September 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is part of a series of Covington blogs on implementation of Executive Order 14028, "Improving the Nation's Cybersecurity," issued by President Biden on May 12, 2021 (the "Cyber EO"). The first blog summarized the Cyber EO's key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through August 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during September 2024. We discuss developments during September 2024 to implement President Biden's Executive Order on Artificial Intelligence in a separate post.

CMMC 2.0 Clears Interagency Review

On September 13, the long-awaited Cybersecurity Maturity Model Certification ("CMMC") 2.0 agency rule passed final interagency review. (The final rule was released publicly in pre-publication form on October 11, as we covered in a separate post here.) CMMC 2.0 will be subject to a 60-day Congressional review under the Congressional Review Act, during which time Congress could issue a joint statement of disapproval. CMMC 2.0 will require compliance with the program as a condition of entering into Department of Defense ("DoD") contracts involving the storage, processing, or transmission of federal contract information ("FCI") or controlled unclassified information ("CUI"). A more thorough discussion of CMMC 2.0 generally is available in our January alert, which discussed the proposed CMMC 2.0 rule. As we noted in a prior post, DoD published an accompanying proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement ("DFARS"). That rule will govern how the requirements of the program will be imposed on contractors by contract.

CSC 2.0 Publishes 2024 Implementation Report

The Cyberspace Solarium Commission 2.0 ("CSC 2.0") published its 2024 Annual Report on Implementation, which assesses the U.S. government's progress in enacting the original Cyberspace Solarium Commission's ("CSC") 82 bipartisan recommendations and outlines the top ten recommendations for the next administration and Congress to improve cyber resilience. Given the history of the CSC's recommendations evolving into significant executive, legislative, and regulatory actions that have shaped the cybersecurity landscape over the past several years, the 2024 Implementation Report and the CSC's roadmap of recommendations provide a noteworthy preview of potential future cyber regulations and legislative developments in the U.S. Indeed, many of the most significant changes to the federal cybersecurity landscape in the past few years evolved from the CSC's recommendations. The report's analysis and recommendations are summarized further in our Alert.

ONCD Tackles Border Gateway Protocol ("BGP") Vulnerabilities

On September 3, the Office of the National Cyber Director ("ONCD") released the Roadmap to Enhancing Internet Routing Security ("Roadmap"), providing recommendations for network operators to strengthen BGP security and resilience features. BGP refers to the protocol that dictates how information is routed across networks. According to ONCD, BGP is susceptible to intentional and inadvertent misconfigurations that "may expose personal information; enable theft, extortion, and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations." The Roadmap encourages the adoption of Resource Public Key Infrastructure, a form of cryptographic certification to authenticate route announcements, and provides 18 recommendations for network operators, network service providers, public and private stakeholders, and federal agencies. To further advance these goals ONCD, in coordination with the Cybersecurity and Infrastructure Security Agency, is in the process of creating a public-private Internet Routing Security Working Group.