In the seminal holiday film A Christmas Story, nine-year-old Ralphie Parker uses his diligently earned Little Orphan Annie Secret Society decoder pin to decrypt the secret message from Annie to her fans, only to express disappointment and confusion when he realizes the “secret code” he decrypted is nothing more than a marketing ploy to sell more Ovaltine. Although neither drinking copious amounts of Ovaltine nor possessing a Little Orphan Annie decoder pin are requirements of a federal contractor’s cybersecurity program, the use of encryption—like that employed by Ovaltine and its plucky propagandist—cannot be avoided. The challenge, of course, is approaching encryption in a manner that avoids the same irritating bewilderment experienced by Ralphie Parker. Modern encryption, while inherently and necessarily enigmatic, need not be overcomplicated, and that’s a good thing, because federal contractors, namely Department of Defense contractors, now face specific standards of encryption necessary to meet and maintain certain federal cybersecurity standards or bear the significant risk commensurate with noncompliance. Whether a contractor falls under the auspices of Federal Acquisition Regulation 52.204-21, Defense FAR Supplement 252.204-7012, or the newly unveiled Cybersecurity Maturity Model Certification (CMMC), contractor use of encryption is poised to be a critical element of compliance for the Federal Government over the next decade. This means that contractors must have a working knowledge of federal encryption standards to understand not only how such standards apply to the storage and handling of data but also whether the contractor can truly comply with those standards or have the wherewithal to understand the type of information technology products they are permitted to provide the Government.

Click to read full article.

There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Version .6: Another Step on the Department of Defense’s Long and Winding Cybersecurity Road


So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape continues to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create—almost overnight—new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.

Continue Reading Integrating Cybersecurity Into M&A Compliance Reviews: Avoiding Hidden Cyber Risks in the Acquisition of Government Contractors

As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and planned updates to NIST publications, but also weigh those efforts against Defense Contract Management Agency’s (DCMA) auditing efforts, the revised Contractor Purchasing System Review (CPSR) Guidebook, and the new Cybersecurity Maturity Model Certification (CMMC) program. Information on how these efforts align along with practical guidance for weathering these changes can be found at Part 1 accessible here and Part 2 accessible here.

DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provided much-needed guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. The Feature Comment addresses certain changes to the NIST, the auditing effort underway by DCMA, and the Cybersecurity Maturity Model Certification (“CMMC”) program that will likely be implemented by DOD in the coming months.

Part 1 can be accessed here

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of  road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.

Continue Reading Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!

Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Continue Reading Never Stop Never Stopping: Defense Department Quietly Unveils Proposed Cybersecurity Maturity Model Certification Standards and Confirms the Allowability of Certain Cybersecurity Costs

If your company sells products or services to the U.S. Government, there’s a substantial likelihood that you’ve read or heard the acronym “NIST” in connection with various cybersecurity related obligations that the Government is imposing on contractors with a seemingly unceasing vengeance. NIST refers to the National Institute of Standards and Technology, which is a nonregulatory agency of the Department of Commerce, and which has the stated mission of promoting “U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

For full article, click here.

This article appeared in The Government Contractor publication.

During the past few years, discussions in Washington, D.C. have intensified over the battle to modernize the Federal Government’s information technology (IT) systems. In May 2016, Representative Jason Chaffetz—Chairman of the Committee on Oversight and Government Reform in the U.S. House of Representatives—boldly stated that American “[t]axpayers deserve a government that leverages technology to serve them, rather than one that deploys unsecured, decades-old technology that places their sensitive and personal information at risk.”1 Within six months of coming into office, President Trump issued an Executive Order calling on the Government to “transform and modernize [Government] information technology and how [the Government] uses and delivers digital services.”2 These sweeping proclamations sound an increasingly familiar tune, often whistled by those who work for Uncle Sam at the highest levels—old technology wastes taxpayers dollars and leaves the Government more susceptible to cyberattacks.3 In fact, from 2006 through 2015, the number of reported security incidents in federal agencies increased by an astounding 1,303%.4 Against this alarming backdrop, the Government has grown ever more reliant upon commercial companies to assist in modernizing its IT systems.

For full article, click here.

This article was published in Briefing Papers publication.

It’s surprising how often the simplest phrases can provide the most salient advice. The 6 P’s,for example: Proper prior planning prevents poor performance. While the phrase may be a bit of a tortured alliteration, the truth and simplicity of its sentiment can’t be denied: When you want a good outcome, you have to think it through. Simple.

Continue Reading Your Biggest Cybersecurity Threat: Failing to Plan