The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require
Regulations
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
Feature Comment: The New Madness? CMMC-Mania — It’s Arrived!
The arrival of the Cybersecurity Maturity Model Certification (CMMC) program will bring redefining changes to all companies selling to the DoD, suggest Alex Major and Cara Wulf in this Feature Comment for The Government Contractor.
CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?
Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:
FCC Makes a Call on AI
On August 7, 2024, the Federal Communications Commission (FCC) adopted a new Notice of Proposed Rule Making (NPRM) proposing regulations that prohibit the use of AI in automated dialing or artificial or pre-recorded voice calls absent the prior written consent of the call recipient, unless otherwise exempted by the FCC. The action was taken under…
DOD Releases Final Rule Prohibiting the Acquisition of Certain Magnets from Nonaligned Foreign Nations
China dominates the rare earth industry, accounting for approximately 60 percent of rare earth metal mining and approximately 90 percent of rare earth metal processing in 2023. In order to combat this near-monopoly and to limit supply chain vulnerabilities and risk to the US defense industry, a final Defense Federal Acquisition Regulation Supplement (DFARS) rule, published May 30, 2024, applies broader sourcing prohibitions to the language of DFARS 225.7018 and operative clause DFARS 252.225-7052 to prohibit the use and acquisition of magnets mined in China as of January 1, 2027.
TikTok Dances Off of Contractor IT Devices—Interim Rule Prohibits ByteDance Limited Applications
On June 2, 2023, the FAR Council issued an Interim Rule to implement the prohibition on having or using TikTok or any successor application or service developed or provided by ByteDance Limited (covered application). Importantly, the prohibition applies not only to Government-issued devices but encompasses contractor and contractor employee-owned devices (e.g., employee devices used as part of a bring-your-own-device program) as well. The Interim Rule took immediate effect and requires new FAR clause FAR 52.204-27, Prohibition on a ByteDance Covered Application, to be included in solicitations issued on or after June 2, 2023. In addition, solicitations issued before the effective date were required to be amended by July 3, 2023, provided that award of the resulting contract(s) occurs on or after the effective date. Existing indefinite-delivery, indefinite-quantity contracts were required to be modified to include the new clause by July 3, 2023, to apply to future orders. Finally, if exercising an option or modifying an existing contract to extend the period of performance, contracting officers must include the clause. In short, this clause will soon be in most if not all Federal government contracts. Contractors should take action now to ensure that they are prepared to comply with these requirements and that employees are familiar with and trained regarding the prohibition.
Ostensible Clarity: SBA Rule Addresses Ostensible Subcontractor Rule in General Construction Contracts and DoverStaffing Factors
In a previous post, we mentioned the April 27, 2023 Small Business Administration (SBA) Final Rule, which made a number of revisions to the Small Business Regulations. A few of those revisions relate to the Ostensible Subcontractor Rule, a topic that has confused contractors for years. The Final Rule seeks to clear up that confusion, or at least some of it. Specifically, the Final Rule revises 13 CFR 121.103(h) to (1) clarify how the Ostensible Subcontractor Rule applies to general construction contracts and (2) provide guidance on the utilization of the DoverStaffing factors in determining whether a subcontractor is an “ostensible subcontractor.”
Small Business Contractors Rejoice or Repent: Final SBA Rule Adds Teeth to 13 CFR 125.6 Subcontracting Limitations
On April 27, 2023, the Small Business Administration (SBA) issued a final rule, finalizing a September 9, 2022 proposed rule, and making a myriad of changes to the Small Business Regulations. Those changes are effective at the end of this month, on May 30, 2023. We will be covering a number of those changes in upcoming posts. But for now, we’re focusing on a change that will make some contractors very happy and other contractors very worried: real, negative consequences for small businesses that fail to comply with 13 CFR 125.6, which governs subcontracting limitations for small business set-aside contracts over the simplified acquisition threshold (presently defined in FAR 2.101 as $250,000).
An Inconvenient Requirement: New Proposed Rule Would Require Federal Contractors to Disclose Greenhouse Gas Emissions
In 2006, the documentary An Inconvenient Truth chronicled former Vice President Al Gore’s efforts to educate the public on the consequences of climate change. In the sixteen years since the Academy Award-winning film was released, public interest in the impact that greenhouse gas (GHG) emissions have had, are having, and will have on our planet has increased exponentially. Most recently, at the 27th U.N. Climate Conference (COP27), countries from around the globe came together to discuss the implementation of battle plans to combat climate change. One such plan, which was discussed at COP 27 by President Biden, is a new Proposed Rule that would require “significant” and “major” federal contractors to disclose their GHG emissions and climate-related financial risk as well as set science-based targets to reduce their GHG emissions. If and when the Proposed Rule is finalized, it will have seismic implications for contractors, in that it ties contractor responsibility (i.e., a contractor’s ability to receive federal awards) to compliance with these requirements.