The proposed rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published in the Federal Register on August 15, 2024 and will have a 60-day comment period (through October 15, 2024).Continue Reading The CMMC Rule To Update the DFARS is Here!
On May 3, 2024, the FAR Council published an advanced notice of proposed rulemaking (the “Advanced Notice”) seeking to implement Section 5949 of the James M. Inohfe National Defense Authorization Act for Fiscal Year 2023 prohibition on procuring certain covered semiconductor products and services. The Congressional prohibition does not go into effect until December 2027, but the FAR Council was directed to promulgate regulations by December 2025. Though this only is an Advanced Notice at this time, the publication provides government contractors with information crucial to developing compliant infrastructures and preparing for the forthcoming rule’s publication. Interested parties are directed to submit written comments in response to the Advanced Notice by July 2, 2024 for consideration in the forthcoming proposed rule – an opportunity all contractors impacted by this prohibition should take advantage of.Continue Reading FAR Council Releases Rulemaking on Prohibitions for Semiconductors
Class Deviation Prohibits DoD from Requiring Contractors to Disclose Emissions
Over the past two years, the FAR Council has been working to develop a rule that would amend the Federal Acquisition Regulation (“FAR”) to require contractors to inventory and report their greenhouse gas (“GHG”) emissions and climate-related financial risk in order to be eligible for Federal awards. (Prior posts are available here and here.)Continue Reading Updates on GHG Emissions Disclosure Requirements
To kick off the New Year, Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2023 Recap (including links to all of the resources the team has put out over the past year) and 2024 Forecast (that previews what we expect to see in 2024). This Recap & Forecast covers the following five high-interest topic areas related to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection, 2023 Recap & 2024 Forecast Alert
In addition to prohibiting the flow-down of non-mandatory FAR/DFARS clauses (which we talk about here), the Department of Defense (“DOD”) Final Rule in connection with the Defense Federal Acquisition Regulation Supplement (“DFARS”) Case 2017-D010 also touched on the decades-long debate as to which entities actually are subcontractors performing under a Federal prime contract. Yes, you read that correctly – there is no single definition for the terms “subcontract” or “subcontractor.” After almost 40 years of confusion, it appears the DFARS and Federal Acquisition Regulation (“FAR”) Councils are trying to end the debate once and for all.Continue Reading New Year, (Potentially) New Definition for “Subcontract”
On November 17, 2023, the Department of Defense (“DOD”) published a Final Rule – over five years in the making – addressing DOD policies regarding the applicability of laws to commercial products, commercial services, and commercially available off-the-shelf (“COTS”) products (DFARS Case 2017-D010). Partially implementing Section 874 of the Fiscal Year 2017 National Defense Authorization Act, DOD has imposed new regulations that expressly prohibit Contracting Officers (“CO”) and prime contractors alike from incorporating regulatory requirements of the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) in prime contracts and subcontracts unless mandated by regulatory text.Continue Reading It’s the Most Wonderful Time for New DOD Flow Down Policies: Flowing Down Too Many Clauses Will Get Prime Contractors More Than a Lump of Coal
In recent weeks, there has been an uptick in news of cyber-related False Claims Act (“FCA”) activity. For example, on September 1, 2023, the court unsealed a qui tam lawsuit against Penn State University relating to allegations of non-compliance with Department of Defense (“DoD”) cybersecurity obligations. Separately, on September 5, 2023, the Department of Justice (“DOJ”) announced a multi-million dollar FCA settlement with Verizon under its Civil-Cyber Fraud Initiative (which focuses on leveraging the FCA to pursue cybersecurity related fraud by government contractors and grant recipients, as we previously discussed here). These and other cases suggest—as many had been speculating—that the number of enforcement actions and publicity associated with previously-sealed qui tam cases will continue to increase. They also signal that contractors and universities should brace for additional scrutiny and potential whistleblower claims in this area.Continue Reading Recent Cyber-Related False Claims Act Activity Signals Contractors and Universities Should Examine Their Cybersecurity Practices and Brace for an Uptick in Enforcement
On March 1, 2023, the U.S. Department of Defense (“DoD”) adopted, without change, Defense Federal Acquisition Regulation Supplement (“DFARS”) Case No. 2022-D010, Employment Transparency Regarding Individuals Who Perform Work in the People’s Republic of China (88 Fed. Reg. 12861), updating provisions at DFARS 225.7021 and adding contract clauses at 252.225-7057 and 252.225-7058. This latest DFARS rule reflects a shifting regulatory landscape aimed at increasing transparency and oversight of U.S. transactions involving China.Continue Reading Continuing Skepticism on China: Final Rule Requires Disclosure of Defense Contractor Personnel in China
Effective August 25, 2022, the U.S. Department of Defense (“DoD”) has issued two new changes to the Defense Federal Acquisition Regulation Supplement (“DFARS”) reinforcing national defense priorities that limit DoD
Continue Reading In the Interest of National Security – Two New DFARS Rules Reinforce Increased Scrutiny For Chinese-Origin Supply Chains
On March 18, 2022, the Department of Defense (“DOD”) issued its long-awaited Final Rule implementing Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (“NDAA FY 2018”), and formally codifying defense contractors’ rights to post-award enhanced debriefings. Contractors have been bound by a Class Deviation implementing these requirements since March 2018, with DOD only issuing its proposed rule in May 2021. Though the Final Rule largely tracks the proposed rule, it does include several important clarifications, and, of course, directly impacts timeliness rules for filing post-award protests of DOD awards at the Government Accountability Office (“GAO”).
Continue Reading The Impact of DOD’s Enhanced Debriefings Rule on Bid Protest Timeliness
A lot has happened since the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (CMMC) v. 1.0 back in February (see our prior discussion here). In addition to developments with the CMMC Accreditation Body (“CMMC AB”), DOD has clarified applicability of the program to Commercially available off-the-shelf (“COTS”) providers and the impact of COVID-19 on program implementation.
Continue Reading DOD CMMC Update – Third Party Auditors Gear Up and COTS Providers Get a Pass