Understanding the Basics of CMMC Level 1


Michael Joseph Montalbano 

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.


The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano 

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

  • Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.

The Department of Defense Releases Proposed CMMC Rule

Michael Joseph Montalbano 

The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

  • Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advanced level).
  • Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Senate Majority Leader Schumer Proposes Section 889 Expansion

Robyn N. Burrows and Merle M. DeLancey, Jr. 

On October 18, 2022, Senate Majority Leader Chuck Schumer (D-NY) issued a press release signaling a potentially significant expansion of Section 889 through a proposed amendment to the 2023 National Defense Authorization Act (“NDAA”). Schumer’s proposal is aimed at extending the telecommunications supply chain prohibitions in Section 889 to the semiconductor manufacturing industry.

Section 889 currently prohibits contractors from providing to the federal government, or using, any products or services that incorporate “covered telecommunications equipment or services” from five Chinese telecom companies and their affiliates and subsidiaries: (1) Huawei Technologies Company, (2) ZTE Corporation, (3) Hytera Communications Corporation, (4) Hangzhou Hikvision Digital Technology Company, and (5) Dahua Technology Company.

Schumer’s 2023 NDAA amendment would expand Section 889 by banning semiconductor products like microchips from the following three Chinese entities: (1) Semiconductor Manufacturing International Corporation (“SMIC”), (2) ChangXin Memory Technologies (“CXMT”), and (3) Yangtze Memory Technologies Corp. (“YMTC”). Schumer noted that these companies have known links to the Chinese state security and intelligence apparatuses. The amendment is aimed at filling a gap in federal procurement restrictions, which currently do not include semiconductor technology and services, creating a vulnerability to cyberattacks and a risk to data privacy. The amendment would not take effect until three years after the NDAA’s enactment, or until 2025.

Although we do not yet know whether Schumer’s amendment will be incorporated into the final NDAA bill, contractors should nevertheless begin evaluating their supply chains to identify any semiconductor products from any of the three named Chinese manufacturers. Schumer’s amendment signals a continually expansive interpretation and enforcement of Section 889, which may be reflected in the final rulemaking for Section 889. The current FAR docket anticipates a final rule in December 2022, although these deadlines continue to be moving targets.

DoD Section 889 Telecommunications Prohibition Waiver Expires

Merle M. DeLancey Jr. 

Effective October 1, 2022, Department of Defense (“DoD”) contractors must comply with Part B of Section 889 of the FY 2019 National Defense Authorization Act (“NDAA”). The approximately two-year-long Part B waiver granted to the Director of National Intelligence expired October 1. DoD contractors cannot seek a DoD agency-level waiver as DoD cannot grant waivers under the statute. Thus, as with other agencies, DoD is prohibited from entering into, extending, or renewing contracts with contractors who use covered telecommunications or video surveillance equipment and services from certain Chinese companies in any part of their business.

Compliance with Part A of Section 889 was straightforward. Part A prohibited contractors from selling covered technology to federal agencies. Comparatively, compliance with Part B is much more complicated. Part B requires a contractor to certify that it does not use “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The prohibition applies to all contracts at any dollar value. “Covered telecommunications equipment or services” is defined as equipment, services and/or video surveillance products from Huawei Technologies Company, Hangzhou Hikvision Digital Technology Company, Hytera Communications Company, Dahua Technology Company, ZTE Corporation, or any entity controlled by the People’s Republic of China.

For more information regarding Part B compliance, see our prior posts For Part B of Section 889, Is Compliance by August 13, 2020, Realistic? and Five Steps to Take to Prepare for Part B of the Section 889 Ban.

Accreditation Body Releases CMMC Assessment Guidance

Michael Joseph Montalbano 

In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).

The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.


DoD Offers Guidance for Contractors on Inflation and Economic Price Adjustment Clauses

Amanda C. DeLaPerriere 

On May 25, 2022, the Department of Defense (“DoD”) issued a memorandum recognizing that contractors are not immune from the “period of unusually high” inflation. The memorandum, titled “Guidance on Inflation and Economic Price Adjustments,” provides guidelines on when relief from cost increases due to inflation is appropriate and provides considerations for the proper use of economic price adjustment (“EPA”) clauses when entering into new contracts.

For existing DoD contracts, whether contractors can get relief from inflation depends on the type of contract.


NISPOM Creates New Requirements for Senior Management Officials

Michael Joseph Montalbano

In February 2021, the Department of Defense (“DoD”) promulgated 32 C.F.R. Part 117. This move converted the National Industrial Security Program Operating Manual (“NISPOM”)—the rules that govern personnel and facility security clearances—from DoD policy into federal law. The move originally garnered little attention because the new regulations include virtually all requirements that were in the prior NISPOM. DoD, however, embedded new requirements with potentially significant implications for cleared contractors and their senior management officials (“SMO”). And the Defense Counterintelligence and Security Agency (“DCSA”) is now signaling that it will hold SMOs accountable if they fail to meet these requirements.

A cleared contractor’s SMO is the person “with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.” § 117.3(b). Typically, the SMO is the individual who holds the top position at a company, such as a chief executive officer or majority owner. Prior to the promulgation of Part 117, the SMO had discretion to delegate responsibility over the contractor’s industrial security program to another employee. Section 117.7(b)(2) of the new NISPOM regulations has put an end to that practice.


DoD’s Final Rule on Enhanced Post-Award Debriefings Provides Offerors Clarity on Automatic Stay Deadlines and Access to Agency’s Redacted Source Selection Decisions

Robyn N. Burrows and Luke W. Meier


The Department of Defense (“DoD”) recently issued its final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to provide offerors enhanced post-award debriefing rights. DoD has provided these enhanced debriefing procedures since 2018 through a FAR Class Deviation, allowing offerors to submit additional questions after receiving the post-award debriefing. Four years later, DoD’s final rule clarifies when the clock for an automatic stay begins in an enhanced debriefing and provides greater transparency by allowing unsuccessful offerors in certain procurements access to the agency’s redacted source selection decision.

We highlight below several key elements of the final rule:

Access to Redacted Source Selection Decision Document

The final rule requires DoD to provide the source selection decision document in certain circumstances, redacted to remove confidential and proprietary information of other offerors. For awards over $100 million, DoD must automatically provide the source selection decision during the debriefing. Small businesses and nontraditional defense contractors on procurements resulting in awards over $10 million and up to $100 million are also entitled to a copy of the decision but must specifically request it—the agency will not automatically provide it to offerors.


Report on the State of Competition within the Defense Industrial Base

Brian S. Gocial, Sara N. Gerber, and Tjasse L. Fritz

As the federal government prepares to roll out infrastructure grants and contracts in amounts not seen since the New Deal and the defense industrial base (“DIB”) gears up to support billions in new spending to support Ukraine, a new Department of Defense (“DoD”) report raises serious concerns about the state of competition within the DIB. The report, recently released by the Office of the Under Secretary of Defense for Acquisition and Sustainment, analyzes the state of competition within the DIB and concludes that it can be summarized in one word: poor. The report discusses the causes for the lack of competition and makes recommendations for improving the solicitation process to increase competition, inspire innovation, reduce prices, and improve quality.

Consolidation

Foremost among the causes for the lack of competition identified by the report is consolidation of the DIB. Of 51 aerospace and defense prime contractors in the 1990s, only five exist today. Although the report failed to find significant correlation between this consolidation and increased pricing, the consolidation raises additional concerns for DoD, such as national security, mission risk, and strategic technology innovation. The report notes that “having only a single source or a small number of sources for a defense need can pose mission risk and, particularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation, pose significant national security risks.” The report recommends that when a merger is likely to harm one of these interests, DoD work closely with the Federal Trade Commission and Department of Justice to take structural or behavioral measures deemed necessary, up to and including blocking the merger.
