This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021through February 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during March 2024. It also describes key actions taken during March 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
CISA’s OMB Common Software Attestation Form is Approved by OMB
On March 11, 2024, the Cybersecurity Infrastructure Security Agency (“CISA”), released the final version of its common Secure Software Development Attestation Form, which was approved by the Office of Management and Budget (“OMB”). The common form is a key part of OMB’s requirement for Government agencies to begin collection of attestations from software producers within three months of approval of the form for “critical” software and within six months of approval of the form for other software, as that term is defined by OMB memoranda. To date, we have not seen additional guidance relating to the planned implementation, but if OMB adheres to its published timeline then the requirements for critical software would be slated to go into effect in early June. CISA also launched a new repository to receive the forms, further signaling the Government’s intent to begin collecting these attestations. Additional information on the requirements can be found in our prior post, here.
CISA Releases a Notice of Proposed Rulemaking Regarding Critical Infrastructure Incident Reporting
On March 27, 2024, CISA released a notice of proposed rulemaking to implement critical infrastructure reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The law generally established a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA. The rule outlines how these requirements will function, including describing the entities that will be covered, the types of incidents that will be covered, and the exceptions for reporting requirements. The requirements are not directly related to the Cyber EO and instead are driven by statute. With this said, the rule will no doubt have impacts on implementation activities under the Cyber EO, such as with regard to potential efforts to harmonize incident reporting requirements as described by the proposed FAR incident reporting rule, which we discussed here. CISA will accept comments on the rule for 60 days after its publication in the April 4 Federal Register. More information about CISA’s rule is available here and we are working on a more complete alert on the subject.
AI Policy for Federal Agencies
The Office of Management and Budget issued guidance on governance and risk management for federal agency use of artificial intelligence across Government on March 28. The guidance, among other things, directs federal agencies and departments to address risks from the use of AI, expand public transparency, advance responsible AI innovation, grow an AI-focused talent pool and workforce, and strengthen AI governance systems. This includes inventorying AI use cases annually and submitting reports to OMB. This is similar to inventory requirements under OMB’s secure software memorandum, which we discussed here. The guidance also requests agencies to make updates to authorization processes for FedRAMP services. A more complete analysis of the memorandum is available here.