Data Dive
Written and curated by a multidisciplinary group of attorneys, Data Dive delivers key insights on cybersecurity, privacy and other data-related topics impacting organizations across the globe.
Search Results
Data Dive
In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”1 While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.
Data Dive
A recent uptick in enforcement and regulatory activity related to cybersecurity is reshaping the landscape. The Federal Acquisition Regulatory Council’s proposed rules increasing cybersecurity requirements for government contractors could open your business up to new or increased FCA liability. Amid this rising cyber-related FCA activity, government-contracted tech companies and other organizations receiving government funds must understand how regulators and private whistleblowers alike are using the FCA to enforce required cybersecurity standards.
Data Dive
The 2023 National Cybersecurity Strategy (the Strategy) released by the Biden Administration highlights shifts that are “rebalanc[ing] the responsibility to defend cyberspace” and “realign[ing] incentives to favor long-term investments.” For the technology sector, the Strategy focuses on investments in cybersecurity-related research and development aimed at modernizing federal information and operational technology systems.
Data Dive
In recent weeks, the Consumer Financial Protection Bureau (CFPB), the U.S. government agency charged with implementing and enforcing federal consumer financial law, has taken an increasingly active approach on a range of topics relating to credit reporting and background checks. In the last eight weeks, the agency has taken action aimed at protecting consumers on five separate occasions.
Data Dive
On Tuesday, the Department of Justice (DOJ) released its Comprehensive Cyber Review report (the “Review”) summarizing its review of the Department’s cyber-related activities and its recommendations around the Department’s “offensive” (i.e., cyber threat investigations and enforcement) and “defensive” (i.e., Department system protections) cyber capabilities. One element of the Review addressed federal contractor and vendor cybersecurity, and noted that “many of the cybersecurity provisions and standards set forth for federal contractors were found to be insufficiently rigorous,” and that the Department has offered to assist the Federal Acquisition Regulatory Council in updating cybersecurity contract terms, which is an effort that is underway pursuant to E.O. 14028.
Data Dive
Akin Gump published a client alert on November 23, which discusses that on November 17, 2021, the U.S. Department of Defense (DOD) published an Advance Notice of Proposed Rulemaking (ANPRM) previewing significant changes to its Cybersecurity Maturity Model Certification (CMMC) program. The revamp, “CMMC 2.0,” promises a more streamlined and flexible system for defense contractors and their suppliers to comply with CMMC and DOD’s cybersecurity expectations, with practical changes coming into effect between 9 and 24 months from now. CMMC 2.0 is DOD’s response to a months-long internal review spurred by more than 850 public comments on DOD’s September 2020 “CMMC 1.0” interim rule (see our webinar coverage of this rule here). While DOD pursues the forthcoming rulemakings, it intends to suspend current CMMC piloting efforts and has stated it will not include CMMC requirements in DOD solicitations. Contractors should continue, however, to adhere to the existing cybersecurity “assessments” framework (described here), focusing on compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls and required Basic Assessments.
Data Dive
Last month, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) released draft guidance to implement a Zero Trust cybersecurity policy government-wide. OMB and CISA are seeking public comment on the strategic and technical guidance published in direct support of President Biden’s Executive Order on Improving the Nation’s Cybersecurity (“EO 14028”).
Data Dive
President Biden issued Executive Order (EO) 14028 on May 12, 2021, on “Improving the Nation’s Cybersecurity.” As noted in the administration’s accompanying Fact Sheet, the EO is a direct response to recent high-profile cybersecurity incidents. However, it should also be viewed in context as a response to years of increasing concern about, and efforts to enhance, cyber and supply chain security within the federal government, its contracting base and the U.S. information and communications technology and services (ICTS) industry more broadly.