
Cyber, Data Security, and Privacy

Increasingly, the Federal government implements a rule for government contractors which then makes its way in some form into all of US industry.  Cybersecurity regulations, mandating that government contractors, grant and agreement holders, and their subcontractors, maintain certain security controls and report on cyber incidents, have been in effect for a number of years.  Indeed, Deputy Attorney General Lisa Monaco announced a Civil Cybersecurity Fraud initiative to go after government contractors, grant and agreement holders that falsely represent the cybersecurity of their products and services or the state of their compliance with cybersecurity requirements in seeking or performing government contracts.  With a reported 1885% increase in ransomware attacks and high profile cyber events such as Colonial Pipeline in 2021, therefore, it is not surprising that the Securities and Exchange Commission (SEC) is making the move to require public companies to increase their cybersecurity activities and to report cyber incidents so investors have greater insight into their investments.
Continue Reading SEC Issued Proposed Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

This week the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a “SHIELDS UP” advisory. While it does not identify specific threats in the advisory, CISA states that the “Russian government understands that disabling or destroying critical infrastructure – including power and communications – can augment pressure on a country’s government,

In the wake of increasing cybersecurity threats and incidents, the U.S. Department of Defense (DoD) amended its Defense Federal Acquisition Regulation Supplement (DFARS) in 2015 to issue DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the DFARS clause). The DFARS clause, which is included in all DoD solicitations and contracts, including those for acquisitions of commercial items, requires that the contractor “provide adequate security on all covered contractor information systems.” Covered contractor information systems are those that are “owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” The DFARS clause also requires that a contractor discovering a cyber incident that “affects a covered contractor information system or the covered defense information residing therein, or affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract,” must conduct a review and “rapidly report” the cyber incident to the DoD Cyber Crime Center (DC3). A “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The current version of the clause goes on to define “compromise,” “covered defense information,” and more. Thus, a reportable event arises only when a number of elements are present. Questions still remain about the timing and scope of reporting under the clause. Recognizing this, and for cases where there are no mandatory reporting requirements, DoD has established a voluntary public-private Defense Industrial Base (DIB) Cybersecurity program that allows for the sharing of information on cyber threats and more.
Continue Reading A Sea Change in Handling of Government Contractor Cyber Incident Reporting?

Published on June 9, 2021, President Biden’s Executive Order on Protecting America’s Sensitive Data from Foreign Adversaries is the latest Executive Order seeking to strengthen national security by improving public and private sector capabilities and practices relating to cybersecurity and supply chain risks. As explained in a previous article, the first such Executive Order addressed five main areas. The latest Executive Order focuses primarily on protecting against risks “associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” However, unlike prior Executive Orders on the topic, it expands the scope of threat actors to be addressed in future to include those “persons who engage in serious human rights abuse,” noting, “If persons who own, control, or manage connected software applications engage in serious human rights abuse or otherwise facilitate such abuse, the United States may impose consequences on those persons in action separate from this order.”
Continue Reading Biden’s Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries

Understanding the requirements for compliance with the interim DFARS rule on basic assessment and compliance with Cybersecurity Maturity Model Certification (CMMC) is not a task for the faint of heart. The rule requires that you accurately report the status of your compliance with the cybersecurity requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and, for specific procurements in the initial CMMC pilot program and moving forward, that you address your level of compliance under the CMMC program. Preparation here is crucial, as the Department of Defense (DoD) has announced that all contractors, except those solely furnishing Commercial Off-The-Shelf (COTS) items, must submit their basic compliance assessment into the Supplier Performance Risk System (SPRS) to be considered for future contract awards.
Continue Reading How Do You Address Solicitation Requirements and Contract Performance After CMMC Rollout?