Resources

Government Resources

Departments, Agencies, and More: the Public Sector

Administrative Conference of the United States

Algorithmic Tools in Retrospective Review of Agency Rules (May 2023)

Automated Legal Guidance at Federal Agencies (June 2022)

Managing Mass, Computer-Generated, and Falsely Attributed Comments (June 2021)

Cyberspace Solarium Commission

Countering Disinformation in the United States (December 2021)

View the Commission's final report (March 2020)

Department of Defense

FedRAMP Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings (December 2023)

Proposed Cybersecurity Maturity Model Certification (CMMC) Program Rule (December 2023)

2023 Data, Analytics, and Artificial Intelligence Adoption Strategy (November 2023)

2023 Cyber Strategy of the Department of Defense (September 2023)

DoD Cyber Workforce Strategy 2023-2027 (March 2023)

DoD Zero Trust Strategy (October 2022)

U.S. Department of Defense Responsible Artificial Intelligence Strategy and Implementation Pathway (June 2022)

Department of Health and Human Services

Sign Up for the HHS OCR Privacy and Security Listservs

Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services (December 2023)

Quick-Response Checklist (June 2017)

Fact Sheet: Ransomware and HIPAA (July 2016)

HIPAA Administrative Simplification (March 2013)

Department of Homeland Security

Guidelines for secure AI system development (November 2023)

Review of the December 2021 Log4j Event (July 2022)

Preparing for Post-Quantum Cryptography (September 2021)

Cybersecurity and Infrastructure Security Agency:

Department of Justice

One-Stop Ransomware Resource: stopransomware.gov  

DOJ Comprehensive Cyber Review - July 2022 (2022)

Best Practices for Partnering with Law Enforcement (2021)

CCIPS Comments on the 2021 DMCA Section 1201 Security Research Exemption (2021)

Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (2020)

Report of the Attorney General’s Cyber Digital Task Force (2018)  

Best Practices for Victim Response and Reporting of Cyber Incidents, Version 2.0 (2018)

Antitrust Policy Statement on Sharing of Cybersecurity Information (2014)

Department of State

Bureau of Cyberspace and Digital Policy

Additional Guidance on the Democratic People's Republic of Korea Information Technology Workers (2023)

North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media (2023)

Joint Statement on Advancing Responsible State Behavior in Cyberspace (International Resolution) (2019)

International Law In Cyberspace (2012)

Department of the Treasury

Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (March 2024)

Cyber-related Sanctions FAQs

Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (2021)

G7 Fundamental Elements of Cybersecurity for the Financial Sector (2016)

Federal Communications Commission

Updated Data Breach Notification Rules, Report and Order (FCC 23-111) (December 21, 2023)

Proposed Cybersecurity Labeling Program for Smart Devices (August 2023)

Federal Emergency Management Agency

Planning Considerations for Cyber Incidents: Guidance for Emergency Managers (November 2023)

Critical Cyber Asset Identification and Prioritization Checklist (November 2023)

Federal Trade Commission

SIGN UP for FTC Press Release Updates

FTC Privacy & Data Security Update for 2018 (2019)

Cybersecurity Resources for Your Small Business U.S. Federal Trade Commission (2018)

Data Breach Response: A Guide for Business (2016)

Antitrust Policy Statement on Sharing of Cybersecurity Information (2014)

Government Accountability Office

OMB Should Improve Information Security Performance Metrics (January 2024)

Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (December 2023)

Agencies Have Begun Implementation but Need to Complete Key Requirements (December 2023)

Agile Assessment Guide: Best Practices for Adoption and Implementation, revised (November 2023)

Cybersecurity Program Audit Guide (September 2023)

National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods (September 2023)

Cybersecurity Challenges Facing the Nation (2018)

House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party

Reset, Prevent, Build: A Strategy to Win America's Economic Competition with the Chinese Communist Party (December 2023)

National Institute of Standards and Technology

SP 800-171 Pre-Draft Call for Comments (2022)

Telework Security Basics (2020)

LAUNCHING: NIST Small Business Cybersecurity Corner U.S. Department of Commerce (2019)

Version 1.1 of Cybersecurity Framework (2018)

Small Business Information Security: The Fundamentals (2016)

Framework for Improving Critical Infrastructure Cybersecurity (2014)

