Photo of Townsend Bourne

Townsend Bourne is a partner in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office. She also is Leader of the firm’s Aerospace, Defense & Government Services Team.

NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B

The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.
Continue Reading Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base

After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.
Continue Reading NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53

NIST’s new draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.”   The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.
Continue Reading NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.
Continue Reading NIST Proposes Draft Enhanced Security Requirements for Protecting CUI

As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific for companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of IoT devices, as well as a baseline level of security requirements for these devices.

Continue Reading NIST Releases Cybersecurity Guidance for Manufacturers of IoT Devices

Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year. In an effort to enhance supply chain security, the CMMC sets forth unified cybersecurity standards that DOD contractors and suppliers (at all tiers, regardless of size or function) must meet to participate in future DOD acquisitions. Through the CMMC, DOD adds cybersecurity as a foundational element to the current DOD acquisition criteria of cost, schedule, and performance. We have previously discussed CMMC on our Government Contracts & Investigations Blog.
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.  The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness:” (1) Yourself; (2) Your Staff; (3) Your Systems; (4) Your Surroundings; (5) Your Data; and (6) Your Actions Under Stress. The final section of the guide provides a list of steps that can be taken immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multi-factor authentication, enabling automatic updates, and deploying patches quickly.
Continue Reading CISA Releases “Cyber Essentials” to Assist Small Businesses

“Internet of Things” devices are listening.  And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data online, and are thus are susceptible to hacking and listening in. Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage these cybersecurity risks. This legislation would affect a wide range of IoT devices. I.e., a device connect to the internet that is not a “general purpose computing device.”
Continue Reading Feds Want New IoT Guidance to Address Security Vulnerabilities

As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be recurring or new themes in the year to come. To help on this front, we have put together our comprehensive “year in review” bulletin. In this document, we’ve included all of the developments we reported on in 2018, in one handy spot. You can view the summary here. There were many themes that emerged, from biometrics to targeting, breach laws to breach enforcement, 2018 was a busy year in privacy. We expect 2019 to be equally packed with privacy developments.
Continue Reading Year In Review: Eye on Privacy 2018

The U.S. Government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations. Whether by issuing binding directives on agencies, passing laws or promulgating regulations that include prohibitions on the use of these companies’ products – including by government contractors, the Government is becoming less reluctant to interfere in the private market in favor of warning American companies of the cybersecurity dangers out there.
Continue Reading When the U.S. Government Declares Companies Cyber-Insecure, We Should All Pay Attention