
Townsend Bourne is a partner in the Governmental Practice in the firm's Washington, D.C. office. She also is Leader of the firm’s Government Business Group.

The Federal Risk and Authorization Management Program (FedRAMP) Program Management Office recently released a revised version of its Obligations and Compliance Standards document for third party assessors – the organizations that conduct reviews and enable security authorizations for cloud service offerings to the federal government. The revised document seeks to further define the performance and compliance expectations for third party assessors (3PAOs) and incorporates changes stemming from the FedRAMP Authorization Act, which was enacted as part of the Fiscal Year 2023 National Defense Authorization Act and codified FedRAMP. The revisions reflect recent trends in cyber and supply chain security, focusing on identifying potential foreign influence and enhancing transparency with respect to the activities conducted by the third party assessors. Continue Reading Reassessed: FedRAMP Releases Revised Obligations and Standards for Cybersecurity Assessors

On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy represents the latest push by the Administration to focus on cybersecurity concerns, following the release of Executive Order 14028, Improving the Nation’s Cybersecurity in May 2021. The Strategy lays out the cybersecurity goals and objectives for the federal government and outlines a fundamental change in how the federal government wishes to allocate roles, responsibilities, and resources for cybersecurity. It contemplates placing greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers. Continue Reading Biden Administration Releases Highly Anticipated National Cybersecurity Strategy

On November 14, 2022, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to require Federal contractors that receive annual Federal contract obligations over a specified amount to disclose their greenhouse gas (GHG) emissions[1] and climate-related financial risk, and set science-based targets to reduce GHG emissions.[2] This proposed rule implements section 5(b) of Executive Order 14030, Climate-Related Financial Risk, which we previously wrote about here. The Government will consider comments from interested parties that are submitted by January 13, 2023, after which a final rule will be formulated.

Continue Reading Proposed Rule Requires Contractors to Disclose Greenhouse Gas Emissions and Climate-Related Financial Risk

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 3.0, released on September 14, 2022. The public comment period currently is open and closes on October 17, 2022.

Continue Reading Third Time’s The Charm – FedRAMP Releases Draft Authorization Boundary Guidance Version 3 for Public Comment

Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).

Continue Reading Federal Government Outlines New Security and Attestation Requirements for Software

On July 19, 2022, the National Institute of Standards and Technology (NIST) released a Pre-Draft Call for Comments, seeking feedback on improving its Controlled Unclassified Information (CUI) series of publications. The comment period currently is open and scheduled to close on September 16, 2022.

Continue Reading NIST Wants Your Input – Updating NIST’s Controlled Unclassified Information (CUI) Guidelines

The Federal Acquisition Regulatory Council (the “FAR Council”) currently is considering amendments to the Federal Acquisition Regulation (“FAR”) that would elevate the consideration of climate-related risks in Federal Government contracting.

Continue Reading ESG for Government Contractors: Climate-Related Risk Considerations in Federal Procurement

On March 8, 2022, just five months after the creation of the Department of Justice’s (“DOJ”) new Civil Cyber-Fraud Initiative (previously discussed here), the DOJ announced its first settlement of a cyber-related fraud case. Under the settlement agreement, Comprehensive Health Services LLC (“CHS”) will pay $930,000 to resolve whistleblower allegations that it violated the False Claims Act by (among other things) failing to properly store and handle confidential information. This likely is just the start for increased cyber-related enforcement actions.

Continue Reading Well, That Didn’t Take Long – DOJ Announces its First Settlement of a Civil Cyber-Fraud Case

The National Institute of Standards and Technology (“NIST”) is seeking comments on its second draft of NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on October 28, 2021. We previously discussed the release of the first draft here. The public comment period currently is open and concludes on December 3, 2021. NIST anticipates releasing a final version during the third quarter of 2022.

Continue Reading Seeking HoNIST Opinions, Part II – NIST Invites Comments on Major Revision to Cyber Supply Chain Risk Management Practices and Software Guidelines Mandated By Cybersecurity Executive Order