Photo of Townsend Bourne

Townsend Bourne

Subscribe to Townsend Bourne's Posts

Townsend Bourne is a partner in the Governmental Practice in the firm's Washington, D.C. office. She also is Leader of the firm’s Government Business Group.

Contact:Read more about Townsend Bourne

On June 28, 2024, in a landmark decision, the Supreme Court overruled the four decade old case Chevron v. Natural Resources Defense Council. This pivotal decision should spur businesses to recalibrate their existing relationship with federal agencies. Indeed, we have already seen industry groups begin to use the overruling to influence agency rulemaking, signaling a future of significant shifts in the regulatory landscape. For those operating in regulated industries—including government contractors, and particularly those navigating the complex world of cybersecurity regulation—understanding the implications of the decision is crucial.Continue Reading Navigating the New Cybersecurity Regulatory Landscape Post-Chevron

It’s been a hot summer so far but Federal Risk and Authorization Program (“FedRAMP”) is just starting to heat up. In June, FedRAMP (the Federal government’s program for security authorizations for cloud solutions) released the final Emerging Technology Prioritization Framework, which outlines the prioritization of certain artificial intelligence capabilities. In mid-July, FedRAMP announced its Agile Delivery pilot program, which is a new process for reviewing significant changes without the need for advanced approval. FedRAMP also announced a new technical documentation hub (automate.fedramp.gov) that focuses on provided support to cloud service providers in the development of digital authorization packages. Lastly, just as the heat wave in Washington, D.C. ended, FedRAMP published the final version of the FedRAMP OMB Memo (“OMB Memo”) on July 26, 2024. The OMB Memo revamps FedRAMP through changes to the authorization paths and continuous monitoring and incident response processes, as well as enhancements through automation. Below are key points to know about each FedRAMP update released this summer.Continue Reading Summer Heat Ramping Up: FedRAMP Releases Final OMB Memo and Announces Update on Roadmap Progress, Automation Site Launch, and the Agile Delivery Pilot Launch

For companies in the U.S. that hold certain personal data and U.S. Government-related data, rules stemming from recent Executive Order (“EO”) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” may create obstacles and new compliance obligations. Under this EO, the Attorney General is charged with issuing regulations to either outright prohibit or impose restrictions on transactions involving bulk sensitive personal data or U.S. Government-related data when such transactions involve a “country of concern.”Continue Reading Data, Deals, and Diplomacy: How the Bulk Data Executive Order Will Shape Future Contracts and Security Practices

On June 17, 2024, the Department of Justice (“DOJ”) announced the latest settlement under its Civil Cyber-Fraud Initiative (“CCFI”) (previously discussed here).[1] The settlement resulted in a total of $11,300,000 in payments from two consulting companies (Guidehouse, Inc., the prime contractor, which paid $7,600,000; and Nan Kay and Associates, the subcontractor, which paid $3,700,000) to resolve allegations the two companies violated the False Claims Act by failing to meet cybersecurity requirements in federally-funded contracts.Continue Reading Latest Cyber-Related FCA Settlement Underscores the Breadth of DOJ’s Civil Cyber-Fraud Focus

On May 3, 2024, the FAR Council published an advanced notice of proposed rulemaking (the “Advanced Notice”) seeking to implement Section 5949 of the James M. Inohfe National Defense Authorization Act for Fiscal Year 2023 prohibition on procuring certain covered semiconductor products and services. The Congressional prohibition does not go into effect until December 2027, but the FAR Council was directed to promulgate regulations by December 2025. Though this only is an Advanced Notice at this time, the publication provides government contractors with information crucial to developing compliant infrastructures and preparing for the forthcoming rule’s publication. Interested parties are directed to submit written comments in response to the Advanced Notice by July 2, 2024 for consideration in the forthcoming proposed rule – an opportunity all contractors impacted by this prohibition should take advantage of.Continue Reading FAR Council Releases Rulemaking on Prohibitions for Semiconductors

On April 1, 2024, the FAR Council published a new Final Rule that establishes FAR Part 40 – but without any new provisions of substance. This Final Rule becomes effective on May 1, 2024. Subsequently, the FAR Council published a Request for Information (“RFI”) on April 10, 2024. The RFI seeks feedback on the scope and organization of FAR Part 40 and is open for comment until June 10, 2024.Continue Reading Not an April Fools Joke – FAR Part 40 Final Rule Has Been Published

On March 28, 2024, the Office of Management and Budget (“OMB”) issued Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence (the “Memo”). This is the final version of a draft memorandum OMB released for public comment on November 1, 2023. The Memo primarily focuses on agency use of AI and outlines minimum practices for managing risks associated with the use of AI in the federal government. The Memo also provides recommendations for managing AI risks in federal procurement of AI that industry should keep in mind, specifically entities developing AI tools to sell to the federal government.Continue Reading Better Safe Than Sorry: OMB Releases Memorandum on Managing AI Risks in the Federal Government

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released its new Proposed Rule pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which was published in the Federal Register on April 4, 2024 and is open for public comment through June 3, 2024. The Proposed Rule will be published in Part 6 of the Code of Federal Regulations, in a new Section 226, as part of the Department of Homeland Security’s regulations on Domestic Security.Continue Reading CISA Cyber Incident Reporting for Critical Infrastructure Will Significantly Impact Government Contractors, Suppliers, and Service Providers

Class Deviation Prohibits DoD from Requiring Contractors to Disclose Emissions

Over the past two years, the FAR Council has been working to develop a rule that would amend the Federal Acquisition Regulation (“FAR”) to require contractors to inventory and report their greenhouse gas (“GHG”) emissions and climate-related financial risk in order to be eligible for Federal awards. (Prior posts are available here and here.)Continue Reading Updates on GHG Emissions Disclosure Requirements

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Office of Management and Budget (“OMB”) released the highly-anticipated Secure Software Development Attestation Form (also known as the “Common Form”) and on March 18, 2024 CISA’s repository for the forms went live.Continue Reading CISA Opens Repository for Submission of Software Security Attestation Forms