The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions
Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band
Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.
Department of Labor Issues New Guidance on the Use of Artificial Intelligence and Employment Decision-Making
On April 29, 2024, the Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) released guidance to federal contractors regarding the use of artificial intelligence (AI) in their employment practices. See https://www.dol.gov/agencies/ofccp/ai/ai-eeo-guide. The guidance reminds federal contractors of their existing legal obligations, the potentially harmful effects of AI on employment decisions if used improperly, and best practices. Arriving early, the guidance puts contractors on notice of their responsibilities when using AI in their employment decisions.
NIST SP 800-171 Revision 3 Goes Final: Who’s Down with ODP?
“Arm me with harmony.” – Treach, Naughty By Nature[1]
On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.
Supply Chain Checkup: FAR Council Announces New Rulemaking Focused on Prohibiting Certain Semiconductor Acquisitions
If you happen to be a government contractor and are contemplating additions to your Summer reading list, consider adding the FAR Council’s May 3, 2024 advanced notice of proposed rulemaking (“ANPR”) to the mix. The ANPR, which was issued in furtherance of implementing Section 5949 of the FY 2023 National Defense Authorization Act (“NDAA”), contemplates various forthcoming changes to the FAR, all of which focus on banning agencies from purchasing certain products or services that contain or otherwise utilize semiconductors that are produced, designed, or provided by three Chinese entities and their subsidiaries, affiliates, or successors: Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp. (“YMTC”). In addition, the FAR will likely be amended to prohibit the acquisition of semiconductor products or services from any entity that is owned, controlled by, or otherwise connected to China, North Korea, Iran, Russia, and any other “foreign country of concern” – a designation to be determined by the Secretary of Defense or the Secretary of Commerce, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation.
The US Government Is Buying Cybersecurity – Should You Be Selling? – Nuix Quarterly Partner Newsletter
On May 12, 2021, the Biden administration unveiled a rather expansive executive order intent on “Improving the Nation’s Cybersecurity.” The lengthy and sweeping order is a comprehensive national cybersecurity overhaul. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the order also prescribes:
Office Closures and Limited Access: Federal Contractor Considerations When Weathering Potential Political Unrest
As has been widely reported, the United States Federal Bureau of Investigation is warning of mass protests and potential violence accompanying the inauguration of President-Elect Joe Biden on January 20, 2021. However, unlike the tragic events of January 6, 2021, at the U.S. Capitol, this warning is being directed to the capitols of all fifty states in addition to numerous assets located throughout the National Capitol Region. In light of these developments, federal contractors who find their operations close to these seats of power may have concerns as to whether to stay open or close their offices and keep employees away. Accordingly, we provide a timely reminder of key considerations that contractors should take into account when balancing the practical reality of safety concerns against the legal obligations of contractual compliance.
The Perils of Section 889 Part B Execution: The DoD Waiver
When last we left the Federal Government, agency buyers were staring down the Interim Rule prohibiting them from contracting with entities that use “covered telecommunications equipment” under Section 889(a)(1)(B) (“Section B”) of the National Defense Authorization Act for Fiscal Year 2019 after August 13, 2020. But then August 13 came and went. Did federal agencies do all they needed to follow the requirement? Did modifications go out to industry yet? Were amendments made? Was FAR 52.204-24 (2019) appropriately corrected to FAR 52.204-24 (2020)? What of 52.204-25 or 52.204-26? Can federal agencies act in time?
Gambling on Compliance? DOJ Updates the House Rules on Corporate Compliance Program Expectations
When entering a casino, professional gamblers understand that “the house doesn’t beat the player. It just gives him the opportunity to beat himself.” This axiom is precisely why in the long run casinos make money, while gamblers see their bank accounts dwindle. The same holds true in the corporate world with respect to the creation, implementation, and maintenance of compliance programs. A company gambling on its compliance obligations does so at its own peril and must understand exactly what the “House” expects. If it doesn’t, then that company may join the unfortunate few that roll the dice or spin the wheel and come up with snake eyes or double zeros. That risk is multiplied if the company betting on sufficient compliance is receiving federal dollars, where failure can lead to catastrophic civil and criminal liability. Fortunately, the United States Department of Justice (“DOJ”) has published its version of “House Rules” that it is supposed to consult when examining whether to investigate, prosecute, or settle criminal charges against a company. In this respect, DOJ prosecutors are tasked with looking at specific factors outlined in the “Principles of Federal Prosecution of Business Organizations” (“Principles”) section of the Justice Manual. Among other factors, these Principles instruct DOJ prosecutors to consider “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” In furtherance of this mandate, the DOJ’s Criminal Division issued revised guidance on June 1, 2020, regarding the specific factors DOJ prosecutors should consider in making that evaluation. This updated version of the DOJ’s “Evaluation of Corporate Compliance Programs” (Guidance) clarifies and modifies certain areas of the version last updated in April 2019. Among other noteworthy revisions, the Guidance underscores the need for companies to ensure their corporate compliance program is: