Effective August 25, 2022, the U.S. Department of Defense (“DoD”) has issued two new changes to the Defense Federal Acquisition Regulation Supplement (“DFARS”) reinforcing national defense priorities that limit DoDContinue Reading In the Interest of National Security – Two New DFARS Rules Reinforce Increased Scrutiny For Chinese-Origin Supply Chains
On March 18, 2022, the Department of Defense (“DOD”) issued its long-awaited Final Rule implementing Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (“NDAA FY 2018”), and formally codifying defense contractors’ rights to post-award enhanced debriefings. Contractors have been bound by a Class Deviation implementing these requirements since March 2018, with DOD only issuing its proposed rule in May 2021. Though the Final Rule largely tracks the proposed rule, it does include several important clarifications, and, of course, directly impacts timeliness rules for filing post-award protests of DOD awards at the Government Accountability Office (“GAO”).
Continue Reading The Impact of DOD’s Enhanced Debriefings Rule on Bid Protest Timeliness
At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well. Continue reading for our breakdown of key provisions.
Continue Reading DoD’s Long Awaited Rule on CMMC – Plus a New Cybersecurity Assessment Methodology for Contractors to Start Right Now
To further assist the contractor community with the effects of the unprecedented Coronavirus Disease 2019 (COVID-19), the U.S. Department of Defense (DoD) issued on April 8, 2020 a Class Deviation authorizing contracting officers to use a new clause – DFARS 231.205-79, CARES Act Section 3610 Implementation – to address contractor reimbursement under Section 3610 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (Pub. L. 116-136). Section 3610 allows agencies to reimburse paid leave, including sick leave, that a contractor provides to keep its employees or subcontractors in a ready state, including to protect the life and safety of Government and contractor personnel, during the COVID-19 pandemic. Paid leave is reimbursable at the contractor’s minimum billing rates under its contracts, and may be allowed for up to an average of 40 hours per week. …
Continue Reading DoD Issues Class Deviation to Address Contractor Reimbursement for Paid Leave Required to Maintain a Mission-Ready Workforce During the COVID-19 Outbreak Pursuant to Section 3610 of the CARES Act
On August 2, 2016, the Department of Defense (“DOD”) rolled out new requirements for defense contractors that provide electronic parts and assemblies containing electronic parts. The new rules impose significant risks on DOD contractors. One clause mandates a specific purchasing hierarchy, with requirements to purchase from the original manufacturer or authorized suppliers thereof when available. When an original source is not available, contractors are now required essentially to “vouch” for their suppliers, assuming all the risks if a vendor delivers a counterfeit or suspect counterfeit part. Simultaneously, DOD issued a second clause, which requires certain covered contractors in the DOD supply chain to establish and maintain an acceptable electronic part detection and avoidance system. Failure to implement an effective plan may disqualify a vendor from providing products to the DOD. These new rules come very close to imposing a near “strict liability” standard on DOD contractors, asking them to essentially guarantee the supply chain. Cross your heart and hope to die.
Continue Reading Cross Your Heart and Hope to Die – New DFARS Clauses Target Counterfeit Electronic Parts
The Department of Defense (“DoD”) recently proposed to make specified costs allowable that are associated with discovering and correcting counterfeit or suspect counterfeit electronic parts. DoD’s proposed rule would amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement the National Defense Authorization Act (“NDAA”) for Fiscal Year 2016.
Continue Reading DoD Proposes Cost Allowability Rule for Correcting Counterfeit Electronic Parts
In response to industry concerns and comments, on December 30, 2015, the Department of Defense issued a new interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules promulgated in August. Specifically focusing on provision 252.204–7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, under this second interim rule contractors have until December 31, 2017 to implement the security control requirements specified by National Institute of Standards and Technology Special Publication 800-171 (SP 800-171). As the prior interim rule had no grace period for implementing the new cybersecurity controls, this a fortunate change for DoD contractors. This welcome extension, however, is not without conditions. Contractors, in line with the notification outlined in DoD’s class deviation addressing “multifactor authentication for local and network access,” now have 30 days to inform the DoD Chief Information Officer (CIO) if any of the SP 800–171 security requirements are not implemented at the time of contract award. Absent that notice, DoD will presume contractors are meeting all of the NIST-established controls. As the new interim rule describes, this 30-day period will allow DoD the opportunity to monitor progress across its government contractors to identify and address any problems with the implementation of the NIST security controls.
Continue Reading Department of Defense Provides Government Contractors a Grace Period for Compliance with Key Cybersecurity Requirements
On October 29, 2015, DOD renewed the DFARS deviation implemented in February, which prohibits contracting with entities that require employees or subcontractors to sign internal confidentiality agreements or statements that prohibit, or otherwise restrict, such employee or subcontractor from lawfully reporting waste, fraud, or abuse. Defense contractors should review their policies to ensure they meet the requirements of these new clauses.
Continue Reading Contractors Beware: An Overly Broad Confidentiality Agreement Could Cost You!
Yes. I just asked that. For many, the response is likely “Yes! Of course we are! It’s *&^%$% cybersecurity – it’s complicated!” To which I would respond “Touché. It is…but it needn’t be overly complicated.” So, of course, I set out to find a complicated way to simplify it. And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes. …
Continue Reading Are You Overcomplicating Your Cybersecurity Processes?
When last we left the Department of Defense, it had issued a rather wide-reaching interim DFARS rule addressing cybersecurity practices, data retention, and cloud services purchasing guidance. Now, effective October 2, 2015, before the ink can dry on those nascent rules (comments are due October 26, 2015), the DoD has applied them to all DoD contractors in regulations governing the once-voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) activities (32 C.F.R. Part 236). That’s right, what was once entitled a “voluntary” program is now a mandatory program; just in time for a host of data retention and cyber-reporting requirements!
Continue Reading Have DoD Contractors and Subcontractors Been Drafted? Once Voluntary Defense Industrial Base CS/IA Regulations Now Mandatory and Aligned With New DFARS Cybersecurity Rules
Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents. The interim rule will apply “to all contractors with covered defense information transiting their information systems,” an estimated 10,000 contractors. Additionally, in an effort to ensure acquisition uniformity across the Department, the interim rule implements DoD policies and procedures to be used when contracting for or utilizing cloud computing services. Due to “urgent and compelling reasons,” the rule was issued without an opportunity for public comment.
Continue Reading DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with new DFARS interim rule