The arrival of the Cybersecurity Maturity Model Certification (CMMC) program will bring redefining changes to all companies selling to the DoD, suggest Alex Major and Cara Wulf in this Feature Comment for The Government Contractor.
Proposed Rule
CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?
Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:
CISA’s CIRCIA Proposed Rule: Another Player Enters the Reporting Regime
Cyber incidents involving critical infrastructure pose a serious risk to the US. In March 2024, the Environmental Protection Agency and the National Security Advisor warned state governors about potential attacks on drinking water and wastewater facilities by specific Iran- and China-aligned hackers. The following month (on April 4, 2024), in an attempt to prepare for such attacks and otherwise improve the federal government’s ability to collect and analyze data related to cyber incidents on critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule to implement cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacted in an omnibus appropriation, CIRCIA directed CISA to issue rulemaking requiring the reporting of cyber incidents or the payment of ransoms in response to cyberattacks affecting critical infrastructure.
DoD Mentor-Protégé Program Solidified under Proposed Rule
On October 25, 2023, the Department of Defense (DoD) published a Proposed Rule amending the Department of Defense Federal Acquisition Regulation Supplement (DFARS) and permanently authorizing the DoD Mentor-Protégé Program (DoD MP Program). In addition, the Proposed Rule makes several changes to the program—the most prominent of which include (a) lowering barriers to entry and (b) adding additional benefits for prospective mentors and protégés. Before we dive in to the Proposed Rule, a brief history of the DoD MP Program is in order.
Cyber Security Slasher: What’s Lurking in FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing Proposed Rule
The Proposed Rule behind FAR Case 2021-017 may strike fear into the hearts of many contractors, as it implements new recommendations regarding cybersecurity reporting obligations. Alex Major highlights the necessary steps and potential risks federal contractors must consider in the Government Contractor.
An Inconvenient Requirement: New Proposed Rule Would Require Federal Contractors to Disclose Greenhouse Gas Emissions
In 2006, the documentary An Inconvenient Truth chronicled former Vice President Al Gore’s efforts to educate the public on the consequences of climate change. In the sixteen years since the Academy Award-winning film was released, public interest in the impact that greenhouse gas (GHG) emissions have had, are having, and will have on our planet has increased exponentially. Most recently, at the 27th U.N. Climate Conference (COP27), countries from around the globe came together to discuss the implementation of battle plans to combat climate change. One such plan, which was discussed at COP27 by President Biden, is a new Proposed Rule that would require “significant” and “major” federal contractors to disclose their GHG emissions and climate-related financial risk as well as set science-based targets to reduce their GHG emissions. If and when the Proposed Rule is finalized, it will have seismic implications for contractors, in that it ties contractor responsibility (i.e., a contractor’s ability to receive federal awards) to compliance with these requirements.
DoD Issues Proposed Rule on Enhanced Post-Award Debriefing Rights
As you may recall, Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (FY 2018 NDAA) required the US Department of Defense (DoD) to draft regulations to establish comprehensive post-award debriefing rights for disappointed offerors involved in applicable DoD procurements. On March 22, 2018, the DoD responded by issuing a Class Deviation that implemented certain FY 2018 NDAA requirements—i.e., those requirements affording disappointed offerors the opportunity to submit additional written questions to the cognizant DoD agency within two business days of its agency debriefing conducted in accordance with FAR 15.506(d). In such circumstances, the cognizant DoD agency must provide written responses to the questions within five business days after receipt of the questions. Moreover, if a disappointed offeror chooses to submit timely post-debriefing questions, the debriefing does not conclude—and thus the disappointed offeror’s GAO protest “clock” does not begin to run—until the agency provides its written response. On May 20, 2021, the DoD published a Proposed Rule to amend the Defense Federal Acquisition Regulation Supplement to (1) codify the March 2018 Class Deviation and (2) implement the additional post-award debriefing requirements from the FY 2018 NDAA.
The FAR Council Issues Proposed Rule to Implement Executive Order on Significant Buy American Changes
Halloween is coming up and, right on cue, the FAR Council has released a proposed rule that has potentially frightening implications for contractors. Last year, on July 15, 2019, the president signed Executive Order 13881 (the E.O.), Maximizing Use of American-Made Goods, Products, and Materials (84 FR 34257, July 18, 2019). As we noted in our previous post on this topic, the E.O. mandated significant changes to Federal Acquisition Regulation (FAR) clauses implementing the Buy American statute by substantially increasing both domestic content requirements and price preferences for domestic products. As we also pointed out, the E.O. contained several ambiguities as to how the desired changes would be implemented. At long last, we have (proposed) answers. On September 14, 2020, the FAR Council issued a proposed rule designed to implement the requirements of the E.O. (85 FR 56558, Sept. 14, 2020). While this proposed rule incorporates the overarching objectives of the E.O., it also adds a fairly unsettling spin in that it expands on the E.O.’s mandate by reintroducing the domestic content test for commercially available off-the-shelf (COTS) items as it pertains to iron and steel products.