Like the sailors of old, the government contracting community ventures forth knowing full well that danger lies ahead – although fortunately not in the form of a kraken, leviathan, or other mythical sea monster.  Rather, these perils and risks are embedded in sweeping new regulations that, like an unseen reef, will be arriving and taking effect all too quickly.  On July 14, 2020, the FAR Council published a long-awaited (or perhaps long-dreaded) Interim Rule implementing Section 889(a)(1)(B) of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (Section B).  Effective August 13, 2020, Section B prohibits executive agencies from “entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”  Unlike its counterpart, Section 889(a)(1)(A) of the NDAA for FY 2019 (Section A), which prohibits agencies from “procuring or obtaining equipment or services that use covered telecommunications equipment or services as a substantial or essential component or critical technology,” the restrictions of Section B go far beyond the immediate contract between the contractor and the government.  Instead, Section B directs contractors to discontinue any and all use of covered telecommunications equipment or services.  Even accounting for the choppy seas caused by the ongoing pandemic, the exceedingly broad scope of Section B promises sharp, jagged, and uncharted hazards to contractors attempting to implement compliant policies and procedures.
Continue Reading Risks, Reefs, and Wrecks: Charting a Course Through the Perils of Covered Telecommunications Equipment and Services

In the seminal holiday film A Christmas Story, nine-year-old Ralphie Parker uses his diligently earned Little Orphan Annie Secret Society decoder pin to decrypt the secret message from Annie to her fans, only to express disappointment and confusion when he realizes the “secret code” he decrypted is nothing more than a marketing ploy to sell

There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.
Continue Reading Cybersecurity Maturity Model Certification (CMMC) Version .6: Another Step on the Department of Defense’s Long and Winding Cybersecurity Road

As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and

DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of  road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.
Continue Reading Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!

Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.
Continue Reading Never Stop Never Stopping: Defense Department Quietly Unveils Proposed Cybersecurity Maturity Model Certification Standards and Confirms the Allowability of Certain Cybersecurity Costs

The Demon: What an excellent day for an exorcism.
Father Karras: You would like that?
The Demon: Intensely.

Honestly, it was challenging finding an all-audiences quote from William Peter Blatty’s “The Exorcist,” but we believe that this quote is exactly what federal contractors need to know. Today is indeed an excellent day for an information system exorcism and, unlike Father Karras, federal contractors know the name of that which they must purge: Kaspersky Lab.Continue Reading The Russian Exorcism of US Gov’t Contracts

At this point, even casual observers of the news likely have heard of Moscow-based Kaspersky Lab. In the wake of reported connections to the Kremlin and Russian intelligence entities, the cybersecurity company was famously banned as a source of supply to the United States Government by Section 1634 of the 2018 National Defense Authorization Act (“NDAA”). Effective October 1, 2018, the NDAA forbids every “department, agency, organization, or other element of the Federal Government” from using “any hardware, software, or services developed or provided, in whole or in part” by (i) Kaspersky and any corporate successors, (ii) any entities controlled by or under common control with Kaspersky and (iii) any entity in which Kaspersky has majority ownership.
Continue Reading The FAR Takes Aim at Russia’s Kaspersky Lab: What Every Contractor Must Know

Alex Major is a contributing author to the Nuix 2018 Black Report: Decoding the Minds of Hackers, a unique report that engages professional hackers, penetration testers, and incident responders to understand the security threat landscape companies face. Alex, a former intelligence officer, focuses his chapter on why companies need to properly select and structure their