Sharon R. Klein, Alex C. Nisenbaum, Karen H. Shin, Justin A. Chiarodo, and Michael Joseph Montalbano
Companies providing information technology products and services to U.S. government agencies are now required to notify such agencies of cyber incidents and meet specific cybersecurity standards. The executive order attempts to modernize the federal government’s cybersecurity defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the [United States]’ ability to respond to incidents when they occur.” The executive order is just one example of the Biden administration’s push to improve the nation’s data privacy and cybersecurity practices in response to the recent series of ransomware attacks.
On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.
Proposed amendments are expected soon from the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) that will increase compliance obligations for government contractors and their vendors, building on a string of supply chain and cybersecurity regulation in recent years (including Section 889’s prohibition on the use of certain Chinese telecommunications, new registration requirements in the Supplier Performance Risk System, and the Department of Defense’s Cybersecurity Maturity Model Certification program). We see the biggest impacts on government contractors, such as developers and users of software.
Robyn N. Burrows and Michael J. Montalbano
On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under the current cybersecurity regulations set out in National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and under the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020, although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.
NIST Self-Assessment Requirements
The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date. Continue reading “New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements”
Michael Joseph Montalbano
The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.
Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC. Continue reading “Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing”
On March 27, 2020, the Coronavirus Aid, Relief and Economic Security Act (“CARES Act”) was signed into law. This massive $2.2 trillion economic package provides a host of opportunities and resources for all varieties of federal contractors—from those who need financial assistance through the coronavirus pandemic to those who can leverage their resources to assist the federal government in its response.
The five timely posts below discuss discrete portions of the CARES Act, how they might affect federal contractors, and what federal contractors can do to take advantage of the many programs and opportunities offered under the Act. Please contact us for assistance with any of these or other components of the Act.
1. The CARES Act Provides Much Needed Financial Relief for Small Businesses
Michael Joseph Montalbano
This article discusses the expanded $349 billion loan program set aside for small businesses under the CARES Act.
2. CARES Act § 3610: An Immediate Lifeline for Qualifying Federal Contractors Displaced by COVID-19
Michael J. Slattery
This article discusses § 3610 of the CARES Act, which provides funds that federal agencies can use to alleviate disruptions to federal contractors caused by the coronavirus pandemic.
3. CARES Act Grant Programs: Searching for Opportunity in the Coronavirus Relief Effort
Tjasse L. Fritz
This article discusses the wealth of grant programs available to federal contractors and other businesses under the CARES Act.
4. CARES Act: Significant Funds for Defense Department and Defense Contractors
This article discusses the billions of dollars in loans, loan guarantees, and other financial assistance available through the Department of Defense to defense industry contractors.
5. New Contracting Authorities and Preferences Established under the CARES Act
Albert B. Krachman
This article discusses new contracting authorities delegated under the CARES Act as well as sole source opportunities available under the Act.
As COVID-19 issues permeate virtually all aspects of commerce nationally and internationally, we stand ready to help. Blank Rome’s Coronavirus (“COVID-19”) Task Force includes interdisciplinary resources across every business sector from insurance recovery to HR.
Michael Joseph Montalbano
On March 27, 2020, Congress passed, and the President signed into law, the Coronavirus Aid, Relief and Economic Security Act (“CARES Act”). The CARES Act is a massive $2.2 trillion law designed to stabilize the United States’ economy as the country deals with the novel coronavirus COVID-19.
One major component of the CARES Act is the $349 billion set-aside to provide relief for small businesses in the form of loans and other financial resources. Here we discuss the major components of this program that all small businesses need to know before deciding whether they should apply for one of these loans. Continue reading “The CARES Act Provides Much Needed Financial Relief for Small Businesses”
Michael Joseph Montalbano
In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.
What Is the CMMC?
The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020, who will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced / Progressive
The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms. Continue reading “New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?”
Merle M. DeLancey Jr. and Michael Joseph Montalbano
In May 2018, the Government Accountability Office (“GAO”) implemented a $350 filing fee for bid protests. There are differences of opinion regarding why GAO implemented the fee. GAO publicly states that the fee was implemented to cover the costs of its new Electronic Protest Docket System (“EPDS”). Many, however, believe the fee was implemented to deter the filing of frivolous protests. Regardless, there “may” be an unintended consequence of the protest filing fee—an increase in agency-level protests. Recently, several agency contracting officers have stated that they are handling more agency protests, and, in their opinion, it is a direct result of GAO’s protest filing fee. As a result, contractors should understand and be prepared to mitigate the risk of agency protests to protect their contracts and position themselves for new ones.
Pros and Cons of Agency Protests
Continue reading “Agency Protests: An Emerging Tool and Potential Threat for Contractors”
Michael Joseph Montalbano
Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids. Continue reading “Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards”