At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.”  The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well.  Continue reading for our breakdown of key provisions.
Continue Reading DoD’s Long Awaited Rule on CMMC – Plus a New Cybersecurity Assessment Methodology for Contractors to Start Right Now

To further assist the contractor community with the effects of the unprecedented Coronavirus Disease 2019 (COVID-19), the U.S. Department of Defense (DoD) issued on April 8, 2020 a Class Deviation authorizing contracting officers to use a new clause – DFARS 231.205-79, CARES Act Section 3610 Implementation – to address contractor reimbursement under Section 3610 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (Pub. L. 116-136).  Section 3610 allows agencies to reimburse paid leave, including sick leave, that a contractor provides to keep its employees or subcontractors in a ready state, including to protect the life and safety of Government and contractor personnel, during the COVID-19 pandemic.  Paid leave is reimbursable at the contractor’s minimum billing rates under its contracts, and may be allowed for up to an average of 40 hours per week.
Continue Reading DoD Issues Class Deviation to Address Contractor Reimbursement for Paid Leave Required to Maintain a Mission-Ready Workforce During the COVID-19 Outbreak Pursuant to Section 3610 of the CARES Act

On August 2, 2016, the Department of Defense (“DOD”) rolled out new requirements for defense contractors that provide electronic parts and assemblies containing electronic parts. The new rules impose significant risks on DOD contractors.  One clause mandates a specific purchasing hierarchy, with requirements to purchase from the original manufacturer or authorized suppliers thereof when available.  When an original source is not available, contractors are now required essentially to “vouch” for their suppliers, assuming all the risks if a vendor delivers a counterfeit or suspect counterfeit part. Simultaneously, DOD issued a second clause, which requires certain covered contractors in the DOD supply chain to establish and maintain an acceptable electronic part detection and avoidance system. Failure to implement an effective plan may disqualify a vendor from providing products to the DOD. These new rules come very close to imposing a near “strict liability” standard on DOD contractors, asking them to essentially guarantee the supply chain.  Cross your heart and hope to die.
Continue Reading Cross Your Heart and Hope to Die – New DFARS Clauses Target Counterfeit Electronic Parts

The Department of Defense (“DoD”) recently proposed to make specified costs allowable that are associated with discovering and correcting counterfeit or suspect counterfeit electronic parts.  DoD’s proposed rule would amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement the National Defense Authorization Act (“NDAA”) for Fiscal Year 2016.
Continue Reading DoD Proposes Cost Allowability Rule for Correcting Counterfeit Electronic Parts

In response to industry concerns and comments, on December 30, 2015, the Department of Defense issued a new interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules promulgated in August.  Specifically focusing on provision 252.204–7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, under this second interim rule contractors have until December 31, 2017 to implement the security control requirements specified by National Institute of Standards and Technology Special Publication 800-171 (SP 800-171).  As the prior interim rule had no grace period for implementing the new cybersecurity controls, this is a fortunate change for DoD contractors.  This welcome extension, however, is not without conditions.  Contractors, in line with the notification outlined in DoD’s class deviation addressing “multifactor authentication for local and network access,” now have 30 days to inform the DoD Chief Information Officer (CIO) if any of the SP 800–171 security requirements are not implemented at the time of contract award.  Absent that notice, DoD will presume contractors are meeting all of the NIST-established controls.  As the new interim rule describes, this 30-day period will allow DoD the opportunity to monitor progress across its government contractors to identify and address any problems with the implementation of the NIST security controls.
Continue Reading Department of Defense Provides Government Contractors a Grace Period for Compliance with Key Cybersecurity Requirements

On October 29, 2015, DOD renewed the DFARS deviation implemented in February, which prohibits contracting with entities that require employees or subcontractors to sign internal confidentiality agreements or statements that prohibit, or otherwise restrict, such employee or subcontractor from lawfully reporting waste, fraud, or abuse.  Defense contractors should review their policies to ensure they meet the requirements of these new clauses.
Continue Reading Contractors Beware: An Overly Broad Confidentiality Agreement Could Cost You!

Yes. I just asked that.  For many, the response is likely “Yes!  Of course we are!  It’s *&^%$% cybersecurity – it’s complicated!”  To which I would respond “Touché.  It is…but it needn’t be overly complicated.”  So, of course, I set out to find a complicated way to simplify it.  And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes.
Continue Reading Are You Overcomplicating Your Cybersecurity Processes?

When last we left the Department of Defense, it had issued a rather wide-reaching interim DFARS rule addressing cybersecurity practices, data retention, and cloud services purchasing guidance. Now, effective October 2, 2015, before the ink can dry on those nascent rules (comments are due October 26, 2015), the DoD has applied them to all DoD contractors in regulations governing the once-voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) activities (32 C.F.R. Part 236). That’s right, what was once entitled a “voluntary” program is now a mandatory program; just in time for a host of data retention and cyber-reporting requirements!
Continue Reading Have DoD Contractors and Subcontractors Been Drafted? Once Voluntary Defense Industrial Base CS/IA Regulations Now Mandatory and Aligned With New DFARS Cybersecurity Rules

Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents.  The interim rule will apply “to all contractors with covered defense information transiting their information systems,” an estimated 10,000 contractors.  Additionally, in an effort to ensure acquisition uniformity across the Department, the interim rule implements DoD policies and procedures to be used when contracting for or utilizing cloud computing services.  Due to “urgent and compelling reasons,” the rule was issued without an opportunity for public comment.
Continue Reading DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with new DFARS interim rule

If you are a contractor that interacts with both the Department of Defense and “electronic parts,” it is time to grab the caffeinated beverage of your choice, crack open 79 FR 26,092, and begin the bone-tingling read that is sure to keep many supply chain managers up at night. Implementing the requirements found in the National Defense Authorization Acts for FY2012 and FY2013, the DoD’s counterfeit parts rule was finalized and published in the Federal Register on May 6, 2012. Effective immediately, the new series of regulations apply to defense contractors using, relying on, or selling to the DoD an “electronic part,” as that term is now newly defined.  Although it may spoil the ending and break the cardinal rule of reading any thriller, we provide here the “Cliffs Notes” version of the regulations’ lengthy preamble and the key takeaways of the new Rule and its proposed application.
Continue Reading “They’re Here” – What You Need to Know Now About the Chilling New DoD Counterfeit Parts Rule … and its NASA “Spinoff”

Every now and then, the FAR Councils issue a Federal Acquisition Circular (FAC) – an update to the Federal Acquisition Regulation implementing a number of changes. Often these changes are rather pro forma. But occasionally, you get a Circular with many different (and interesting) issues. FAC 2005-67, issued in late-June 2013, with rules becoming effective in June and July 2013, is one such circular. We thought it would be helpful to highlight five of these rules that raise interesting and timely issues, especially where they may signal additional changes yet to come.
Continue Reading Lots of Little Things – FAR Updates from the Federal Acquisition Circular