Litigants Beware: Unjust Enrichment v. Quantum Meruit

The distinction between unjust enrichment claims and quantum meruit claims has long bedeviled courts and practitioners. In Core Finance Team Affiliates v. Maine Medical Center, the Law Court provided important guidance regarding the differences between these claims while leaving open a difficult question relating to the implications of pursuing one claim but not the other.

Core Finance involved a suit by a contractor against hospitals relating to the provision of services for reimbursement submittals. The contractor asserted claims for breach of contract and unjust enrichment. After a jury concluded that the contractor failed to prove the existence of a contract, the court held a bench trial and awarded damages to the contractor for unjust enrichment.

The Law Court reversed the judgment on narrow grounds—namely, that the contractor failed to “prove the damages recoverable under either a quantum meruit theory or an unjust enrichment theory.” The Court concluded that, absent proof of conscious wrongdoing, “the appropriate measure of damages” for an unjust enrichment claim is the same as for a quantum meruit claim: “the market value of [defendant’s] uncompensated contractual performance.” The contractor had not presented evidence of the value of its services; rather, its evidence focused on the increase in reimbursement to the hospitals (i.e., the value to the defendants of the services). Thus, the record did not contain a sufficient basis for correctly determining damages.

Although this holding is of note in its own right, it was preceded by a particularly notable discussion of the differences between a quantum meruit claim and an unjust enrichment claim. The parties had disputed whether the trial court should have considered the unjust enrichment claim at all, absent any quantum meruit claim. The hospitals argued that the contractor had to exhaust its legal remedies by pursuing a quantum meruit claim before pursuing an unjust enrichment claim.

Discussing this issue, the Court emphasized that a quantum meruit claim involves “recovery for services or materials provided under an implied contract.” It thus involves enforcement of a promise, and is a legal remedy. An unjust enrichment claim, by contrast, does not involve an implied contract, but rather involves compelled performance “of a legal and moral duty to pay.” Unjust enrichment does not involve any express or implied promise, and is an equitable remedy.

The Court went on to observe that it had “never stated that an unjust enrichment claim involving the rendition of services cannot be adjudicated until after the court has rejected a quantum meruit claim involving the same services.” Importantly, it then acknowledged that this “premise can readily be inferred” for two reasons: (1) the limitation on the availability of equitable remedies if there is an adequate legal remedy, and (2) the primacy of contract over unjust enrichment in the remedial scheme, which requires determining whether an express contract exists before considering quantum meruit or unjust enrichment claims. The Court noted that equitable remedies should be granted “only when there is not an adequate legal remedy,” and that “the court need not consider unjust enrichment if quantum meruit is an adequate remedy.” Having said all that, however, the Court declined “to explore the dilemma further,” instead resolving the case on the damages issue.

The Court’s lengthy discussion is dicta, but it is important nevertheless. Although the Court did not hold that the failure to bring a quantum meruit claim barred an unjust enrichment claim, the Court walked right up to that line. Its language certainly suggests that it would so hold if it had to resolve the issue. As such, Core Finance is an important guidepost for litigants considering which claims to bring in the alternative to a breach of contract claim.

OFCCP Requiring Construction Companies to Submit Monthly Data Reports starting April 2025

OFCCP announced it is reinstating a monthly reporting requirement (the CC-257 Report) for federal construction contractors, nearly 30 years after discontinuing it. Beginning April 15, 2025, covered construction contractors must submit a report to OFCCP by the 15th of each month, with detailed data on their number of employees and work hours by race/ethnicity and gender.

In its announcement, the Agency explained it will use the monthly report to further its “mission of protecting workers in the construction trades, as employment discrimination continues to be a problem in the construction industry.” OFCCP says the report will allow the Agency to strengthen both enforcement and compliance assistance.

OFCCP proposed reinstating CC-257 in February 2024, and in its Supporting Statement, indicated that the report would allow the Agency to “better identify if there are potential hiring or job assignment issues that warrant further investigation during a compliance evaluation.”

The new reporting requirement will include data on number of employees and trade employees’ hours worked by race and gender within each Standard Metropolitan Statistical Area (SMSA) or Economic Area (EA) each month. For contractors with employees working on multiple projects, either within a SMSA/EA or across several areas, gathering and preparing the relevant data each month may prove challenging. Contractors must also include whether the work performed is designated by OFCCP as a Megaproject. Other requirements include the contractor’s unique entity identifier (UEI) or Data Universal Numbering System (DUNS) number, both of which OFCCP uses to identify entities doing business with the federal government, and a list of the federal agencies funding their projects.

