U.S. Department of Defense

The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth review of nine contractors, the audit uncovered some common practices that fall short of meeting the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.

Shortcomings Discovered in DoD Audit

These common lapses include the following, among others:

  • Inconsistent tracking of cybersecurity threats
  • Failure to consistently mitigate network vulnerabilities
  • Uneven use of strong passwords
  • Inconsistent use of multifactor identification

Continue Reading Vulnerable Systems: Contractor Protection of Controlled Unclassified Information at Risk

Bass, Berry & Sims attorney Richard Arnholt provided insight into delays to the procurement timeline in the Department of Defense’s (DoD) important $10 billion "JEDI" cloud procurement due to pending and potential protests.

In a recent court filing, DoD said it would not award the contract until at least July 19, but the resolution of Oracle’s pending suit, as well as other potential related actions, may push the award and implementation dates out past this summer.
Continue Reading Protest Challenges for the Defense Department’s “JEDI” Cloud

In 2016, Congress instructed the Department of Defense (DoD) to review its procurement regulations by convening a panel of procurement professionals—from both the public and private sectors. This panel became known as the Section 809 Panel (809 Panel). Congress instructed the 809 Panel to recommend amendments or repeals of defense procurement regulations. The 809 Panel’s objective was to help streamline or improve the efficiency and effectiveness of the defense acquisition process while still maintaining an advantage in defense technology. While Congress and the DoD are not required to adopt these recommendations, the report shows an attempt to define the issues in modern federal procurement and improve upon the old system.
Continue Reading Section 809 Panel Releases First Volume of Recommendations for the Overhaul of DoD’s Acquisition Process

The Government recently indicted an Army veteran for allegedly using his status as a service-disabled veteran to help a company qualify as a service-disabled veteran-owned small business and falsely obtain nearly $40 million in healthcare facility construction task orders from the Department of Defense.

The indictment is an indication that the government is continuing to aggressively pursue small businesses that fail to comply with set-aside requirements, and is a reminder that businesses benefiting from small business programs must be fully compliant with the complex regulations governing those socio-economic programs. It is also a reminder that the consequences of failing to meet those requirements are real – the Army veteran, Joseph Dial Jr., is facing over a century in prison.
Continue Reading If You Don’t Do the Work, You Might Do Time Instead: Service-Disabled Veteran Faces Jail Time for Failing to Run Day-to-Day Operations

As recent malware, ransomware and distributed denial of service attacks have made clear, the cyber threats posed to governments and commercial entities are real and growing. Critical infrastructure such as power plants, airports and communication systems are vulnerable to attacks on the cyber battlefield, as are banks, manufacturers, and law firms, among other commercial entities. In an attempt to address these risks, the U.S. government is imposing heightened cyber-security requirements on contractors, some of which are summarized below. But, in light of the growing cyber threats posed by nation states, subnational groups and bored teenagers, even companies that are not subject to these new requirements should evaluate the sufficiency of their current cyber security protocols and consider taking steps such as the simplified four-step “starter plan” – train, maintain, test and repeat – laid out below to address vulnerabilities.
Continue Reading DoD’s Efforts to Secure Information on Contractor Systems Continues, But All Companies Are at Risk and Should Take Steps Now to Protect Themselves