On November 4, 2021, the Department of Defense (“DOD”) announced several changes to the Cybersecurity Maturity Model Certification (“CMMC”) program – the program that DOD intends to use to enhance the security of the defense industrial base through assessments and third-party cybersecurity certifications.[1] The new version of the program – “CMMC 2.0” – is a result of DOD’s internal review of the CMMC program implemented thus far (“CMMC 1.0”), which began following the release of an interim rule in September 2020, and included review of over 850 public comments. DOD intends to engage in additional rulemaking to refine and finalize CMMC 2.0. Although the overall goal of the program remains focused on safeguarding sensitive unclassified information, CMMC 2.0 includes several important differences from the original program, as discussed in greater detail below.
Continue Reading DOD Updates Its Cybersecurity Certification Program – CMMC 2.0: What Contractors Need to Know
Nikole Snyder
Nikole Snyder is an associate in the Governmental Practice in the firm's Washington, D.C. office. She is a lead associate of the firm’s Government Business Group.
DOJ Announces Civil Cyber-Fraud Initiative To Enforce Contractor Cybersecurity Compliance
On Wednesday, October 6, 2021, the Department of Justice (“DOJ”) announced a new Civil Cyber-Fraud Initiative to enforce cybersecurity standards and reporting requirements. The Initiative will use DOJ’s civil enforcement mechanisms, namely the False Claims Act, to pursue government contractors and federal grant recipients that “knowingly provid[e] deficient cybersecurity products or services, knowingly misrepresent[] their cybersecurity practices or protocols, or knowingly violat[e] obligations to monitor and report cybersecurity incidents and breaches.” DOJ will not limit enforcement to entities; individuals also can be held accountable for cybersecurity-related fraud. Under the False Claims Act, penalties for such violations could be substantial, including treble damages.
Executive Order 14042 Survival Guide
On September 9, 2021, the President issued Executive Order 14042, which applies new rules – including vaccination mandates – to Federal contractors and subcontractors. This rule is different and…
COVID-19 Oversight and Enforcement: President Biden’s COVID Executive Order
On September 9, 2021, President Biden signed an Executive Order (EO) to implement COVID safety protocols for Federal service contractors. While the EO did not identify specific safety protocols, it did direct a Federal task force (the “Safer Federal Workforce Task Force,” created by Executive Order in January 2021) to issue COVID-19-related workplace safety guidance for prime contractors and subcontractors in the near future. Specifically, the Task Force is charged with issuing contractor guidance by September 24, 2021, including definitions of relevant terms, specific workplace safety protocols, and applicable exceptions.
Right on Time – NIST Releases Definition of “Critical Software” Per Biden’s Cybersecurity Executive Order
As called for in the May 12, 2021 Cybersecurity Executive Order (“EO”) released by the Biden Administration (discussed here), NIST met its deadline to release a definition of “critical software” within 45 days of the date of the Order. The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain, which will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.
At a Glance: White House 100-Day Supply Chain Report
In February 2021, President Biden issued Executive Order 14017, “Executive Order on America’s Supply Chains” (discussed here), requiring (among other things) key government agencies to assess vulnerabilities and consider potential improvements to supply chains in four critical industries – (i) semiconductor manufacturing; (ii) high-capacity batteries; (iii) rare earth elements; and (iv) pharmaceuticals – and to report their findings within 100 days.
Biden’s Cybersecurity Executive Order
On May 12, 2021, the Biden Administration issued its much anticipated “Executive Order on Improving the Nation’s Cybersecurity.” Below are provisions we believe will be of most interest to contractors, as well as any company that provides information technology (“IT”) and operational technology (“OT”) services, cloud computing, software, or internet of things (“IoT”) technology, as the new regulations and standards called for in the Order are likely to have an impact beyond government contractors.
Finding the Weak Links – President Biden Executive Order Demands Review of Critical U.S. Supply Chains
On February 24, 2021, President Biden signed Executive Order 14017, “Executive Order on America’s Supply Chains,” requiring a review of global supply chains that support key U.S. industries in an attempt to improve supply chain security for the U.S. government and U.S. companies. The new Executive Order appears to be an initial step focused on information gathering. Comprehensive reforms and supply chain strategies are likely to follow once the White House has collected key information.
Key Provisions You Should Know From FY 2021 NDAA
On January 1, 2021, Congress overrode President Trump’s veto of the Fiscal Year (“FY”) 2021 National Defense Authorization Act (“NDAA”) (the “Act”), Pub. L. No. 116-283. The $740 billion defense…
The NISPOM is Becoming a Regulation & Contractors Have Six Months to Comply
On December 21, 2020, the Department of Defense (“DoD”) published a final rule in the Federal Register that codifies the National Industrial Security Program Operating Manual (“NISPOM”) in the Code of Federal Regulations (“CFR”) at 32 CFR part 117. The rule will become effective on February 24, 2021, giving contractors six months from the effective date to comply with the changes. Comments on the proposed change are due by February 19, 2021.[1]