The Agency published Frequently Asked Questions on its CC-257 Report landing page and intends to provide additional compliance assistance, including a webinar, in early 2025.

The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC Program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, compliance with which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a preliminary internal gap assessment, ideally conducted under legal privilege, is recommended to allow sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in how the DoD oversees and manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aims to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Federal Contractors Beware – More Data Disclosures Coming!

On October 29, 2024, the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) published a Freedom of Information Act (FOIA) notice, inviting federal contractors to respond to FOIA requests that the OFCCP received related to federal contractors’ 2021 Type 2 EEO-1 Consolidated Reports. These reports, required of federal contractors and subcontractors with at least 50 employees, contain data critical to the government’s diversity efforts consistent with anti-discrimination mandates under Title VII and Executive Order 11246. Contractors have previously relied on FOIA Exemption 4 to protect against disclosing sensitive commercial information that could impact competitive positioning, but in late December 2023, as previously reported here, a federal court ruling concluded that certain demographic data did not qualify as confidential under FOIA Exemption 4. That court decision may spur an increase in FOIA requests for EEO-1 reporting information.

Contractors who wish to object to the disclosure of their EEO-1 reporting information must do so via OFCCP’s online portal, email, or mail on or before December 9, 2024. Per the OFCCP’s notice, contractors can object to releasing their 2021 EEO-1 Type 2 data by providing evidence showing the data satisfies FOIA Exemption 4. To do this, contractors should:

  • Specifically identify the objectionable data;
  • Explain why this data is commercial or competitive to render it confidential;
  • Outline the processes the contractor has in place to safeguard the data;
  • Identify any prior assurances or expectations that the data would remain confidential; and
  • Detail the damage that would occur if the data were disclosed by conducting assessments to see how disclosure would impact business operations.

In addition to raising timely objections to disclosure of data, contractors should also implement clear policies to maintain a consistent approach to data confidentiality. Specifically, contractors should be thoughtful and consistent as to how they define confidential information and the protection measures they take related to such information.

FOIA requests and court decisions in this space will likely continue to make striking a balance between government transparency and protecting contractors’ confidential business information more difficult. To navigate these changes, federal contractors should remain vigilant by staying informed, preparing objections to FOIA requests, and consulting with legal counsel to ensure compliance with this evolving area of law.

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0

| Level   | Model                                                        | Assessment                                                                                                                   |
|---------|--------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
| Level 3 | 134 requirements based on NIST SP 800-171 and 800-172        | Triennial government-led assessment and annual affirmation                                                                   |
| Level 2 | 110 requirements aligned with NIST SP 800-171                | Triennial third-party assessment and annual affirmation; triennial self-assessment and annual affirmation for select programs |
| Level 1 | 15 requirements                                              | Annual self-assessment and annual affirmation                                                                                |

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the phrase “in performance of the DoD contract” does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC Program does not restrict a contractor’s ability to process, store, or transmit its own information.

    CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

    DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

    TEMPORARY AND ENDURING EXCEPTIONS

    DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

    A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

    An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in 32 C.F.R. establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

    DEFINITION OF SECURITY PROTECTION DATA

    In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.

    In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

    DIBCAC ASSESSMENTS

    For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with the Payment Card Industry Data Security Standard (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels (CMMC level 1, CMMC level 2, and CMMC level 3) depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC Level 3 requirement in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. Like with ESPs, CSPs that only deal with SPD are subject to a more limited assessment and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

Supreme Court Issues Landmark Decision Upending Deference to Federal Agencies

On June 28, 2024, the Supreme Court of the United States upended the 40-year-old doctrine whereby federal courts gave deference to administrative agencies’ reasonable interpretations of federal statutes. The ruling stands to have significant implications for federal agencies’ rulemaking and enforcement of federal labor and employment laws.

Quick Hits

  • The Supreme Court held that courts must exercise their independent judgment in deciding whether an agency acted within its statutory authority and may not defer to an agency’s interpretation when a law is ambiguous.
  • The decision overruled the four-decades-old doctrine known as Chevron deference, in which courts had deferred to agencies’ reasonable interpretations of ambiguous statutes.
  • The ruling will have a major impact on federal agencies’ rulemaking authority.

