This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021through July 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during August 2024. We discuss developments during August 2024 to implement President Biden’s Executive Order on Artificial Intelligence in a separate post.
New Guides Released Relating to Secure Software Development Requirements
On August 2, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.” This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks. This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Cyber EO. A more detailed analysis of these guides is available on our post on Inside Government Contracts.
DoD Publishes Proposed CMMC DFARS Rule
On August 15, the U.S. Department of Defense (“DoD”) published a proposed rule in the Federal Register that would implement the Cybersecurity Maturity Model Certification (“CMMC”) 2.0 in the Defense Federal Acquisition Regulation Supplement (“DFARS”). The proposed rule incorporates contractual requirements related to CMMC 2.0, including by establishing a standard contract clause and solicitation provision.
For example, the proposed rule would require (among other things) that contractors:
- Hold “a current CMMC certificate or current CMMC self-assessment at” the CMMC level, or higher, that is specified in the solicitation as a condition of eligibility for award of the contract;
- Consult 32 C.F.R. part 170 “related to flowing down information in order to establish the correct CMMC level requirements for subcontracts and other contractual instruments;”
- Maintain “the CMMC level required by [the] contract for the duration of the contract for all information systems, used in performance of the contract, that process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI);”
- “Only process, store, or transmit data on information systems that have a CMMC certificate or CMMC self-assessment at the CMMC level required by the contract, or higher;”
- Within 72 hours, notify the Contracting Officer “when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract;”
- On an annual basis or when changes occur in CMMC compliance status, complete and maintain an affirmation of continuous compliance;
- On an annual basis or when changes occur in CMMC compliance status, ensure all subcontractors and suppliers complete and maintain an affirmation of continuous compliance;
- Provide “the Contracting Officer the DoD [unique identifier(s)] issued by SPRS for contractor information systems that will process, store, or transmit FCI or CUI during performance of the contract;”
- Submit “into SPRS the results of self-assessment(s) for each DoD [unique identifier] applicable to each of the contractor information systems”; and
- Report “any changes to the list of DoD [unique identifiers]” to the Contracting Officer.
The publication of the proposed rule follows shortly after the Office of Information and Regulatory Affairs (“OIRA”) completed its review of the proposed contract clause on August 7, 2024 and moves CMMC 2.0 closer to finalization. DoD is accepting comments on the proposed rule through October 15, 2024.
NIST Releases Second Draft of Digital Identity Guidelines Update
On August 21, the National Institute of Standards and Technology (“NIST”) issued a second draft of the update of its Special Publication (SP) 800-63, Rev. 4, “Digital Identity Guidelines,” and three companion guidelines, SP 800-63A, 63B, and 63C. These guidelines address the mechanisms and best practices for providing and protecting digital access to online public services. Among the newer practices addressed in the guidelines are the use of cloud-based syncable authenticators as passkeys and the use of subscriber-controlled wallets. Syncable authenticators are software or hardware authenticators that allow authentication keys to be cloned and exported to other storage to sync those keys to other authenticators. Subscriber-controlled wallets are devices that are controlled by the user that allow the user’s device to act as an identity provider. These practices may eventually show up in other NIST documents that have more direct applicability to contractors, such as NIST SP 800-53. The guidelines also require that any machine learning or artificial intelligence used by identity systems must be documented and communicated to those that use the systems. NIST is accepting comments on the draft guidelines through October 7, 2024.