In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).
The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.
On May 25, 2022, the Department of Defense (“DoD”) issued a memorandum recognizing that contractors are not immune from the “period of unusually high” inflation. The memorandum, titled “Guidance on Inflation and Economic Price Adjustments,” provides guidelines on when relief from cost increases due to inflation is appropriate and provides considerations for the proper use of economic price adjustment (“EPA”) clauses when entering into new contracts.
For existing DoD contracts, whether contractors can get relief from inflation depends on the type of contract.
In February 2021, the Department of Defense (“DoD”) promulgated 32 C.F.R. Part 117. This move converted the National Industrial Security Program Operating Manual (“NISPOM”)—the rules that govern personnel and facility security clearances—from DoD policy into federal law. The move originally garnered little attention because the new regulations include virtually all requirements that were in the prior NISPOM. DoD, however, embedded new requirements with potentially significant implications for cleared contractors and their senior management officials (“SMO”). And the Defense Counterintelligence and Security Agency (“DCSA”) is now signaling that it will hold SMOs accountable if they fail to meet these requirements.
A cleared contractor’s SMO is the person “with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.” § 117.3(b). Typically, the SMO is the individual who holds the top position at a company, such as a chief executive officer or majority owner. Prior to the promulgation of Part 117, the SMO had discretion to delegate responsibility over the contractor’s industrial security program to another employee. Section 117.7(b)(2) of the new NISPOM regulations has put an end to that practice.
The Department of Defense (“DoD”) recently issued its final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to provide offerors enhanced post-award debriefing rights. DoD has provided these enhanced debriefing procedures since 2018 through a FAR Class Deviation, allowing offerors to submit additional questions after receiving the post-award debriefing. Four years later, DoD’s final rule clarifies when the clock for an automatic stay begins in an enhanced debriefing and provides greater transparency by allowing unsuccessful offerors in certain procurements access to the agency’s redacted source selection decision.
We highlight below several key elements of the final rule:
Access to Redacted Source Selection Decision Document
The final rule requires DoD to provide the source selection decision document in certain circumstances, redacted to remove confidential and proprietary information of other offerors. For awards over $100 million, DoD must automatically provide the source selection decision during the debriefing. Small businesses and nontraditional defense contractors on procurements resulting in awards over $10 million and up to $100 million are also entitled to a copy of the decision but must specifically request it—the agency will not automatically provide it to offerors.
As the federal government prepares to roll out infrastructure grants and contracts in amounts not seen since the New Deal and the defense industrial base (“DIB”) gears up for billions in new spending to support Ukraine, a new Department of Defense (“DoD”) report raises serious concerns about the state of competition within the DIB. The report, recently released by the Office of the Under Secretary of Defense for Acquisition and Sustainment, analyzes the state of competition within the DIB and concludes that it can be summarized in one word: poor. The report discusses the causes for the lack of competition and makes recommendations for improving the solicitation process to increase competition, inspire innovation, reduce prices, and improve quality.
Foremost among the causes for the lack of competition identified by the report is consolidation of the DIB. Of 51 aerospace and defense prime contractors in the 1990s, only five exist today. Although the report failed to find significant correlation between this consolidation and increased pricing, the consolidation raises additional concerns for DoD, such as national security, mission risk, and strategic technology innovation. The report notes that “having only a single source or a small number of sources for a defense need can pose mission risk and, particularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation, pose significant national security risks.” The report recommends that when a merger is likely to harm one of these interests, DoD work closely with the Federal Trade Commission and Department of Justice to take structural or behavioral measures deemed necessary, up to and including blocking the merger.
The attention-grabbing headline from the Department of Justice’s (“DOJ”) annually released statistics on False Claims Act (“FCA”) settlements and judgments is that the government recovered more than $5.6 billion from FCA cases in fiscal year (“FY”) 2021. While this is the second largest annual recovery in FCA history and the largest since 2014, procurement fraud cases represented a substantially smaller percentage of the total recoveries than in years past. Healthcare resolutions dominated, accounting for more than five billion of the $5.6 billion in settlements and judgments. In previous years, healthcare matters have accounted for closer to two-thirds of the total recoveries, making last year’s outsized healthcare figure—driven by the blockbuster opioid settlements of late 2020—an outlier.
Beyond the top-line dollar figures, the report shows that FCA activity continues at a healthy, if not fully robust, pace. The COVID-19 pandemic continues to impact qui tam filings; the number of new whistleblower suits dropped to 598 in FY 2021, a ten-year low. The number of DOJ-initiated matters remains higher than the near-term average, particularly in healthcare, but also in Department of Defense (“DOD”)-related cases. Contractors, healthcare providers, and others—especially those who received federal funding through pandemic aid programs—can anticipate that FCA investigations and resolutions will play out over the next several years.
In response to more than 850 public comments, the Department of Defense (“DOD”) has decided to significantly revamp the Cybersecurity Maturity Model Certification (“CMMC”) program. On November 4, 2021, DOD announced that it was replacing the current CMMC program with CMMC 2.0, which is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”). DOD made three significant changes through the new CMMC 2.0 program:
Reduces the number of CMMC levels. As we explained in earlier posts, CMMC 1.0 originally had five CMMC levels of ascending sophistication. CMMC 2.0 now only has three levels:
CMMC 2.0 Level One: This level will apply to most DIB companies and requires compliance with 17 basic cyber hygiene practices.
CMMC 2.0 Level Two: This level applies to DIB companies who will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171. Notably, DOD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS clause 252.204-7012.
CMMC 2.0 Level Three: DOD is still developing the requirements for this level, but we expect that this level will apply to only the most sensitive and high-risk DOD projects.
On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited, interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under current cybersecurity regulations set out by the National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020; although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.
NIST Self-Assessment Requirements
The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date.
The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.
Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC.
We previously discussed key elements of the newly released interim rule (“the interim rule” or “the rule”) implementing Part B of Section 889 (“Part B”), which prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment. This post provides a more detailed analysis of the scope and application of the rule, as well as five compliance recommendations given the impending August 13th deadline.
Rule Applies to All Contracts Effective August 13, 2020
Part B applies to all solicitations, options, and modifications on or after August 13th, including contracts for commercial items, commercially available off-the-shelf (COTS) items, and contracts at or below both the micro-purchase and simplified acquisition thresholds. Like it did with respect to Part A, GSA intends to issue a Mass Modification requiring contractors to certify compliance with Part B. GSA has also released Q&As and FAQs to assist contractors with Part B implementation. The interim rule acknowledges that Part B will have a broad impact across contractors in a range of industries, including healthcare, education, automotive, aviation, and aerospace. The rule, however, does not apply to federal grant recipients (which are subject to a separate rulemaking).