The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require defense contractors and subcontractors to obtain the requisite certification level depending on whether their respective information systems will process, store, or transmit Federal Contract Information and/or Controlled Unclassified Information (CUI). The Rule spawned a litany of questions during the public comment period, most notably around the area of CUI. In this Feature Comment, Alexander Major and Philip Lee address the fundamental challenge facing the CMMC: how can contractors protect the controlled unclassified data that DOD can’t/won’t/isn’t properly identifying?
Surviving And Thriving In The Small Business Administration’s 8(a) Program: Maximizing Opportunities For NHOs, ANCs, and Tribes
Alex Major, Franklin Turner, Philip Lee, and Marcos Gonzalez co-authored the article “Surviving And Thriving In The Small Business Administration’s 8(a) Program: Maximizing Opportunities For NHOs, ANCs, And Tribes” for Briefing Papers. The article provides an overview of the Small Business Administration’s 8(a) Business Development Program, which provides socially and economically disadvantaged small business owners with federal contracting and training opportunities. Along with a history and purpose of the 8(a) program, the article offers guidance for potential partners and participants that are Native Hawaiian Organizations, Alaska Native Corporations, and Tribally Owned, as well as advice on avoiding common pitfalls and thoughts about what is on the horizon for the program.
OMB Issues Guidance to Agencies on Responsible Artificial Intelligence Acquisitions
Contractors interested in offering federal agencies artificial intelligence (AI) can now glean insight into how agencies are expected to conduct AI acquisitions. On September 24, 2024, the Office of Management and Budget (OMB) issued Memorandum M-24-18, Advancing the Responsible Acquisition of Artificial Intelligence in Government (the Memorandum), providing guidance and directing agencies “to improve their capacity for the responsible acquisition of AI” systems or services, including subcomponents. The Memorandum builds on the White House’s Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, and OMB Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. Taking effect on March 23, 2025, M-24-18 will apply to all solicitations and contract option exercises for AI systems covered under the Memorandum.
Wisconsin Bell: Testing the Elasticity of False Claims Act’s Scope
Just how broad is the scope of the False Claims Act (FCA)? That is the basic question posed in Wisconsin Bell, Inc. v. U.S. ex rel. Heath, No. 23-1127. Put more directly, the case addresses whether reimbursement requests under the Schools and Libraries Universal Service Support program—better known as the E-Rate program—are actionable “claims” exposed to liability under the FCA. But when the US Supreme Court hears oral argument next month, the justices will grapple with broader questions with implications far beyond this case: (1) when does the government “provide” money in any transaction or program so that FCA liability attaches; (2) when is an independent government-sponsored enterprise (e.g., Fannie Mae/Freddie Mac) acting as an “agent” of the United States for FCA purposes; and (3) to what extent do those who deal with private entities established or chartered pursuant to federal law need to watch this case to determine their potential exposure under the FCA and its panoply of enforcement mechanisms?
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
Feature Comment: The New Madness? CMMC-Mania — It’s Arrived!
The arrival of the Cybersecurity Maturity Model Certification (CMMC) program will bring redefining changes to all companies selling to the DoD, suggest Alex Major and Cara Wulf in this Feature Comment for The Government Contractor.
CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?
Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:
DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions
Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band
Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.
A New Frontier in Corporate Accountability: The DOJ’s Corporate Whistleblower Awards Pilot Program
On August 1, 2024, the US Department of Justice (DOJ) Criminal Division introduced its Corporate Whistleblower Awards Pilot Program (Program), which, like a modern-day Western posse, aims to bring justice to the wild frontier of corporate America. The DOJ is enticing anyone willing to saddle up and provide information on corporate outlaws—i.e., those involved in corruption, financial crimes, foreign corruption, bribery, and/or healthcare fraud. In sum, the Program closes the gaps left by existing whistleblower programs and bolsters the DOJ’s efforts to combat corporate crime. For those who decide to ride with it, the DOJ is promising substantial financial rewards—up to 30 percent of the loot recovered from those outlaws—to insiders, whistleblowers, and relators who come forward with information leading to significant criminal or civil forfeiture actions. As the Program unfolds over its three-year pilot period, it will—or should—be closely watched by False Claims Act defense counsel, plaintiff’s counsel, corporate leaders, and potential whistleblowers alike. If successful, it could permanently expand whistleblower incentives and further embolden an already aggressive DOJ (as if more encouragement were needed), signaling a new frontier in corporate governance and accountability in the United States.
Department of Labor Issues New Guidance on the Use of Artificial Intelligence and Employment Decision-Making
On April 29, 2024, the Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) released guidance to federal contractors regarding the use of artificial intelligence (AI) in their employment practices. See https://www.dol.gov/agencies/ofccp/ai/ai-eeo-guide. The guidance reminds federal contractors of their existing legal obligations, the potentially harmful effects of AI on employment decisions if used improperly, and best practices. Arriving early, the guidance puts contractors on notice of their responsibilities when using AI in their employment decisions.