Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Nkechi KanuPhoto of Maida Oringher LernerPhoto of Jacob HarrisonPhoto of Alexis Ward

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model. Continue Reading Homeland Cybersecurity: DHS Overhauls Its CUI Program, Releases New Contract Clauses

Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Maida Oringher LernerPhoto of Jacob Harrison

On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form.  The form is a key component of the mandatory software supply chain security requirements introduced by last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The Form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment. 

Background

In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.”  The EO directed the federal government to prioritize software supply chain security, including by creating secure software development practices for federal software acquisitions.  Pursuant to the EO, in February 2022 the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-­218 and the NIST Software Supply Chain Security Guidance (collectively, the NIST Secure Software Development Framework, or NIST SSDF), providing software development-focused security controls and best practices for federal agencies and their commercial software partners. 

OMB Memorandum M-22-18, published on September 14, 2022, requires companies providing software to the federal government to complete the self-attestation form to certify that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information.  Continue Reading CISA Releases Draft Secure Software Development Self-Attestation Form

Photo of Mary-Caitlin RayPhoto of Evan Chuck

Last week, the House of Representatives passed a bill that would ban some U.S. Federal agencies from purchasing drones and drone components manufactured in certain foreign countries.  The “Drone Origin Security Enhancement Act,” would prevent all government agencies from purchasing drones based solely on their country of manufacture.  A similar bill currently in the

Photo of Kate M. Growley, CIPP/G, CIPP/US

Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider.  On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP.  The GSA expects last month’s