Photo of Alex Major

Mr. Major is a partner and co-leader of the firm’s Government Contracts & Export Controls Practice Group. Mr. Major focuses his practice on federal procurement, cybersecurity liability and risk management, and litigation. A prolific author and thought leader in the area of cybersecurity, his professional experience involves a wide variety of litigation and counseling matters dealing with procurement laws and federal regulations and standards . His diverse experience includes complex litigation in federal court under the qui tam provisions of the False Claims Act and bid protest actions. He counsels all sizes of companies on issues relating to compliance with government regulations including, among other things, cybersecurity (NIST, FIPS, FedRAMP, and DFARS) requirements, multiple award schedule compliance, Section 508 issues, country of origin requirements under the Buy American and Trade Agreements Acts, cost accounting, and small business requirements. He also regularly conducts internal investigations to assist companies ensure that they are in full compliance with the law.

McCarter’s Government Contracts team is grateful to its clients for once again honoring it with a Band 1 Nationwide ranking by Chambers USA: America’s Leading Lawyers for Business. It appreciates the recognition that “McCarter & English, LLP is lauded for its ability to provide guidance on a broad array of issues including transactions, regulatory

Arm me with harmony.” – Treach, Naughty By Nature[1]

On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.Continue Reading NIST SP 800-171 Revision 3 Goes Final: Who’s Down with ODP?

On April 22, 2024, the Department of Health and Human Services (HHS) announced a Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by prohibiting disclosure of protected health information (PHI) related to lawful reproductive health care under

What do you think is going to be scarier—artificial intelligence (AI) or the government’s effort to regulate AI? On October 30, 2023, the White House issued Executive Order (E.O.) 14410, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. As the federal government’s latest foray into harnessing AI, this E.O.—like those before it, generally—recognizes that AI offers extraordinary potential and promise, provided that it is harnessed responsibly to prevent the exacerbation of societal harms. Since E.O. 14410, there has been a flurry of activity in the federal government, including guidance and policies providing an indication of how agencies can/should/will harness AI to support agency objectives. While we are far from a situation similar to Skynet from the Terminator franchise or HAL 9000 from 2001: A Space Odyssey, the government’s accelerated activity to reap AI’s potential benefits far outpaces the provision of actionable guidance so contractors can understand and adapt to what will be required in offering AI products and services to the government. So let’s open the pod bay doors and explore…Continue Reading Executive Order 14410: An Artificial Intelligence Odyssey

On December 26, 2023, the Department of Defense (“DoD”) belatedly gifted defense contractors and subcontractors a Proposed Rule on the Cybersecurity Maturity Model Certification (“CMMC”) Program. DoD also released eight CMMC guidance documents, providing interested parties a one-two combo of what to expect under the Program. The Proposed Rule has already received over 100 comments. With commenting open until February 26, 2024, will DoD proceed with a final rule, or is the Proposed Rule a Groundhog Day scenario with DoD further delaying final implementation of the CMMC Program?Continue Reading DoD’s Proposed CMMC Rule: Groundhog Day… or a Final Rule in the Works?

On October 25, 2023, the Department of Defense (DoD) published a Proposed Rule amending the Department of Defense Federal Acquisition Regulation Supplement (DFARS) and permanently authorizing the DoD Mentor-Protégé Program (DoD MP Program). In addition, the Proposed Rule makes several changes to the program—the most prominent of which include (a) lowering barriers to entry and (b) adding additional benefits for prospective mentors and protégés. Before we dive in to the Proposed Rule, a brief history of the DoD MP Program is in order.Continue Reading DoD Mentor-Protégé Program Solidified under Proposed Rule

The Proposed Rule behind FAR Case 2021-017 may strike fear into the hearts of many contractors, as it implements new recommendations regarding cybersecurity reporting obligations. Alex Major highlights the necessary steps and potential risks federal contractors must consider in the Government Contractor.

Effective July 21, 2023, DHS is operating under new rules for government contractors on safeguarding Controlled Unclassified Information (CUI) and reporting cyber incidents. In this Feature Comment for The Government Contractor, Alex Major describes how government contractors can best navigate DHS’s wide-reaching cybersecurity and data privacy requirements.

Parties litigating False Claims Act (FCA) cases have long struggled with a thorny question around the essential element of scienter (the defendant’s intent, or state of mind): What/how much does a contractor need to know when submitting an invoice for payment for the related claim to be considered knowingly false when made? When that question arises in FCA litigation, a court’s determination of that essential element of scienter/knowledge often pivots on what the judge believes matters more:

(A) The defendant’s subjective belief at the time a claim is made; or

(B) An objective textual reading of what a person may have known or believed when a claim is made.Continue Reading The False Claims Act’s Fuzzy Scienter Element Brought into Sharp Focus