After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted, then quickly removed, new federal regulations in/from the Federal Register highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, which remain posted and available. 
In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, the new CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements already required to be implemented by contractors in possession of “Covered Defense Information” (CDI) under DFARS 252.204-7012.
Continue Reading CMMC 2.0: Throwback Cybersecurity — Everything Old Is New Again
The Clauses Implementing Vaccination Mandate for Federal Contractors Are Out—Key Considerations for Contractors
Four memoranda, released in the last several business days, provide federal contracting officers guidance and suggested clauses to implement President Biden’s Executive Order 14042 (the Executive Order) in federal contracts imposing mandatory vaccination and workplace safety protocols for covered federal contractors and their employees as early as October 15, 2021. Issued by the Federal Acquisition Regulatory Council (FAR Council) (the FAR Council Memo), the Civilian Agency Acquisition Council (CAAC) (the CAAC Memo), the Principal Director, Defense Pricing and Contracting for the Department of Defense (DoD) (the DoD Memo), and the General Services Administration’s Senior Procurement Executive (the GSA Memo) (which we will be discussing in a separate posting), the memoranda move quickly to provide all procuring activities the necessary tools to ensure that by October 8, all solicitations and contract subject to the Executive Order adhere to its mandates and the evolving guidance issued by the Safer Federal Workforce Task Force (issued September 24) (Task Force Guidance). For those unfamiliar with the Executive Order and the resulting Task Force Guidance, please feel free to review our prior discussions of those issues here and here.
Continue Reading The Clauses Implementing Vaccination Mandate for Federal Contractors Are Out—Key Considerations for Contractors
Bueller … Bueller …Bueller: The FAR Council’s Day(s) Off Come to an End with the Long Awaited Implementation of the SBA’s 2016 Revisions to the Limitations on Subcontracting Rule – The Government Contractor
The Federal Acquisition Regulation (FAR) Council has returned from an extended vacation to publish a final rule to align the FAR with similar subcontracting regulations implemented by the Small Business Administration more than a half decade ago. McCarter & English Government Contracts and Global Trade co-leaders Franklin Turner and Alex Major and Senior Associates Cara
The US Government Is Buying Cybersecurity – Should You Be Selling? – Nuix Quarterly Partner Newsletter
On May 12, 2021, the Biden administration unveiled a rather expansive executive order intent on “Improving the Nation’s Cybersecurity.” The lengthy and sweeping order is a comprehensive national cybersecurity overhaul. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the order also prescribes:
Prevention v. Cure: Supply Chain Hygiene Is the Key to Defending Enforcement
As COVID-19 antibodies begin flooding the immune systems of most Americans, it is important to remember the important role that hygiene has played over the past fifteen months. For many, the risks and dangers of the pandemic were kept at bay by hand washing, masking, and sanitizing after every new touch. That same kind of attention to hygiene is something federal contractors should retain as they are permitted to reenter a world filled with supply chain enforcement risk.
Continue Reading Prevention v. Cure: Supply Chain Hygiene Is the Key to Defending Enforcement
Enough’s Enough: A New Executive Order Signals Sweeping Changes to Federal Cybersecurity Requirements
Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) the necessary demands of security on software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year—i.e., September 30, 2021—the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with the industry and developing new regulations with which contractors will have to comply in short order. Accordingly, while a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. Accordingly, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.
Continue Reading Enough’s Enough: A New Executive Order Signals Sweeping Changes to Federal Cybersecurity Requirements
Keep American Businesses Workin’ 9 to 5—Bipartisan Changes to Buy American Requirements in Federal Procurement – The Government Contractor
Federal government contract domestic preference requirements are set for significant changes. McCarter & English Government Contracts and Global Trade co-leaders Franklin Turner and Alex Major and Senior Associate Cara Wulf provide guidance for federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article, the authors review the current regulatory
Office Closures and Limited Access: Federal Contractor Considerations When Weathering Potential Political Unrest
As has been widely reported, the United States Federal Bureau of Investigation is warning of mass protests and potential violence accompanying the inauguration of President-Elect Joe Biden on January 20, 2021. However, unlike the tragic events of January 6, 2021, at the U.S. Capitol, this warning is being directed to the capitols of all fifty states in addition to numerous assets located throughout the National Capitol Region. In light of these developments, federal contractors who find their operations close to these seats of power may have concerns as to whether to stay open or close their offices and keep employees away. Accordingly, we provide a timely reminder of key considerations that contractors should take into account when balancing the practical reality of safety concerns against the legal obligations of contractual compliance.
Continue Reading Office Closures and Limited Access: Federal Contractor Considerations When Weathering Potential Political Unrest
They’re Here: New Cybersecurity Rules and Requirements Arrive to Haunt Defense Contractors – The Government Contractor
Undoubtedly a great film for its day, the 1982 classic Poltergeist might not have aged as well as the filmmakers had hoped. But the vivid imagery, jump scares and creepy marketing the PG-rated “family” movie employed remain burned into the minds of many. For those unfamiliar with the Spielberg classic, a “poltergeist” is largely understood
The FAR Council’s Second Interim Rule Implementing NDAA Section 889(a)(1)(B): And the Hits Keep Coming!
Like the hits produced by DJ Khaled, the FAR Council offers “another one.” As covered extensively in this blog, federal contractors have been—or should have been (you have been working toward compliance, haven’t you?)—spending the closing days of summer ensuring compliance with the July 14, 2020 Interim Rule implementing Section 889(a)(1)(B) (“Section B”) of the National Defense Authorization Act for fiscal year 2019. Section B prohibits the government from entering into a contract with an entity that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, and requires, among other affirmative obligations, for contractors to represent—after conducting a “reasonable inquiry”—that they do/do not use covered telecommunications equipment or services in their respective business operations. In light of the Interim Rule’s broad scope and mandatory accounting of a contractor’s operations, Section B’s compliance mandate presents another significant regulatory burden for contractors to shoulder. But contractors should fear not, because the FAR Council has heard their plaintive wails and responded on August 27, 2020, with a Second Interim Rule implementing new requirements for Section B compliance.