On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.” The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls. The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor. Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).
Jacob Harrison helps his clients navigate both domestic and international legal challenges.
Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.
In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.
During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.
On October 30, 2023, President Biden released an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI). This landmark EO seeks to advance the safe and secure development and deployment of AI by implementing a society-wide effort across government, the private sector, academia, and civil society to harness “AI for good,” while mitigating its substantial risks.…
On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI). The final rule is effective July 21, 2023.
The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model. …
On June 9, 2023, the Office of Management and Budget (OMB) released M-23-16, Update to Memorandum M-22-18, which alters key deadlines and clarifies how agencies and software developers can comply with M-22-18. The original memorandum, published in September 2022, required all federal agencies and their software developers to comply with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance (collectively, NIST Guidance) whenever third-party software is used on government information systems or otherwise affects government information.
On June 2, 2023, the FAR Council issued an Interim Rule with immediate effect that prohibits the presence or use of the TikTok app on “information technology” (IT) equipment used by government contractors and contractor personnel in the performance of a contract. The interim rule mirrors the Office of Management and Budget’s guidance, which directed federal agencies to remove TikTok and successor apps made by Chinese company ByteDance Limited from federal devices (to implement the No TikTok on Government Devices Act).
On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft of NIST Special Publication (SP) 800-171 Revision 3, containing new and revised cybersecurity controls that, when finalized, will be required for federal contractors handling Controlled Unclassified Information (CUI).
NIST proposed five key changes to NIST SP 800-171:
- New controls
On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form. The form is a key component of the mandatory software supply chain security requirements introduced by last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The Form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment.
In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The EO directed the federal government to prioritize software supply chain security, including by creating secure software development practices for federal software acquisitions. Pursuant to the EO, in February 2022 the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-218 and the NIST Software Supply Chain Security Guidance (collectively, the NIST Secure Software Development Framework, or NIST SSDF), providing software development-focused security controls and best practices for federal agencies and their commercial software partners.
OMB Memorandum M-22-18, published on September 14, 2022, requires companies providing software to the federal government to complete the self-attestation form to certify that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information. …
On March 27, 2023, President Biden signed the Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security (EO), restricting federal agencies’ use of commercial spyware. The Biden Administration cited targeted attacks utilizing commercial spyware on U.S. officials and human rights abuses abroad as motivations for these restrictions.
The EO is not a blanket ban on commercial spyware. Instead, it bars federal government agencies from using commercial spyware tools if they pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses. Indirect use of such spyware (e.g. through a contractor or other third party) is also prohibited. The EO establishes risk factors indicative of prohibited commercial spyware, including:
- Past use of the spyware by a foreign entity against U.S. government personnel or devices;
- Past use of the spyware by a foreign entity against U.S. persons;
- The spyware was or is furnished by an entity that maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. government, or has disclosed or intends to disclose non-public information about the U.S. government or its activities without authorization from the U.S. government;
- The spyware was or is furnished by an entity under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
- A foreign actor uses the commercial spyware to limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties; or
- The spyware is furnished to governments that have engaged in gross violations of human rights, whether such violations were aided by the spyware or not.
The National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2023, signed into law on December 23, 2022, makes numerous changes to acquisition policy. Crowell & Moring’s Government Contracts Group discusses the most consequential changes for government contractors here. These include changes that provide new opportunities for contractors to recover inflation-related costs, authorize new programs for small businesses, impose new clauses or reporting requirements on government contractors, require government reporting to Congress on acquisition authorities and programs, and alter other processes and procedures to which government contractors are subject. The FY 2023 NDAA also includes the Advancing American AI Act, the Intelligence Authorization Act for FY 2023, and the Water Resources Development Act of 2022, all of which include provisions relevant for government contractors.
Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity. The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information. The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using. …