Regulatory & Statutory Developments

“Arm me with harmony.” – Treach, Naughty By Nature[1]

On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.


If you happen to be a government contractor and are contemplating additions to your Summer reading list, consider adding the FAR Council’s May 3, 2024 advanced notice of proposed rulemaking (“ANPR”) to the mix. The ANPR, which was issued in furtherance of implementing Section 5949 of the FY 2023 National Defense Authorization Act (“NDAA”), contemplates various forthcoming changes to the FAR, all of which focus on banning agencies from purchasing certain products or services that contain or otherwise utilize semiconductors that are produced, designed, or provided by three Chinese entities and their subsidiaries, affiliates, or successors: Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp. (“YMTC”). In addition, the FAR will likely be amended to prohibit the acquisition of semiconductor products or services from any entity that is owned, controlled by, or otherwise connected to China, North Korea, Iran, Russia and any other “foreign country of concern” – a designation to be determined by the Secretary of Defense or the Secretary of Commerce, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation.


On April 22, 2024, the Department of Health and Human Services (HHS) announced a Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by prohibiting disclosure of protected health information (PHI) related to lawful reproductive health care under

In March 2024, the Department of Health and Human Services—through the Office of the National Coordinator for Health IT (ONC)—released a draft 2024-2030 Federal Health IT Strategic Plan for public comment. A collaborative effort between ONC and more than two dozen federal agencies, the plan outlines federal health information technology (health IT) goals and objectives

What do you think is going to be scarier—artificial intelligence (AI) or the government’s effort to regulate AI? On October 30, 2023, the White House issued Executive Order (E.O.) 14410, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. As the federal government’s latest foray into harnessing AI, this E.O.—like those before it, generally—recognizes that AI offers extraordinary potential and promise, provided that it is harnessed responsibly to prevent the exacerbation of societal harms. Since E.O. 14410, there has been a flurry of activity in the federal government, including guidance and policies providing an indication of how agencies can/should/will harness AI to support agency objectives. While we are far from a situation similar to Skynet from the Terminator franchise or HAL 9000 from 2001: A Space Odyssey, the government’s accelerated activity to reap AI’s potential benefits far outpaces the provision of actionable guidance so contractors can understand and adapt to what will be required in offering AI products and services to the government. So let’s open the pod bay doors and explore…


On December 26, 2023, the Department of Defense (“DoD”) belatedly gifted defense contractors and subcontractors a Proposed Rule on the Cybersecurity Maturity Model Certification (“CMMC”) Program. DoD also released eight CMMC guidance documents, providing interested parties a one-two combo of what to expect under the Program. The Proposed Rule has already received over 100 comments. With commenting open until February 26, 2024, will DoD proceed with a final rule, or is the Proposed Rule a Groundhog Day scenario with DoD further delaying final implementation of the CMMC Program?


The Proposed Rule behind FAR Case 2021-017 may strike fear into the hearts of many contractors, as it implements new recommendations regarding cybersecurity reporting obligations. Alex Major highlights the necessary steps and potential risks federal contractors must consider in the Government Contractor.

Just in time for the season of new backpacks, lunch boxes, and school supplies, the Office of Management and Budget (OMB) has assigned some homework to contractors looking to participate in Federal financial assistance programs for infrastructure. Consistent with its Build America, Buy America Act (BABA) mandates, on August 23, 2023, OMB published a Final Rule revising its Guidance for Grants and Agreements to implement BABA (Final Rule). This Final Rule follows the Proposed Rule of February 9, 2023 (Proposed Rule), which we previously discussed, in which OMB proposed creating a new part 184 in 2 Code of Federal Regulations (CFR), and revising 2 CFR 200.322, Domestic preferences for procurements, to implement the requirements in Section 70914 of BABA. With the guidance becoming effective October 23, 2023, contractors should not put off studying these requirements if they want to be prepared for the BABA tests that will undoubtedly come as agencies begin to implement this guidance.


In what is quickly becoming an epic saga centered around the repercussions from the Ultima Servs. case, 8(a) program participants should have received a direct communication from the Small Business Administration (SBA) on Monday (August 21), providing direction on next steps regarding social disadvantage eligibility determinations. As that communication stated, if your firm’s 8(a) eligibility was based on an individual or individual(s) who relied upon the rebuttable presumption of social disadvantage, the firm will now be required to submit a social disadvantage narrative. (Entity-owned firms, such as firms owned by Indian tribes, Alaska Native Corporations, or Native Hawaiian Organizations, will not need to submit narratives; nor will 8(a) participants who previously established their social disadvantage through submission of a social disadvantage narrative.) Each owner claiming disadvantaged status must submit a narrative. This is all consistent with our previous coverage on this topic. What is new, however, is that there is now some more specific guidance on timing and how this process is going to play out.
