DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of  road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.

Continue Reading

Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Continue Reading

The Demon: What an excellent day for an exorcism.
Father Karras: You would like that?
The Demon: Intensely.

Honestly, it was challenging finding an all-audiences quote from William Peter Blatty’s “The Exorcist,” but we believe that this quote is exactly what federal contractors need to know. Today is indeed an excellent day for an information system exorcism and, unlike Father Karras, federal contractors know the name of that which they must purge: Kaspersky Lab.


Continue Reading

At this point, even casual observers of the news likely have heard of Moscow-based Kaspersky Lab. In the wake of reported connections to the Kremlin and Russian intelligence entities, the cybersecurity company was famously banned as a source of supply to the United States Government by Section 1634 of the 2018 National Defense Authorization Act (“NDAA”). Effective October 1, 2018, the NDAA forbids every “department, agency, organization, or other element of the Federal Government” from using “any hardware, software, or services developed or provided, in whole or in part” by (i) Kaspersky and any corporate successors, (ii) any entities controlled by or under common control with Kaspersky and (iii) any entity in which Kaspersky has majority ownership.

Continue Reading

Alex Major is a contributing author to the Nuix 2018 Black Report: Decoding the Minds of Hackers, a unique report that engages professional hackers, penetration testers, and incident responders to understand the security threat landscape companies face. Alex, a former intelligence officer, focuses his chapter on why companies need to properly select and structure their

If your company sells products or services to the U.S. Government, there’s a substantial likelihood that you’ve read or heard the acronym “NIST” in connection with various cybersecurity related obligations that the Government is imposing on contractors with a seemingly unceasing vengeance. NIST refers to the National Institute of Standards and Technology, which is a

On April 18, 2017, at the headquarters of Snap-On Incorporated, a Wisconsin-based manufacturer, Donald J. Trump signed an Executive Order titled “Buy American, Hire American”. The Hire American portion, explained in all of two paragraphs in Section 5, requires the Attorney General and Secretaries of State, Labor, and Homeland Security to “consistent with applicable law, propose new rules and issue new guidance, to supersede or revise previous rules and guidance if appropriate, to protect the interests of United States workers in the administration of our immigration system”. The second paragraph is a bit more specific inasmuch as it states that these folks ought to “suggest reforms to help ensure that H-1B visas are awarded to the most-skilled or highest-paid petition beneficiaries.” Among those in attendance were likely Snap-On’s H-1B employees, since the company is a perennial petitioner for H-1B workers at its Kenosha, Wisconsin location.[1]
Continue Reading

It’s surprising how often the simplest phrases can provide the most salient advice. The 6 P’s,for example: Proper prior planning prevents poor performance. While the phrase may be a bit of a tortured alliteration, the truth and simplicity of its sentiment can’t be denied: When you want a good outcome, you have to think it through. Simple.

Continue Reading

If you are aware of German Christmas folklore (and really, who isn’t?), you know that Belsnickel is a legendary companion of St. Nick who carries a switch with which to punish naughty children and a pocketful of sweets to reward good ones. This holiday season, many are feeling the sting of a switch of another kind, this one involving the December 20, 2016, issuing by the National Institute of Standards and Technology (NIST) of a preholiday revision of Special Publication 800-171 (SP 800-171), Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. If SP 800-171 sounds familiar, it is because the publication is the source of the cybersecurity controls that defense contractors must follow and flow down to subcontractors pursuant to DFARS Subpart 204.73 and its operative clauses (e.g., DFARS 252.204-7008 and DFARS 252.204-7012). Essentially accompanying St. Nick (perhaps Santa Clause may be more appropriate) this season, the NIST’s revised publication may resemble Belsnickel’s switch (pun intended) to contractors who already have existing SP 800-171 controls in place (as the controls have been required, in various forms, since November 2013) or who have started down the road toward SP 800-171 adherence in advance of the DFARS-directed December 2017 deadline. With that in mind, let’s take a quick look at the implications that switch (pun still intended) brings to the security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations:

Continue Reading