The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
Feature Comment: The New Madness? CMMC-Mania — It’s Arrived!
The arrival of the Cybersecurity Maturity Model Certification (CMMC) program will bring redefining changes to all companies selling to the DoD, suggest Alex Major and Cara Wulf in this Feature Comment for The Government Contractor.
CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?
Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:
DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions
Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band
Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.
Executive Order 14410: An Artificial Intelligence Odyssey
What do you think is going to be scarier—artificial intelligence (AI) or the government’s effort to regulate AI? On October 30, 2023, the White House issued Executive Order (E.O.) 14410, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. As the federal government’s latest foray into harnessing AI, this E.O.—like those before it, generally—recognizes that AI offers extraordinary potential and promise, provided that it is harnessed responsibly to prevent the exacerbation of societal harms. Since E.O. 14410, there has been a flurry of activity in the federal government, including guidance and policies providing an indication of how agencies can/should/will harness AI to support agency objectives. While we are far from a situation similar to Skynet from the Terminator franchise or HAL 9000 from 2001: A Space Odyssey, the government’s accelerated activity to reap AI’s potential benefits far outpaces the provision of actionable guidance so contractors can understand and adapt to what will be required in offering AI products and services to the government. So let’s open the pod bay doors and explore…
DoD Mentor-Protégé Program Solidified under Proposed Rule
On October 25, 2023, the Department of Defense (DoD) published a Proposed Rule amending the Department of Defense Federal Acquisition Regulation Supplement (DFARS) and permanently authorizing the DoD Mentor-Protégé Program (DoD MP Program). In addition, the Proposed Rule makes several changes to the program—the most prominent of which include (a) lowering barriers to entry and (b) adding additional benefits for prospective mentors and protégés. Before we dive in to the Proposed Rule, a brief history of the DoD MP Program is in order.
DoD Braces for Inflation: Guidance for Contractors Battling Rising Costs
Unless you’ve been living under a rock or on a self-sustaining deserted island, the chances are high that you have become quite familiar with the term “inflation” (i.e., the rising costs of goods and services) over the past few years. Indeed, everything (from gasoline to gumballs and milk to movie tickets) appears to be more expensive as of late. Unfortunately, government contractors are not immune from this current economic reality. As most of us know all too well, many contracts that were negotiated and priced over the past 18 to 24 months are simply more expensive to perform now than was reasonably anticipated when bids were prepared.
In recognition of these soaring prices, the Department of Defense (DoD) issued a May 25, 2022, Memorandum titled “Guidance on Inflation and Economic Price Adjustments,” the purpose of which is to assist contracting officers (COs) in (i) navigating the impacts of inflation on existing contracts and (ii) managing downstream inflation risks on prospective contracts. Here are the key takeaways and our suggested courses of action to best protect your company’s bottom line:
Get Back: DOD Retreats While Revealing Plans for CMMC 2.0
The Cybersecurity Maturity Model Certification version 2.0 (CMMC 2.0) is here! Like a song you’ve heard before, the revised standards are a throwback but no less significant change to the standards that have evolved over the past three and a half years. McCarter & English Government Contracts and Global Trade co-leaders Alex Major and Franklin Turner detail the changes coming to federal contractors in a Feature Comment for Thomson Reuters’ The Government Contractor. Set against the recent Beatles documentary, the comment examines the impact of the Department of Defense’s most recent effort while detailing what contractors need to do before its new standards go into effect.
DoD Issues Proposed Rule on Enhanced Post-Award Debriefing Rights
As you may recall, Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (FY 2018 NDAA) required the US Department of Defense (DoD) to draft regulations to establish comprehensive post-award debriefing rights for disappointed offerors involved in applicable DoD procurements. On March 22, 2018, the DoD responded by issuing a Class Deviation that implemented certain FY 2018 NDAA requirements—i.e., those requirements affording disappointed offerors the opportunity to submit additional written questions to the cognizant DoD agency within two business days of its agency debriefing conducted in accordance with FAR 15.506(d). In such circumstances, the cognizant DoD agency must provide written responses to the questions within five business days after receipt of the questions. Moreover, if a disappointed offeror chooses to submit timely post-debriefing questions, the debriefing does not conclude—and thus the disappointed offeror’s GAO protest “clock” does not begin to run—until the agency provides its written response. On May 20, 2021, the DoD published a Proposed Rule to amend the Defense Federal Acquisition Regulation Supplement to (1) codify the March 2018 Class Deviation and (2) implement the additional post-award debriefing requirements from the FY 2018 NDAA.