On March 18, 2022, the Department of Defense (“DOD”) issued its long-awaited Final Rule implementing Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (“NDAA FY 2018”), and formally codifying defense contractors’ rights to post-award enhanced debriefings. Contractors have been bound by a Class Deviation implementing these requirements since March 2018, with DOD only issuing its proposed rule in May 2021. Though the Final Rule largely tracks the proposed rule, it does include several important clarifications, and, of course, directly impacts timeliness rules for filing post-award protests of DOD awards at the Government Accountability Office (“GAO”).
Continue Reading The Impact of DOD’s Enhanced Debriefings Rule on Bid Protest Timeliness

On November 4, 2021, the Department of Defense (“DOD”) announced several changes to the Cybersecurity Maturity Model Certification (“CMMC”) program – the program that DOD intends to use to enhance the security of the defense industrial base through assessments and third-party cybersecurity certifications.[1] The new version of the program – “CMMC 2.0” – is a result of DOD’s internal review of the CMMC program implemented thus far (“CMMC 1.0”), which began following the release of an interim rule in September 2020, and included review of over 850 public comments. DOD intends to engage in additional rulemaking to refine and finalize CMMC 2.0. Although the overall goal of the program remains focused on safeguarding sensitive unclassified information, CMMC 2.0 includes several important differences from the original program, as discussed in greater detail below.

Continue Reading DOD Updates Its Cybersecurity Certification Program – CMMC 2.0: What Contractors Need to Know

On December 21, 2020, the Department of Defense (“DoD”) published a final rule in the Federal Register that codifies the National Industrial Security Program Operating Manual (“NISPOM”) in the Code of Federal Regulations (“CFR”) at 32 CFR part 117. The rule will become effective on February 24, 2021, giving contractors six months from the effective date to comply with the changes. Comments on the proposed change are due by February 19, 2021.[1]
Continue Reading The NISPOM is Becoming a Regulation & Contractors Have Six Months to Comply

At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.”  The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well.  Continue reading for our breakdown of key provisions.
Continue Reading DoD’s Long Awaited Rule on CMMC – Plus a New Cybersecurity Assessment Methodology for Contractors to Start Right Now

On July 14, 2020 the Department of Defense (“DoD”), General Services Administration (“GSA”), and the National Aeronautics and Space Administration (“NASA”) published an Interim Rule amending the Federal Acquisition Regulation (“FAR”) in order to implement Section 889(a)(1)(B) of the FY 2019 National Defense Authorization Act (“NDAA”).[1] The Interim Rule is effective August 13, 2020, and applies to all solicitations issued after (or resulting in contracts that will be awarded after) the effective date. Interested parties have until September 14, 2020 to submit written comments for consideration in the formation of the Final Rule.
Continue Reading Interim Rule Confirms Section 889 Part B Restriction on Contractor Use of Chinese Telecom Will Go Into Effect August 2020

A lot has happened since the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (CMMC) v. 1.0 back in February (see our prior discussion here).  In addition to developments with the CMMC Accreditation Body (“CMMC AB”), DOD has clarified applicability of the program to Commercially available off-the-shelf (“COTS”) providers and the impact of COVID-19 on program implementation.     
Continue Reading DOD CMMC Update – Third Party Auditors Gear Up and COTS Providers Get a Pass

To further assist the contractor community with the effects of the unprecedented Coronavirus Disease 2019 (COVID-19), the U.S. Department of Defense (DoD) issued on April 8, 2020 a Class Deviation authorizing contracting officers to use a new clause – DFARS 231.205-79, CARES Act Section 3610 Implementation – to address contractor reimbursement under Section 3610 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (Pub. L. 116-136).  Section 3610 allows agencies to reimburse paid leave, including sick leave, that a contractor provides to keep its employees or subcontractors in a ready state, including to protect the life and safety of Government and contractor personnel, during the COVID-19 pandemic.  Paid leave is reimbursable at the contractor’s minimum billing rates under its contracts, and may be allowed for up to an average of 40 hours per week.
Continue Reading DoD Issues Class Deviation to Address Contractor Reimbursement for Paid Leave Required to Maintain a Mission-Ready Workforce During the COVID-19 Outbreak Pursuant to Section 3610 of the CARES Act

On January 30, 2020, the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year.  
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

At the end of 2019, the Department of Defense (“DoD”) took another step to limit the potential cyber risks posed by telecommunications equipment manufactured by Chinese companies (and potentially Russian
Continue Reading DoD’s Squeeze of Chinese Telecom Equipment Continues