In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

China dominates the rare earth industry, accounting for approximately 60 percent of rare earth metal mining and approximately 90 percent of rare earth metal processing in 2023. In order to combat this near-monopoly and to limit supply chain vulnerabilities and risk to the US defense industry, a final Defense Federal Acquisition Regulation Supplement (DFARS) rule, published May 30, 2024, applies broader sourcing prohibitions to the language of DFARS 225.7018 and operative clause DFARS 252.225-7052 to prohibit the use and acquisition of magnets mined in China as of January 1, 2027.
Continue Reading DOD Releases Final Rule Prohibiting the Acquisition of Certain Magnets from Nonaligned Foreign Nations

For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.

Well, critical infrastructure industry, welcome to the party! Soon, companies involved in all sectors of critical infrastructure will need to comply with new federal reporting requirements for cybersecurity incidents and ransom payments after President Joe Biden signed The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) into law on March 15, 2022. Tied to an omnibus appropriations package, the Act requires entities involved in critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any paid ransom demands within 24 hours. While these new reporting obligations will not become effective until CISA promulgates rules to further define requirements, as the DIB’s effort has demonstrated, it would be wise to examine best practices in incident response plans to begin sooner rather than later.
Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War

Each year, Congress presents us in Title VIII of the National Defense Authorization Act (NDAA) a potpourri of procurement reforms, changes, and additions. Some are effective immediately, while some are bound for rulemaking and regulation and surface years from enactment. Some require analyses, reports, and studies which have no immediate impact but provide a roadmap that can and should be used by government contractors in their business planning. Finally, some provisions of the NDAAs just wither away and have no impact whatsoever. Nineteen days before the Trump Administration ended, the US Senate followed the US House of Representatives in overriding the President’s veto of the William (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (H.R. 6395) (FY2021 NDAA), making it law on January 1, 2021. Happy New Year! As for its Title VIII, the FY2021 NDAA is no different from its predecessors in its procurement potpourri. Here’s a tour of key provisions you oughta know.
Continue Reading Here to Remind You of the Key Provisions of the Fiscal Year 2021 National Defense Authorization Act – You Oughta Know!