To kick off the New Year, Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2023 Recap (including links to all of the resources the team has put out over the past year) and 2024 Forecast (that previews what we expect to see in 2024). This Recap & Forecast covers the following five high-interest topic areas related to cybersecurity and data protection:
Continue Reading Governmental Practice Cybersecurity and Data Protection, 2023 Recap & 2024 Forecast Alert

On October 3, 2023, the FAR Council released two long-awaited proposed rules for federal contractor cybersecurity stemming from the Biden Administration’s Cybersecurity Executive Order from May 2021 (Executive Order 14028). The proposed rules relate to Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). The comment period for both rules is currently open and is scheduled to close on December 4, 2023.
Continue Reading Two New Cybersecurity Proposed Rules Mean Big Changes for Federal Contractors

Last month, we began our three-part series on organizational conflicts of interests (“OCIs”) with an article discussing the different types of OCIs and how they can be mitigated. Now, in Part 2 of our series, we analyze how OCIs arise in bid protests. First, we explain how the Government Accountability Office (“GAO”) and the Court of Federal Claims (“COFC”) review OCI protests. Then, we examine scenarios where OCI protests have been sustained, followed by a synopsis of OCI protest grounds that (almost) always will be denied. Finally, we conclude with a summary of key points to consider when faced with an OCI issue that arises during a bid protest.
Continue Reading Organizational Conflicts of Interests – Part 2: OCIs in Bid Protests

You might be wondering, “What’s so important about Organizational Conflicts of Interest (“OCIs”)?” The answer is fairly simple: understanding both what causes OCIs and how to mitigate them is critical because unmitigated OCIs can preclude a contractor from (1) competing for future contract work, (2) performing certain tasks under existing contracts, (3) transferring personnel between company organizations, (4) hiring personnel, (5) teaming with certain vendors, and/or (6) entering into certain corporate transactions. Moreover, undisclosed or unmitigated OCIs can create risk of liability under the False Claims Act. In this Part 1 of a three-part series, we offer a summary of what creates OCIs and general mitigation strategies. In Part 2, we will detail how OCIs arise in protests, and in Part 3, we will address the risks of False Claims Act liability arising from undisclosed OCIs.
Continue Reading Organizational Conflicts of Interest – Part 1: A Refresher on OCIs

As called for in the May 12, 2021 Cybersecurity Executive Order (“EO”) released by the Biden Administration (discussed here), NIST met its deadline to release a definition of “critical software” within 45 days of the date of the Order. The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain, which will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.
Continue Reading Right on Time – NIST Releases Definition of “Critical Software” Per Biden’s Cybersecurity Executive Order

On July 14, 2020 the Department of Defense (“DoD”), General Services Administration (“GSA”), and the National Aeronautics and Space Administration (“NASA”) published an Interim Rule amending the Federal Acquisition Regulation (“FAR”) in order to implement Section 889(a)(1)(B) of the FY 2019 National Defense Authorization Act (“NDAA”).[1] The Interim Rule is effective August 13, 2020, and applies to all solicitations issued after (or resulting in contracts that will be awarded after) the effective date. Interested parties have until September 14, 2020 to submit written comments for consideration in the formation of the Final Rule.
Continue Reading Interim Rule Confirms Section 889 Part B Restriction on Contractor Use of Chinese Telecom Will Go Into Effect August 2020

A lot has happened since the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (CMMC) v. 1.0 back in February (see our prior discussion here). In addition to developments with the CMMC Accreditation Body (“CMMC AB”), DOD has clarified applicability of the program to commercially available off-the-shelf (“COTS”) providers and the impact of COVID-19 on program implementation.
Continue Reading DOD CMMC Update – Third Party Auditors Gear Up and COTS Providers Get a Pass

On January 30, 2020, the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year.
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

On January 7, 2020, the National Aeronautics and Space Administration (“NASA”) published a proposed rule seeking to amend the NASA Federal Regulation Supplement regarding counterfeit electronic parts. The proposed rule
Continue Reading Let the Seller Beware – NASA’s Proposed Rule Seeks to Limit the Presence of Counterfeit Electronic Parts

As you probably know, we have been following very closely developments relating to Section 889 of the 2019 National Defense Authorization Act (NDAA), which prohibits executive agencies from purchasing restricted
Continue Reading The True Impact of the Chinese Telecom Ban on Government Contractors

On September 9, 2019, the U.S. General Services Administration (“GSA”) announced it would be issuing a mass modification (expected sometime this month)[1] requiring all new and existing GSA Multiple Award Schedule (“MAS”) contracts include two new clauses. The new clauses come in response to Section 889 of the FY2019 National Defense Authorization Act (“NDAA”), and recently implemented FAR provisions, which impose prohibitions relating to the procurement of certain Chinese telecommunications equipment and services (which we have previously discussed here and here). The two clauses to be added to all MAS contracts are:

  • FAR 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (Aug 2019)
  • GSAR 552.204-70, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment (Aug 2019)

Continue Reading GSA Implements Restrictions on Certain Chinese-Made Telecommunications Services and Equipment