This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although the developments this month apply directly to the U.S. Government, the standards being established for federal agencies could be adopted as industry standards by any organization that develops or acquires software, much as various industries have adopted the NIST Cybersecurity Framework as a security controls baseline.

NIST Publishes Preliminary Guidelines for Enhancing Software Supply Chain Security

Section 4(c) of the Cyber EO directs NIST to publish preliminary guidelines for enhancing software supply chain security by November 8, 2021.  NIST issued these preliminary guidelines on October 28, 2021 as part of a second draft of NIST Special Publication 800-161 Revision 1, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.”  The preliminary guidelines, which are specifically addressed in Appendix F to Draft Revision 1 but are also incorporated throughout the document, describe key cybersecurity supply chain risk management (C-SCRM) practices for managing exposure to the cybersecurity risks, threats, and vulnerabilities presented by a supplier, the supplied products and services, and the supply chain itself, and for developing appropriate response strategies.  The guidelines also provide a general prioritization of such practices (i.e., Foundational, Sustaining, and Enhancing) for enterprises to consider as they implement C-SCRM.

In preparing the updated draft following the release of the Cyber EO, NIST translated the Cyber EO’s Section 4 software supply chain directives into three targeted initiatives:

  • Critical Software Definition and Security Measures;
  • Recommended Minimum Standard for Vendor or Developer Verification of Code; and
  • Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software.

NIST will accept comments on the preliminary guidelines through December 5, 2021.  The Cyber EO requires NIST to publish final guidelines for ensuring software supply chain security by February 2022.  While these guidelines will initially be applicable only to federal agencies, the head of cyber response and policy at the National Security Council, Jeff Greene, stated recently that a goal of the Cyber EO was “spillover” of NIST’s software security guidelines to private entities, presumably (in the case of government contractors and subcontractors) through the use of standardized FAR clauses contemplated elsewhere in the Cyber EO.

NIST Announces Virtual Workshop on November 8 to Discuss Artifacts Used in Developing Secure Software

Section 4(e) of the Cyber EO requires NIST to issue guidance identifying practices that enhance the security of the software supply chain, including standards, procedures, or criteria regarding secure software development environments and providing “artifacts” that demonstrate conformance to such standards, processes, or criteria.  Pursuant to Section 4(e), NIST released a draft Secure Software Development Framework (Draft SSDF) at the end of September 2021.  The Draft SSDF bears the title Draft NIST Special Publication 800-218, Version 1.1, and consists of a core set of high-level secure software development practices that can be integrated into software development life cycles.  The Draft SSDF requests comments by November 5, 2021, including responses to the questions “What types of artifacts and evidence can be captured, documented, and shared publicly as byproducts of implementing the secure software development practices?” and “Are there examples [of such artifacts and evidence] you can share?”

On October 28, 2021, NIST announced that it would hold a virtual workshop on November 8, 2021 to solicit input about the types of artifacts of secure software development that software producers can share publicly with software acquirers.  The workshop will also cover approaches for “attesting to following specific secure software development practices.”  NIST will use the input gathered at this workshop to finalize the SSDF, which then will be incorporated into the guidelines for enhancing software supply chain security discussed above.

NIST Issues Three Guidance Documents on Cloud Security

On October 28, 2021, NIST issued three reports related to cloud security: (1) the Second Draft NIST Internal Report (IR) 8320, “Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases”; (2) Draft NIST IR 8320B, “Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms”; and (3) Draft NIST Special Publication (SP) 1800-19, “Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments.”  Each of these reports provides guidance on practices, techniques, and technologies for protecting data and workloads in cloud environments, with a common emphasis on using hardware-rooted platform security as the foundation for higher-layer controls.  NIST is accepting comments on all three reports until December 5, 2021.

Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.