Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters MORE

In the wake of increasing cybersecurity threats and incidents, the U.S. Department of Defense (DoD) amended its Federal Acquisition Regulation Supplement (DFARS) in 2015 to issue the 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting clause (DFARS clause).  The DFARS clause, which is included in all DoD solicitations and contracts, including those for acquisitions of commercial items, requires that the contractor must “provide adequate security on all covered contractor information systems.” Covered contractor information systems are those that are “owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” The DFARS clause also requires that a contractor discovering a cyber incident that “affects a covered contractor information system or the covered defense information residing therein, or affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract,” must conduct a review and “rapidly report” the cyber incident to the DoD Cyber Crime Center (DC3).  A “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”  The current version of the clause goes on to define “compromise,” “covered defense information,” and more.  Thus, a reportable event only arises when a number of elements are present.  There still remain questions about the timing and scope of reporting under the clause.  Recognizing this, even when there are not mandatory reporting requirements, DoD has established a voluntary public-private Defense Industrial Base (DIB) Cybersecurity program that allows for the sharing of information on cyber threats and more.

Continue Reading A Sea Change in Handling of Government Contractor Cyber Incident Reporting?

On September 30, 2021, the Civilian Agency Acquisition Council (CAAC) issued a formal Class Deviation from the Federal Acquisition Regulation (FAR), to implement rollout of the President’s Executive Order 14042, Ensuring Adequate COVID Safety Protocols for Federal Contractors.  The CAAC Class Deviation provides for inclusion of the following clause in all covered procurements:

Continue Reading FAR Class Deviations Being Issued to Implement Executive Order 14042, Ensuring Adequate COVID Safety Protocols for Federal Contractors

Understanding the requirements for compliance with the interim DFARS rule on basic assessment and compliance with Cybersecurity Maturity Model Certification (CMMC) is not a task for the faint of heart. The rule requires that you accurately report the status of your compliance with the cybersecurity requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and, for specific procurements in the initial CMMC pilot program and moving forward, that you address your level of compliance under the CMMC program.  Preparation here is crucial as the Department of Defense (DoD) has announced that all contractors, except those solely furnishing Commercial Off-The-Shelf (COTS), must submit their basic compliance assessment into the Supplier Performance Risk System (SPRS) to be considered for future contract awards.

Continue Reading How Do You Address Solicitation Requirements and Contract Performance After CMMC Rollout?

Recent weeks have brought news on multiple fronts regarding supply chain risks and actions in response thereto:

Commerce ICTS Regulations to Go Into Effect; Chinese ICTS Companies, Products and Services in the Headlights

The Trump Administration rolled out regulations to implement prohibitions on the use or delivery of covered Chinese telecommunications and video surveillance products

A lie may be a lie, but false representations and certifications on SAM may not necessarily be a proper protest ground. As the recent Government Accountability Office (GAO) decision in Phoenix Environmental Design, Inc. (Phoenix), B-418473, B-418473.2 (May 20, 2020) suggests, “minor” inaccurate statements may fall short of sustaining a protest.

Through the underlying solicitation,