Yes. I just asked that.  For many, the response is likely “Yes!  Of course we are!  It’s *&^%$% cybersecurity – it’s complicated!”  To which I would respond “Touché.  It is…but it needn’t be overly complicated.”  So, of course, I set out to find a complicated way to simplify it.  And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes.
Continue reading: Are You Overcomplicating Your Cybersecurity Processes?

When last we left the Department of Defense, it had issued a rather wide-reaching interim DFARS rule addressing cybersecurity practices, data retention, and cloud services purchasing guidance. Now, effective October 2, 2015, before the ink can dry on those nascent rules (comments are due October 26, 2015), the DoD has applied them to all DoD contractors through the regulations governing the once-voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) activities (32 C.F.R. Part 236). That's right: what was once labeled a "voluntary" program is now a mandatory one, just in time for a host of data retention and cyber-reporting requirements!
Continue reading: Have DoD Contractors and Subcontractors Been Drafted? Once Voluntary Defense Industrial Base CS/IA Regulations Now Mandatory and Aligned With New DFARS Cybersecurity Rules

Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents.  The interim rule will apply “to all contractors with covered defense information transiting their information systems,” an estimated 10,000 contractors.  Additionally, in an effort to ensure acquisition uniformity across the Department, the interim rule implements DoD policies and procedures to be used when contracting for or utilizing cloud computing services.  Due to “urgent and compelling reasons,” the rule was issued without an opportunity for public comment.
Continue reading: DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with New DFARS Interim Rule

In a matter of keen interest to the small business community, last month the Supreme Court granted certiorari in Kingdomware Technologies, Inc. v. United States. The Court’s decision will hopefully bring some closure to the long-running dispute between the Department of Veterans Affairs (“VA”) and veteran-owned businesses over the VA’s refusal to set aside procurements under the so-called “Rule of Two.”
Continue reading: Supreme Court to Hear VA Procurement Controversy This Fall

On July 2, 2015, the FAR Council issued a Final Rule that amends the FAR, effective October 1, 2015, to implement inflation-based adjustments to certain acquisition-related monetary thresholds. 80 Fed. Reg. 38293. The modifications are made to comply with 41 U.S.C. § 1908, which requires the FAR Council to calculate the adjustments every five years based on the Consumer Price Index for all urban consumers. The statute does not require adjustments to thresholds established by the Construction Wage Rate Requirements statute (the Davis-Bacon Act), the Service Contract Labor Standards statute, or those set by the United States Trade Representative pursuant to Title III of the Trade Agreements Act of 1979.
Continue reading: Heads Up! Inflation Adjustments to Acquisition Thresholds Are Just Around the Corner

Perhaps it's the books I've been reading or the television shows I've been watching, but my mind can't seem to stop linking the recent barrage of cybersecurity attacks with those ne'er-do-wells who plagued the Caribbean from 1650 through the 1730s. Yes, I'm talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer; more the Edward Teach model, the notorious "Blackbeard." One of Blackbeard's most infamous successes occurred in Charleston, South Carolina in 1718, when he blockaded Charleston Harbor and held some of the town's leading citizens for ransom. Rather than demand the typical jewels and money, Blackbeard wanted something else: he held both the town and its people ransom for £300 of medicine. After a circus of errors conspired to delay the ransom payment, Blackbeard received his medicine and released both the harbor and his prisoners (minus, of course, much of their finer possessions; they were pirates after all) and sailed off into legend. So what does this jaunt down piracy lane have to do with cybersecurity and federal contractors? Simple: sometimes we don't know what's really of value and how that value can be used. Case in point: the OPM breach.
Continue reading: Ransoming Sensitive Personal Information: Will OPM's Data Breach Trigger Your Insider Threats?

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.  The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall.  The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.
Continue reading: ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized. The Federal Government is taking another baby step towards cybersecurity regulation with a proposed rule intended to standardize protocols for designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as "controlled unclassified information" or "CUI"). See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002). On May 8, 2015, the National Archives and Records Administration ("NARA") published a proposed new rule that goes a long way toward creating a standardized system intended to replace the litany of improvised CUI control markings that various Federal agencies have used and that have, unintentionally, hindered inter-governmental information sharing for decades. The effort, however, is more than a simple housekeeping exercise: the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.
Continue reading: Another Prologue to Cybersecurity Regulations: Controlled Unclassified Information ("CUI") – What Contractors Need to Know and Why They Should Care

In late January, the FAR Council issued its long-awaited final rule amending the FAR to strengthen the U.S. Government’s policy against human trafficking.  As discussed below, the amendments may have far-reaching compliance implications for government contractors.
Continue reading: Final Anti-Trafficking Rule to Impose New – and Uncertain – Obligations on Contractors

On November 20, 2014, the District Court for the District of Columbia once again ordered Kellogg, Brown and Root (“KBR”) to produce all documents prepared as part of an internal investigation.  The District Court’s decision comes after the D.C. Circuit, in an opinion that was welcome news for in-house counsel, found that the documents prepared during an internal investigation were protected by the attorney-client privilege since one of the “significant purposes” of the communications was to obtain or provide legal advice.  On remand, the District Court nonetheless ordered KBR to produce the documents because it found that, under the doctrine of implied waiver, KBR waived the privilege by placing in dispute what otherwise would have been privileged matters when it represented to the Court that the internal investigation resulted in no evidence of fraud.[1]
Continue reading: Implied Waiver of Privilege in Internal Investigations: Barko Court Compels Production of Internal Investigation Documents, Again