NIST Releases Public Draft of Revised Guidelines Aimed at Helping Contractors Protect Sensitive Information
On May 10, the National Institute of Standards and Technology (NIST) released its initial public draft of SP 800-171, Revision 3, a set of updated guidelines aimed at helping organizations better handle confidential unclassified information (CUI) that resides on non-federal systems.
A First! President Hones Government’s Foreign Investment Review
On September 15, President Biden announced the issuance of Executive Order (EO) 14083 to sharpen the focus of inbound investment screening by more formally tying the role of the Committee on Foreign Investment in the United States (CFIUS or the Committee) to the president’s national security prerogatives. For the first time since the Committee was established in 1975, the EO provides formal presidential direction delineating five specific factors for the Committee to consider when reviewing foreign acquisitions of U.S. companies.
Government Contractors Face False Claims Act Liability for Cybersecurity Non-Compliance
Last week, the District Court for the Eastern District of California denied the defendant’s motion for summary judgment of a False Claims Act (FCA) count against Aerojet Rocketdyne (Aerojet) for allegedly fraudulently inducing the government to enter into federal contracts when the company knew it was not compliant with cybersecurity requirements.
The order contains important lessons for government contractors in the emerging area of FCA liability based on noncompliance with cybersecurity obligations. While the litigation is ongoing and may ultimately be resolved in Aerojet’s favor, the order demonstrates the growing importance of cybersecurity compliance.
DOD Scraps CMMC 1.0 for CMMC 2.0
For nearly two years, we have been reporting on this blog about the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) program. CMMC is a training, certification, and third-party assessment program designed to protect federal contract information (FCI) and controlled unclassified information (CUI) shared by DoD with its contractors and subcontractors through federal acquisition programs.
On November 4, the DOD announced that CMMC 2.0 would replace CMMC 1.0. The announcement was followed by a publication in the Federal Register of a summary of DOD’s CMMC 2.0 plans, which explains that the changes will be implemented through the notice and comment rulemaking process, proposing revisions/additions to titles 32 and 48 of the Code of Federal Regulations.
The decision was driven in large part by the more than 850 public comments submitted to the DoD in response to the CMMC 1.0 interim DFARS rule released on September 29, 2020, focusing on the need to enhance CMMC by doing the following, according to CMMC Frequently Asked Questions:
- Reducing costs, particularly for small businesses.
- Increasing trust in the CMMC assessment ecosystem.
- Clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards.
DOJ Expands False Claims Act Reach into Cybersecurity
There is a new weapon in the Department of Justice’s (DOJ’s) already powerful False Claims Act (FCA) arsenal. In October 2021, the DOJ announced a new Civil Cyber-Fraud Initiative, under which it will pursue FCA liability against government contractors in the cybersecurity space. According to the announcement from Deputy Attorney General Lisa O. Monaco, the…
Compliance Obligations for Government Contractors
I recently outlined the ever-growing list of compliance obligations for businesses that sell goods and services to the federal government in an article for Risk Management. “Some of the new regulatory requirements – such as obligations relating to cybersecurity and counterfeit parts – address challenges posed by an increasingly global, networked economy,” I explained in the article. “Others, such as the mandatory disclosure requirement, continue the trend of the government relying on third parties, whether it be whistleblowers or contractors themselves, to police the procurement system.”
To address the rising risk these complications pose, businesses should first ensure they have established an underlying compliance structure required by federal procurement regulations, as well as design effective training programs, translate the obligations into actionable policies, and effectively monitor adherence with those policies.
[Virtual Event] 8th Annual Compliance & Government Investigations Seminar
Please join us for the Compliance & Government Investigations Seminar hosted by Bass, Berry & Sims and FTI Consulting. Due to ongoing COVID-19 concerns, this event will be virtual only.
