Overview

On March 27, 2023, President Biden signed the Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security (EO), restricting federal agencies’ use of commercial spyware.  The Biden Administration cited targeted attacks utilizing commercial spyware on U.S. officials and human rights abuses abroad as motivations for these restrictions.

Usage Restrictions

The EO is not a blanket ban on commercial spyware.[1]  Instead, it bars federal government agencies from using commercial spyware tools if they pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses.  Indirect use of such spyware (e.g. through a contractor or other third party) is also prohibited.  The EO establishes risk factors indicative of prohibited commercial spyware, including:

  • Past use of the spyware by a foreign entity against U.S. government personnel or devices;
  • Past use of the spyware by a foreign entity against U.S. persons;
  • The spyware was or is furnished by an entity that maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. government, or has disclosed or intends to disclose non-public information about the U.S. government or its activities without authorization from the U.S. government;
  • The spyware was or is furnished by an entity under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
  • A foreign actor uses the commercial spyware to limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties; or
  • The spyware is furnished to governments that have engaged in gross violations of human rights, whether such violations were aided by the spyware or not.


Continue Reading Spy Games: Biden Administration Issues Executive Order Restricting Federal Use of Commercial Spyware

The National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2023, signed into law on December 23, 2022, makes numerous changes to acquisition policy. Crowell & Moring’s Government Contracts Group discusses the most consequential changes for government contractors here. These include changes that provide new opportunities for contractors to recover inflation-related costs, authorize new programs for small businesses, impose new clauses or reporting requirements on government contractors, require government reporting to Congress on acquisition authorities and programs, and alter other processes and procedures to which government contractors are subject. The FY 2023 NDAA also includes the Advancing American AI Act, the Intelligence Authorization Act for FY 2023, and the Water Resources Development Act of 2022, all of which include provisions relevant for government contractors.

Continue Reading FY 2023 National Defense Authorization Act: Key Provisions Government Contractors Should Know

Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.  The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF)NIST SP 800-­218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information.  The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.  It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using. 

Continue Reading Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements

After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.

Continue Reading No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights