Cybersecurity

Subscribe to Cybersecurity

In recent weeks, there has been an uptick in news of cyber-related False Claims Act (“FCA”) activity. For example, on September 1, 2023, the court unsealed a qui tam lawsuit against Penn State University relating to allegations of non-compliance with Department of Defense (“DoD”) cybersecurity obligations. Separately, on September 5, 2023, the Department of Justice (“DOJ”) announced a multi-million dollar FCA settlement with Verizon under its Civil-Cyber Fraud Initiative (which focuses on leveraging the FCA to pursue cybersecurity related fraud by government contractors and grant recipients, as we previously discussed here). These and other cases suggest—as many had been speculating—that the number of enforcement actions and publicity associated with previously-sealed qui tam cases will continue to increase. They also signal that contractors and universities should brace for additional scrutiny and potential whistleblower claims in this area.

Continue Reading Recent Cyber-Related False Claims Act Activity Signals Contractors and Universities Should Examine Their Cybersecurity Practices and Brace for an Uptick in Enforcement

On July 18, 2023, the Biden Administration announced the launch of the long-awaited cybersecurity labeling program, called the “U.S. Cyber Trust Mark,” aimed at providing consumers with a better understanding of the cybersecurity of the products they use daily. This labeling program seeks to enhance transparency and competition in the Internet of Things (“IoT”) device space, to “help differentiate trustworthy products in the marketplace,” and to incentivize manufacturers to meet higher cybersecurity standards.

Continue Reading Cybersecurity Labeling is (Almost) Here! Biden Administration Announces the U.S. Cyber Trust Mark Program

On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practice, which requires that federal agencies only use third-party software that is provided by software producers that attest compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.

Continue Reading White House Provides New Guidance & Extends Deadline for Secure Software Attestations

The National Institute of Standards and Technology (NIST) has released an initial public draft of NIST SP 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Compliance with the security controls in NIST SP 800-171 is required for Department of Defense contractors and is expected to be incorporated into a new Federal Acquisition Regulation (FAR) clause and required for all federal contractors that process, store, or transmit Controlled Unclassified Information (CUI). 

Continue Reading NIST Releases Initial Public Draft of NIST SP 800-171, Revision 3 for Protection of Sensitive Government Information

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on the secure software development common self-attestation form to be completed by software producers that sell software to the federal government. Federal agencies are scheduled to begin collecting attestation forms for critical software by June 2023 and for all other software by September 2023.

Continue Reading CISA Releases Proposed Security Attestation Form for Software Producers

The Federal Risk and Authorization Management Program (FedRAMP) Program Management Office recently released a revised version of its Obligations and Compliance Standards document for third party assessors – the organizations that conduct reviews and enable security authorizations for cloud service offerings to the federal government. The revised document seeks to further define the performance and compliance expectations for third party assessors (3PAOs) and incorporates changes stemming from the FedRAMP Authorization Act, which was enacted as part of the Fiscal Year 2023 National Defense Authorization Act and codified FedRAMP. The revisions reflect recent trends in cyber and supply chain security, focusing on identifying potential foreign influence and enhancing transparency with respect to the activities conducted by the third party assessors. 

Continue Reading Reassessed: FedRAMP Releases Revised Obligations and Standards for Cybersecurity Assessors

On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy represents the latest push by the Administration to focus on cybersecurity concerns, following the release of Executive Order 14028, Improving the Nation’s Cybersecurity in May 2021. The Strategy lays out the cybersecurity goals and objectives for the federal government and outlines a fundamental change in how the federal government wishes to allocate roles, responsibilities, and resources for cybersecurity. It contemplates placing greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers. 

Continue Reading Biden Administration Releases Highly Anticipated National Cybersecurity Strategy

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 3.0, released on September 14, 2022. The public comment period currently is open and closes on October 17, 2022.

Continue Reading Third Time’s The Charm – FedRAMP Releases Draft Authorization Boundary Guidance Version 3 for Public Comment

Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).

Continue Reading Federal Government Outlines New Security and Attestation Requirements for Software

On July 19, 2022, the National Institute of Standards and Technology (NIST) released a Pre-Draft Call for Comments, seeking feedback on improving its Controlled Unclassified Information (CUI) series of publications. The comment period currently is open and scheduled to close on September 16, 2022

Continue Reading NIST Wants Your Input – Updating NIST’s Controlled Unclassified Information (CUI) Guidelines