The Supreme Court decision in Loper Bright Enterprises v. Raimondo held that courts must exercise independent judgment in deciding whether an agency acted within its statutory authority and may not simply defer to the agency’s interpretation of ambiguities in the law.

The decision overrules the longstanding doctrine known as Chevron deference, under which courts would defer to a federal agency’s reasonable interpretation of an ambiguous law that the agency administers. The deference had provided the rules of such administrative agencies with the force of law, but that authority will, at a minimum, be weakened, along with the corresponding power of the agencies.

In the opinion of the Court, Chief Justice John Roberts wrote that Chevron deference “defies the command of the” Administrative Procedure Act (APA) that courts, “not the agency whose action it reviews … ‘decide all relevant questions of law’ and interpret … statutory provisions.” Chevron deference “requires a court to ignore, not follow, ‘the reading the court would have reached’ had it exercised its independent judgment as required by the APA.”

The Court, in its majority, rejected the presumption that ambiguities in federal statutes are implicit delegations of authority to agencies, stating the “presumption is misguided because agencies have no special competence in resolving statutory ambiguities.”

The ruling will have significant implications for the multiple federal agencies that regulate employers, including the U.S. Department of Labor (DOL), the U.S. Equal Employment Opportunity Commission (EEOC), the Federal Trade Commission (FTC), the National Labor Relations Board (NLRB), the Occupational Safety and Health Administration (OSHA), and the Office of Federal Contract Compliance Programs (OFCCP), among others.

Chevron Deference

Under the two-step Chevron deference framework, the court would first determine whether a statute in question was clear and unambiguous regarding an issue. If the statute was clear, then the court would give effect to it. If, however, the court found the statute was ambiguous or silent on the issue, then the court would proceed to step two. At that step, the court would determine whether the agency’s interpretation was a permissible or reasonable construction of the statute. If so, the court would uphold the agency’s interpretation.

The deference had allowed federal agencies leeway to act, allowing them to interpret ambiguities and fill gaps in the laws they enforce. However, the doctrine has been criticized in recent years as unconstitutionally allowing the Executive Branch’s policy positions to be advanced by federal agencies outside the democratic process and for taking power away from federal courts to interpret laws.

Background

The issue over Chevron deference came before the Supreme Court in two cases challenging a National Marine Fisheries Service (NMFS) rule that required fishing vessels to pay the salaries of federal observers that vessels are required to “carry” under the Magnuson-Stevens Act (MSA). The MSA is silent as to whether the fishing industry is responsible for paying the costs for the observers. Given concerns about funding, the NMFS rule required the vessels carrying the observers to pay the costs despite objections from the fishing industry over its negative economic impact on the livelihoods of commercial fishermen.

In Loper Bright Enterprises, four family-owned and family-operated fishing companies argued that the NMFS cannot force vessels to pay for the observers because the MSA did not clearly give the agency power to do so. However, the D.C. Circuit Court of Appeals ruled in favor of the agency, finding that the law’s silence on the issue created an ambiguity that required deference to the agency.

Supreme Court Justice Ketanji Brown Jackson recused herself from the Loper Bright case as she had sat on the D.C. Circuit panel that had ruled in the case. The Court then added Relentless, Inc. v. Department of Commerce, in which the owner of fishing vessels raised a similar challenge to the NMFS rule. The challengers argued that since the MSA provides for observers to be paid in at least three other contexts, the NMFS did not have the authority to require fishing vessels to pay for them. But the First Circuit Court of Appeals affirmed a district court finding that “the rule is a permissible exercise of the agency’s authority and is otherwise lawful.”

At the Supreme Court, the challengers in Loper Bright Enterprises argued that the Court should “either abandon Chevron for good or at least substantially cabin its scope” because it has “proved unworkable” and has “seriously distorted how the political branches operate.” They argued that stare decisis does not bar the Court from abandoning the framework, since the Court would not have to change the outcome of the case in which the deference was established but merely alter the interpretive methodologies used. Similarly, the challengers in Relentless argued that the deference is unconstitutional because it “compromis[es] judges’ independence when interpreting the law,” which is a power vested in the federal courts under Article III of the U.S. Constitution.

