With the 2024 election rapidly approaching, the Biden Administration must race to finalize proposed agency actions as early as mid-May to avoid facing possible nullification if the Republican Party controls both chambers of Congress and the White House next year.  The Congressional Review Act (CRA) allows Congress to overturn rules issued by the Executive Branch by enacting a joint resolution of disapproval that cancels the rule and prohibits the agency from issuing a rule that is “substantially the same.”  One of the CRA’s most unique features—a 60-day “lookback period”—allows the n ..read more

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also descri ..read more

The Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) has now opened its Contractor Portal for the 2024 Affirmative Action Program (“AAP”) certification period with a deadline of July 1, 2024. As previously discussed on this blog, a recent OFCCP policy requires supply and service contractors and subcontractors to use the Contactor Portal to register and certify their AAP compliance.  OFCCP’s Directive 2018-07, which sets forth OFCCP’s plans and objectives for the AAP verification process, states that the certification will allow OFCCP to incorporate AAP certif ..read more

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident repo ..read more

On March 12, 2024, the Department of Defense (DoD) published a final rule, revising the eligibility criteria for the voluntary DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities Program.  The intent of the rule is to permit all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to participate in the program.  Previously, only cleared contractors were permitted to participate in the sharing of this information.  The final rule also amends identity proofing requirements by eliminating t ..read more

On March 11, 2024 the Cybersecurity Infrastructure Security Agency (CISA), released the much anticipated final version of its common Secure Software Development Attestation Form.  Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons.  First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers.  Second, as set fo ..read more

On March 7, 2024, the Department of Transportation’s (“DOT”) Federal Highway Administration (“FHWA”) announced a proposed rule to rescind a longstanding general waiver of Buy America requirements for manufactured products (the “Manufactured Products Waiver”).  If finalized, this would be a major change for the agency, reversing a policy that has been in place for more than 40 years. FHWA has imposed Buy America requirements for domestic iron and steel on its projects since 1978 (see 23 U.S.C. § 313; 23 CFR § 635.410), but in 1983, the agency determined that it was in the public interest t ..read more

On February 15, 2024, the Department of Defense (“DOD”) issued a final rule that increases the domestic content requirements for defense procurements.  The new rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement Executive Order 14005 (“EO”).  The EO was intended to strengthen the requirements of the Buy American Act (“BAA”) by, among other things, directing the FAR Council to issue new rules increasing the domestic content threshold for determining whether a product qualifies as a domestic end product.  Although the FAR Council issued a final ..read more

This is the thirty-third in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through December 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during January 2024.  It also describes key ac ..read more

This is the thirty-second in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during December 2023.  It also describes key ..read more