Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.

With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0; as well as the requirements, the certification process, and how your organization can best prepare.Continue Reading CMMC 2.0 Is Here to Stay: Where Do We Start?

For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, November 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for performance of DoD contracts.Continue Reading CMMC – Where Do We Stand in 2023?

On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”

In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bi-furcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.
Continue Reading See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program

In response to recommendations contained in the Solarium Commission report and the Solar Winds cybersecurity incident, President Biden issued an Executive Order on May 12, 2021, outlining new requirements for information technology providers that do business with the federal government. The purpose of the requirements are to protect federal networks from malicious cyber-attacks and to improve information-sharing between the U.S. government and the private sector on cyber issues, thereby strengthening the United States’ ability to respond to incidents when they
Continue Reading Strengthening U.S. Cyber Security – New Executive Order

While hardly a new topic for anyone doing business with the government, current events and the challenges of COVID-19 provide a cautionary tale and proactive reminder that doing business with the government carries with the burden of ensuring applicable data privacy and security protections are in place.  As companies consider existing relationships with the U.S. government, or potentially pursuing new business with the U.S. government in responding to current challenges, we thought it a good time to provide a high-level summary of what to expect.

All organizations store, maintain, and process data to some extent.  However, organizations that contract with the federal government may also be storing controlled unclassified information (“CUI”).  The federal government requires that CUI be protected from public disclosure; or other unauthorized use.  Protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly affect the ability of the federal government to successfully conduct its essential missions and functions. For example, over the last decade, cyber criminals have increasingly targeted contractor organizations to extract information in an attempt to weaken the federal government’s supply chain. Accordingly, companies can expect to see an emphasis on security of CUI when contracting with the federal government as they process CUI and other types of data on the government’s behalf, whether directly as a prime contractor or subcontractor to a prime contractor of the government.Continue Reading COVID-19 Bulletin: Dreaming of a government contract? Neglecting data security can be a nightmare.

In the summer of 2015, we cautioned that the Department of Defense’s (DoD’s) new cybersecurity regulations could be used offensively to support False Claims Act (FCA) cases and bid protests. Four years later, those premonitions have unfortunately come true. Recently, a federal court refused to dismiss a relator’s implied certification FCA case in which he alleged that his employer “misrepresented … to the government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls” in violation of DoD’s cybersecurity regulations. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019).
Continue Reading False Claims Act Case Based On DoD’s Cybersecurity Regulations Survives Motion to Dismiss

You may have heard news recently that federal government agencies were directed to stop using products made by the computer security vendor Kaspersky Lab because of potential security risks from links between Kaspersky officials and the Russian government. The directive was issued by the U.S. Department of Homeland Security (DHS) Secretary Elaine Duke on Sept. 13, 2017.

Kaspersky products have broad access to files and elevated privileges on the computers on which they are installed. As a result, the DHS
Continue Reading DSS Directs Federal Government Contractors to Stop Using Products Made by AO Kaspersky Lab

The American Arbitration Association (AAA) and its International Centre for Dispute Resolution (ICDR) recently created an aerospace, aviation and national security panel of arbitrators to handle complex, high-value aerospace, aviation, defense, cyber and security-related disputes. Similarly, AAA has a special panel of arbitrators to handle technology-related disputes. But what should companies involved in these types of arbitration cases expect?

Taft attorneys Bill Wagner and Michael Diamant recently published an article in Law360 with 10 tips for presenting complex cases in
Continue Reading 10 Tips for Presenting Complex Cases In Arbitration

In January, we wrote about the new training requirement for employees who handle personally identifiable information (“PII”) or who build systems containing PII. On the same day that rule went into effect, Jan. 19, 2017, three related Department of Homeland Security (“DHS”) proposed rules were published in the Federal Register covering mandatory privacy training, information technology (“IT”) security awareness training, and the safeguarding of controlled unclassified information (“CUI”). Comments on all three proposed rules are due on Monday, March 20,
Continue Reading DHS Proposed Rules Cover Privacy Training, IT Security Awareness Training and the Safeguarding of CUI

The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS, 252.204-7008(c)(1).

However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a
Continue Reading Will the New DoD Cybersecurity Regulations Cause a New Wave of Protest Disputes?