Data Privacy & Protection

What do you think is going to be scarier—artificial intelligence (AI) or the government’s effort to regulate AI? On October 30, 2023, the White House issued Executive Order (E.O.) 14410, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. As the federal government’s latest foray into harnessing AI, this E.O.—like those before it, generally—recognizes that AI offers extraordinary potential and promise, provided that it is harnessed responsibly to prevent the exacerbation of societal harms. Since E.O. 14410, there has been a flurry of activity in the federal government, including guidance and policies providing an indication of how agencies can/should/will harness AI to support agency objectives. While we are far from a situation similar to Skynet from the Terminator franchise or HAL 9000 from 2001: A Space Odyssey, the government’s accelerated activity to reap AI’s potential benefits far outpaces the provision of actionable guidance so contractors can understand and adapt to what will be required in offering AI products and services to the government. So let’s open the pod bay doors and explore…

Continue Reading Executive Order 14410: An Artificial Intelligence Odyssey

On December 26, 2023, the Department of Defense (“DoD”) belatedly gifted defense contractors and subcontractors a Proposed Rule on the Cybersecurity Maturity Model Certification (“CMMC”) Program. DoD also released eight CMMC guidance documents, providing interested parties a one-two combo of what to expect under the Program. The Proposed Rule has already received over 100 comments. With commenting open until February 26, 2024, will DoD proceed with a final rule, or is the Proposed Rule a Groundhog Day scenario with DoD further delaying final implementation of the CMMC Program?

Continue Reading DoD’s Proposed CMMC Rule: Groundhog Day… or a Final Rule in the Works?

The Proposed Rule behind FAR Case 2021-017 may strike fear into the hearts of many contractors, as it implements new recommendations regarding cybersecurity reporting obligations. Alex Major highlights the necessary steps and potential risks federal contractors must consider in the Government Contractor.

READ MORE

Effective July 21, 2023, DHS is operating under new rules for government contractors on safeguarding Controlled Unclassified Information (CUI) and reporting cyber incidents. In this Feature Comment for The Government Contractor, Alex Major describes how government contractors can best navigate DHS’s wide-reaching cybersecurity and data privacy requirements.

READ THE ARTICLE

Hollywood is full of them. And unless you are trapped on the Planet of the Apes, caught on the 3:10 to Yuma, or running from Godzilla, you’ve probably seen a movie reboot or two over the past two decades. The term generally refers to the new start of a known fictional universe where established continuity is discarded to re-create that series’ characters, plotlines, and backstory from the beginning. Thankfully—and I’m looking at you, CMMC—that is a trend that appears to be confined to the entertainment industry and not one that will be adopted in federal contractor cybersecurity. To be sure, on May 10, 2023, the National Institute of Standards and Technology (NIST) released for review and comment a draft of Revision 3 of its Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. Not only is NIST seeking comments via email no later than July 14, 2023, on Rev. 3, it has even provided a comment template to help with that effort. Let’s get into some of those key changes to demonstrate how Rev. 3 is more of a sequel than a reboot.

Continue Reading NIST SP 800-171 Revision 3: Not Another Reboot

Sure, America has the Grand Canyon, baseball, and apple pie, but you know what it doesn’t have? A nationwide data protection law. Instead, data protection has been left up to a pastiche of state laws, regulations, and enforcement actions that demand many companies choose one state law to rule them all. California led the pack, being the first to pass a data protection law, the California Consumer Privacy Act of 2018, going into effect January 1, 2020. Following California, only four other states have successfully enacted a data protection law, with Colorado and Virginia passing such laws in 2021 and Utah and Connecticut in 2022.

Continue Reading Coming Soon? The American Data Privacy and Protection Act (SPOILERS)

For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War

The Cybersecurity Maturity Model Certification version 2.0 (CMMC 2.0) is here! Like a song you’ve heard before, the revised standards are a throwback but no less significant change to the standards that have evolved over the past three and a half years. McCarter & English Government Contracts and Global Trade co-leaders Alex Major and Franklin Turner detail the changes coming to federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. Set against the recent Beatles documentary, the comment examines the impact of the Department of Defense’s most recent effort while detailing what contractors need to do before its new standards go into effect.
Continue Reading Get Back: DOD Retreats While Revealing Plans for CMMC 2.0

After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted, then quickly removed, new federal regulations in/from the Federal Register highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, which remain posted and available. In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, the new CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements already required to be implemented by contractors in possession of “Covered Defense Information” (CDI) under DFARS 252.204-7012.
Continue Reading CMMC 2.0: Throwback Cybersecurity — Everything Old Is New Again

On May 12, 2021, the Biden administration unveiled a rather expansive executive order intent on “Improving the Nation’s Cybersecurity.” The lengthy and sweeping order is a comprehensive national cybersecurity overhaul. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the order also prescribes:

Click to read