On May 12, 2021, the Biden Administration issued its much anticipated “Executive Order on Improving the Nation’s Cybersecurity.” Below are provisions we believe will be of most interest to contractors, as well as any company that provides information technology (“IT”) and operational technology (“OT”) services, cloud computing, software, or internet of things (“IoT”) technology, as the new regulations and standards called for in the Order are likely to have an impact beyond government contractors.
Continue Reading Biden’s Cybersecurity Executive Order

On January 30, 2020, the Department of Defense (“DOD”) released version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”), after releasing several draft versions of the document over the preceding year.
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

Pursuant to DFARS 252.204-7012, DoD contractors were required to implement the security requirements in NIST Special Publication (SP) 800-171 by December 31, 2017. NIST SP 800-171 sets out security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and is expected soon to be required under civilian agency contracts through a forthcoming FAR case. On November 28, 2017, NIST released its highly anticipated draft publication, NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” Like NIST SP 800-53A, which provides assessment procedures for the requirements in NIST SP 800-53 (the security controls for federal systems), the draft publication will “help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171.” The draft includes assessment procedures for each security requirement in the fourteen families of NIST SP 800-171 and describes methods by which companies can “generate evidence to support the assertion that the security requirements have been satisfied.” Thus, it appears that an organization that conducts the assessments suggested in the draft publication and retains the resulting documentation can present it to its agency customer as evidence of compliance with NIST SP 800-171 (subject, of course, to any agency-specific clauses or demands relating to safeguarding CUI).
Continue Reading NIST Releases Highly-Anticipated Draft Special Publication on Assessing the Security Requirements in NIST SP 800-171 for Controlled Unclassified Information (CUI)

On May 11, 2017, President Donald Trump issued his long-awaited Executive Order on cybersecurity, the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” It had been in the works since early in the administration, and its release had been announced (and drafts leaked) several times, only to be pulled back and reworked further. The Executive Order calls for a government-wide review and analysis of federal information technology infrastructure, including known risks and vulnerabilities, as well as consideration of the U.S.’s cybersecurity capabilities in relation to the rest of the world.
Continue Reading Presidential Executive Order on Cybersecurity: No More Antiquated IT

On May 18, 2016, the Department of Defense issued Conforming Change 2 to the “National Industrial Security Program Operating Manual” (“NISPOM”). NISPOM Change 2 requires all U.S. government contractors that require access to U.S. classified information to implement, by November 30, 2016, an Insider Threat Program (“ITP”) that will gather, integrate and report relevant information related to potential or actual insider threats among cleared employees. Insider threats – a growing phenomenon – arise when employees or contractors exploit legitimate access to an organization’s data for unauthorized or malicious purposes. Much of the impetus for the new rule appears to be a valid concern about large-scale thefts of classified data, as exemplified by Edward Snowden’s release of a vast trove of sensitive documents stolen from the U.S. National Security Agency.
Continue Reading Insider Threat Programs – A New Challenge for Cleared Contractors

The Securities and Exchange Commission’s (“SEC”) recent $1 million settlement with Morgan Stanley Smith Barney LLC (“MSSB”) marked a turning point in the agency’s focus on cybersecurity issues, an area that the agency has proclaimed a top enforcement priority in recent years. The MSSB settlement addressed various cybersecurity deficiencies that led to the misappropriation of sensitive data for approximately 730,000 customer accounts.
Continue Reading SEC Steps Up Cybersecurity Enforcement with $1 Million Fine Against Morgan Stanley

Like Frost’s nameless traveler in “The Road Not Taken,” our Government finds itself confronted with two diverging roads in the cybersecurity realm. The first offers moderation, deliberation, and evolution. The second, speed. Frost expressed regret that he could travel but one road. Armed with taxpayer dollars, our Government is not so constrained and, devoid of regret, proceeds down both in parallel.
Continue Reading Robert Frost and Cybersecurity – Two Roads Diverging

Over the first half of the year there has been a lot of activity surrounding government efforts to confront growing concern over “Cybersecurity.” This flurry of activity comes in the wake of two years during which lawmakers have been unable to define legislatively what, exactly, “cybersecurity” is, what it means, and how it should be mandated and implemented. But Congress’ failures have not halted the piecemeal charge that is pushing unabated into the cybersecurity realm. For example, the Pentagon is seeking roughly $23 billion to fund computer network defense and computer network attack initiatives through FY 2018, beginning with a $4.65 billion bump for such efforts in FY 2014. It is clear that the government is in the midst of a “cyber-gold rush” and savvy and innovative contractors practicing in this realm are poised to benefit. However, the increased attention cybersecurity is getting will also pose significant hurdles to businesses throughout the country.
Continue Reading New Laws and Firewalls – Summer 2013 Cyber Security Round-up