The Cybersecurity and Infrastructure Security Agency (“CISA”) recently revised its Secure Software Development Attestation Common Form (after receiving over 110 comments on the initial draft), and is seeking additional comments through December 18, 2023. This is an important opportunity for software producers (and others) to provide input that will help shape the future of software supply chain regulations. At a time when the federal government is struggling to harmonize myriad rules on cybersecurity and supply chain, recommendations from industry will be key.
Continue Reading Update: CISA Seeks Additional Input from Software Providers on Security Attestation Form
On October 3, 2023, the FAR Council released two long-awaited proposed rules for federal contractor cybersecurity stemming from the Biden Administration’s Cybersecurity Executive Order from May 2021 (Executive Order 14028). The proposed rules relate to Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). The comment period for both rules is currently open and is scheduled to close on December 4, 2023.
Continue Reading Two New Cybersecurity Proposed Rules Mean Big Changes for Federal Contractors
On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, which requires that federal agencies only use third-party software that is provided by software producers that attest compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.
Continue Reading White House Provides New Guidance & Extends Deadline for Secure Software Attestations
The Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on the secure software development common self-attestation form to be completed by software producers that sell software to the federal government. Federal agencies are scheduled to begin collecting attestation forms for critical software by June 2023 and for all other software by September 2023.
Continue Reading CISA Releases Proposed Security Attestation Form for Software Producers
On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy represents the latest push by the Administration to focus on cybersecurity concerns, following the release of Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021. The Strategy lays out the cybersecurity goals and objectives for the federal government and outlines a fundamental change in how the federal government wishes to allocate roles, responsibilities, and resources for cybersecurity. It contemplates placing greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers.
Continue Reading Biden Administration Releases Highly Anticipated National Cybersecurity Strategy
Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).
Continue Reading Federal Government Outlines New Security and Attestation Requirements for Software
Software companies selling indirectly to the Federal Government finally received an answer to a question that has lingered for years – can a software company going to market through a reseller bring a direct claim under the Contract Disputes Act (“CDA”) against the Federal Government for violating a term of the software company’s End User License Agreement? Sadly, the answer is “no.”
Continue Reading Software Companies Beware: Board Holds Subcontractor Cannot Enforce EULA Directly Against Federal Government
Every now and then, the FAR Councils issue a Federal Acquisition Circular (FAC) – an update to the Federal Acquisition Regulation implementing a number of changes. Often these changes are rather pro forma. But occasionally, you get a Circular with many different (and interesting) issues. FAC 2005-67, issued in late-June 2013, with rules becoming effective in June and July 2013, is one such circular. We thought it would be helpful to highlight five of these rules that raise interesting and timely issues, especially where they may signal additional changes yet to come.
Continue Reading Lots of Little Things – FAR Updates from the Federal Acquisition Circular
It has been noted that the more things change, the more they stay the same. In the world of Government Contracts Law, however, the more things change, the more the phone rings. And while we’re only a few weeks into 2013, the phone has been ringing off the hook. Here are a few of the reasons why.
Continue Reading What Does 2013 Have In Store for Government Contractors and Their Lawyers?
One of the most perplexing questions that has plagued the government contracting community in recent years relates to the country of origin for computer software. Where most government procurements restrict the purchase of products that were not manufactured or substantially transformed in an approved country, the question of where software is “substantially transformed” is one of critical importance – particularly where the government buys more and more software products, and particularly where those software products are distributed via direct download. The Department of U.S. Customs and Border Protection has long resisted issuing any authoritative guidance on the country of origin for computer software, leaving industry to reach its own conclusions, conclusions that hopefully will be adjudged as reasonable in the event of later Government scrutiny or challenge. But Customs has recently issued an advisory opinion that may finally shed some light on this dark and murky topic.
Continue Reading Country of Origin for Computer Software – U.S. Customs Finally Sheds Some Light on the Issue
The United States has long been the world’s principal purchaser of (a) research and development services, (b) the products generated by the R&D, and (c) the intellectual property relating to that R&D. Historically, Government-funded R&D has evoked images of an omnipresent, overly intrusive, audit-fixated purchaser bent on levying a host of required terms and conditions on the seller, many of which are wholly unrelated to the underlying R&D and are designed solely to advance socio-economic policies and preferences. For these (and other) reasons, companies, particularly new and emerging companies, are often reluctant to accept federal funding to advance their privately conceived and privately developed ideas.
Continue Reading A Brief Guide to Alternative Contracting Arrangements for R&D