On March 12, the Department of Defense (DOD) promulgated a final rule that expands the eligibility criteria for the Defense Industrial Base (DIB) Cybersecurity Program, a voluntary initiative aimed at bolstering the DIB’s ability to safeguard critical information. Continue Reading Final Rule Expands Defense Industrial Base Cybersecurity Program Eligibility Criteria
Cyber Defense Magazine Article on CMMC Proposed Rule
We published an article titled “Department of Defense Publishes Long-Awaited CMMC Proposed Rule,” in the March 2024 edition of Cyber Defense Magazine.Continue Reading Cyber Defense Magazine Article on CMMC Proposed Rule
Department of Defense Publishes Long-Awaited CMMC Proposed Rule
On December 26, the Department of Defense (DoD) published its long-awaited Cybersecurity Maturity Model Certification (CMMC) Program proposed rule, which places comprehensive cybersecurity and information security requirements on DoD contractors and subcontractors. Continue Reading Department of Defense Publishes Long-Awaited CMMC Proposed Rule
Cyber Incident Reporting May Be “Material” for Federal Contractors
Last month, the Federal Acquisition Regulatory Council proposed new cybersecurity and incident reporting regulations for federal contractors on behalf of the Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA). The proposed regulations include data incident reporting requirements the government explicitly designated as material to government contractors
Register Now | Demystifying Controlled Unclassified Information Requirements Webinar
Please join us on November 2 for an engaging webinar, Demystifying Controlled Unclassified Information Requirements: Overview of the Regulatory Landscape and Strategies for Implementing a Successful Compliance Program, alongside Stacy High-Brinkley from BDO. Together, we will illuminate the dynamic landscape of federal Controlled Unclassified Information (CUI) requirements.Continue Reading Register Now | Demystifying Controlled Unclassified Information Requirements Webinar
NIST Releases Public Draft of Revised Guidelines Aimed at Helping Contractors Protect Sensitive Information
On May 10, the National Institute of Standards and Technology (NIST) released its initial public draft of SP 800-171, Revision 3, a set of updated guidelines aimed at helping organizations better handle confidential unclassified information (CUI) that resides on non-federal systems. Continue Reading NIST Releases Public Draft of Revised Guidelines Aimed at Helping Contractors Protect Sensitive Information
A First! President Hones Government’s Foreign Investment Review
On September 15, President Biden announced the issuance of Executive Order (EO) 14083 to sharpen the focus of inbound investment screening by more formally tying the role of the Committee on Foreign Investment in the United States (CFIUS or the Committee) to the president’s national security prerogatives. For the first time since the Committee was established in 1975, the EO provides formal presidential direction delineating five specific factors for the Committee to consider when reviewing foreign acquisitions of U.S. companies.
Continue Reading A First! President Hones Government’s Foreign Investment Review
Government Contractors Face False Claims Act Liability for Cybersecurity Non-Compliance
Last week, the District Court for the Eastern District of California denied the defendant’s motion for summary judgment of a False Claims Act (FCA) count against Aerojet Rocketdyne (Aerojet) for allegedly fraudulently inducing the government to enter into federal contracts when the company knew it was not compliant with cybersecurity requirements.
The order contains important lessons for government contractors in the emerging area of FCA liability based on noncompliance with cybersecurity obligations. While the litigation is ongoing and may ultimately be resolved in Aerojet’s favor, the order demonstrates the growing importance of cybersecurity compliance.Continue Reading Government Contractors Face False Claims Act Liability for Cybersecurity Non-Compliance
DOD Scraps CMMC 1.0 for CMMC 2.0
For nearly two years, we have been reporting on this blog about the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) program. CMMC is a training, certification, and third-party assessment program designed to protect federal contract information (FCI) and controlled unclassified information (CUI) shared by DoD with its contractors and subcontractors through federal acquisition programs.
On November 4, the DOD announced that CMMC 2.0 would replace CMMC 1.0. The announcement was followed by a publication in the Federal Register of a summary of DOD’s CMMC 2.0 plans, which explains that the changes will be implemented through the notice and comment rulemaking process, proposing revisions/additions to titles 32 and 48 of the Code of Federal Regulations.
The decision was driven in large part by the more than 850 public comments submitted to the DoD in response to the CMMC 1.0 interim DFARS rule released on September 29, 2020, focusing on the need to enhance CMMC by doing the following, according to CMMC Frequently Asked Questions:
- Reducing costs, particularly for small businesses.
- Increasing trust in the CMMC assessment ecosystem.
- Clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards.
DOJ Expands False Claims Act Reach into Cybersecurity
There is a new weapon in the Department of Justice’s (DOJ’s) already powerful False Claims Act (FCA) arsenal. In October 2021, the DOJ announced a new Civil Cyber-Fraud Initiative, under which it will pursue FCA liability against government contractors in the cybersecurity space. According to the announcement from Deputy Attorney General Lisa O. Monaco, the