DOD Archives - The National Law Forum

The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a pre-risk gap assessment internal review, ideally conducted under legal privilege, is recommended to permit sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which, contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in the oversight of how the DoD manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aim to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0
Model	Assessment
Level 3	134 requirements based on NIST SP 800-171 and 800-172	Triennial government-led assessment and annual affirmation
Level 2	110 requirements aligned with NIST SP 800-171	Triennial third-party assessment and annual affirmation; Triennial self-assessment and annual affirmation for select programs
Level 1	15 requirements	Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the italicized language does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

TEMPORARY AND ENDURING EXCEPTIONS

DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4)). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in C.F.R Title 32 establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

DEFINITION OF SECURITY PROTECTION DATA

In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

DIBCAC ASSESSMENTS

For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

CSPS AND ESPS

Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

APPLICABILITY TO SUBCONTRACTORS

The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

MISREPRESENTATION AND FALSE CLAIMS ACT RISK

Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

THE ELEPHANT (STILL) IN THE ROOM

The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

CONCLUSION

The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

© 2024 McDermott Will & Emery

by: Daniel P. Graham, Jessica McGahie Sawyer, Brian Long of McDermott Will & Emery

For more on the CMMC Program, visit the NLR Consumer Protection section

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Article By Kathryn M. Rattigan of Robinson & Cole LLP

For more cybersecurity and data privacy news, click here to visit the National Law Review.

Defense Department Takes Aim at Anticompetitive Mergers in Defense Industry

Government says market concentration poses a national security risk.

In 1990, the Department of Defense could turn to 13 companies to produce tactical missiles, eight to make fixed-wing aircraft, and another eight to build ships. Now there are only three missile and three aircraft makers, and only two surface ship builders. There were eight satellite manufacturers in 1990; today there are only four. Tanks and other tracked vehicles are now made by a single company.

Such market consolidation is potentially harmful for the usual reasons, such as less innovation, higher prices, and a lower level of customer service. But when that customer is the DOD, having only one or a handful of defense equipment makers, suddenly critical military missions, military and civilian lives, and national security are put at risk, “[P]articularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation ….”

That is the worrisome assessment contained in a report issued by the DOD which is following up on President Biden’s July 2021 executive order, titled “Promoting Competition in the American Economy.” DOD is just one of the agencies now responding with plans to evaluate their respective competitive landscapes and to make recommendations to restore productive rivalries.

If market consolidation suggests harmful anticompetitive conditions, then the defense industry’s merger history should send up multiple flares. “Since the 1990s, the defense sector has consolidated substantially, transitioning from 51 to 5 aerospace and defense prime contractors,” the report says.

DOD offers five general recommendations to increase defense industry competition, saying it should:

Strengthen Merger Oversight. When a merger threatens DOD interests, DOD will support the Federal Trade Commission and Department of Justice in antitrust investigations and recommendations involving the defense industry.
Address Intellectual Property Limitations. Certain practices surrounding intellectual property and data rights have been used to limit competition in DOD purchasing and to induce “vendor-lock” and other undesirable results. DOD says it will identify its long-term intellectual property needs early in the bidding process. This should ensure that intellectual property is a key factor in evaluating competitive awards, and a negotiation objective in sole-source awards and when contracting with vendors willing to provide the government the intellectual property and rights it needs.
Increase New Entrants. To counteract the shrinking list of contractors, DOD says it will work to attract new entrants to the defense marketplace by reducing barriers to entry. This will be accomplished through small business outreach and support. DOD says it will use “acquisition authorities” that will give it the flexibility to adopt and incorporate commercial best practices to reduce barriers and attract new vendors.
Increase Opportunities for Small Businesses. DOD will increase small business participation in defense procurement, with an emphasis on increasing competition in priority segments of the defense industry.
Implement Sector-Specific Supply Chain Resiliency Plans. DOD calls for greater resilience in the supply chain for five priority sectors: casting and forgings, missiles and munitions, energy storage and batteries, strategic and critical materials, and microelectronics.

In June 2021, Bradley Martin, Ph.D., a retired Navy captain now with the RAND National Security Supply Chain Institute, wrote of the dangers of the defense industry’s shift to practices that make resupply of military equipment “highly questionable” should demand for equipment suddenly spike.

Abrams Main Battle Tank manufactured by General Dynamics, the sole producer of tanks and other tracked combat vehicles for the Department of Defense. Photo from General Dynamics’ website.

“If evaluated solely against meeting steady-state demand, the military operational supply chain works as it should,” Martin wrote. “The problem is not performance relative to incentives. Rather, the problem is that the existing guidance does not lead the system to conduct analyses and make decisions needed to support the highly demanding combat operations likely in a conflict with a major power. As a result, the ability of this system to properly support the joint force in the event of major conflict is at best untested and could be highly problematic.”

