So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape has continued to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create, almost overnight, new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.

Continue Reading Integrating Cybersecurity Into M&A Compliance Reviews: Avoiding Hidden Cyber Risks in the Acquisition of Government Contractors

As DoD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and planned updates to NIST publications, but also weigh those efforts against the Defense Contract Management Agency’s (DCMA) auditing efforts, the revised Contractor Purchasing System Review (CPSR) Guidebook, and the new Cybersecurity Maturity Model Certification (CMMC) program. Information on how these efforts align, along with practical guidance for weathering these changes, can be found in Part 1 accessible here and Part 2 accessible here.

DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provided much-needed guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. The Feature Comment addresses certain changes to the NIST publications, the auditing effort underway by DCMA, and the Cybersecurity Maturity Model Certification (“CMMC”) program that will likely be implemented by DoD in the coming months.

Part 1 can be accessed here

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of road tours, led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber, that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided the majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.

Continue Reading Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!

Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Continue Reading Never Stop Never Stopping: Defense Department Quietly Unveils Proposed Cybersecurity Maturity Model Certification Standards and Confirms the Allowability of Certain Cybersecurity Costs

If your company sells products or services to the U.S. Government, there’s a substantial likelihood that you’ve read or heard the acronym “NIST” in connection with various cybersecurity related obligations that the Government is imposing on contractors with a seemingly unceasing vengeance. NIST refers to the National Institute of Standards and Technology, which is a nonregulatory agency of the Department of Commerce, and which has the stated mission of promoting “U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

For full article, click here.

This article appeared in The Government Contractor publication.

During the past few years, discussions in Washington, D.C. have intensified over the battle to modernize the Federal Government’s information technology (IT) systems. In May 2016, Representative Jason Chaffetz, Chairman of the Committee on Oversight and Government Reform in the U.S. House of Representatives, boldly stated that American “[t]axpayers deserve a government that leverages technology to serve them, rather than one that deploys unsecured, decades-old technology that places their sensitive and personal information at risk.”1 Within six months of coming into office, President Trump issued an Executive Order calling on the Government to “transform and modernize [Government] information technology and how [the Government] uses and delivers digital services.”2 These sweeping proclamations sound an increasingly familiar tune, often whistled by those who work for Uncle Sam at the highest levels: old technology wastes taxpayers’ dollars and leaves the Government more susceptible to cyberattacks.3 In fact, from 2006 through 2015, the number of reported security incidents in federal agencies increased by an astounding 1,303%.4 Against this alarming backdrop, the Government has grown ever more reliant upon commercial companies to assist in modernizing its IT systems.

For full article, click here.

This article was published in Briefing Papers publication.

It’s surprising how often the simplest phrases can provide the most salient advice. The 6 P’s, for example: Proper prior planning prevents poor performance. While the phrase may be a bit of a tortured alliteration, the truth and simplicity of its sentiment can’t be denied: When you want a good outcome, you have to think it through. Simple.

Continue Reading Your Biggest Cybersecurity Threat: Failing to Plan

If you are aware of German Christmas folklore (and really, who isn’t?), you know that Belsnickel is a legendary companion of St. Nick who carries a switch with which to punish naughty children and a pocketful of sweets to reward good ones. This holiday season, many are feeling the sting of a switch of another kind, this one involving the December 20, 2016, issuance by the National Institute of Standards and Technology (NIST) of a preholiday revision of Special Publication 800-171 (SP 800-171), Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. If SP 800-171 sounds familiar, it is because the publication is the source of the cybersecurity controls that defense contractors must follow and flow down to subcontractors pursuant to DFARS Subpart 204.73 and its operative clauses (e.g., DFARS 252.204-7008 and DFARS 252.204-7012). Arriving alongside St. Nick (perhaps Santa Claus may be more appropriate) this season, NIST’s revised publication may resemble Belsnickel’s switch (pun intended) to contractors who already have existing SP 800-171 controls in place (as the controls have been required, in various forms, since November 2013) or who have started down the road toward SP 800-171 adherence in advance of the DFARS-directed December 2017 deadline. With that in mind, let’s take a quick look at the implications that switch (pun still intended) brings to the security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations:

Continue Reading Switches and Sweets: Belsnickel Brings Defense Contractors and Subcontractors New Cybersecurity Controls in Preholiday Revisions of NIST Cybersecurity Publication

As the frequency and sophistication of existential threats to national security have drastically increased over the past decade, so has the United States’ reliance on software to identify threats, rapidly share information, and manage its military resources. Accordingly, the federal government’s ability to timely develop, procure, and deploy software to the field has been, and continues to be, a critical component of national security. Notwithstanding the growing importance of software to national security, the Department of Defense (DoD) software-acquisition process mirrors the lengthy, inflexible process typically reserved for the acquisition of major weapon systems. As a result, the DoD’s software development and acquisition cycles are significantly longer than those of their commercial counterparts, thus affecting the DoD’s ability to deliver timely solutions to users and rapidly respond to urgent threats.

Continue Reading Slow and Steady Doesn’t Always Win the (Acquisition) Race: The CODER Act Aims to Transform DoD Software Acquisition