Cost, Compliance & Risks

Hollywood is full of them. And unless you are trapped on the Planet of the Apes, caught on the 3:10 to Yuma, or running from Godzilla, you’ve probably seen a movie reboot or two over the past two decades. The term generally refers to the new start of a known fictional universe where established continuity is discarded to re-create that series’ characters, plotlines, and backstory from the beginning. Thankfully—and I’m looking at you, CMMC—that is a trend that appears to be confined to the entertainment industry and not one that will be adopted in federal contractor cybersecurity. To be sure, on May 10, 2023, the National Institute of Standards and Technology (NIST) released for review and comment a draft of Revision 3 of its Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. Not only is NIST seeking comments via email no later than July 14, 2023, on Rev. 3, it has even provided a comment template to help with that effort. Let’s get into some of those key changes to demonstrate how Rev. 3 is more of a sequel than a reboot.

Continue Reading NIST SP 800-171 Revision 3: Not Another Reboot

In 2006, the documentary An Inconvenient Truth chronicled former Vice President Al Gore’s efforts to educate the public on the consequences of climate change. In the sixteen years since the Academy Award-winning film was released, public interest in the impact that greenhouse gas (GHG) emissions have had, are having, and will have on our planet has increased exponentially. Most recently, at the 27th U.N. Climate Conference (COP27), countries from around the globe came together to discuss the implementation of battle plans to combat climate change. One such plan, which was discussed at COP27 by President Biden, is a new Proposed Rule that would require “significant” and “major” federal contractors to disclose their GHG emissions and climate-related financial risk as well as set science-based targets to reduce their GHG emissions. If and when the Proposed Rule is finalized, it will have seismic implications for contractors, in that it ties contractor responsibility (i.e., a contractor’s ability to receive federal awards) to compliance with these requirements.
Continue Reading An Inconvenient Requirement: New Proposed Rule Would Require Federal Contractors to Disclose Greenhouse Gas Emissions

According to the Office of Federal Contract Compliance Programs (OFCCP), since 2019, Will Evans, a reporter for the Center for Investigative Reporting, has sought the Employment Information Report (EEO-1) data of federal contractors through a Freedom of Information Act (FOIA) request to OFCCP. Mr. Evans amended his FOIA request on June 2, 2022, and now seeks the Type 2 Consolidated EEO-1 Report demographic data of federal prime contractors and first-tier subcontractors for 2016–2020. OFCCP estimates that this impacts approximately 15,000 contractors and first-tier subcontractors.

What does this mean? Absent an objection, OFCCP could disclose your company’s Type 2 Consolidated EEO-1 Reports Component 1 data for 2016–2020 in response to Mr. Evans’s FOIA request.

What is an EEO-1 Report? The EEO-1 Report is the form used annually by the Equal Employment Opportunity Commission and OFCCP to collect a summary of an employer’s workforce data.
Continue Reading Attention Federal Contractors and First-Tier Subcontractors: Your EEO-1 Reports May Be Responsive to an OFCCP FOIA Request, and You Have Only until September 19, 2022, to Object.

Unless you’ve been living under a rock or on a self-sustaining deserted island, the chances are high that you have become quite familiar with the term “inflation” (i.e., the rising costs of goods and services) over the past few years. Indeed, everything (from gasoline to gumballs and milk to movie tickets) appears to be more expensive as of late. Unfortunately, government contractors are not immune from this current economic reality. As most of us know all too well, many contracts that were negotiated and priced over the past 18 to 24 months are simply more expensive to perform now than was reasonably anticipated when bids were prepared.

In recognition of these soaring prices, the Department of Defense (DoD) issued a May 25, 2022, Memorandum titled “Guidance on Inflation and Economic Price Adjustments,” the purpose of which is to assist contracting officers (COs) in (i) navigating the impacts of inflation on existing contracts and (ii) managing downstream inflation risks on prospective contracts. Here are the key takeaways and our suggested courses of action to best protect your company’s bottom line:
Continue Reading DoD Braces for Inflation: Guidance for Contractors Battling Rising Costs

Last year, President Biden signed the Juneteenth National Independence Day Act, making June 19, the celebration of the end of slavery, a federal holiday. The second Juneteenth National Independence Day is fast approaching. This year, Juneteenth falls on a Sunday and will be observed on Monday, June 20, 2022.

This means a holiday for federal workers, but what does this mean for an employer with federal contracts or subcontracts? The following provides a brief overview of when Juneteenth is a paid holiday for a federal contractor’s employees under contracts or subcontracts subject to (i) the Service Contract Act (SCA), (ii) the Davis Bacon Act’s (DBA) labor standards provisions, or (iii) another contract provision governing paid holidays.
Continue Reading Juneteenth Is Fast Approaching: Time to Check and Confirm Your Contractual Fringe Benefit Obligations for Paid Holidays

For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.
Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War

Regardless of whether they were eagerly anticipated or begrudgingly unavoidable, the changes promised to the Buy American Act (BAA) early last year have at last arrived, or at least are quickly approaching. On March 4, 2022, the Federal Acquisition Regulation (FAR) Council released its long-anticipated Final Rule implementing important revisions to the BAA provisions of the FAR and incorporating the requirements outlined in President Biden’s January 28, 2021 executive order, “Ensuring the Future Is Made in All of America by All of America’s Workers.” Although the Final Rule, for the most part, conforms with the Proposed Rule issued in July 2021 (which we previously discussed here), the most notable aspect may be that the Final Rule’s effective date was delayed until October 25, 2022. This generous gap provides contractors with roughly 235 days to fortify their compliance efforts and ensure that necessary policies and procedures are in place to meet the necessary supply chain and regulatory changes imposed by the Final Rule — well in advance of Halloween.
Continue Reading With Just a Little Ado: Significant Buy American Changes Are Coming Before Halloween

The Cybersecurity Maturity Model Certification version 2.0 (CMMC 2.0) is here! Like a song you’ve heard before, the revised standards are a throwback but no less significant change to the standards that have evolved over the past three and a half years. McCarter & English Government Contracts and Global Trade co-leaders Alex Major and Franklin Turner detail the changes coming to federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. Set against the recent Beatles documentary, the comment examines the impact of the Department of Defense’s most recent effort while detailing what contractors need to do before its new standards go into effect.
Continue Reading Get Back: DOD Retreats While Revealing Plans for CMMC 2.0

After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted, then quickly removed, new federal regulations in/from the Federal Register highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, where they remain posted and available. In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, the new CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements already required to be implemented by contractors in possession of “Covered Defense Information” (CDI) under DFARS 252.204-7012.
Continue Reading CMMC 2.0: Throwback Cybersecurity — Everything Old Is New Again

A major pillar of President Biden’s campaign was strengthening the Buy American requirements in procurement law, promising both before and after the election that “[n]o government contracts will be given to companies that don’t make their products here in America.” Five days into office, the President issued an Executive Order designed to bring that promise closer to fruition. As we wrote here, the January 25, 2021 Executive Order directed both dramatic changes to domestic preference regulations and increased enforcement of existing requirements through a variety of means. Now, seven months later, amendments to the Federal Acquisition Regulation (FAR) are being proposed by the Department of Defense (DoD), General Services Administration, and National Aeronautics and Space Administration—collectively, the Federal Acquisition Regulatory (FAR) Council—to implement, at least in part, President Biden’s Executive Order (Proposed Rule).
Continue Reading Enhanced Buy American Requirements Coming Soon; Proposed Rule Foretells Big Changes