On November 30, 2023, the Inspector General of the Department of Defense (“DoD IG”) released a Special Report: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks (the “Report”). Between 2018 and 2023, the DoD IG reports it conducted five audits related to DoD contractors’ protection of Controlled Unclassified Information (“CUI”), in accordance with the cybersecurity requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. Additionally, the Report states that since 2022, the DoD IG has provided support/assessments for five investigations under the Department of Justice’s (“DOJ”) Civil Cyber Fraud Initiative (“CCFI”).[1]
Continue Reading DoD IG Report Provides Insight Into Common Missteps When Protecting CUI

Welcome back to the Cost Corner, where we provide practical insight into the complex cost and pricing requirements that apply to Government Contractors. We just completed two articles on the Truth in Negotiations Act (TINA) [1] and, before that, two articles on Defense Contract Audit Agency (DCAA) audits. This issue of the Cost Corner concludes our coverage of TINA by addressing DCAA Truth in Negotiations (TIN) compliance audits (defective pricing audits) and identifying best practices for contractors to mitigate defective pricing risk.
Continue Reading Government Contracts Cost and Pricing: The Truth in Negotiations Act, or Whatever the Kids Are Calling It These Days (Part 3)

Welcome back to the Cost Corner, where we provide practical insight into the complex cost and pricing compliance issues facing Government contractors. This is the second installment of a two-part article on Defense Contract Audit Agency (DCAA) audits. DCAA’s mission is to conduct contract audits and to provide accounting and financial advisory services to all Department of Defense (DoD) components responsible for procurement and contract administration. Part 1 of this article provided an overview of DCAA’s mission, organization, and audit rights, as well as the types of audits conducted by DCAA. Part 2 focuses on DCAA’s standard audit procedures across audit types and identifies best practices for contractors dealing with DCAA audits.
Continue Reading Government Contracts Cost and Pricing – DCAA Audits (Part 2)

Summer is here and we’re back with another edition of the Cost Corner, where we provide practical insight into the complex cost and pricing requirements that apply to Government contractors. We just completed a two-part series on the Truthful Cost or Pricing Data Statute, commonly known as the Truth in Negotiations Act (TINA).[1] We will return to TINA in a few months to address the Defense Contract Audit Agency’s (DCAA) playbook for defective pricing audits. But first, we embark on a two-part series regarding DCAA audits generally. Part 1 (this article) provides an overview of DCAA’s mission, organization, audit guidance, and audit rights. We also address the types of audits DCAA conducts and recent DCAA audit statistics. Part 2 (our next article) will focus on DCAA’s audit guidance, audit procedures, and best practices for contractors dealing with DCAA audits.
Continue Reading The Cost Corner: Government Contracts Cost and Pricing – DCAA Audits

On July 30, 2021, the Special Inspector General for Pandemic Recovery (“SIGPR”), Brian D. Miller, submitted his quarterly report to Congress. SIGPR was created as an independent watchdog of the Department of the Treasury under the CARES Act. It is tasked with investigating fraud and abuse of federal stimulus funds in response to COVID-19, and works in collaboration with law enforcement and U.S. Attorney’s Offices throughout the country. These investigative efforts have resulted in civil and criminal enforcement actions against recipients of federal funding throughout the country, and such enforcement action investigations are sure to continue. The quarterly report showed that the federal government has been active in investigating fraud and abuse related to stimulus funds, and its call for additional funding signals an increase in future enforcement against recipients of federal stimulus funds.
Continue Reading The Special Inspector General for Pandemic Recovery Calls For Increased Funding and Expanded Jurisdiction In Its Quarterly Report To Congress

At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well. Continue reading for our breakdown of key provisions.
Continue Reading DoD’s Long Awaited Rule on CMMC – Plus a New Cybersecurity Assessment Methodology for Contractors to Start Right Now