Decision

In deciding Loper Bright, the Supreme Court stated that courts simply “do not throw up their hands because ‘Congress’s instructions have’ supposedly ‘run out.’” “Courts instead understand that such statutes, no matter how impenetrable, do—in fact, must—have a single, best meaning. … So instead of declaring a particular party’s reading ‘permissible’ in such a case, courts use every tool at their disposal to determine the best reading of the statute and resolve the ambiguity,” the Court stated.

The Supreme Court further stated that agencies do not have any special ability to interpret ambiguities, “even when an ambiguity happens to implicate a technical matter” as “Congress expects courts to handle technical statutory questions.” However, the Court stated that courts do not decide cases “blindly” and instead, rely on arguments from the parties and amici, noting that an agency’s interpretation “may be especially informative.”

“The better presumption is therefore that Congress expects courts to do their ordinary job of interpreting statutes, with due respect for the views of the Executive Branch,” the court stated. “And to the extent that Congress and the Executive Branch may disagree with how the courts have performed that job in a particular case, they are of course always free to act by revising the statute.”

However, the Court noted that the decision does “not call into question prior cases that relied on the Chevron framework,” as cases upholding specific agency actions “are still subject to statutory stare decisis despite our change in interpretive methodology.”

Justice Elena Kagan and Justice Sonia Sotomayor dissented and were joined by Justice Jackson to the extent it applied to the Relentless case. In the dissenting opinion authored by Justice Kagan, the justices argued that Chevron deference “has formed the backdrop against which Congress, courts, and agencies—as well as regulated parties and the public—all have operated for decades” and “has been applied in thousands of judicial decisions.”

They argued that Chevron deference is “right” and the “obvious choice” to resolve ambiguities because “[a]gencies have expertise” that “courts do not.” Further, agencies report to the president, “who in turn answers to the public for his policy calls; courts have no such accountability and no proper basis for making policy.” Moreover, “Congress has conferred on that expert, experienced, and politically accountable agency the authority to administer—to make rules about and otherwise implement—the statute giving rise to the ambiguity or gap,” Justice Kagan wrote.

Next Steps

The Supreme Court’s latest decision is likely to shift power dynamics by weakening agency authority to interpret ambiguous statutes and increasing judicial scrutiny. At a minimum, agencies may need to provide stronger justifications on the merits for their interpretations, and overall, they may be less likely to issue rulemaking in areas where statutory authority is not clear.

The decision is also likely to increase litigation and legal uncertainty, as it potentially opens the floodgates to a wave of legal challenges to overturn all sorts of existing agency rules that have been upheld citing Chevron deference and legal challenges to new agency rules moving forward. For example, this decision likely will have significant impact on the litigation challenging the Federal Trade Commission’s (FTC) rule purporting to ban noncompetes nationally.

Continuing Forward: Senate Leaders Release an AI Policy Roadmap

The US Senate’s Bipartisan AI Policy Roadmap is a highly anticipated document expected to shape the future of artificial intelligence (AI) in the United States over the next decade. This comprehensive guide, which complements the AI research, investigations, and hearings conducted by Senate committees during the 118th Congress, identifies areas of consensus that could help policymakers establish the ground rules for AI use and development across various sectors.

From intellectual property reforms and substantial funding for AI research to sector-specific rules and transparent model testing, the roadmap addresses a wide range of AI-related issues. Despite the long-awaited arrival of the AI roadmap, Sen. Chuck Schumer (D-NY), the highest-ranking Democrat in the Senate and key architect of the high-level document, is expected to strongly defer to Senate committees to continue drafting individual bills impacting the future of AI policy in the United States.

The Senate’s bipartisan roadmap is the culmination of a series of nine forums held last year by the Senate’s bipartisan AI Working Group, during which the group gathered diverse perspectives and information on AI technology. Topics of the forums included:

  1. Inaugural Forum
  2. Supporting US Innovation in AI
  3. AI and the Workforce
  4. High Impact Uses of AI
  5. Elections and Democracy
  6. Privacy and Liability
  7. Transparency, Explainability, Intellectual Property, and Copyright
  8. Safeguarding
  9. National Security

The wide range of views and concerns expressed by over 150 experts including developers, startups, hardware and software companies, civil rights groups, and academia during these forums helped policymakers develop a thorough and inclusive document that reveals the areas of consensus and disagreement. As the 118th Congress continues, it’s expected that Sen. Schumer will reach out to his counterparts in the US House of Representatives to determine the common areas of interest. Those bipartisan and bicameral conversations will ultimately help Congress establish the foundational rules for AI use and development, potentially shaping not only the future of AI in the United States but also influencing global AI policy.

