Cybersecurity

We are looking forward to presenting a training webinar titled, “The Federal Government’s Continuing IT Upgrade – Changes in Cloud Computing & Cybersecurity” for the Maryland Procurement Technical Assistance Center (Maryland PTAC). The US government, the largest purchaser of goods and services in the world, is in the midst of an IT revolution. Much of

Last month, the U.S. Court of Appeals for the Federal Circuit’s (Federal Circuit) opinion in The Boeing Co. v. Secretary of the Air Force shed additional light on the technical data rights of contractors under defense contracts. The decision hinges on the fact that technical data provided by a contractor to the government remains the property of the contractor. Additionally, contractors retain certain rights in connection with technical data even when the government has so-called “unlimited rights” to use it.

Case Background

In this case, Boeing held two contracts with the U.S. Air Force (USAF) for work on the F-15 Eagle Passive/Active Warning Survivability System. The contracts required delivery of technical data to the USAF with Unlimited Rights and included DFARS 252.227-7013, the non-commercial technical data rights clause (Subsection 7013). The parties did not dispute that Boeing retained ownership of the technical data delivered to the USAF under the contracts, but Boeing contended that its legends on the technical data were intended to protect its rights as against third parties. Namely, the legend put third parties on notice of the proprietary nature of the data and directed that “Non-US Government Entities May Use and Disclose Only As Permitted In Writing By Boeing Or By The US Government.” The USAF rejected the data deliverables marked in this manner, finding them nonconforming, and Boeing requested a final Contracting Officer’s decision on the matter.

The Contracting Officer’s final decision confirmed that the USAF was correct in rejecting the legends and directed Boeing to correct them. Boeing appealed the decision to the Armed Services Board of Contract Appeals (ASBCA) on the ground that its legend was “not nonconforming” under Subsection 7013(f), since the legend did not address restrictions on government rights, only third-party rights. The ASBCA, ruling on the motion for summary judgment, disagreed, siding with the USAF’s position that only the legends listed in Subsection 7013(f) are authorized and that Boeing’s legend was not one of those. Boeing appealed this decision to the Federal Circuit.

Continue Reading Federal Circuit Confirms DoD Contractor’s Expanded Restrictions on Non-Government Parties Rights in Data

For over a year, we have been discussing the Department of Defense’s (DoD) eventual implementation of a Cybersecurity Maturity Model Certification (CMMC) program for Defense contractors, most recently during a webinar in September 2020 entitled CMMC is (Almost) Here! Latest Developments and Best Practices for Government Contractors.

The CMMC framework is part of DoD’s efforts to enhance the protection of controlled unclassified information (CUI) within the federal supply chain. On September 29, the Pentagon released an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS) providing details on the implementation timeline of CMMC and the requirements defense contractors will have to adhere to starting November 30, 2020.

CMMC Five-Year Rollout

The interim rule specifies that the CMMC program will be introduced in a five-year phased rollout that will be complete by September 30, 2025. After that date, all defense contractors will be required to reach some level of CMMC certification if they are to receive future DoD contracts and subcontracts, except for DoD acquisitions solely for commercially available off-the-shelf (COTS) items. During the rollout, the Under Secretary of Defense for Acquisition and Sustainment (USD (A&S)) will determine and communicate to Contracting Officers which contracts will require contractors to undergo a full third-party CMMC assessment.

Continue Reading It’s Here! DoD Issues Interim Rule Launching Two Cyber Assessment Programs

On January 30, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) outlining cybersecurity requirements that DoD contractors and subcontractors must meet to certify they adequately satisfy the DoD standards. These new requirements may go into effect for certain procurements as soon as the end of September 2020.

In this 60-minute webinar,

The Department of Defense (DoD) has now finalized its new cybersecurity standards, which we discussed last year. The new standards, which are intended to protect controlled unclassified information (CUI), will be implemented through the Cybersecurity Maturity Model Certification (CMMC) program, which was finalized last week after multiple draft iterations. CMMC Version 1.0 is available here.

CMMC Will Require Third-Party Certification of Cybersecurity Maturity Level

Among other changes from the prior cybersecurity compliance regime, this new approach will require that, to be eligible for DoD awards, contractors be certified by a third-party commercial certification organization as having achieved one of five cybersecurity maturity levels, with higher levels representing more advanced cybersecurity. Later this year, DoD solicitations will contain the applicable CMMC requirement, and contractors failing to meet this standard will be unable to bid. The requirements will apply to all parties within the supply chain (although subcontractors may not have to meet as high a CMMC level as the prime contractor, depending on their scope of work).

Continue Reading DoD Finalizes Cybersecurity Maturity Model Certification

In line with recent actions taken across the government to enhance the resilience of the nation’s cybersecurity apparatus, the Cybersecurity and Infrastructure Security Agency (CISA) recently released a set of best practices for small businesses. These Cyber Essentials, according to CISA, are intended as a starting point to nurture a “culture of security, and specific actions for leaders and their IT professionals to put that culture into actions.”

The Cyber Essentials provide guidance for both organization leaders and IT professionals across six elements:

  • Yourself
  • Your Staff
  • Your Systems
  • Your Surroundings
  • Your Data
  • Your Actions under Stress.

Continue Reading Covering the Basics: CISA Announces Cybersecurity Essentials for Small Businesses

As the Department of Defense (DoD) pushes to overhaul cybersecurity requirements with a new Cybersecurity Maturity Model Certification (CMMC) program to be implemented in the fall of 2020, I recently provided insights for an article in Law360 that highlighted some potential challenges the quick rollout and still-unanswered questions could present. Contractors generally welcome the unified and modernized approach to cybersecurity, but because there are many questions left unanswered since the initial drafts released in May and in September, there are concerns among some that the perceived rush is creating undue stress and confusion.

As a result, the September draft of the CMMC program received a large volume of public comments, which Todd noted was unusual given the limited time available for comment. For solutions the DoD could address in the final rule, I suggested the Department ensure minimum cybersecurity levels are included in contracts as pass-fail threshold requirements, rather than as subjective assessments that potentially open up new grounds for bid protests.

Continue Reading Insight on DoD’s Cybersecurity Plan

I am excited to be presenting a training seminar titled, “Trends and Changes in Federal Contracting FY 20” for the Florida Procurement Technical Assistance Center (Florida PTAC).

The interactive seminar will provide insight into the world of federal government contracting for Fiscal Year 2020 and new initiatives that will impact federal businesses in the next 12 months.

Continue Reading Trends and Changes in Federal Contracting for Fiscal Year 2020

In an article published by Law360, we examined a report issued by the U.S. Department of Defense (DoD) Inspector General on July 23, which summarizes the findings of an audit into the protection of controlled unclassified information (CUI) on contractor networks.

The DoD Inspector General reviewed nine contractors’ information systems and found deficiencies that fall short of the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171. The deficiencies exposed include: not mitigating vulnerabilities on their networks and systems, not scanning their networks for vulnerabilities, not mitigating high-severity vulnerabilities identified by the contractors’ own management programs, and more.

Continue Reading Findings of DoD Audit and Recommendations for Cyber Enforcement

The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks.  Based on an in-depth review into nine contractors, the audit uncovered some common practices that fall short of meeting the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.

Shortcomings Discovered in DoD Audit

These common lapses include the following, among others:

  • Inconsistent tracking of cybersecurity threats
  • Failure to consistently mitigate network vulnerabilities
  • Uneven use of strong passwords
  • Inconsistent use of multifactor authentication

Continue Reading Vulnerable Systems: Contractor Protection of Controlled Unclassified Information at Risk