How the National Cybersecurity Strategy Delivers Some Unexpected Teeth
Compliance & Regulations

The threat of civil prosecution for fraud within the National Cybersecurity Strategy will lead many companies to pay attention to SSDF requirements.

Eric Greenwald, General Counsel

March 14, 2023

Last week, I posted my initial reactions to the National Cybersecurity Strategy, but there’s a sub-topic that warrants a closer look. Nestled within the Strategy are some teeth that many found lacking in the earlier Executive Order 14028 (“EO 14028”). 

Brandishing Civil Cyber Fraud

In Section 3.5, the Strategy invokes DoJ's Civil Cyber-Fraud Initiative. This Initiative was launched in 2021, so it’s not new. But, we might be able to read something into the fact that the White House has invoked this Initiative in the Strategy, in almost the same breath that they reference the importance of EO 14028 in “improv[ing] accountability.” My read here is that the White House intends to use the Initiative to target government contractors who falsely assert compliance with NIST's Secure Software Development Framework (SSDF), specifically in the context of EO 14028.

Self Attestation Under EO 14028

EO 14028 requires government contractors who sell software to the government to self-attest that they comply with the secure software development practices outlined in the NIST Secure Software Development Framework. Following the release of EO 14028, the White House clarified that companies would only be required to issue a self-attestation that they are, in fact, in compliance with the SSDF.  

While some have criticized this approach as rendering the EO toothless, the decision to allow self-attestation was likely a response to the troubled path of the Department of Defense (“DoD”) Cybersecurity Maturity Model Certification (“CMMC”). The CMMC, established in 2019 to set cybersecurity standards for defense contractors, was based on third-party certification (that is, DoD would accredit private companies, which would in turn be authorized to assess individual defense contractors and certify them as compliant with the CMMC rules).

The CMMC has been dramatically delayed, in no small part because of the challenges in accrediting enough third-party companies to certify the (no-joke) 140,000 companies that fall under the scope of CMMC. The White House went a different route, allowing government contractors to attest to their own compliance with the new cybersecurity rules, and it’s not too hard to see why. 

This Thing Here Goes With That Thing There

Unlike CMMC’s stumble out of the gate (followed by a rather long nap on the track), EO 14028 has been gaining traction. But things get a little interesting when you combine self-attestation with the Civil Cyber-Fraud Initiative. 

If past practice is any indication of the future, the personnel filling out the self-attestation forms for EO 14028 may not be the people who actually know whether the company is, in fact, in compliance with SSDF. If they fail to report accurate information about their company’s compliance, that company may find itself at a table with a Department of Justice prosecutor sitting opposite. 

As the name suggests, this would be a civil lawsuit, not a criminal one, but it’s cold comfort as a government contractor to say “well, at least it’s not _criminal_ fraud….” Moreover, the standard of proof in civil litigation is lower, and how do you show that the misrepresentations about your cybersecurity practices were simply accidental and were not made with an intent to mislead?

Bottom line: the self-attestation may not make EO 14028 the toothiest of cybersecurity regimes, but the threat of civil prosecution for fraud will lead a lot of companies to take much more care in understanding the SSDF requirements and assessing whether they are in compliance. 

Tags

#regulation
Eric Greenwald is General Counsel at Finite State, bringing over 20 years of legal experience across government, tech, and national security. He previously served as Special Assistant to the President for Cybersecurity on the National Security Council and held senior roles at U.S. Cyber Command, the FBI, and the House Intelligence Committee.
