The federal False Claims Act (“FCA”) is one of the United States’ most effective tools to detect and prevent fraud against the Government. One reason the FCA is so effective is that it encourages the employees of an organization to come forward as claimants and receive a share of any financial recovery to the Government. Recognizing the central role of these whistleblowers in the FCA’s enforcement scheme, Congress included an anti-retaliation provision in the statute that protects them when they report suspected fraudulent conduct. Under the FCA’s anti-retaliation provision, employees, contractors, or agents can sue for damages on their own behalf if they are “discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms and conditions of employment because of lawful acts done” in connection with a reported FCA violation. 31 U.S.C. § 3730(h)(1). Likewise, nearly every state also affords some degree of whistleblower protection, either statutorily or in the common law.
In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).
The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.
Attorney Michael Montalbano and Blank Rome’s Government Contracts group are raising money for Salute, Inc., a non-profit organization that provides financial assistance to U.S. veterans and their families. The fundraiser will culminate on October 9 with Michael running the Chicago marathon on behalf of both Salute, Inc. and Blank Rome. Michael provided the following statement about the fundraiser:
Many of our clients are led by or employ U.S. veterans. I have seen these veterans accomplish tremendous feats, whether it is developing state-of-the-art technology for the Government or supporting U.S. bases across the world.
I was looking for a veterans organization to support when I found that Salute, Inc. was sponsoring runners for the Chicago marathon. I have been an avid runner since law school, so I thought this was a good opportunity to both run the marathon and raise money for a good cause, supporting individuals who are such an integral part of the Blank Rome Government Contracts legal practice.
When I approached the head of our Government Contracts practice group, Justin Chiarodo, about the fundraiser, he immediately encouraged me to take on this challenge. He said to reach out to the attorneys in our practice group. They have a deep appreciation for our veteran clients and would certainly donate to this cause.
Justin was absolutely right. The attorneys and staff in my practice group and across the firm were eager to donate to the fundraiser. Within a few days, we exceeded our initial fundraising goal, and I am proud to say that we recently surpassed our revised fundraising goal.
As for training, I am on target to run the marathon on October 9. My goals are just to finish the race and raise money to help Salute, Inc. continue its important mission. Thanks to the support of my colleagues, both of those goals are well within sight.
If you are interested in supporting this fundraiser, you can learn more and donate by clicking here.
In February 2021, the Department of Defense (“DoD”) promulgated 32 C.F.R. Part 117. This move converted the National Industrial Security Program Operating Manual (“NISPOM”)—the rules that govern personnel and facility security clearances—from DoD policy into federal law. The move originally garnered little attention because the new regulations include virtually all requirements that were in the prior NISPOM. DoD, however, embedded new requirements with potentially significant implications for cleared contractors and their senior management officials (“SMO”). And the Defense Counterintelligence and Security Agency (“DCSA”) is now signaling that it will hold SMOs accountable if they fail to meet these requirements.
A cleared contractor’s SMO is the person “with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.” § 117.3(b). Typically, the SMO is the individual who holds the top position at a company, such as a chief executive officer or majority owner. Prior to the promulgation of Part 117, the SMO had discretion to delegate responsibility over the contractor’s industrial security program to another employee. Section 117.7(b)(2) of the new NISPOM regulations has put an end to that practice.
Under the Law, covered entities that experience covered cyber incidents must report the incident to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred. Covered entities must also notify CISA within 24 hours of making a ransomware payment.
The new cyber reporting law tasks CISA with creating more precise definitions for who constitutes a “covered entity” and what constitutes a “cyber incident.” Even the general language of the statute, however, provides some guidance for companies.
In response to more than 850 public comments, the Department of Defense (“DOD”) has decided to significantly revamp the Cybersecurity Maturity Model Certification (“CMMC”) program. On November 4, 2021, DOD announced that it was replacing the current CMMC program with CMMC 2.0, which is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”). DOD made three significant changes through the new CMMC 2.0 program:
Reduces the number of CMMC levels. As we explained in earlier posts, CMMC 1.0 originally had five CMMC levels of ascending sophistication. CMMC 2.0 now only has three levels:
CMMC 2.0 Level One: This level will apply to most DIB companies and requires compliance with 17 basic cyber hygiene practices.
CMMC 2.0 Level Two: This level applies to DIB companies that will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171. Notably, DOD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS clause 252.204-7012.
CMMC 2.0 Level Three: DOD is still developing the requirements for this level, but we expect that this level will apply to only the most sensitive and high-risk DOD projects.
Companies providing information technology products and services to U.S. government agencies are now required to notify such agencies of cyber incidents and meet specific cybersecurity standards. The executive order attempts to modernize the federal government’s cybersecurity defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the [United States]’ ability to respond to incidents when they occur.” The executive order is just one example of the Biden administration’s push to improve the nation’s data privacy and cybersecurity practices in response to the recent series of ransomware attacks.
On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.
Proposed amendments are expected soon from the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) that will increase compliance obligations for government contractors and their vendors, building on a string of supply chain and cybersecurity regulation in recent years (including Section 889’s prohibition on the use of certain Chinese telecommunications, new registration requirements in the Supplier Performance Risk System, and the Department of Defense’s Cybersecurity Maturity Model Certification program). We see the biggest impacts on government contractors, such as developers and users of software.
On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under the current cybersecurity regulations set out in National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and under the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020, although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.
NIST Self-Assessment Requirements
The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date.
The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.
Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC.
On March 27, 2020, the Coronavirus Aid, Relief and Economic Security Act (“CARES Act”) was signed into law. This massive $2.2 trillion economic package provides a host of opportunities and resources for all varieties of federal contractors—from those who need financial assistance through the coronavirus pandemic to those who can leverage their resources to assist the federal government in its response.
The five timely posts below discuss discrete portions of the CARES Act, how they might affect federal contractors, and what federal contractors can do to take advantage of the many programs and opportunities offered under the Act. Please contact us for assistance with any of these or other components of the Act.
Michael J. Slattery
This article discusses § 3610 of the CARES Act, which provides funds that federal agencies can use to alleviate disruptions to federal contractors caused by the coronavirus pandemic.
Albert B. Krachman
This article discusses new contracting authorities delegated under the CARES Act as well as sole source opportunities available under the Act.
As COVID-19 issues permeate virtually all aspects of commerce nationally and internationally, we stand ready to help. Blank Rome’s Coronavirus (“COVID-19”) Task Force includes interdisciplinary resources across every business sector from insurance recovery to HR.