This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

Michael Joseph Montalbano

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or controlled unclassified information (“CUI”) will be assigned a CMMC level. Solicitations involving only FCI will have a CMMC Level 1 requirement. Solicitations involving non-Defense CUI will have a CMMC Level 2 self-attestation requirement. Solicitations involving Defense CUI will have a CMMC Level 2 third-party certification (i.e., C3PAO) requirement. Solicitations involving particularly sensitive DOD programs will have a Level 3 requirement. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).

Continue reading “This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule”

Federal Circuit Clarifies “Interested Party” Status in Percipient.ai v. United States

Robyn N. Burrows and Michael Joseph Montalbano

When a Federal Circuit panel held that subcontractors had standing to challenge procurement violations, Judge Clevenger warned of a flood. Under the panel’s holding, thousands of subcontractors could inundate the Court of Federal Claims with allegations that agencies had violated applicable procurement laws. Progress on major programs could slow as the Government dealt with a wave of new protest litigants.

On August 28, 2025, the full Federal Circuit reversed course. The Court reaffirmed the long-standing definition of “interested party,” holding that only actual or prospective bidders or offerors with a direct economic interest in the outcome of the procurement may protest.

Continue reading “Federal Circuit Clarifies “Interested Party” Status in Percipient.ai v. United States”

Beyond the Balance Sheet: The Continued Importance of Cybersecurity in M&A

Merle M. DeLancey Jr., Samarth Barot, and Michael Joseph Montalbano 

In our August 1 post, we discussed how companies that acquire government contractors can inherit the False Claims Act (“FCA”) exposure based on their targets’ cybersecurity violations. Now, the Department of Justice (“DOJ”) delivered another vivid real-world example: a $1.75 million settlement in which a private equity (“PE”) firm, Gallant Capital Partners LLC, was named jointly and severally liable for its portfolio company’s cybersecurity violations on a U.S. Air Force contract.

The outcome underscores two critical truths. First, DOJ will pursue financial sponsors when a contractor in their portfolio fails to comply with its contractual cybersecurity requirements. Second, investors that fail to ask about, document, and remediate a target’s security shortcomings can find themselves financing both the acquisition and the government’s recovery.

Continue reading “Beyond the Balance Sheet: The Continued Importance of Cybersecurity in M&A”

Department of Defense to Increase Scrutiny Over IT Consulting and Advisory Contracts

Michael Joseph Montalbano and Amanda C. DeLaPerriere

The Department of Defense’s (“DoD”) Under Secretary for Acquisition and Sustainment issued a memorandum on June 23, 2025, that tightens oversight on DoD contracts for information technology consulting & management services (“ITC&MS”) and advisory & assistance services (“A&AS”).

What contracts are impacted?

The memorandum applies to unclassified, FAR-based contracts or task orders for ITC&MS or A&AS. ITC&MS are services provided by integrators or consultants that involve system information technology (“IT”) integration, implementation, or advice and that are valued at over $10 million. A&AS are services for consulting, advising, assisting, or any professional services for similar functions, and that are valued over $1 million. The memorandum expressly notes that requirements may not be split into multiple efforts to stay under the $10 million and $1 million thresholds. Additionally, the memorandum does not apply to already existing consulting and advisory contracts. 

What is the timeline for review?

Effective immediately, DoD agencies must secure advance approval from the Department of Government Efficiency (“DOGE”) for all qualifying ITC&MS or A&AS contracts. DoD agencies must include in their approval request a description of the contract’s purpose, a cost/benefit analysis, and a justification as to why the efforts cannot be insourced or acquired from a direct service provider. DOGE then has three business days to respond. If DOGE does not respond or approves the contract, then the contract may proceed. If DOGE raises issues with the contract, then DOGE and the DoD agencies are required to work collaboratively to resolve those issues. The memorandum does not specify whether DOGE can block a DoD agency from moving forward with the contract, whether there is any time limit on DOGE and DoD’s attempts to work collaboratively, or whether the agency has a specific appeal process if it disagrees with DOGE’s assessment.

