be completed by software producers that sell software to the federal government. Federal agencies are scheduled to begin collecting attestation forms for critical software by June 2023 and for all other software by September 2023.
Continue Reading CISA Releases Proposed Security Attestation Form for Software Producers

On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy represents the latest push by the Administration to focus on cybersecurity concerns, following the release of Executive Order 14028, Improving the Nation’s Cybersecurity in May 2021. The Strategy lays out the cybersecurity goals and objectives for the federal government and outlines a fundamental change in how the federal government wishes to allocate roles, responsibilities, and resources for cybersecurity. It contemplates placing greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers.
Continue Reading Biden Administration Releases Highly Anticipated National Cybersecurity Strategy

Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).
Continue Reading Federal Government Outlines New Security and Attestation Requirements for Software

Software companies selling indirectly to the Federal Government finally received an answer to a question that has lingered for years – can a software company going to market through a reseller bring a direct claim under the Contract Disputes Act (“CDA”) against the Federal Government for violating a term of the software company’s End User License Agreement? Sadly, the answer is “no.”
Continue Reading Software Companies Beware: Board Holds Subcontractor Cannot Enforce EULA Directly Against Federal Government

Every now and then, the FAR Councils issue a Federal Acquisition Circular (FAC) – an update to the Federal Acquisition Regulation implementing a number of changes. Often these changes are rather pro forma. But occasionally, you get a Circular with many different (and interesting) issues. FAC 2005-67, issued in late-June 2013, with rules becoming effective in June and July 2013, is one such circular. We thought it would be helpful to highlight five of these rules that raise interesting and timely issues, especially where they may signal additional changes yet to come.
Continue Reading Lots of Little Things – FAR Updates from the Federal Acquisition Circular