The final text of this guiding document focuses on several high-level categories. Below, we highlight a handful of notable provisions:

Publicity Rights (Name, Image, and Likeness)

The roadmap encourages senators to consider whether there is a need for legislation that would protect against the unauthorized use of one’s name, image, likeness, and voice, as it relates to AI. While state laws have traditionally recognized the right of individuals to control the commercial use of their so-called “publicity rights,” federal recognition of those rights would mark a major shift in intellectual property law and make it easier for musicians, celebrities, politicians, and other prominent public figures to prevent or discourage the unauthorized use of their publicity rights in the context of AI.

Disclosure and Transparency Requirements

Noting that the “black box” nature of some AI systems can make it difficult to assess compliance with existing consumer protection and civil rights laws, the roadmap encourages lawmakers to ensure that regulators are able to access information directly relevant to enforcing those laws and, if necessary, place appropriate transparency and “explainability” requirements on “high risk” uses of AI. The working group does not offer a definition of “high risk” use cases, but suggests that systems implicating constitutional rights, public safety, or anti-discrimination laws could be forced to disclose information about their training data and factors that influence automated or algorithmic decision making. The roadmap also encourages the development of best practices for when AI users should disclose that their products utilize AI, and whether developers should be required to disclose information to the public about the data sets used to train their AI models.

The document also pushes senators to develop sector-specific rules for AI use in areas such as housing, health care, education, financial services, news and journalism, and content creation.

Increased Funding for AI Innovation

On the heels of the findings included in the National Security Commission on Artificial Intelligence’s (NSCAI) final report, the roadmap encourages Senate appropriators to provide at least $32 billion for AI research funding at federal agencies, including the US Department of Energy, the National Science Foundation, and the National Institute of Standards and Technology. This request for a substantial investment underscores the government’s commitment to advancing AI technology and seeks to position federal agencies as “AI ready.” The roadmap’s innovation agenda includes funding the CHIPS and Science Act, support for semiconductor research and development to create high-end microchips, modernizing the federal government’s information technology infrastructure, and developing in-house supercomputing and AI capacity in the US Department of Defense.

Investments in National Defense

Many members of Congress believe that creating a national framework for AI will also help the United States compete on the global stage with China. Senators who see this as the 21st century space race believe investments in the defense and intelligence community’s AI capabilities are necessary to push back against China’s head start in AI development and deployment. The working group’s national security priorities include leveraging AI’s potential to build a digital armed services workforce, enhancing and accelerating the security clearance application process, blocking large language models from leaking intelligence or reconstructing classified information, and pushing back on perceived “censorship, repression, and surveillance” by Russia and China.

Addressing AI in Political Ads

Looking ahead to the 2024 election cycle, the roadmap’s authors are already paying attention to the threats posed by AI-generated election ads. The working group encourages digital content providers to watermark any political ads made with AI and include disclaimers in any AI-generated election content. These guardrails also align with the provisions of several bipartisan election-related AI bills that passed out of the Senate Rules Committee the same day of the roadmap’s release.

Privacy and Legal Liability for AI Usage

The AI Working Group recommends the passage of a federal data privacy law to protect personal information. The AI Working Group notes that the legislation should address issues related to data minimization, data security, consumer data rights, consent and disclosure, and the role of data brokers. Support for these principles is reflected in numerous state privacy laws enacted since 2018, and in bipartisan, bicameral draft legislation (the American Privacy Rights Act) supported by Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA).

As we await additional legislative activity later this year, it is clear that these guidelines will have far-reaching implications for the AI industry and society at large.

New Department of Labor Rule Restores Multifactor Analysis for Classifying Workers as Employees or Independent Contractors

Effective March 11, 2024, a new administrative rule will modify how the Department of Labor (DOL or Department) classifies workers as either employees or independent contractors under the Fair Labor Standards Act (FLSA). The 2024 rule will rescind the 2021 rule currently in place, which focused the Department’s classification analysis on two “core factors,” and restores the multifactor analysis that previously had been in use by courts for decades.

Given the procedural uncertainty surrounding the 2021 rule, its impact on FLSA jurisprudence has been minimal to nonexistent. In this sense, the 2024 rule merely codifies an analysis that federal courts never really stopped using in the first place. But it also sends an important signal to employers operating in the modern economy: even if workers have significant autonomy over their day-to-day work lives, they should be classified as employees if, as a matter of economic reality, they are dependent on their employer’s business for work.

