Tag Archives: Patrick J. Austin

DOD’s CMMC 2.0 Program Takes Step Forward with Release of Contract Rule Proposal

by Beth Burgin Waller and Patrick J. Austin


Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The United States Department of Defense (DoD) took another big step on the path to instituting its highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0). Once finalized, CMMC 2.0 will establish and govern cybersecurity standards for defense contractors and subcontractors.

On August 15, 2024, DoD submitted a proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS rule effectively supplements DoD’s proposed rule published in December 2023 by providing guidance to contracting officers, setting forth a standard contract clause to be used in all contracts covered by the CMMC 2.0 program, DFARS 252.204-7021, and setting forth a standard solicitation provision that must be used in solicitations for contracts covered by the CMMC 2.0 program, DFARS 252.204-7YYY (number to be added when the rule is finalized).

There is a 60-day comment period for the DFARS proposed rule, meaning individuals have until October 15, 2024, to provide public feedback on the proposal.


Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin


Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.


Executive Order Prohibits Transfer of Sensitive Personal Data to “Countries of Concern”

by Patrick J. Austin and John Pilch


From left to right: Patrick J. Austin and John Pilch

On February 28, 2024, U.S. President Joe Biden issued Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO), which authorizes the U.S. Attorney General to restrict large-scale transfers of personal data to “countries of concern.” The “countries of concern” identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela, according to a summary issued by the White House.


Proposed Federal Cyber Incident Reporting Rule Adds Hefty Federal Reporting Requirements to Critical Infrastructure Sector and Large Businesses

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The federal Cybersecurity and Infrastructure Security Agency (CISA) released a draft of its proposed rule detailing how covered entities operating in critical infrastructure sectors must report cyberattacks and ransomware payments to the federal government. The proposed rule states that entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours after an entity reasonably believes a cyber incident has occurred and to report ransom payments within 24 hours after a payment is made. The proposed Cyber Rule – hundreds of pages as drafted – adds significant requirements for those required to make a report, including a requirement that the entity preserve materials used to create the report (such as the threat actor’s ransom note, logs, and forensic artifacts) for two years. As proposed, the Rule applies to large businesses and the critical infrastructure sector alike. Failure to comply can result in an entity being subpoenaed and ultimately referred to the Department of Justice for noncompliance.

The proposed rule is scheduled to be published in the Federal Register on April 4, 2024. An unpublished version of the proposed rule may be accessed here (pdf).


EU AI Act Will Be World’s First Comprehensive AI Law

by Beth Burgin Waller, Patrick J. Austin, and Ross Broudy


Left to right: Beth Burgin Waller, Patrick J. Austin, and Ross Broudy (photos courtesy of Woods Rogers Vandeventer Black PLC)

On March 13, 2024, the European Union’s parliament formally approved the EU AI Act, making it the world’s first major set of regulatory ground rules to govern generative artificial intelligence (AI) technology. The EU AI Act, after passing final checks and receiving endorsement from the European Council, is expected to become law in spring 2024, likely May or June.

The EU AI Act will have a phased-in approach. For example, regulations governing providers of generative AI systems are expected to go into effect one year after the regulation becomes law, while prohibitions on AI systems posing an “unacceptable risk” to the health, safety, or fundamental rights of the public will go into effect six months after the implementation date. The complete set of regulations in the EU AI Act is expected to be in force by mid-2026.


CPPA’s Regulatory Enforcement Restored: It’s Time to Get Compliant

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

For businesses subject to the California Consumer Privacy Act (CCPA), privacy compliance just became urgent. On February 9, 2024, a California appellate court agreed with the California Privacy Protection Agency (CPPA) that there is no statutory requirement for a one-year gap between approval of privacy regulations and enforcement of those regulations. Overturning a stay of enforcement at the trial court level, the California appellate court held that CCPA regulations can be enforceable upon finalization. This means that for businesses subject to the CCPA, there is no ramp-up period between new regulations being finalized and the agency enforcing those new regulations.


FCC Updates and Expands Data Breach Notification Rules

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The updated data breach notification rules broaden the definition of what is considered a breach and expand the scope of who must be notified when a data breach occurs.

The Federal Communications Commission (FCC or Commission) voted to adopt new and expanded data breach notification requirements that apply to telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). The updated rules now include personally identifiable information (PII), as opposed to just customer proprietary network information (CPNI). This means carriers must provide notice when a consumer’s PII is breached.

The new data breach notification rules will go into effect approximately 30 days after publication in the Federal Register. Below is an overview of the new rules.


DOJ, FBI Issue Guidance for Public Companies Seeking to Delay Disclosure of Material Cybersecurity Incidents

by Michael T. Borgia and Patrick J. Austin


Left to right: Michael T. Borgia and Patrick J. Austin (Photos courtesy of Davis Wright Tremaine LLP)

Public companies may only request a delay of the SEC’s disclosure requirements for national security or public safety reasons

As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the “Rule”). The Rule requires, among other things, that public companies disclose “material” cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers). Item 1.05 of Form 8-K must include the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations,” and the form must be filed within four business days of determining that an incident is material. The Rule permits companies to delay disclosure beyond four business days only where the U.S. Attorney General determines that disclosure “would pose a substantial risk to national security or public safety.” The Rule’s cyber incident disclosure requirements go into effect on December 18, 2023.


CISA Releases Revised Draft of Secure Software Development Self-Attestation Form

by Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin


Left to right: Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Once Finalized, the Form will Establish Secure Software Development Baselines for Companies that Provide Software to the Federal Government

The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form (“Form”). The Form, once finalized, will obligate vendors providing software to the federal government to attest to enumerated practices to secure their software, third-party components, and the development environment. Software vendors to federal agencies are advised to review the draft Form and assess their current secure development practices—both for in-house and third-party developed software—against the Form’s relevant attestations and the supporting NIST guidance. Software producers unable to make any of the required attestations should prioritize conforming their software development practices to the Form’s attestations and NIST guidance, and should consider whether to pursue a plan of action and milestones (POA&M) with their federal agency customers once the Form is finalized.


Ctrl-Alt-Delete: California Legislature Passes Delete Act

by Nancy Libin and Patrick J. Austin


From left to right: Nancy Libin and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Legislation requires data brokers to register with the California Privacy Protection Agency and comply with a one-stop consumer deletion mechanism by 2026

The wave of data privacy legislation in California continues as lawmakers passed a bill that will impose new obligations on data brokers. Senate Bill 362, also known as the Delete Act, will amend California’s existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA), imposing new disclosure obligations, and requiring data brokers to comply with a “one-stop” mechanism to be established by the CPPA whereby California consumers can request data brokers to delete their personal data. This one-stop deletion mechanism would have to be established by January 1, 2026, and honored by data brokers starting August 1, 2026.

The Delete Act, awaiting signature by the Governor, will become law no later than October 14, 2023, unless signed earlier or vetoed.

Below is an overview of notable provisions and regulatory requirements.
