In response to widespread interest in allowing more small business participation in opportunities involving cloud computing, the Small Business Administration (“SBA”) has decided to exclude cloud computing from the limitation
Continue Reading Small Business Subcontracting for Cloud Computing Gets Easier

The United States District Court for the Eastern District of Pennsylvania recently issued a decision unsealing a False Claims Act case over the objections of the government, the relator and the defendant.[1] In United States ex rel. Brasher v. Pentec Health, Inc., No. 13-05745, 2018 WL 5003474 (E.D. Pa. Oct. 16, 2018), a case initially filed five years ago, the government filed a motion to continue the seal – which happened to be its eleventh such motion – arguing that additional time was necessary, in part, to finalize its decision whether to intervene in the action, as well as to pursue settlement options. The Court disagreed.
Continue Reading District Court Determines that the Eleventh Time is NOT the Charm

After nearly four years of planning and comments, DoD, GSA, and NASA issued a final rule today amending the Federal Acquisition Regulation (“FAR”) with a new Subpart 4.19 and a new contract clause 52.204-21 addressing the basic safeguarding of contractor information systems.  Applicable to all acquisitions, including commercial items other than commercial off-the-shelf items (“COTS”), the Final Rule applies to any contractor information system that may contain “Federal contract information,” meaning “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”  See FAR 4.1901.  The term expressly excludes information provided by the Government to the public (e.g., on public-facing web sites) or simple transactional information, “such as that necessary to process payments.”
Continue Reading It’s Arrived! FAR Final Rule Addressing “Basic Safeguarding of Contractor Information Systems”

“If our country is to successfully defend our right to live the American way, it needs every one of you, and requires you in the best possible condition. Any [company] who willfully, or through neglect fails to maintain [their systems] in this condition is a ‘shirker’ who is throwing an extra burden on his comrades by requiring them to do his work as well as their own.”

It’s kind of apropos how easily you can adapt this introduction to a 1940s War Department venereal disease training film into a lesson addressing the 21st Century problems of cyberattacks and malware.  After all, certain computer attacks are called “viruses” for a reason, businesses often find themselves in a virtual “war” with hackers and nation states on digital shores all around the world, and, perhaps most telling, the sordid details of both are things we really don’t like to discuss in “open and polite society.”  (I’ll stop there so as not to offend, but the list can go on.)  So it comes as no surprise that it is the Department of Defense that is pulling back the curtain to openly address cyber-hygiene and, with the recent update and “open release” of the DoD Cybersecurity Discipline Implementation Plan, providing federal contractors and commercial companies alike with insight into the computer security prophylactics the Department is directing its units to use.
Continue Reading DoD Reveals its Cybersecurity Discipline Implementation Plan (or How 1940s War Department VD Training Can Help Your 21st Century Cyber Hygiene)

In response to industry concerns and comments, on December 30, 2015, the Department of Defense issued a new interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules promulgated in August.  Specifically focusing on provision 252.204–7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, under this second interim rule contractors have until December 31, 2017 to implement the security control requirements specified by National Institute of Standards and Technology Special Publication 800-171 (SP 800-171).  As the prior interim rule had no grace period for implementing the new cybersecurity controls, this is a fortunate change for DoD contractors.  This welcome extension, however, is not without conditions.  Contractors, in line with the notification outlined in DoD’s class deviation addressing “multifactor authentication for local and network access,” now have 30 days to inform the DoD Chief Information Officer (CIO) if any of the SP 800–171 security requirements are not implemented at the time of contract award.  Absent that notice, DoD will presume contractors are meeting all of the NIST-established controls.  As the new interim rule describes, this 30-day period will allow DoD the opportunity to monitor progress across its government contractors to identify and address any problems with the implementation of the NIST security controls.
Continue Reading Department of Defense Provides Government Contractors a Grace Period for Compliance with Key Cybersecurity Requirements

Yes. I just asked that.  For many, the response is likely “Yes!  Of course we are!  It’s *&^%$% cybersecurity – it’s complicated!”  To which I would respond “Touché.  It is…but it needn’t be overly complicated.”  So, of course, I set out to find a complicated way to simplify it.  And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes.
Continue Reading Are You Overcomplicating Your Cybersecurity Processes?

When last we left the Department of Defense, it had issued a rather wide-reaching interim DFARS rule addressing cybersecurity practices, data retention, and cloud services purchasing guidance. Now, effective October 2, 2015, before the ink can dry on those nascent rules (comments are due October 26, 2015), the DoD has applied them to all DoD contractors in regulations governing the once-voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) activities (32 C.F.R. Part 236). That’s right, what was once entitled a “voluntary” program is now a mandatory program; just in time for a host of data retention and cyber-reporting requirements!
Continue Reading Have DoD Contractors and Subcontractors Been Drafted? Once Voluntary Defense Industrial Base CS/IA Regulations Now Mandatory and Aligned With New DFARS Cybersecurity Rules