A lot has happened since the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (CMMC) v. 1.0 back in February (see our prior discussion here). In addition to developments with the CMMC Accreditation Body (“CMMC AB”), DOD has clarified applicability of the program to Commercially available off-the-shelf (“COTS”) providers and the impact of COVID-19 on program implementation.
Continue Reading DOD CMMC Update – Third Party Auditors Gear Up and COTS Providers Get a Pass

On January 30, 2020, the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year.
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

The Government remains intensely focused on how best to protect its Controlled Unclassified Information (CUI) once it is released to contractors. In a shift from its initial approach of “we will take the contractor’s word for it,” the Department of Defense (DoD) announced in June 2019 it is in the process of developing a new cybersecurity certification program for its contractors, which will involve using third party auditors to validate contractor compliance with required security controls. In addition, on June 19, 2019, the National Institute of Standards and Technology (NIST) released two new highly-anticipated draft special publications – NIST SP 800-171, Rev 2 and NIST SP 800-171B – with a tight turnaround time for comments by July 19, 2019.
Continue Reading Cyber Update: DoD Contractor Cybersecurity Certification and 33 New Enhanced Controls to Combat the Advanced Persistent Threat

The April issue of National Defense Magazine brought a well-written article by Susan Cassidy and her colleagues at Covington & Burling LLP on a recent DOD IG report analyzing (and criticizing) spare aviation parts pricing, even though the report concluded that the contractor in question had complied with the Truthful Cost or Pricing Data Act. The article addresses the IG’s concept of a fair profit – which is abjectly divorced from reality – and it notes that the GAO has been conducting a study of spare parts purchasing with a promise of recommendations to improve transparency in this area. I commend the article to anyone who operates in the spares market and wants to know where the Government is heading in relation to spares pricing.

With the IG and the GAO injecting themselves – yet again – into the spare parts market and decrying the rapacious contractors who dare to sell at prices that the Government regards as outrageous (after all, why in the world would anyone think that a profit rate in excess of 15% on a firm fixed price contract was reasonable?) it seems like a good time to revisit the reasons why the Government’s periodic complaints about spare parts pricing are generally myopic and wrong. And so, because no criticism of Government contractors ever goes away forever, I offer for your consumption a refresher: the re-publication of a posting that I authored in November 2014, entitled “‘How Dare You Charge That for a Spare Part!’ – The Untold Story of the X27 Interface Assembly” –
Continue Reading Resurrecting the Spare Parts Bogeyman – A Refresher on Why the Government Gets It Wrong

Reprinted from The Government Contractor, with permission of Thomson Reuters. Copyright © 2017. Further use without the permission of West is prohibited. For further information about this publication, please visit http://legalsolutions.thomsonreuters.com, or call 800.328.9352.

The Department of Defense final rule for safeguarding covered defense information requires contractors to implement the security controls in National Institute of Standards and Technology Special Publication 800-171 by December 31. See 81 Fed. Reg. 72986; Chierichella, Bourne and Biancuzzo, Feature Comment, “Achieving Cyber-Fitness In 2017: Part 1—Planning For Compliance,” 59 GC ¶ 25. In enacting the final rule, the drafters created “[n]o new oversight paradigm” or certification requirement. 81 Fed. Reg. 72990. More recently, in response to questions from industry on compliance with NIST SP 800-171, DOD stated,

The rule does not require “certification” of any kind, either by DoD or any other firm professing to provide compliance, assessment, or certification services for DoD or Federal contractors. Nor will DoD give any credence to 3rd party assessments or certifications—by signing the contract, the contractor agrees to comply with the terms of the contract. It is up to the contractor to determine that their systems meet the requirements.

Some companies with limited cybersecurity expertise may choose to seek outside assistance in determining how best to meet and implement the NIST SP 800-171 requirements in their company. But, once the company has implemented the requirements, there is no need to have a separate entity assess or certify that the company is compliant with NIST SP 800-171.
Continue Reading Achieving Cyber-Fitness in 2017: Part 3—Proving Compliance and the Role of Third-Party Auditors