Security and Privacy Controls for Federal Information Systems and Organizations (2013)

Office of Management and Budget

Federal Cybersecurity Risk Determination Report and Action Plan (2018)

Memorandum for Heads of Executive Departments and Agencies (2012)

Office of the Director of National Intelligence

Annual Threat Assessment of the U.S. Intelligence Community (2023) (Office of the Director of National Intelligence)

Global Trends 2040: A More Contested World (2021) (National Intelligence Council)

National Counterintelligence Strategy, 2020-2022 (National Counterintelligence and Security Center)

Cyber Training Series (National Counterintelligence and Security Center)

Know the Risks, Raise Your Shield
Secure your business' supply chain, guard against intellectual property theft, and avoid spear-phishing and social media deception. View Press Release. (2019)

Supply Chain Risk Management (2019) (National Counterintelligence and Security Center)

Foreign Spies Stealing US Economic Secrets in Cyberspace (2011) (Office of the National Counterintelligence Executive)

Securities and Exchange Commission

Crypto Assets and Cyber Enforcement Actions

SEC v. SolarWinds Corp. and Timothy G. Brown (October 30, 2023)

SEC v. Covington & Burling, LLP (July 24, 2023)

SEC's Application for Order to Show Cause & Compliance with Subpoena (January 10, 2023)

Covington's Response in Opposition (January 14, 2023)

Amicus Curiae Brief of the Association of Corporate Counsel in Support of Covington & Burling (February 21, 2023)

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (July 2023)

Proposed Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents (March 2023) 

Proposed Rule Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (February 2022)

United States Air Force

Air Force Doctrine Publication 3-12: Cyberspace Operations

Executive Reports, Orders, Offices, and Policy Directives

2024

National Cybersecurity Strategy Implementation Plan, May 13, 2024

National Security Memorandum on Critical Infrastructure Security and Resilience, April 30, 2024

Back to the Building Blocks: A Path Towards Secure and Measurable Software, February 26, 2024

Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States, February 21, 2024

2023

Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, October 30, 2023

Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern, August 9, 2023

Prohibition on Use by the United States Government of Commercial Spyware That Poses Risks to National Security, March 27, 2023

2022

Enhancing Safeguards for United States Signals Intelligence Activities, October 7, 2022

Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States, September 15, 2022

Implementation of the CHIPS Act of 2022, August 25, 2022

Enhancing the National Quantum Initiative Advisory Committee, May 4, 2022

Ensuring Responsible Development of Digital Assets, March 9, 2022

2021

Protecting Americans' Sensitive Data From Foreign Adversaries, June 9, 2021

Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021

National Artificial Intelligence Initiative

2018

Executive Order: Enhancing the Effectiveness of Agency Chief Information Officers, May 2018

2017

2017 Insider Threat Guide: A Compendium of Best Practices to Accompany the National Insider Threat Minimum Standards

First U.S.-China Law Enforcement and Cybersecurity Dialogue
Released October, 2017

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Released May 11, 2017

Presidential Executive Order on the Establishment of the American Technology Council
Released May 1, 2017

Justice Department Announces Actions to Disable Kelihos Botnet (United States v. Levashov)
Released April, 2017

2016

Year End Report: House Judiciary and House Energy and Commerce Committees' Encryption Working Group
Released December, 2016

Presidential Policy Directive on U.S. Cyber Incident Coordination
Released July 2016

Memo: House Energy and Commerce Committee Hearing on Encryption
Released April 2016

FACT SHEET: Cybersecurity National Action Plan
Released February 2016

2015

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations from the Office of Legal Education

Executive Order--"Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities"

Statement of William C. Hubbard, President, American Bar Association, Re: President Obama’s Executive Order on financial sanctions for cyberintrusions (4/3/2015)

"Cyberintrusions present an extraordinary threat to the national security, foreign policy and economy of the United States. The American Bar Association commends President Obama for his executive order establishing a financial sanctions program targeting individuals and entities who engage in significant malicious cyber activities concerning trade secrets and the economic and financial stability of the United States. This executive order provides a new tool for both the private sector and the government in the fight against malicious cyberactivity and cybertheft.
The ABA adopted a resolution in 2013 calling for appropriate sanctions for unauthorized, illegal intrusions into the computer networks, including economic sanctions or asset forfeitures against those involved.  Information security represents an increasingly important issue for the legal profession. Sophisticated hacking activities on private computer systems and networks, including on those used by lawyers and law firms, have increased dramatically over the last decade. The Executive Order, by using authorities pursuant to the International Emergency Economic Powers Act, recognizes the potential national security implications. These breaches also expose clients, their lawyers and society to significant economic losses and undermine the legal profession by threatening client confidentiality and the attorney-client privilege."

