Information Technology

Subscribe to Information Technology via RSS

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.Continue Reading Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

For companies in the U.S. that hold certain personal data and U.S. Government-related data, rules stemming from recent Executive Order (“EO”) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” may create obstacles and new compliance obligations. Under this EO, the Attorney General is charged with issuing regulations to either outright prohibit or impose restrictions on transactions involving bulk sensitive personal data or U.S. Government-related data when such transactions involve a “country of concern.”Continue Reading Data, Deals, and Diplomacy: How the Bulk Data Executive Order Will Shape Future Contracts and Security Practices

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released its new Proposed Rule pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which was published in the Federal Register on April 4, 2024 and is open for public comment through June 3, 2024. The Proposed Rule will be published in Part 6 of the Code of Federal Regulations, in a new Section 226, as part of the Department of Homeland Security’s regulations on Domestic Security.Continue Reading CISA Cyber Incident Reporting for Critical Infrastructure Will Significantly Impact Government Contractors, Suppliers, and Service Providers

On October 5, 2023, the FAR Council released an Interim Rule on “Implementation of Federal Acquisition Supply Chain Security Act (FASCSA) Orders.” The Interim Rule implements requirements from Section 202 of the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”), which will require contractors to ensure certain products and services are excluded from the U.S. Government supply chain as directed by the Federal Acquisition Security Council (“FASC”). The Interim Rule becomes effective 60 days after publication, requiring new FAR clauses to be incorporated into all solicitations and contracts (including orders and modifications) issued after December 4, 2023.Continue Reading Interim Rule Effective in December Establishes Requirements for Contractors to Remove Identified Products and Services from the U.S. Government Supply Chain

On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy represents the latest push by the Administration to focus on cybersecurity concerns, following the release of Executive Order 14028, Improving the Nation’s Cybersecurity in May 2021. The Strategy lays out the cybersecurity goals and objectives for the federal government and outlines a fundamental change in how the federal government wishes to allocate roles, responsibilities, and resources for cybersecurity. It contemplates placing greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers. Continue Reading Biden Administration Releases Highly Anticipated National Cybersecurity Strategy

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 3.0, released on September 14, 2022. The public comment period currently is open and closes on October 17, 2022.Continue Reading Third Time’s The Charm – FedRAMP Releases Draft Authorization Boundary Guidance Version 3 for Public Comment

On July 19, 2022, the National Institute of Standards and Technology (NIST) released a Pre-Draft Call for Comments, seeking feedback on improving its Controlled Unclassified Information (CUI) series of publications. The comment period currently is open and scheduled to close on September 16, 2022Continue Reading NIST Wants Your Input – Updating NIST’s Controlled Unclassified Information (CUI) Guidelines

The National Institute of Standards and Technology (“NIST”) is seeking comments on its second draft of NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on October 28, 2021. We previously discussed the release of the first draft here. The public comment period currently is open and concludes on December 3, 2021. NIST anticipates releasing a final version during the third quarter of 2022.

Continue Reading Seeking HoNIST Opinions, Part II – NIST Invites Comments on Major Revision to Cyber Supply Chain Risk Management Practices and Software Guidelines Mandated By Cybersecurity Executive Order

The Office of Management and Budget (“OMB”) released its draft Federal Zero Trust Strategy under President Biden’s Executive Order on Improving the Nation’s Cybersecurity (No. 14028) (discussed previously here and
Continue Reading Moving to Zero Trust – CISA and OMB Seek Comments on Zero Trust Publications and Cloud Security Technical Reference Architecture under Cybersecurity Executive Order

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 2.0, released on July 13, 2021. The public comment period currently is open and closes on September 13, 2021.
Continue Reading Watch Your Boundaries – FedRAMP Releases Draft Authorization Boundary Guidance for Public Comment

As called for in the May 12, 2021 Cybersecurity Executive Order (“EO”) released by the Biden Administration (discussed here), NIST met its deadline to release a definition of “critical software” within 45 days of the date of the Order.  The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain, which will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.
Continue Reading Right on Time – NIST Releases Definition of “Critical Software” Per Biden’s Cybersecurity Executive Order