Background on the FLSA and Pre-2021 Classification Analysis

Under the FLSA, employers generally must pay employees at least the federal minimum wage for all hours worked and at least one and one-half times the employee’s regular rate of pay for every hour worked over 40 in a single workweek. The FLSA does not, however, extend these and other workplace protections to workers who are classified as independent contractors. Employees who are misclassified as independent contractors therefore may incur substantial losses in unpaid overtime and other lost wages as a result of their status.

Prior to 2021, federal courts applied flexible, multifactor tests rooted in Supreme Court precedent to determine whether workers should be classified as employees, and thus covered by the FLSA, or independent contractors, and thus excluded from FLSA coverage. The “ultimate inquiry” was whether, as a matter of economic reality, the worker was economically dependent on the business entity for work (employee) or was in business for herself (independent contractor).

Though the specific factors varied somewhat by circuit, the tests generally took into consideration (1) workers’ opportunity for profit or loss; (2) the amount of investment in the business by the worker; (3) the permanency of the working relationship; (4) the business’s control over the worker; (5) whether the work constituted an “integral part” of the business; and (6) the skill and initiative required to do the worker’s job. Courts tended not to assign predetermined weight to any factor or factors and engaged in a “totality-of-the-circumstances” analysis.

Prior to 2021, DOL had issued only informal guidance on classifying workers as employees or independent contractors and other than some industry-specific guidance—for example, for sharecroppers and tenant farmers and certain workers in the forestry and logging industries—had not engaged in formal rulemaking on this topic. Rather, the Department allowed federal courts to develop and hone their own classification analyses on a case-by-case basis.

The 2021 Rule

On January 7, 2021, DOL promulgated a first-of-its-kind rule identifying a total of five factors, but prioritizing only two “core factors,” for federal courts to consider in conducting the classification analysis. DOL articulated the two “core factors” as (1) the nature and degree of the worker’s control over the work and (2) the worker’s opportunity for profit or loss based on initiative, investment, or both. It articulated the three remaining factors as (3) the amount of skill required for the work; (4) the degree of permanence of the working relationship between the individual and the business; and (5) whether the work is part of an “integrated unit of production.” If the two “core factors” weighed in favor of the same classification, it likely was the correct classification, and the Department deemed it “highly unlikely” the three non-core factors could outweigh the combined probative value of the other two.

By elevating the two “core factors” above the other factors traditionally considered by federal courts, the 2021 rule focused almost exclusively on workers’ control over when and on what projects they worked and their ability to earn more money based on how efficiently or for how long they worked. This approach ignored the reality that for many workers, their work is completely dependent on their employer’s business—and vice versa—even though they may have significant autonomy over their day-to-day work lives.

The Department’s articulation of some of the non-core factors also departed from longstanding court precedent and rendered them less, not more, compatible with the modern economy. For example, the 2021 rule considered only whether a worker’s job was part of an “integrated unit of production,” akin to a job on an assembly line, rather than its importance or centrality to the business, overall. This change risked misclassifying employees who performed work that was essential to but “segregable from” an employer’s process of production or provision of services, even though modern industry is much more sprawling than the traditional assembly line. The 2021 rule also combined the distinct “investment in the business” factor with consideration of a worker’s potential for profit and loss, which improperly shifted the focus of that factor from worker inputs to worker outcomes. This change likewise risked misclassifying employees who earned more profits because of greater “investment” in their employers’ businesses, even though the costs they bore might have been non-capital in nature, e.g., an existing personal vehicle, or imposed unilaterally by the employers.