Recent Public and Private Actions

In addition to the government’s focus on the overall industry, it has been taking action to address specific instances of alleged and potentially anticompetitive behavior. In one instance, a private class action quickly followed.

In January, the FTC sued to stop Lockheed Martin Corp.’s $4.4 billion acquisition of Aerojet Rocketdyne Holdings Inc., marking the first time in decades the government opposed a defense industry merger. (Read FTC Sues to Torpedo Lockheed’s $4.4 Billion Aerojet Acquisition.)

The FTC noted that Aerojet, which reported more than $2 billion in 2020 revenue, is the last independent U.S. supplier of defense-critical missile propulsion systems. If the deal were to go through, the FTC said, “Lockheed will use its control of Aerojet to harm rival defense contractors and further consolidate multiple markets critical to national security and defense.”

Lockheed leads the pack of the largest defense contractors in the world. It is one of the leading suppliers of missile technology in a concentrated group that includes Raytheon Technologies, Inc., Northrop Grumman Corporation, and The Boeing Company. All are missile system prime contractors to the Department of Defense. The FTC says these companies are intermediaries between the U.S. government and the missile supply chain, including subcontractors like Aerojet.

In December 2021, a federal grand jury in Connecticut returned an indictment charging a former manager of leading aerospace engineering company Pratt & Whitney, Inc., and five executives of outsource engineering suppliers for participating in a long-running conspiracy to restrict the hiring and recruiting of employees among their respective companies. (Read Aerospace Execs Indicted for Conspiracy to Limit Worker Pay and Job Prospects.)

The conspiracy is said to have affected thousands of engineers and other skilled workers in the aerospace industry who perform services in the design, manufacturing, and servicing of aircraft components for both commercial and military purposes. According to the felony indictment, unsealed in U.S. District Court for the District of Connecticut, six individuals conspired with others to allocate employees by agreeing not to hire or solicit professionals from each other’s ranks.

Following the indictment, a jet engine mechanic formerly employed by Pratt & Whitney filed a class action suit in federal court in Connecticut against the company and five outsource engineer suppliers. The plaintiffs seek damages because of the alleged conspiracy to suppress labor costs and hamper employees’ career prospects using illegal no-poach agreements in violation of antitrust laws.

Ukraine Invasion Demonstrates ‘Rapid Escalation’

Combined with Russia’s invasion of Ukraine and the alarming specter of a widening conflict, security supply chain expert Bradley Martin’s assessment that the industry may not be set up to address a spike in demand for military equipment illustrates why the DOD’s plan to improve competition in the defense industry is an urgent one.

“The Ukraine crisis shows that situations can rapidly escalate, potentially leading to situations where spikes in demand might occur in largely unexpected ways,” Martin told the MoginRubin Blog. “If the U.S. had to deal with an expanded conflict in Europe, such as might occur if Russia were to threaten a NATO ally, DOD could reallocate munitions and supplies for some period, but expanding production and inventory over a longer period would be very challenging. This would likely be exactly the kind of conflict where low-standing issues with supply chains would show themselves, sometimes in unexpected ways.”

Defense is just one of several industries seeing increased scrutiny from enforcers. Healthcare also has been a focus of late (see our article regarding FTC’s action to stop a New England hospital merger). The technology sector is getting attention, too. As we wrote in February, chipmaker Nvidia called off its vertical acquisition of Arm Ltd. following an FTC challenge to the deal. A recent Treasury Department report on the alcoholic beverage industry foreshadows greater attention from the FTC and DOJ regarding deals in that sector.

In October the FTC said it was bringing back its policy of routinely restricting anticompetitive mergers, putting “industry on notice” that it will require aggressive acquirers to obtain prior approval “before closing any future transaction affecting each relevant market for which a violation was alleged, for a minimum of 10 years.” The agency is clearly making good on its promise.

Edited by Tom Hagy for MoginRubin LLP.

Article By Jennifer M. Oliver with MoginRubin.

For more articles about antitrust, visit the NLR Antitrust Law section.

Continuing Effort to Protect National Security Data and Networks

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Evolving and increasing threats to U.S. defense data and national security networks have necessitated changes and refinements to U.S. regulatory requirements intended to protect such.

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARs) intended to better protect defense data and networks. In 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC). In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

DFARs initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. DFARs was self-compliant in nature.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC proposed a verification program to ensure that NIST-compliant cybersecurity protections were in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARs, CMMC initially required certification of compliance by an independent cybersecurity expert.

