This is the third blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration. This blog describes key cybersecurity developments that took place in April 2025.
NIST Publishes Initial Draft of Guidance for High Performance Computing Systems
The U.S. National Institute of Standards and Technology (“NIST”) released an initial public draft of NIST SP 800-234, “High-Performance Computing (HPC) Security Overlay.” The draft is intended to outline the security controls that are recommended for securing certain very large computing infrastructures, including those used for “large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations.” The publication recognizes the unique characteristics of these systems, including the fact that different parts of these systems (which the guidance refers to as “zones”) may themselves require different security controls. In sum, the guidance serves as an overlay on NIST SP 800-53 and contains a selection of NIST SP 800-53 security controls that have been tailored for different zones of HPC systems. Comments on the guidance are due by July 3, 2025, and the guidance will be of interest to any company that operates large-scale infrastructure.
NIST Publishes Updated Incident Response Recommendations and Considerations
In April, NIST published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“Revision 3”). We wrote about Revision 3 of NIST SP 800-61 here.
NIST SP 800-61, which was first published in 2008 and last updated in 2012, is designed to assist organizations with cybersecurity incident response and cybersecurity risk management. Revision 3 is a significant change to incident response guidance, as it not only represents the first update of NIST SP 800-61 since 2012, but also maps the document’s recommendations and considerations for incident response to the six functions outlined in the recently-updated NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover. As a result, Revision 3 includes significant new recommendations and guidance for incident response, and entities should consider reviewing and updating their incident response plans and procedures to incorporate these recommendations, particularly if they have aligned their cybersecurity program with the NIST Cybersecurity Framework or used the prior versions of NIST SP 800-61 as a basis for existing incident response plans or procedures.
Pentagon Publishes Memorandum on NIST SP 800-171 Rev. 3
On April 15, the Department of Defense (“DoD”) published a memorandum providing contracting officials with instructions on applying the controls set forth in Revision 3 of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In particular, the memorandum provided guidance focused on tailoring organization-defined parameters (“ODPs”), which are included in NIST SP 800-171. ODPs are essentially fill-in-the-blank aspects of security controls that allow organizations to tailor the controls to their specific needs and risk environment.
The memorandum outlines values for ODPs, which represent “a consensus position of DoD stakeholders,” and are a minimum requirement for contractors. In other words, the memorandum provides specific guidance for DoD’s minimum expectations for these ODPs. ODP values included in the DoD policy relate to Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment and Monitoring; Systems and Communications Protection; System and Information Integrity; Planning; System and Services Acquisition; and Supply Chain Risk Management.
These ODP values and Revision 3 of NIST SP 800-171 are expected to eventually align with the DoD Cybersecurity Maturity Model Certification (“CMMC”) Program and its Level 2 security control requirements. Level 2 of the CMMC program is currently tied to NIST SP 800-171 Revision 2. In general, Revision 3 is more specific than Revision 2 about the actions that contractors must take to satisfy a control requirement. DoD has not yet announced any public plans for migration from Revision 2 to Revision 3, but the memorandum signals that DoD may indeed look at such migration at some point in the future.