The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require
OMB Issues Guidance to Agencies on Responsible Artificial Intelligence Acquisitions
Contractors interested in offering federal agencies artificial intelligence (AI) can now glean insight into how agencies are expected to conduct AI acquisitions. On September 24, 2024, the Office of Management and Budget (OMB) issued Memorandum M-24-18, Advancing the Responsible Acquisition of Artificial Intelligence in Government (the Memorandum), providing guidance and directing agencies “to improve their capacity for the responsible acquisition of AI” systems or services, including subcomponents. The Memorandum builds on the White House’s Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, and OMB Memorandum M-24-10, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. Taking effect on March 23, 2025, M-24-18 will apply to all solicitations and contract option exercises for AI systems covered under the Memorandum.
Wisconsin Bell: Testing the Elasticity of False Claims Act’s Scope
Just how broad is the scope of the False Claims Act (FCA)? That is the basic question posed in Wisconsin Bell, Inc. v. U.S. ex rel. Heath, No. 23-1127. Put more directly, the case addresses whether reimbursement requests under the Schools and Libraries Universal Service Support program—better known as the E-Rate program—are actionable “claims” exposed to liability under the FCA. But when the US Supreme Court hears oral argument next month, the justices will grapple with broader questions with implications far beyond this case: (1) when does the government “provide” money in any transaction or program so that FCA liability attaches; (2) when is an independent government-sponsored enterprise (e.g., Fannie Mae/Freddie Mac) acting as an “agent” of the United States for FCA purposes; and (3) to what extent do those who deal with private entities established or chartered pursuant to federal law need to watch this case to determine their potential exposure under the FCA and its panoply of enforcement mechanisms?
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
Feature Comment: The New Madness? CMMC-Mania — It’s Arrived!
The arrival of the Cybersecurity Maturity Model Certification (CMMC) program will bring redefining changes to all companies selling to the DoD, suggest Alex Major and Cara Wulf in this Feature Comment for The Government Contractor.
CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?
Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:
CISA’s CIRCIA Proposed Rule: Another Player Enters the Reporting Regime
Cyber incidents involving critical infrastructure pose a serious risk to the US. In March 2024, the Environmental Protection Agency and the National Security Advisor warned state governors about potential attacks on drinking water and wastewater facilities by specific Iran- and China-aligned hackers. The following month (on April 4, 2024), in an attempt to prepare for such attacks and otherwise improve the federal government’s ability to collect and analyze data related to cyber incidents on critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule to implement cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacted in an omnibus appropriation, CIRCIA directed CISA to issue rulemaking requiring the reporting of cyber incidents or the payment of ransoms in response to cyberattacks affecting critical infrastructure.
Executive Order 14410: An Artificial Intelligence Odyssey
What do you think is going to be scarier—artificial intelligence (AI) or the government’s effort to regulate AI? On October 30, 2023, the White House issued Executive Order (E.O.) 14410, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. As the federal government’s latest foray into harnessing AI, this E.O.—like those before it, generally—recognizes that AI offers extraordinary potential and promise, provided that it is harnessed responsibly to prevent the exacerbation of societal harms. Since E.O. 14410, there has been a flurry of activity in the federal government, including guidance and policies providing an indication of how agencies can/should/will harness AI to support agency objectives. While we are far from a situation similar to Skynet from the Terminator franchise or HAL 9000 from 2001: A Space Odyssey, the government’s accelerated activity to reap AI’s potential benefits far outpaces the provision of actionable guidance so contractors can understand and adapt to what will be required in offering AI products and services to the government. So let’s open the pod bay doors and explore…
An Inconvenient Requirement: New Proposed Rule Would Require Federal Contractors to Disclose Greenhouse Gas Emissions
In 2006, the documentary An Inconvenient Truth chronicled former Vice President Al Gore’s efforts to educate the public on the consequences of climate change. In the sixteen years since the Academy Award-winning film was released, public interest in the impact that greenhouse gas (GHG) emissions have had, are having, and will have on our planet has increased exponentially. Most recently, at the 27th U.N. Climate Conference (COP27), countries from around the globe came together to discuss the implementation of battle plans to combat climate change. One such plan, which was discussed at COP27 by President Biden, is a new Proposed Rule that would require “significant” and “major” federal contractors to disclose their GHG emissions and climate-related financial risk as well as set science-based targets to reduce their GHG emissions. If and when the Proposed Rule is finalized, it will have seismic implications for contractors, in that it ties contractor responsibility (i.e., a contractor’s ability to receive federal awards) to compliance with these requirements.
With Just a Little Ado: Significant Buy American Changes Are Coming Before Halloween
Regardless of whether they were eagerly anticipated or begrudgingly unavoidable, the changes promised to the Buy American Act (BAA) early last year have at last arrived, or at least are quickly approaching. On March 4, 2022, the Federal Acquisition Regulation (FAR) Council released its long-anticipated Final Rule implementing important revisions to the BAA provisions of the FAR and incorporating the requirements outlined in President Biden’s January 28, 2021 executive order, “Ensuring the Future Is Made in All of America by All of America’s Workers.” Although the Final Rule, for the most part, conforms with the Proposed Rule issued in July 2021 (which we previously discussed here), the most notable aspect may be that the Final Rule’s effective date was delayed until October 25, 2022. This generous gap provides contractors with roughly 235 days to fortify their compliance efforts and ensure that necessary policies and procedures are in place to meet the necessary supply chain and regulatory changes imposed by the Final Rule — well in advance of Halloween.