Photo of Alex Major

Alex Major

Subscribe to Alex Major's Posts

Mr. Major is a partner and co-leader of the firm’s Government Contracts & Export Controls Practice Group. Mr. Major focuses his practice on federal procurement, cybersecurity liability and risk management, and litigation. A prolific author and thought leader in the area of cybersecurity, his professional experience involves a wide variety of litigation and counseling matters dealing with procurement laws and federal regulations and standards . His diverse experience includes complex litigation in federal court under the qui tam provisions of the False Claims Act and bid protest actions. He counsels all sizes of companies on issues relating to compliance with government regulations including, among other things, cybersecurity (NIST, FIPS, FedRAMP, and DFARS) requirements, multiple award schedule compliance, Section 508 issues, country of origin requirements under the Buy American and Trade Agreements Acts, cost accounting, and small business requirements. He also regularly conducts internal investigations to assist companies ensure that they are in full compliance with the law.

Follow: Read more about Alex MajorAlexander's Linkedin Profile

For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.

Well, critical infrastructure industry, welcome to the party! Soon, companies involved in all sectors of critical infrastructure will need to comply with new federal reporting requirements for cybersecurity incidents and ransom payments after President Joe Biden signed The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) into law on March 15, 2022. Tied to an omnibus appropriations package, the Act requires entities involved in critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any paid ransom demands within 24 hours. While these new reporting obligations will not become effective until CISA promulgates rules to further define requirements, as the DIB’s effort has demonstrated, it would be wise to examine best practices in incident response plans to begin sooner rather than later.

Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War

Regardless of whether they were eagerly anticipated or begrudgingly unavoidable, the changes promised to the Buy American Act (BAA) early last year have at last arrived, or at least are quickly approaching. On March 4, 2022, the Federal Acquisition Regulation (FAR) Council released its long-anticipated Final Rule implementing important revisions to the BAA provisions of the FAR and incorporating the requirements outlined in President Biden’s January 28, 2021 executive order, “Ensuring the Future Is Made in All of America by All of America’s Workers.” Although the Final Rule, for the most part, conforms with the Proposed Rule issued in July 2021 (which we previously discussed here), the most notable aspect may be that the Final Rule’s effective date was delayed until October 25, 2022. This generous gap provides contractors with roughly 235 days to fortify their compliance efforts and ensure that necessary policies and procedures are in place to meet the necessary supply chain and regulatory changes imposed by the Final Rule — well  in advance of Halloween.

Continue Reading With Just a Little Ado: Significant Buy American Changes Are Coming Before Halloween

With Spring Training just a few weeks away it looks like the Biden Administration is stepping up to the plate to ensure the plans in its $1 trillion Infrastructure Investment and Jobs Act can avoid strikes. On February 4, 2022, President Biden signed the Executive Order on the Use of Project Labor Agreements for Federal Construction Projects (the Executive Order), which requires the federal government, in an effort to avoid potential labor disputes and delays in any “large-scale construction contract” (a project valued at over $35 million), to use project labor agreements before awarding a contract. The Executive Order is effective immediately, and construction contractors should begin seeing it applied in future and maybe even pending solicitations or orders. How, exactly, the Executive Order will appear in immediate solicitations is unclear, but the FAR Council is tasked with implementing the Executive Order within 120 days before promptly issuing a final rule. Before that happens, let’s tap the mud off the cleats and make sure you’re ready to play ball.

Continue Reading PLAy Ball! Executive Order Directs Project Labor Agreements for Construction Projects Over $35 Million

The Cybersecurity Maturity Model Certification version 2.0 (CMMC 2.0) is here! Like a song you’ve heard before, the revised standards are a throwback but no less significant change to the standards that have evolved over the past three and a half years. McCarter & English Government Contracts and Global Trade co-leaders Alex Major and Franklin Turner detail the changes coming to federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. Set against the recent Beatles documentary, the comment examines the impact of the Department of Defense’s most recent effort while detailing what contractors need to do before its new standards go into effect.

Continue Reading Get Back: DOD Retreats While Revealing Plans for CMMC 2.0

After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted, then quickly removed, new federal regulations in/from the Federal Register highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, which remain posted and available. In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, the new CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements already required to be implemented by contractors in possession of “Covered Defense Information” (CDI) under DFARS 252.204-7012.

Continue Reading CMMC 2.0: Throwback Cybersecurity — Everything Old Is New Again

Four memoranda, released in the last several business days, provide federal contracting officers guidance and suggested clauses to implement President Biden’s Executive Order 14042 (the Executive Order) in federal contracts imposing mandatory vaccination and workplace safety protocols for covered federal contractors and their employees as early as October 15, 2021. Issued by the Federal Acquisition Regulatory Council (FAR Council) (the FAR Council Memo), the Civilian Agency Acquisition Council (CAAC) (the CAAC Memo), the Principal Director, Defense Pricing and Contracting for the Department of Defense (DoD) (the DoD Memo), and the General Services Administration’s Senior Procurement Executive (the GSA Memo) (which we will be discussing in a separate posting), the memoranda move quickly to provide all procuring activities the necessary tools to ensure that by October 8, all solicitations and contract subject to the Executive Order adhere to its mandates and the evolving guidance issued by the Safer Federal Workforce Task Force (issued September 24) (Task Force Guidance). For those unfamiliar with the Executive Order and the resulting Task Force Guidance, please feel free to review our prior discussions of those issues here and here.

Continue Reading The Clauses Implementing Vaccination Mandate for Federal Contractors Are Out—Key Considerations for Contractors

The Federal Acquisition Regulation (FAR) Council has returned from an extended vacation to publish a final rule to align the FAR with similar subcontracting regulations implemented by the Small Business Administration more than a half decade ago. McCarter & English Government Contracts and Global Trade co-leaders Franklin Turner and Alex Major and Senior Associates Cara

On May 12, 2021, the Biden administration unveiled a rather expansive executive order intent on “Improving the Nation’s Cybersecurity.” The lengthy and sweeping order is a comprehensive national cybersecurity overhaul. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the order also prescribes:

Click to read

As COVID-19 antibodies begin flooding the immune systems of most Americans, it is important to remember the important role that hygiene has played over the past fifteen months. For many, the risks and dangers of the pandemic were kept at bay by hand washing, masking, and sanitizing after every new touch. That same kind of attention to hygiene is something federal contractors should retain as they are permitted to reenter a world filled with supply chain enforcement risk.

Continue Reading Prevention v. Cure: Supply Chain Hygiene Is the Key to Defending Enforcement

Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) the necessary demands of security on software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year—i.e., September 30, 2021—the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with the industry and developing new regulations with which contractors will have to comply in short order. Accordingly, while a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. Accordingly, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.

Continue Reading Enough’s Enough: A New Executive Order Signals Sweeping Changes to Federal Cybersecurity Requirements