On January 8, 2025, in UNICA-BPA JV, LLC, the U.S. Government Accountability Office (GAO) sustained a protester’s challenge to its elimination from the competition for failing to have an active System for Award Management (SAM) registration at the time of its initial proposal submission. The GAO sustained the protest because the protester’s registration was in fact active at the time it submitted its final proposal revision (FPR) even though it was inactive at the time of initial proposal submission. The facts of the case are straightforward:

Continue Reading What Happens When Uncle Sam Doesn’t Understand SAM? The Case of the Lucky Protester . . .

The US Department of Justice Antitrust Division (DOJ or Division) recently released a revised Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Guidance). The Guidance reflects how the Division assesses the effectiveness and adequateness of a company’s antitrust compliance program. The Guidance offers insight into the Division’s evaluations of antitrust compliance programs at the charging and the sentencing stages of a criminal prosecution but is equally applicable to civil compliance. Adherence to the Guidance improves the chances a company can receive leniency and reduces the risk of prosecution should a violation occur.

Continue Reading Antitrust Corporate Compliance Programs: Late 2024 Changes Mean Companies Should Revisit Their Programs Early in 2025

In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶ 324)We also noted that nearly five years after first announced, DOD’s Cybersecurity Maturity Model Certification (CMMC) Program will finally become operational at some point in fiscal year 2025 as the means by which DOD intends to protect CUI. As we noted in Part I, many gaps in the DOD CUI Program have yet to be filled. These gaps took center stage in comments DOD received when it issued its Final Rule. Disappointingly, DOD made no effort to fill in these gaps in responding, thus ensuring that Defense Industrial Base (DIB) contractors and subcontractors will be in for a bumpy ride.

Read more

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require defense contractors and subcontractors to obtain the requisite certification level depending on whether their respective information systems will process, store, or transmit Federal Contract Information and/or Controlled Unclassified Information (CUI). The Rule spawned a litany of questions during the public comment period, most notably around the area of CUI. In this Feature Comment, Alexander Major and Philip Lee address the fundamental challenge facing the CMMC: how can contractors protect the controlled unclassified data that DOD can’t/won’t/isn’t properly identifying?

Read More

Alex Major, Franklin Turner, Philip Lee, and Marcos Gonzalez co-authored the article “Surviving And Thriving In The Small Business Administration’s 8(a) Program: Maximizing Opportunities For NHOs, ANCs, And Tribes” for Briefing Papers. The article provides an overview of the Small Business Administration’s 8(a) Business Development Program, which provides socially and economically disadvantaged small business owners with federal contracting and training opportunities. Along with a history and purpose of the 8(a) program, the article offers guidance for potential partners and participants that are Native Hawaiian Organizations, Alaska Native Corporations, and Tribally Owned, as well as advice on avoiding common pitfalls and thoughts about what is on the horizon for the program.

Read the article

Contractors interested in offering federal agencies artificial intelligence (AI) can now glean insight into how agencies are expected to conduct AI acquisitions. On September 24, 2024, the Office of Management and Budget (OMB) issued Memorandum M-24-18, Advancing the Responsible Acquisition of Artificial Intelligence in Government (the Memorandum), providing guidance and directing agencies “to improve their capacity for the responsible acquisition of AI” systems or services, including subcomponents. The Memorandum builds on the White House’s Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, and OMB Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. Taking effect on March 23, 2025, M-24-18 will apply to all solicitations and contract option exercises for AI systems covered under the Memorandum.

Continue Reading OMB Issues Guidance to Agencies on Responsible Artificial Intelligence Acquisitions

Just how broad is the scope of the False Claims Act (FCA)? That is the basic question posed in Wisconsin Bell, Inc. v. U.S. ex rel. Heath, No. 23-1127. Put more directly, the case addresses whether reimbursement requests under the Schools and Libraries Universal Service Support program—better known as the E-Rate program—are actionable “claims” exposed to liability under the FCA. But when the US Supreme Court hears oral argument next month, the justices will grapple with broader questions with implications far beyond this case: (1) when does the government “provide” money in any transaction or program so that FCA liability attaches; (2) when is an independent government-sponsored enterprise (e.g., Fannie Mae/Freddie Mac) acting as an “agent” of the United States for FCA purposes; and (3) to what extent do those who deal with private entities established or chartered pursuant to federal law need to watch this case to determine their potential exposure under the FCA and its panoply of enforcement mechanisms?

Continue Reading Wisconsin Bell: Testing the Elasticity of False Claims Act’s Scope

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.

Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

The arrival of the Cybersecurity Maturity Model Certification (CMMC) program will bring redefining changes to all companies selling to the DoD, suggest Alex Major and Cara Wulf in this Feature Comment for The Government Contractor.

READ MORE

Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:

Continue Reading CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?