The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.Continue Reading At Long Last – The FAR CUI Rule is Here!
To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert
On October 15, 2024, the Department of Defense (“DoD”) published the final version of its Cybersecurity Maturity Model Certification (“CMMC”) rule in Title 32 of the Code of Federal Regulations (the “Final Rule”). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking effort under Title 48 will update the Defense Federal Acquisition Regulation (“DFARS”) and trigger requirements for DoD contractors.)Continue Reading Countdown to Compliance: DoD Finalizes the CMMC Program Rule
One forum to raise a protest against the award of a contract is at the agency responsible for the procurement, pursuant to the procedures set forth in Federal Acquisition Regulation (“FAR”) 33.103. The procedures require that a protester submit a protest to the agency that details the legal and factual grounds for the protest; describes the resulting prejudice to the protester; establishes that the protester is an interested party; requests a ruling by the agency; demonstrates timeliness; and includes a request for relief.Continue Reading Government Contractors Beware: The Trap of the Unintended Agency-Level Protest and Timeliness Implications
The proposed rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published in the Federal Register on August 15, 2024 and will have a 60-day comment period (through October 15, 2024).Continue Reading The CMMC Rule To Update the DFARS is Here!
On April 1, 2024, the FAR Council published a new Final Rule that establishes FAR Part 40 – but without any new provisions of substance. This Final Rule becomes effective on May 1, 2024. Subsequently, the FAR Council published a Request for Information (“RFI”) on April 10, 2024. The RFI seeks feedback on the scope and organization of FAR Part 40 and is open for comment until June 10, 2024.Continue Reading Not an April Fools Joke – FAR Part 40 Final Rule Has Been Published
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Office of Management and Budget (“OMB”) released the highly-anticipated Secure Software Development Attestation Form (also known as the “Common Form”) and on March 18, 2024 CISA’s repository for the forms went live.Continue Reading CISA Opens Repository for Submission of Software Security Attestation Forms
To kick off the New Year, Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2023 Recap (including links to all of the resources the team has put out over the past year) and 2024 Forecast (that previews what we expect to see in 2024). This Recap & Forecast covers the following five high-interest topic areas related to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection, 2023 Recap & 2024 Forecast Alert
Welcome back to the Cost Corner, where we provide practical insight into the complex cost and pricing requirements that apply to Government contractors. This is the third article in a multi-part series on the Federal Acquisition Regulation (“FAR”) Cost Principles applicable to contracts with commercial organizations. The first article in the series addressed the criteria for determining the allowability of costs. The second addressed the allocation of direct and indirect costs. This Cost Corner focuses accounting for unallowable costs. The applicable Cost Principle is FAR 31.201-6, Accounting for Unallowable Costs. Among other requirements, FAR 31.201-6 incorporates by reference the practices for accounting for, and presentation of, unallowable costs provided in Cost Accounting Standard (“CAS”) 405, also titled “Accounting for Unallowable Costs.” We will address both the FAR and the CAS requirements.Continue Reading Government Contracts Cost and Pricing: Accounting for Unallowable Costs
Since our last Bid Protest Hub article in November, the Government Accountability Office (“GAO”) has published 37 bid protest decisions, two of which have resulted in decisions sustaining the protester’s challenge. As we enter into the new year, it remains critical for government contractors to understand what issues win at the GAO and why. Below, we cover a few important GAO decisions you should know from December 2023.Continue Reading Bid Protest Hub – December 2023
The Cybersecurity and Infrastructure Security Agency (“CISA”) recently revised its Secure Software Development Attestation Common Form (after receiving over 110 comments on the initial draft), and is seeking additional comments through December 18, 2023. This is an important opportunity for software producers (and others) to provide input that will help shape the future of software supply chain regulations. At a time when the federal government is struggling to harmonize myriad rules on cybersecurity and supply chain, recommendations from industry will be key.Continue Reading Update: CISA Seeks Additional Input from Software Providers on Security Attestation Form