Cybersecurity

Subscribe to Cybersecurity
Photo of Peter J. EyrePhoto of M.Yuan Zhou

This week’s episode covers two notable False Claims Act settlements and the White House National Cybersecurity Strategy Implementation Plan, and is hosted by Peter Eyre and Yuan Zhou. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts

Photo of Sarah RippyPhoto of Alexander UrbelisPhoto of Evan D. WolffPhoto of Neda ShaheenPhoto of Garylene “Gage” JavierPhoto of Kate Growley

On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.

Continue Reading Biden Admin Eyes IoT Cyber Practices

Photo of Peter J. EyrePhoto of M.Yuan Zhou

This week’s episode covers a DHS final rule implementing measures to safeguard Controlled Unclassified Information and facilitate improved incident reporting to DHS, a letter from Silicon Valley defense technology and venture capital firms calling on DoD to better embrace and scale commercial innovation for military use, a bid protest decision in which the Court found

Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Nkechi KanuPhoto of Maida Oringher LernerPhoto of Jacob HarrisonPhoto of Alexis Ward

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model. 

Continue Reading Homeland Cybersecurity: DHS Overhauls Its CUI Program, Releases New Contract Clauses

Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Alexander UrbelisPhoto of Maida Oringher LernerPhoto of Jacob HarrisonPhoto of Alexis Ward

On June 9, 2023, the Office of Management and Budget (OMB) released M-23-16, Update to Memorandum M-22-18, which alters key deadlines and clarifies how agencies and software developers can comply with M-22-18.  The original memorandum, published in September 2022, required all federal agencies and their software developers to comply with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance (collectively, NIST Guidance) whenever third-party software is used on government information systems or otherwise affects government information.

Continue Reading Softening the Blow: OMB Extends Software Supply Chain Security Deadline and Clarifies Scope

Photo of Evan D. WolffPhoto of Matthew B. WellingPhoto of Alexander UrbelisPhoto of Michael G. Gruden, CIPP/GPhoto of Maarten StassenPhoto of Christiana StatePhoto of Garylene “Gage” JavierPhoto of Sarah Rippy

A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally. 

MFT platforms are used to securely transfer files between parties, and Clop reportedly compromised MOVEit Transfer using a previously unknown (zero-day) vulnerability that allowed attackers to steal files from MOVEit’s underlying database. This vulnerability is now tracked as CVE-2023-34362.

Clop has previously targeted MFT platforms such as Accellion and has shown that it is prepared to follow through on threatened next steps.  In this case, Clop is threatening to identify victim companies on the Clop site as soon as June 14 and then, if a ransom is not paid, publish victims’ stolen data.  In prior attacks, Clop has also reportedly contacted victim companies directly with ransom demands, sometimes weeks or more after the attack.  We do not recommend that victims contact threat actors like Clop directly but instead work with experts to do so safely, if necessary.

Continue Reading MOVEit Vulnerability: What to Know and What to Do

Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Maida Oringher LernerPhoto of Jacob Harrison

On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft of NIST Special Publication (SP) 800-171 Revision 3, containing new and revised cybersecurity controls that, when finalized, will be required for federal contractors handling Controlled Unclassified Information (CUI).

NIST proposed five key changes to NIST SP 800-171:

  1. New controls
Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Alexander UrbelisPhoto of Maida Oringher LernerPhoto of Jacob Harrison

On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form.  The form is a key component of the mandatory software supply chain security requirements introduced by last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The Form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment. 

Background

In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.”  The EO directed the federal government to prioritize software supply chain security, including by creating secure software development practices for federal software acquisitions.  Pursuant to the EO, in February 2022 the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-­218 and the NIST Software Supply Chain Security Guidance (collectively, the NIST Secure Software Development Framework, or NIST SSDF), providing software development-focused security controls and best practices for federal agencies and their commercial software partners. 

OMB Memorandum M-22-18, published on September 14, 2022, requires companies providing software to the federal government to complete the self-attestation form to certify that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information. 

Continue Reading CISA Releases Draft Secure Software Development Self-Attestation Form

Photo of Michael G. Gruden, CIPP/GPhoto of Nkechi KanuPhoto of Evan D. WolffPhoto of Maida Oringher LernerPhoto of Alexis Ward

On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments:

Photo of Peter J. EyrePhoto of M.Yuan Zhou

This week’s episode covers the National Cyber Security Strategy, a final DFARS clause requiring disclosure of use of workforce and facilities in the China, the Department of Commerce’s first Notice of Funding Opportunity under the CHIPS and Science Act of 2022, and congressional inquiries about financial conflicts of interest and ethically questionable behavior by senior