We are excited for this year’s complimentary CLE program, which will provide the same caliber of practical advice, insight into government developments, and thoughtful discussion from industry panelists you have come to expect from this seminar. This year’s topics include:
- Inside Scoop: Top Issues In-House Counsel Currently Face
- Update on International Trade Regulations and Enforcement
- SEC Update: Key Enforcement and Regulatory Priorities
- Running an Investigation
- Antitrust Is Back: DOJ and FTC Signal Significant Increase in Antitrust Enforcement
- Data Privacy Update
- Healthcare Fraud Enforcement Updates
- Hot Topics in Procurement Fraud in 2021 and Beyond
- COVID-19 Funding Fallout: Preparation for Government Scrutiny
This year’s seminar will be held from 8:30 a.m.–3:45 p.m. CDT on Tuesday, September 28.
WEBINAR: The Federal Government’s Continuing IT Upgrade – Changes in Cloud Computing & Cybersecurity
We are looking forward to presenting a training webinar titled, “The Federal Government’s Continuing IT Upgrade – Changes in Cloud Computing & Cybersecurity” for the Maryland Procurement Technical Assistance Center (Maryland PTAC). The US government, the largest purchaser of goods and services in the world, is in the midst of an IT revolution. Much of…
Federal Circuit Confirms DoD Contractor’s Expanded Restrictions on Non-Government Parties Rights in Data
Last month, the U.S. Court of Appeals for the Federal Circuit’s (Federal Circuit) opinion in The Boeing Co. v. Secretary of the Air Force shed additional light on the technical data rights of contractors under defense contracts. The decision hinges on the fact that technical data provided by a contractor to the government remains the property of the contractor. Additionally, contractors retain certain rights in connection with technical data even when the government has so-called “unlimited rights” to use it.
Case Background
In this case, Boeing held two contracts with the U.S. Air Force (USAF) for work on the F-15 Eagle Passive/Active Warning Survivability System. The contracts included the requirement for delivery of technical data to the USAF with Unlimited Rights and the DFARS 252.227-7013 non-commercial technical data rights clause (Subsection 7013). The parties did not dispute that Boeing retained ownership of technical data delivered to the USAF under the contracts, but Boeing contended that its legends on the technical data were intended to protect its rights as they pertained to third parties, namely by putting third parties on notice of the proprietary nature of the data and directing that “Non-US Government Entities May Use and Disclose Only As Permitted In Writing By Boeing Or By The US Government.” The USAF rejected the data deliverables marked in this manner, finding them nonconforming, and Boeing requested a final Contracting Officer’s decision on the matter.
The Contracting Officer’s final decision confirmed that the USAF was correct in rejecting the legends and directed Boeing to correct them. Boeing appealed the decision to the Armed Services Board of Contract Appeals (ASBCA) on the ground that Boeing’s legend was “not nonconforming” under Subsection 7013(f) since its legend did not address restrictions on government rights, only third-party rights. The ASBCA, ruling on the motion for summary judgment, disagreed, siding with the USAF’s position that only the legends listed in Subsection 7013(f) are authorized and Boeing’s legend was not one of those. Boeing appealed this decision to the Federal Circuit.
It’s Here! DoD Issues Interim Rule Launching Two Cyber Assessment Programs
For over a year, we have been discussing the Department of Defense’s (DoD) eventual implementation of a Cybersecurity Maturity Model Certification (CMMC) program for Defense contractors, most recently during a webinar in September 2020 entitled CMMC is (Almost) Here! Latest Developments and Best Practices for Government Contractors.
The CMMC framework is part of DoD’s efforts to enhance the protection of controlled unclassified information (CUI) within the federal supply chain. On September 29, the Pentagon released an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS) providing details on the implementation timeline of CMMC and the requirements defense contractors will have to adhere to starting November 30, 2020.
CMMC Five-Year Rollout
The interim rule specifies that the CMMC program will be introduced in a five-year phased rollout that will be complete by September 30, 2025. After that date, all defense contractors will be required to reach some level of CMMC certification if they are to receive future DoD contracts and subcontracts, except for DoD acquisitions solely for commercially available off-the-shelf (COTS) items. During the rollout, the Under Secretary of Defense for Acquisition and Sustainment (USD (A&S)) will determine and communicate to Contracting Officers which contracts will require contractors to undergo a full third-party CMMC assessment.