Scope and Exemptions

Not all ITC&MS or A&AS contracts are subject to review. The memo expressly excludes:

  • ITC&MS contracts involving “direct service providers” performing services rather than resellers, integrators, or intermediaries.
  • ITC&MS contracts in direct support of defense weapon system programs or sustainment activities.
  • A&AS contracts for systems engineering and technical assistance in support of major defense acquisition programs.

These exemptions align with the Administration’s decision to prioritize war fighting efforts as well as procure more supplies and services from Original Equipment Manufacturers.

Strategic Implications for Contractors and Agencies

This memorandum reflects a strategic push—rooted in broader federal efficiency initiatives—to trim consulting spend, eliminate unnecessary intermediation, and ensure rigorous scrutiny of high-value service awards.

While the exact impact this memorandum will have on contractors is still unclear, contractors working in the ITC&MS or A&AS space can take several steps to reduce their risk:

  • Preempt DOGE scrutiny with clear justifications: Articulate in your proposal how your services provide unique value and cost-effective support.
  • Clarify your role: Emphasize direct mission-critical support—especially for exempt programs. Avoid generic management consulting language that could trigger heightened scrutiny.
  • Collaborate with agency customers: Work early with DoD contracting and program officials to help them develop the rationale for approving your contract or identifying an applicable exception.
  • Streamline pricing and deliverables: Clearly define work products, performance metrics, and accountability mechanisms.

What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

Michael Joseph Montalbano 

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.

Continue reading “What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level”

The FAR Council Publishes Long-Awaited CUI Rule

Michael Joseph Montalbano 

On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council issued its long-awaited “CUI Rule.” CUI, or Controlled Unclassified Information, is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. For nearly 15 years, contractors have struggled to determine what information meets this definition. The CUI rule is an opportunity for the federal government to finally provide contractors with the guidance needed to better identify and safeguard the CUI they receive in connection with their federal contracts.

Continue reading “The FAR Council Publishes Long-Awaited CUI Rule”

Department of Defense Issues Final CMMC Rule

Michael Joseph Montalbano 

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels (CMMC Level 1, CMMC Level 2, and CMMC Level 3), depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Continue reading “Department of Defense Issues Final CMMC Rule”

Time for Compliance with DOD’s Cybersecurity Regulations is NOW

Michael Joseph Montalbano and Samarth Barot 

On February 19, 2024, the Department of Justice (“DOJ”) notified the U.S. District Court for the Northern District of Georgia that it would intervene in a False Claims Act (“FCA”) case filed against Georgia Tech Research Corporation and Georgia Institute of Technology (collectively “Georgia Tech”) for not complying with the requirements of DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 (“NIST 800-171”).

All Department of Defense (“DOD”) solicitations and contracts contain DFARS clause 252.204-7012. DFARS 252.204-7012 requires a contractor that has controlled unclassified information to assess its compliance with the 110 cybersecurity controls set out in NIST 800-171. Specifically, pursuant to DFARS 252.204-7012, contractors must implement all of the NIST 800-171 requirements and upload the results of that assessment to the Department of Defense’s Supplier Performance Risk System (“SPRS”), or have a plan of action and milestones in place for any requirement the contractor has not yet implemented.

Continue reading “Time for Compliance with DOD’s Cybersecurity Regulations is NOW”

The Department of Defense Clarifies FedRAMP Equivalency Standard

Michael Joseph Montalbano 

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet the security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This begs the question, what is equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.

Continue reading “The Department of Defense Clarifies FedRAMP Equivalency Standard”

Understanding the Basics of CMMC Level 3

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2.  In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply.  DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.”  We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI.  DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.    

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification. First, the contractor must obtain a CMMC Level 2 certification. This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements. Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third-party assessment—a CMMC Level 2 self-assessment will not suffice.

Continue reading “Understanding the Basics of CMMC Level 3”