Category: Michael Joseph Montalbano

Time for Compliance with DOD’s Cybersecurity Regulations is NOW

Michael Joseph Montalbano and Samarth Barot 

On February 19, 2024, the Department of Justice (“DOJ”) notified the U.S. District Court for the Northern District of Georgia that it would intervene in a False Claims Act (“FCA”) case filed against Georgia Tech Research Corporation and Georgia Institute of Technology (collectively “Georgia Tech”) for not complying with the requirements of DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 (“NIST 800-171”).

All Department of Defense (“DOD”) solicitations and contracts contain DFARS clause 252.204-7012. DFARS 252.204-7012 requires a contractor to assess its compliance with 110 cybersecurity controls set out in the NIST 800-171 if the Company has controlled unclassified information. Specifically, pursuant to DFARS 252.204-7012, contractors must implement all of the NIST 800-171 requirements and upload the results of that assessment to the Department of Defense’s Supplier Performance Risk System (“SPRS”), or have a plan of action and milestones in place for any requirement the contractor has not yet implemented.

Continue reading “Time for Compliance with DOD’s Cybersecurity Regulations is NOW”

The Department of Defense Clarifies FedRAMP Equivalency Standard

Michael Joseph Montalbano 

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet the security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This begs the question, what is equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.

Continue reading “The Department of Defense Clarifies FedRAMP Equivalency Standard”

Understanding the Basics of CMMC Level 3

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2.  In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply.  DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.”  We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI.  DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.    

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification.  First, the contractor must obtain a CMMC Level 2 certification.  This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements.  Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third party assessment—a CMMC Level 2 self-assessment will not suffice.

Continue reading “Understanding the Basics of CMMC Level 3”

Understanding the Basics of CMMC Level 2

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.

Continue reading “Understanding the Basics of CMMC Level 2”

Understanding the Basics of CMMC Level 1


Michael Joseph Montalbano 

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS, DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

Continue reading “Understanding the Basics of CMMC Level 1”

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano 

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

  • Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.
Continue reading “The Department of Defense Issues Proposed Timeline for CMMC Implementation”

The Department of Defense Releases Proposed CMMC Rule

Michael Joseph Montalbano 

The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

  • Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advance level).
  • Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
Continue reading “The Department of Defense Releases Proposed CMMC Rule”

The FAR Council Proposes Standardizing Cybersecurity Requirements

Michael Joseph Montalbano and Oliver E. Jury ●

On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. We discussed FAR Case No. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. This post discusses FAR Case No. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.

Who Will the Standardization of Cybersecurity Contractual Requirements Affect?

Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”).

What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”

FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services). There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.”

The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.

Continue reading “The FAR Council Proposes Standardizing Cybersecurity Requirements”

The FAR Council Proposes New Cyber Incident Reporting Requirements

Michael Joseph Montalbano and Oliver E. Jury ●

On October 3, 2023, the FAR Council issued two proposed cybersecurity rules that could have significant implications for both Government prime and subcontractors. This post discusses the first rule, FAR Case No. 2021-017, which, if implemented, will impose an array of new cyber incident reporting requirements on nearly all government contractors. The second rule, FAR Case No. 2021-019, seeks to standardize cybersecurity contractual requirements across Federal agencies. We discuss the first rule in further detail here.

Who Would Have to Comply with the New Cyber Incident Reporting Rule?

Under the proposed cyber incident rule, the FAR Council intends to promulgate a new FAR clause, FAR 52.239-ZZ. In its current form, FAR 52.239-ZZ would apply to all contracts where “information and communications technology” (“ICT”) is used or provided in the performance of the contract.

What is ICT? ICT is just about anything computer related. ICT includes computers and their peripheral equipment, telecommunications equipment, computer software, and electronic documents. In other words, if a contractor uses a computer or related device in the performance of a government contract, then FAR 52.239-ZZ would likely apply.

Continue reading “The FAR Council Proposes New Cyber Incident Reporting Requirements”

How to Manage a Potential Whistleblower

Dominique L. Casimir, Jennifer A. Short, and Michael Joseph Montalbano 


The federal False Claims Act (“FCA”) is one of the United States’ most effective tools to detect and prevent fraud against the Government. One reason the FCA is so effective is that it encourages the employees of an organization to come forward as claimants and receive a share of any financial recovery to the Government. Recognizing the central role of these whistleblowers in the FCA’s enforcement scheme, Congress included an anti-retaliation provision in the statute that protects them when they report suspected fraudulent conduct. Under the FCA’s anti-retaliation provision, employees, contractors, or agents can sue for damages on their own behalf if they are “discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms and conditions of employment because of lawful acts done” in connection with a reported FCA violation. 31 U.S.C. § 3730(h)(1). Likewise, nearly every state also affords some degree of whistleblower protection, either statutorily or in the common law.

Continue readingHow to Manage a Potential Whistleblower
Exit mobile version
%%footer%%