Robyn N. Burrows and Michael J. Montalbano
On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited, interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under current cybersecurity regulations set out by the National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020; although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.
NIST Self-Assessment Requirements
The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date. Continue reading “New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements”
Michael Joseph Montalbano
The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.
Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC. Continue reading “Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing”
Justin A. Chiarodo, Merle M. DeLancey, Jr., and Robyn N. Burrows
We previously discussed key elements of the newly released interim rule (“the interim rule” or “the rule”) implementing Part B of Section 889 (“Part B”), which prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment. This post provides a more detailed analysis of the scope and application of the rule, as well as five compliance recommendations given the impending August 13th deadline.
Rule Applies to All Contracts Effective August 13, 2020
Part B applies to all solicitations, options, and modifications on or after August 13th, including contracts for commercial items, commercially available off-the-shelf (COTS) items, and contracts at or below both the micro-purchase and simplified acquisition thresholds. Like it did with respect to Part A, GSA intends to issue a Mass Modification requiring contractors to certify compliance with Part B. GSA has also released Q&As and FAQs to assist contractors with Part B implementation. The interim rule acknowledges that Part B will have a broad impact across contractors in a range of industries, including healthcare, education, automotive, aviation, and aerospace. The rule, however, does not apply to federal grant recipients (which are subject to a separate rulemaking). Continue reading “Part B Interim Rule Bans Contractors from Using Covered Technology Starting August 13th: 5 Steps for Meeting the Compliance Deadline”
The recently enacted coronavirus COVID-19 Coronavirus Aid, Relief, and Economic Security Act stimulus package (the “CARES Act” or “the Act”) includes billions of dollars earmarked for the Department of Defense (“DoD”) and defense industry contractors. It does this in two ways:
- By providing billions of dollars in loans, loan guarantees, and other financial assistance to businesses through the Department of the Treasury, including up to $17 billion specifically for businesses “critical to maintaining national security;” and
- By providing $10.5 billion in supplemental appropriations to DoD, much of which is likely to go to procuring goods and services from federal contractors, including in areas ranging from healthcare to information technology. The Act also contains provisions intended to streamline DoD contracting during the present emergency.
Although the procedures to obtain these loans were not established by the Act, the Secretary of the Treasury is required to publish procedures for applying for these loans within 10 days of enactment. It is expected that DoD will issue solicitations very soon to meet these pressing needs. We expect many contractors in the defense industry will be eligible for these loans, or for the parallel loan program for small businesses being administered by the Small Business Administration under the Act. Continue reading “CARES Act: Significant Funds for Defense Department and Defense Contractors”
Michael Joseph Montalbano
In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.
What Is the CMMC?
The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020, who will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced / Progressive
The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms. Continue reading “New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?”
Justin A. Chiarodo and Robyn N. Burrows
A very Happy New Year to our GovCon Navigator readers! Further expanding recent supply chain restrictions across federal procurement, the Department of Defense (“DoD”) issued an interim rule prohibiting DoD from procuring equipment or services from certain Chinese entities (and possibly Russian) if used to carry out DoD nuclear deterrence or homeland defense missions. The rule builds on the Section 889 supply chain restrictions we previously covered in a prior blog post.
What should contractors do now given the interim rule is already in effect? Contractors should first evaluate their existing contract portfolios for covered missions and take immediate steps to eliminate all covered products from their supply chain (and find alternate sources of supply). If the rule might impact contract performance, you should be prepared to address this with the appropriate counterparty. And given the requirement for compliance certifications that mirror Section 889, contractors should also harmonize monitoring and compliance with their existing supply chain compliance programs. Among other things, this should address the requirement to obtain compliance certifications from downstream subcontractors and suppliers.
Read on for the specifics. Continue reading “A DoD New Year’s Resolution: No More Chinese (and Possibly Russian) Products and Services in Support of Key Missions”
Merle M. DeLancey Jr.
On August 15, 2019, the Defense Health Agency (“DHA”) and Defense Logistics Agency (“DLA”) agreed upon a joint approach to healthcare logistics. Under the Memorandum of Agreement (“MOA”), DLA will be responsible for materiel acquisitions, while DHA will take the lead on medical services acquisitions. The MOA clarifies the agencies’ complementary roles and responsibilities and avoids duplication of effort. The MOA covers all aspects of medical logistics support provided by DLA to DHA, and DHA’s consideration for that support in performance areas including pharmaceuticals, medical-surgical supplies, healthcare technology equipment, cataloging, and Class VIII surge and sustainment materiel required by the services to meet the demands of the national military support strategy.
The uninformed might question the need for DHA and DLA to formally enter into a MOA. After all, DHA and DLA are both under the Department of Defense (‘DoD”) umbrella. Why is an agreement required to coordinate the two agencies’ efforts? Why wasn’t such coordination and avoidance of duplication of effort simply ordered by DoD senior command? Good questions perhaps, but the MOA was necessary to ensure the agencies stay in their respective lanes. Continue reading “Defense Health Agency and Defense Logistics Agency Memorandum of Agreement: A Good First Step, but What about Coordination with the Department of Veterans Affairs?”
Carolyn R. Cody-Jones
A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss qui tam complaint fraud allegations against the company. The complaint—brought by a former employee from the company’s cybersecurity department a month after his termination from the company—alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.
The primary regulations at issue in the case are DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information. Continue reading “Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward”