Preliminary Takeaways as DoD Seeks to Redesign the Defense Acquisition System for Wartime Speed

Oliver E. Jury

During a speech before key players in the defense industrial base on Friday, November 7, Secretary Hegseth announced plans for a sweeping transformation of the Defense Acquisition System, redesignating it as the Warfighting Acquisition System (“WAS”) and elevating speed-to-field as the organizing principle. The reforms would concentrate authority, expand competition and modularity, adopt commercial-first pathways, modernize contracting and training, and streamline oversight—all aimed at accelerating capability delivery and scaling industrial capacity for surge. While much will depend on how these announced changes are implemented, in this post we highlight key aspects of the changes and identify potential impacts to monitor. Secretary Hegseth’s full recorded remarks are available on C-SPAN’s website.

Redesignation and Organizing Principle

Acquisition is to be treated as a warfighting function, with every process required to justify its value to timely capability delivery. The WAS will reframe success around time-to-capability rather than exhaustive specification compliance.

Potential impact: Companies should expect solicitations and evaluations to prioritize schedule credibility and operational outcomes, reshaping win strategies toward demonstrable speed and adaptability.

This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

Michael Joseph Montalbano

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or controlled unclassified information (“CUI”) will be assigned a CMMC level. Solicitations involving just FCI will have a CMMC Level 1 requirement. Solicitations involving non-Defense CUI will have a CUI Level 2 Self-Attestation requirement. Solicitations involving Defense CUI will have a CUI Level 2 third-party certification (i.e., C3PAO) requirement. Solicitations involving particularly sensitive DOD programs will have a Level 3 requirement. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).

All-Points Bulletin for Defense Contractors: If You’re 15% Behind Schedule or 15% Over Budget, You Need a Strategy

Dominique L. Casimir

On April 9, 2025, President Trump signed an Executive Order (“EO”) titled Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base. This EO seeks to overhaul many aspects of defense acquisition in order to enhance military capabilities and streamline the Department of Defense’s (“DOD”) procurement processes. While every presidential administration seeks to streamline and facilitate defense procurement, this EO contains noteworthy approaches that defense contractors should be aware of. For instance, the EO suggests that the government has an appetite for “risk” when it comes to DOD procurements: “We will also modernize the duties and composition of the defense acquisition workforce, as well as incentivize and reward risk-taking and innovation from these personnel.”

Other Transactions: A Flexible and Efficient Acquisition Tool for the Department of Defense

Scott Arnold and Samarth Barot 

On March 6, 2025, the Defense Secretary released a memorandum directing the Department of Defense (“DoD”) to adopt the Software Acquisition Pathway (“SWP”) to speed up the development, procurement, and delivery of software needed for weapons and business systems. Specifically, the memorandum directed DoD to use Commercial Solutions Openings and Other Transactions (“OTs”) as the default solicitation and award approaches for acquiring capabilities under the SWP. As a result, we are likely to see an expansion in DoD’s use of OTs. Thus, contractors should be aware of the rules and regulations regarding OTs.

Background

While OTs have been in the news a lot these days, they are not a new concept. OTs date back to 1958, when Congress granted the National Aeronautics and Space Administration (“NASA”) the authority to enter into transactions other than contracts, grants, or cooperative agreements in order to foster innovation and speed in the space race.

What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

Michael Joseph Montalbano 

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.

The Department of Defense Clarifies FedRAMP Equivalency Standard

Michael Joseph Montalbano 

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet the security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This begs the question, what is equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.

Understanding the Basics of CMMC Level 1


Michael Joseph Montalbano 

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS, DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano 

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

  • Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.

The Department of Defense Releases Proposed CMMC Rule

Michael Joseph Montalbano 

The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

  • Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advanced level).
  • Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Senate Majority Leader Schumer Proposes Section 889 Expansion

Robyn N. Burrows and Merle M. DeLancey, Jr. 

On October 18, 2022, Senate Majority Leader Chuck Schumer (D-NY) issued a press release signaling a potentially significant expansion of Section 889 through a proposed amendment to the 2023 National Defense Authorization Act (“NDAA”). Schumer’s proposal is aimed at extending the telecommunications supply chain prohibitions in Section 889 to the semiconductor manufacturing industry.

Section 889 currently prohibits contractors from providing to the federal government, or using, any products or services that incorporate “covered telecommunications equipment or services” from five Chinese telecom companies and their affiliates and subsidiaries: (1) Huawei Technologies Company, (2) ZTE Corporation, (3) Hytera Communications Corporation, (4) Hangzhou Hikvision Digital Technology Company, and (5) Dahua Technology Company.

Schumer’s 2023 NDAA amendment would expand Section 889 by banning semiconductor products like microchips from the following three Chinese entities: (1) Semiconductor Manufacturing International Corporation (“SMIC”), (2) ChangXin Memory Technologies (“CXMT”), and (3) Yangtze Memory Technologies Corp. (“YMTC”). Schumer noted that these companies have known links to the Chinese state security and intelligence apparatuses. The amendment is aimed at filling a gap in federal procurement restrictions that currently do not include semiconductor technology and services, creating a vulnerability for cyberattacks and data privacy. The amendment would not take effect until three years after the NDAA’s enactment, or until 2025.

Although we do not yet know whether Schumer’s amendment will be incorporated into the final NDAA bill, contractors should nevertheless begin evaluating their supply chains to identify any semiconductor products from any of the three named Chinese manufacturers. Schumer’s amendment signals a continually expansive interpretation and enforcement of Section 889, which may be reflected in the final rulemaking for Section 889. The current FAR docket anticipates a final rule in December 2022, although these deadlines continue to be moving targets.