Shortly after the change in administration that took place on January 20, 2021, the Department took steps to delay and ultimately withdraw the 2021 rule based on these and other concerns about its potential to misclassify employees as independent contractors. But legal challenges to the administrative process led a Texas district court to vacate the Department’s delay and withdrawal actions, ostensibly leaving the 2021 rule in effect. Though the Department appealed the district court’s order, the Fifth Circuit stayed the action pending promulgation of the new rule. In the interim, the uncertain legal status of the 2021 rule and impending new rule meant that few courts, if any, incorporated the “core factor” analysis into their jurisprudence.[1]

The 2024 Rule

After unsuccessful efforts to delay and withdraw the 2021 rule, the Department opted to rescind and replace it altogether with the new final rule it announced on January 10, 2024. The 2024 rule, effective March 11, 2024, identifies six equally-weighted factors for courts to consider in classifying workers as independent contractors or employees: (1) opportunity for profit or loss depending on managerial skill; (2) investments by the worker and the potential employer; (3) degree of permanence of the work relationship; (4) nature and degree of control; (5) extent to which the work performed is an integral part of the potential employer’s business; and (6) skill and initiative. Each single factor should be considered “in view of the economic reality of the whole activity” and additional factors “may be relevant” to the analysis.

Notably, the 2024 rule reverts to the “integral to the business” formulation of that factor; treats “investment in the business” as a distinct factor; differentiates between capital and non-capital investments by workers; and takes into consideration whether a particular cost was incurred based on entrepreneurial initiative or was imposed unilaterally by the employer. In these ways, the 2024 rule is much more compatible with the growing and increasingly diffuse economy than was the 2021 rule.

Ongoing and prospective legal challenges to the 2024 rule, plus the looming possibility that the Supreme Court will overturn or modify Chevron v. Natural Resources Defense Council—the 1984 decision applying deference to a federal agency’s interpretation of the statutes it administers—mean the 2024 rule may have a limited impact on FLSA jurisprudence. But it nevertheless conveys the Department’s position that employers should err on the side of classifying workers as employees, not independent contractors, and therefore subject to FLSA protections.

Given this changing landscape, employers may struggle to classify workers who were considered independent contractors under the 2021 rule but will be considered employees under the 2024 rule. If your employer has misclassified you as an independent contractor instead of an employee, you may be entitled to benefits and protections under the FLSA or state equivalents, like time-and-a-half pay for overtime work, that you are not currently receiving. If you believe you have been misclassified, consider contacting an attorney to discuss your legal options.

[1] The Fifth Circuit remanded the Texas case to the district court in light of the 2024 rule on February 19, 2024. Coal. for Workforce Innovation v. Walsh, No. 22-40316 (5th Cir. Feb. 19, 2024).

Secure Software Regulations and Self-Attestation Required for Federal Contractors

US Policy and Regulatory Alert

Government contractors providing software across the federal government’s supply chain will be required later this year to comply with the Secure Software Development Framework (SSDF). Under the new requirements, software producers must attest that the software they supply to the federal government was developed in accordance with the SSDF’s secure development practices.

Cybersecurity Compromises of Government Software on the Rise

In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code: that is, software developed with security in mind, so that flaws and vulnerabilities are identified and mitigated before the government buys and deploys it.

The SSDF as A Government Response

In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in Special Publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. In other words, a producer that cannot attest to meeting the NIST practices will not be able to supply software to the federal government. There are some exceptions, and processes by which software can be brought into compliance under milestones for improvement, all of which are highly technical and subjective.

In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023.1

SSDF Implementation Deadline and Requirements for Government Suppliers

M-22-18 initially set deadlines of 11 June 2023 for critical software and 13 September 2023 for all other software to comply with the SSDF attestation requirement. Press reports indicate that these deadlines will be extended due to both the complexity of the SSDF requirements and the fact that the comment period on the draft form remains open until 26 June 2023. However, neither OMB nor CISA has yet confirmed an extension of the deadlines.

Attestation and Compliance with the SSDF

Based on what we know now, the attestation form generally requires software producers to confirm that:

  • The software was developed and built in secure environments.
  • The software producer has made a good-faith effort to maintain trusted source code supply chains.
  • The software producer maintains provenance data for internal and third-party code incorporated into the software.
  • The software producer employed automated tools or comparable processes that check for security vulnerabilities.

Software producers that must comply with the SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and likely will take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, as is usually the case with such regulations. The SSDF also includes numerous ambiguities. For example, the SSDF expects versioning changes in software to have certain effects on the security assessment, although the term “versioning” does not have a standard definition in the software sector.

Next Steps and Risks of Noncompliance

Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant and retain the evidence supporting each attestation, such as records of the build environment controls, the provenance data maintained for internal and third-party code, and the results of the automated vulnerability checks. Contractors and other interested parties should also use this opportunity to share feedback and insights with CISA through the public comment process.

K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.


1 88 Fed. Reg. 25,670.

Copyright 2023 K & L Gates