For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.

Well, critical infrastructure industry, welcome to the party! Soon, companies involved in all sectors of critical infrastructure will need to comply with new federal reporting requirements for cybersecurity incidents and ransom payments after President Joe Biden signed The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) into law on March 15, 2022. Tied to an omnibus appropriations package, the Act requires entities involved in critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any paid ransom demands within 24 hours. While these new reporting obligations will not become effective until CISA promulgates rules to further define requirements, as the DIB’s effort has demonstrated, it would be wise to examine best practices in incident response plans to begin sooner rather than later.

Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War

The Cybersecurity Maturity Model Certification version 2.0 (CMMC 2.0) is here! Like a song you’ve heard before, the revised standards are a throwback but no less significant change to the standards that have evolved over the past three and a half years. McCarter & English Government Contracts and Global Trade co-leaders Alex Major and Franklin Turner detail the changes coming to federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. Set against the recent Beatles documentary, the comment examines the impact of the Department of Defense’s most recent effort while detailing what contractors need to do before its new standards go into effect.

Continue Reading Get Back: DOD Retreats While Revealing Plans for CMMC 2.0

On May 12, 2021, the Biden administration unveiled a rather expansive executive order intent on “Improving the Nation’s Cybersecurity.” The lengthy and sweeping order is a comprehensive national cybersecurity overhaul. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the order also prescribes:

Click to read

Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) the necessary demands of security on software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year—i.e., September 30, 2021—the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with the industry and developing new regulations with which contractors will have to comply in short order. Accordingly, while a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. Accordingly, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.

Continue Reading Enough’s Enough: A New Executive Order Signals Sweeping Changes to Federal Cybersecurity Requirements

Undoubtedly a great film for its day, the 1982 classic Poltergeist might not have aged as well as the filmmakers had hoped. But the vivid imagery, jump scares and creepy marketing the PG-rated “family” movie employed remain burned into the minds of many. For those unfamiliar with the Spielberg classic, a “poltergeist” is largely understood

Like the sailors of old, the government contracting community ventures forth knowing full well that danger lies ahead – although fortunately not in the form of a kraken, leviathan, or other mythical sea monster.  Rather, these perils and risks are embedded in sweeping new regulations that, like an unseen reef, will be arriving and taking effect all too quickly.  On July 14, 2020, the FAR Council published a long-awaited (or perhaps long-dreaded) Interim Rule implementing Section 889(a)(1)(B) of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (Section B).  Effective August 13, 2020, Section B prohibits executive agencies from “entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”  Unlike its counterpart, Section 889(a)(1)(A) of the NDAA for FY 2019 (Section A), which prohibits agencies from “procuring or obtaining equipment or services that use covered telecommunications equipment or services as a substantial or essential component or critical technology,” the restrictions of Section B go far beyond the immediate contract between the contractor and the government.  Instead, Section B directs contractors to discontinue any and all use of covered telecommunications equipment or services.  Even accounting for the choppy seas caused by the ongoing pandemic, the exceedingly broad scope of Section B promises sharp, jagged, and uncharted hazards to contractors attempting to implement compliant policies and procedures.

Continue Reading Risks, Reefs, and Wrecks: Charting a Course Through the Perils of Covered Telecommunications Equipment and Services

In the seminal holiday film A Christmas Story, nine-year-old Ralphie Parker uses his diligently earned Little Orphan Annie Secret Society decoder pin to decrypt the secret message from Annie to her fans, only to express disappointment and confusion when he realizes the “secret code” he decrypted is nothing more than a marketing ploy to sell

There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Version .6: Another Step on the Department of Defense’s Long and Winding Cybersecurity Road

As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and

DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex