Old Dominion, New Privacy Law: The Virginia Consumer Data Protection Act

With the recent adoption of the Virginia Consumer Data Protection Act (“VCDPA”), the state’s consumers will have new rights to understand what data a company collects about them, how that data is used, and with whom they share it. In short, the new law will have a national impact on any company doing business in the state.

Led by attorneys from Blank Rome’s Privacy, Security & Data Protection and White Collar Defense & Investigation Groups, this complimentary webinar will provide in-depth analysis of the VCDPA and timely insights on how businesses should prepare to comply with its provisions, including discussion of:

      • Scope of the VCDPA;
      • The VCDPA compared to the California Consumer Privacy Act and other privacy regimes;
      • New data rights of consumers;
      • Information security requirements; and
      • Issues related to enforcement.

PRESENTERS

  • Sharon R. Klein, Partner and Chair, Privacy, Security & Data Protection, Orange County, CA
  • Alex C. Nisenbaum, Partner, Privacy, Security & Data Protection, Orange County, CA
  • Jennifer A. Short, Partner, White Collar Defense & Investigations, Washington, D.C.

CLE Credit

This course is anticipated to qualify for the following CLE credits: VA 1.0 general credit

QUESTIONS? Please contact Courtney Litman via e-mail.

Tuesday, September 21, 2021
10:00‒11:00 a.m. PDT / 1:00‒2:00 p.m. EDT
Online Event

REGISTER HERE

President Biden’s Recent Cybersecurity Executive Order Will Increase Compliance Obligations on the Private Sector

Sharon R. Klein, Alex C. Nisenbaum, Karen H. Shin, Justin A. Chiarodo, and Michael Joseph Montalbano

Companies providing information technology products and services to U.S. government agencies are now required to notify such agencies of cyber incidents and meet specific cybersecurity standards. The executive order attempts to modernize the federal government’s cybersecurity defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the [United States]’ ability to respond to incidents when they occur.” The executive order is just one example of the Biden administration’s push to improve the nation’s data privacy and cybersecurity practices in response to the recent series of ransomware attacks.

On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.

Proposed amendments are expected soon from the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) that will increase compliance obligations for government contractors and their vendors, building on a string of supply chain and cybersecurity regulation in recent years (including Section 889’s prohibition on the use of certain Chinese telecommunications, new registration requirements in the Supplier Performance Risk System, and the Department of Defense’s Cybersecurity Maturity Model Certification program). We see the biggest impacts on government contractors, such as developers and users of software.

To read the full client alert, please click here

Where Are We Going with Section 889 Part B?

Justin A. Chiarodo, Merle M. DeLancey, Jr., and Robyn N. Burrows

About two months have passed since the August 13, 2020, effective date of Part B of Section 889 of the FY 2019 National Defense Authorization Act. Part B, sometimes referred to as the Chinese telecommunications equipment ban, broadly prohibits the federal government from contracting with entities that use certain Chinese telecommunications (including video surveillance) equipment and services.

After the FAR Council published its July 10, 2020, Interim Rule, contractors, large and small, spent countless hours working to be able to certify compliance by August 13. This deadline was critical because the Interim Rule said that absent such a certification, a contractor was ineligible for future contract awards. That is, government agencies were prohibited from renewing or extending existing contracts with contractors unable to certify Part B compliance. Indeed, agencies were prohibited from issuing an order under an existing contract to a contractor that failed to certify compliance.

Yet, despite the Rule’s laudable policy goals, the government’s piecemeal and inconsistent implementation has placed government contractors in an untenable position. Continue reading “Where Are We Going with Section 889 Part B?”

New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements

Robyn N. Burrows and Michael J. Montalbano

On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited, interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under current cybersecurity regulations set out by the National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020; although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.

NIST Self-Assessment Requirements

The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date. Continue reading “New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements”

Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing

Michael Joseph Montalbano

The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.

Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC. Continue reading “Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing”

Part B Interim Rule Bans Contractors from Using Covered Technology Starting August 13th: 5 Steps for Meeting the Compliance Deadline

Justin A. Chiarodo, Merle M. DeLancey, Jr., and Robyn N. Burrows

We previously discussed key elements of the newly released interim rule (“the interim rule” or “the rule”) implementing Part B of Section 889 (“Part B”), which prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment. This post provides a more detailed analysis of the scope and application of the rule, as well as five compliance recommendations given the impending August 13th deadline.

Rule Applies to All Contracts Effective August 13, 2020

Part B applies to all solicitations, options, and modifications on or after August 13th, including contracts for commercial items, commercially available off-the-shelf (COTS) items, and contracts at or below both the micro-purchase and simplified acquisition thresholds. Like it did with respect to Part A, GSA intends to issue a Mass Modification requiring contractors to certify compliance with Part B. GSA has also released Q&As and FAQs to assist contractors with Part B implementation. The interim rule acknowledges that Part B will have a broad impact across contractors in a range of industries, including healthcare, education, automotive, aviation, and aerospace. The rule, however, does not apply to federal grant recipients (which are subject to a separate rulemaking). Continue reading “Part B Interim Rule Bans Contractors from Using Covered Technology Starting August 13th: 5 Steps for Meeting the Compliance Deadline”

Newly Released Interim Rule Implementing Part B of Section 889

Justin A. Chiarodo, Merle M. DeLancey Jr., and Robyn N. Burrows

On July 10, the government issued the    long-awaited Interim Rule implementing Part B of Section 889 (here is a link to the pre-publication version, with the official version soon to follow). Part B prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment (previously discussed in our blog posts here and here). The Interim Rule is 86 pages and addresses issues related to compliance with Part B, as well as clarifying aspects of Part A.

These are the key points federal contractors need to know:

  • Effective Date: The effective date remains August 13, 2020. The ban applies to solicitations, options, and modifications on or after August 13. However, as we previously discussed, the Department of Defense may allow its contractors more time to comply, despite the statutory deadline.
  • Required Representation: An offeror must represent that, after conducting a reasonable inquiry, it does/does not use covered telecommunications equipment/services.
    • “Reasonable inquiry” means an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. An internal or third-party audit is not required.
  • Scope of “Use”: Applies to the contractor’s use of covered technology, regardless of whether it is used to perform a federal contract. Thus, a contractor’s commercial operations are included.
  • Affiliates/Subsidiaries: The required representation is not applicable to affiliates or subsidiaries at this time. The FAR Council is considering whether to expand the scope of the representation/prohibition to cover an offeror’s domestic affiliates, parents, and subsidiaries. If expanded, it would be effective August 13, 2021.
  • Subcontractors: The ban and required representation are not applicable to subcontractors at this time. The ban only applies at the prime contractor level and does not include a flow down obligation.
  • Detailed Waiver Process: The Interim Rule includes a detailed and complex process for seeking a waiver (really a two-year delayed application).
  • Suggested Compliance Steps: The Interim Rule suggests contractors adopt a “robust, risk-based compliance approach” to include educating personnel on the ban and implementing corporate enterprise tracking to identify covered equipment/services.

Regulators are still seeking feedback from industry, which suggests the government’s willingness to incorporate changes in a final rule. But prime contractors need to act now. In the next 30 days, prime contractors need to determine through a “reasonable inquiry” whether they use covered equipment, regardless of whether that use relates to performance of a federal contract. To demonstrate a reasonable inquiry, contractors should memorialize all steps taken and decisions made in performing the inquiry.

A more detailed analysis is forthcoming. In the meantime, if you have any questions regarding compliance, please contact one of Blank Rome’s Government Contracts practice group attorneys for guidance.

What Does a Potential One-Year Delay for Part B of Section 889 Mean for Your Compliance Efforts?

Justin A. Chiarodo, Merle DeLancey Jr., and Robyn N. Burrows

In remarks to Congress and statements this week, the Department of Defense (“DoD”) announced that it is considering a one-year delay for full implementation of Part B of the Section 889 ban (we previously summarized the ban, which prohibits the government from contracting with entities using certain Chinese telecommunications equipment, here). The ban is currently scheduled to go into effect on August 13, 2020. What does this welcome development mean for contractors? We think it warrants prioritizing near-term compliance efforts to high-risk areas, pending forthcoming rulemaking that will provide needed specifics on the way forward.


During June 10 remarks before the House Armed Services Committee, Undersecretary for Acquisition and Sustainment Ellen Lord expressed the DoD’s full support for the intent of Section 889, but admitted she is “very concerned” about being able to accomplish Part B implementation by August 13. As to whether the DoD can meet the current timeline given COVID-19 disruptions and the lack of an interim rule, Ms. Lord acknowledged that “we need more time” for contractors to comply.

Following the undersecretary’s testimony, the DoD announced that it is considering adding contract language giving its suppliers an additional year to reach full compliance with Part B. Though not final, the DoD’s proposed delay could relieve DoD contractors from full compliance with the impending August deadline. We anticipate this approach would be similar to the phase-in period for compliance with the Defense Federal Acquisition Regulation Supplement Safeguarding and Cyber Incident Reporting clause. It is not yet clear whether the Office of Management and Budget, which currently has the draft interim rule for Part B, will incorporate a delayed implementation into that forthcoming rule.

The DoD also signaled that it is poised to advocate for a more risk-based approach to Part B implementation and rulemaking. During her testimony, Ms. Lord expressed concern with the “unintended consequences” of a minor infraction several layers deep within the supply chain potentially shutting down major portions of the defense industrial base by disqualifying key prime contractors from doing business with the federal government. The DoD suggested that the use of a risk-based approach may be useful to achieve effective implementation. The DoD’s consideration of a risk-based approach indicates that it is equally concerned about its contractors’ ability to comply with a strict application of Part B.

How DoD’s Announcements Inform Compliance Efforts with Part B

Without an interim rule and with less than two months before the statutory August deadline, how should contractors begin implementing Part B? Given the DoD’s recent comments suggesting a risk-based approach, contractors should consider adjusting their Part B implementation efforts using a risk assessment framework, prioritizing high-risk areas. That is, contractors should identify the extent to which telecommunications or video surveillance equipment is used to support government contracts, the nature of that work, and the frequency with which the technology is used.

The nature of the product’s telecommunication function also informs its risk potential. For example, computers, routers, phones, and network equipment can generally be considered a higher priority area than technology that, although technically subject to the ban, presents a moderate to low cybersecurity risk, depending on the nature and frequency of use (e.g., HVAC systems, fax machines, copiers, scanners).

Contractors should also communicate with key suppliers to ensure that they are aware of the rule and are similarly working to prepare for Part B.

Although the DoD’s statements are welcome news—and reflect that the government is mindful of the challenges presented by the ban—the DoD remains committed to Section 889 and contractors should proceed accordingly.

New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?

Michael Joseph Montalbano

In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.

What Is the CMMC?

The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020, who will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:

    • Level 1 – Basic Cyber Hygiene
    • Level 2 – Intermediate Cyber Hygiene
    • Level 3 – Good Cyber Hygiene
    • Level 4 – Proactive
    • Level 5 – Advanced / Progressive

The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms. Continue reading “New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?”

For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows

On March 10, 2020, the Department of Commerce extended the deadline for U.S. companies to stop doing business with Huawei Technologies Co. Ltd. and its non-U.S. affiliates. The deadline has been extended multiple times and is now May 15, 2020. Under the extension, U.S. businesses can continue to work with Huawei on the operation of existing networks and mobile services, including cybersecurity research considered critical for network reliability.

Huawei was added to the Commerce Department’s Bureau of Industry and Security “Entity List” in May 2019. The Entity List includes foreign entities who have engaged in activities sanctioned by the State Department and activities contrary to U.S. national security and/or foreign policy interests.

In addition to the extension, the Commerce Department is seeking public comments through March 25, 2020, regarding the continuing need for, and scope of, possible future extensions concerning Huawei. The multiple extensions and new request for public comments are intended to allow time for companies and persons to shift from Huawei or its affiliates to alternative sources of equipment, software, and technology. Continue reading “For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?”