The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.Continue Reading At Long Last – The FAR CUI Rule is Here!
To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert
The proposed rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published in the Federal Register on August 15, 2024 and will have a 60-day comment period (through October 15, 2024).Continue Reading The CMMC Rule To Update the DFARS is Here!
On May 3, 2024, the FAR Council published an advanced notice of proposed rulemaking (the “Advanced Notice”) seeking to implement Section 5949 of the James M. Inohfe National Defense Authorization Act for Fiscal Year 2023 prohibition on procuring certain covered semiconductor products and services. The Congressional prohibition does not go into effect until December 2027, but the FAR Council was directed to promulgate regulations by December 2025. Though this only is an Advanced Notice at this time, the publication provides government contractors with information crucial to developing compliant infrastructures and preparing for the forthcoming rule’s publication. Interested parties are directed to submit written comments in response to the Advanced Notice by July 2, 2024 for consideration in the forthcoming proposed rule – an opportunity all contractors impacted by this prohibition should take advantage of.Continue Reading FAR Council Releases Rulemaking on Prohibitions for Semiconductors
On April 1, 2024, the FAR Council published a new Final Rule that establishes FAR Part 40 – but without any new provisions of substance. This Final Rule becomes effective on May 1, 2024. Subsequently, the FAR Council published a Request for Information (“RFI”) on April 10, 2024. The RFI seeks feedback on the scope and organization of FAR Part 40 and is open for comment until June 10, 2024.Continue Reading Not an April Fools Joke – FAR Part 40 Final Rule Has Been Published
Class Deviation Prohibits DoD from Requiring Contractors to Disclose Emissions
Over the past two years, the FAR Council has been working to develop a rule that would amend the Federal Acquisition Regulation (“FAR”) to require contractors to inventory and report their greenhouse gas (“GHG”) emissions and climate-related financial risk in order to be eligible for Federal awards. (Prior posts are available here and here.)Continue Reading Updates on GHG Emissions Disclosure Requirements
To kick off the New Year, Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2023 Recap (including links to all of the resources the team has put out over the past year) and 2024 Forecast (that previews what we expect to see in 2024). This Recap & Forecast covers the following five high-interest topic areas related to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection, 2023 Recap & 2024 Forecast Alert
On October 3, 2023, the FAR Council released two long-awaited proposed rules for federal contractor cybersecurity stemming from the Biden Administration’s Cybersecurity Executive Order from May 2021 (Executive Order 14028). The proposed rules relate to Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). The comment period for both rules is currently open and is scheduled to close on December 4, 2023.Continue Reading Two New Cybersecurity Proposed Rules Mean Big Changes for Federal Contractors
Last month, we began our three-part series on organizational conflicts of interests (“OCIs”) with an article discussing the different types of OCIs and how they can be mitigated. Now, in Part 2 of our series, we analyze how OCIs arise in bid protests. First, we explain how the Government Accountability Office (“GAO”) and the Court of Federal Claims (“COFC”) review OCI protests. Then, we examine scenarios where OCI protests have been sustained, followed by a synopsis of OCI protest grounds that (almost) always will be denied. Finally, we conclude with a summary of key points to consider when faced with an OCI issue that arises during a bid protest.Continue Reading Organizational Conflicts of Interests – Part 2: OCIs in Bid Protests
You might be wondering, “What’s so important about Organizational Conflicts of Interest (“OCIs”)?” The answer is fairly simple: understanding both what causes OCIs and how to mitigate them are critical because unmitigated OCIs can preclude a contractor from (1) competing for future contract work, (2) performing certain tasks under existing contracts, (3) transferring personnel between company organizations, (4) hiring personnel, (5) teaming with certain vendors, and/or (6) entering into certain corporate transactions. Moreover, undisclosed or unmitigated OCIs can create risk of liability under the False Claims Act. In this Part 1 of a three part series, we offer a summary of what creates OCIs and general mitigation strategies. In Part 2, we will detail how OCIs arise in protests, and in Part 3, we will address the risks of False Claims Act liability arising from undisclosed OCIs.Continue Reading Organizational Conflicts of Interest – Part 1: A Refresher on OCIs
As called for in the May 12, 2021 Cybersecurity Executive Order (“EO”) released by the Biden Administration (discussed here), NIST met its deadline to release a definition of “critical software” within 45 days of the date of the Order. The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain, which will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.
Continue Reading Right on Time – NIST Releases Definition of “Critical Software” Per Biden’s Cybersecurity Executive Order