Hollywood is full of them. And unless you are trapped on the Planet of the Apes, caught on the 3:10 to Yuma, or running from Godzilla, you’ve probably seen a movie reboot or two over the past two decades. The term generally refers to the new start of a known fictional universe where established continuity is discarded to re-create that series’ characters, plotlines, and backstory from the beginning. Thankfully—and I’m looking at you, CMMC—that is a trend that appears to be confined to the entertainment industry and not one that will be adopted in federal contractor cybersecurity. To be sure, on May 10, 2023, the National Institute of Standards and Technology (NIST) released for review and comment a draft of Revision 3 of its Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. Not only is NIST seeking comments via email no later than July 14, 2023, on Rev. 3, it has even provided a comment template to help with that effort. Let’s get into some of those key changes to demonstrate how Rev. 3 is more of a sequel than a reboot.Continue Reading NIST SP 800-171 Revision 3: Not Another Reboot
The Cybersecurity Maturity Model Certification version 2.0 (CMMC 2.0) is here! Like a song you’ve heard before, the revised standards are a throwback but no less significant change to the standards that have evolved over the past three and a half years. McCarter & English Government Contracts and Global Trade co-leaders Alex Major and Franklin Turner detail the changes coming to federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. Set against the recent Beatles documentary, the comment examines the impact of the Department of Defense’s most recent effort while detailing what contractors need to do before its new standards go into effect.
Continue Reading Get Back: DOD Retreats While Revealing Plans for CMMC 2.0
On January 4, 2021, the National Institute of Standards and Technology (NIST) published proposed rules for comment changing regulations promulgated under the Bayh-Dole Act (35 U.S.C. §§ 200-204), which allow businesses and nonprofit institutions, in most circumstances, to take title to inventions made under federally funded projects (subject inventions) and to freely commercialize items, and methods used to produce items, embodying subject inventions.
Continue Reading NIST on Track to Clarify Bayh-Dole to Ensure High Prices Cannot Be Used as Grounds for Exercising March-in Rights – Or Is It?
Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) the necessary demands of security on software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year—i.e., September 30, 2021—the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with the industry and developing new regulations with which contractors will have to comply in short order. Accordingly, while a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. Accordingly, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.
Continue Reading Enough’s Enough: A New Executive Order Signals Sweeping Changes to Federal Cybersecurity Requirements
As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and…
DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex…
As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.
Continue Reading Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!
Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.
Continue Reading Never Stop Never Stopping: Defense Department Quietly Unveils Proposed Cybersecurity Maturity Model Certification Standards and Confirms the Allowability of Certain Cybersecurity Costs