2014

Cybersecurity Procurement Language for Energy Delivery Systems, April 2014
Released April 2014

2013

2013 Cybersecurity Executive Order: Overview and Considerations for Congress
Congressional Research Service

U.S. Federal Cybersecurity Operations Teams
Released March 2013

Cybersecurity Questions for CEOs
Released February 2013

Administration Strategy on Mitigating the Theft of U.S. Trade Secrets
Released February 20, 2013

Presidential Policy Directive on Critical Infrastructure Security and Resilience
Released February 12, 2013

Executive Order 13636 - Improving Critical Infrastructure
Released February 12, 2013

Legislative Branch

Children's Online Privacy Protection Act

Text 105th Congress

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Learn more from the FTC.

Cybersecurity and Infrastructure Security Act 

2018 115th Congress

2017 115th Congress

FISA

2018 115th Congress

Gramm Leach Bliley Act

In the news: FTC Proposes Changes to Gramm Leach Bliley Act

Amending House Resolution 115th Congress

Text

National Defense Authorization Act

2021 116th Congress

2020 116th Congress

2019 115th Congress

NIST Small Business Cybersecurity Act

2018 115th Congress

Reports, Guidelines, Hearings, and More

2016

U.S. House of Representatives Committee on Science, Space, and Technology: Subcommittee on Research & Technology and Oversight Friday, January 8, 2016 Hearing on "Cybersecurity: What the Federal Government Can Learn from the Private Sector"

2015

Cybersecurity and Information Sharing: Legal Challenges and Solutions
Congressional Research Service by Andrew Nolan, Legislative Attorney

2014

Cybersecurity: Authoritative Reports and Resources, by Topic
Congressional Research Service (May 2014)

Framework for Improving Critical Infrastructure Cybersecurity
National Institute of Standards and Technology, February 2014

The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure 
Senate Committee on Homeland Security and Governmental Affairs, February 2014

2013

The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress
Congressional Research Service, December 2013

2012

Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE
Permanent Select Committee on Intelligence, U.S. House of Representatives, October 2012

State Legislation

(Access the National Conference of State Legislatures Task Force on Cybersecurity)

Alabama

Insurance Data Security Law (2019)

Arkansas

LEARNS Act (requires schools to review and update cybersecurity policies annually) (2023)

Act 504 (requires public entities to create authorized use and cybersecurity policies & amends the State Cyber Security Office's duties) (2023)

Act 510 (regulates meetings, policies, guidelines, and reports for cybersecurity incidents targeting public entities) (2023)

Student Data Vendor Security Act (increases the security & transparency requirements for using or sharing student data with or by third-party vendors) (2023)

Act 758 (prohibits contracts with China) (2023)

Act 809 (adds appropriation for expenses for the Arkansas Cyber Response Board) (2023)

Act 846 (cyber insurance) (2023)

Act 149 (authorizes state militia to address cybersecurity threats and vulnerabilities) (2019)

California

AB-302 (requires Department of Technology to inventory high-risk automated systems within state agencies)

AB-569 (establishes the Cybersecurity Regional Alliances and Multistakeholder Partnerships Pilot Program to address the cybersecurity workforce gap and requires the Chancellor of the California State University to select schools to participate in and report on the program)

AB-1215 (blocking the use by police of body cams for facial recognition purposes) (2019)

California Privacy Act (2018)

Information Privacy: Connected Devices Act (2018)

Florida

Florida Information Protection Act (2014)

Maine

An Act To Protect the Privacy of Online Customer Information

Nevada

New York

Ohio

Pennsylvania

Rhode Island 

H 5684 (updates the Identity Theft Prevention Act; requires municipal and state agencies to notify state police of a cybersecurity incident within 24 hours)

Washington

S 5518 (defines ransomware; creates the cybersecurity advisory committee to strengthen critical infrastructure cybersecurity) (2023)