The DoD has announced an updated cybersecurity framework, referred to as CMMC 2.0. The announcement comes after a months-long internal review of the proposed CMMC framework. It still could take nine to 24 months for the final rule to take shape. But for now, CMMC 2.0 promises to be simpler to understand and easier to comply with.

Three Goals of CMMC 2.0

Broadly, CMMC 2.0 is similar to the earlier-proposed framework. Familiar elements include a tiered model, required assessments, and contractual implementation. But the new framework is intended to facilitate three goals identified by DoD’s internal review.

Simplify the CMMC standard and provide additional clarity on cybersecurity regulations, policy, and contracting requirements.
Focus on the most advanced cybersecurity standards and third-party assessment requirements for companies supporting the highest priority programs.
Increase DoD oversight of professional and ethical standards in the assessment ecosystem.

Key Changes under CMMC 2.0

The most impactful changes of CMMC 2.0 are

A reduction from five to three security levels.
Reduced requirements for third-party certifications.
Allowances for plans of actions and milestones (POA&Ms).

CMMC 2.0 has only three levels of cybersecurity

An innovative feature of CMMC 1.0 had been the five-tiered model that tailored a contractor’s cybersecurity requirements according to the type and sensitivity of the information it would handle. CMMC 2.0 keeps this model, but eliminates the two “transitional” levels in order to reduce the total number of security levels to three. This change also makes it easier to predict which level will apply to a given contractor. At this time, it appears that:

Level 1 (Foundational) will apply to federal contract information (FCI) and will be similar to the old first level;
Level 2 (Advanced) will apply to controlled unclassified information (CUI) and will mirror NIST SP 800-171 (similar to, but simpler than, the old third level); and
Level 3 (Expert) will apply to more sensitive CUI and will be partly based on NIST SP 800-172 (possibly similar to the old fifth level).

Significantly, CMMC 2.0 focuses on cybersecurity practices, eliminating the few so-called “maturity processes” that had baffled many DoD contractors.

CMMC 2.0 relieves many certification requirements

Another feature of CMMC 1.0 had been the requirement that all DoD contractors undergo third-party assessment and certification. CMMC 2.0 is much less ambitious and allows Level 1 contractors — and even a subset of Level 2 contractors — to conduct only an annual self-assessment. It is worth noting that a subset of Level 2 contractors — those having “critical national security information” — will still be required to seek triennial third-party certification.

CMMC 2.0 reinstitutes POA&Ms

An initial objective of CMMC 1.0 had been that — by October 2025 — contractual requirements would be fully implemented by DoD contractors. There was no option for partial compliance. CMMC 2.0 reinstitutes a regime that will be familiar to many, by allowing for submission of Plans of Actions and Milestones (POA&Ms). The DoD still intends to specify a baseline number of non-negotiable requirements. But a remaining subset will be addressable by a POA&M with clearly defined timelines. The announced framework even contemplates waivers “to exclude CMMC requirements from acquisitions for select mission-critical requirements.”

Operational takeaways for the defense industrial base

For many DoD contractors, CMMC 2.0 will not significantly impact their required cybersecurity practices — for FCI, focus on basic cyber hygiene; and for CUI, focus on NIST SP 800-171. But the new CMMC 2.0 framework dramatically reduces the number of DoD contractors that will need third-party assessments. It could also allow contractors to delay full compliance through the use of POA&Ms beyond 2025.

Increased Risk of Enforcement

Regardless of the proposed simplicity and flexibility of CMMC 2.0, DoD contractors need to remain vigilant to meet their respective CMMC 2.0 level cybersecurity obligations.

Immediately preceding the CMMC 2.0 announcement, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative on October 6 to combat emerging cyber threats to the security of sensitive information and critical systems. In its announcement, the DOJ advised that it would pursue government contractors who fail to follow required cybersecurity standards.

As Bradley has previously reported in more detail, the DOJ plans to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors or involving government programs, where entities or individuals, put U.S. information or systems at risk by knowingly:

Providing deficient cybersecurity products or services
Misrepresenting their cybersecurity practices or protocols, or
Violating obligations to monitor and report cybersecurity incidents and breaches.

The DOJ also expressed their intent to work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

As a result, while CMMC 2.0 will provide some simplicity and flexibility in implementation and operations, U.S. government contractors need to be mindful of their cybersecurity obligations to avoid new heightened enforcement risks.

Article By Andrew Tuggle and David Vance Lucas with Bradley Arant Boult Cummings LLP.

For more articles about cybersecurity, visit the NLR Cybersecurity, Media & FCC section.

Focus on Military Readiness Means More Construction Work on Military Bases: Are Contractors Ready to Compete and Perform?

The United States military is the most powerful warfighting force in world history.

But Secretary of Defense Jim Mattis made a stark observation in the 2017 National Defense Strategy:

Without sustained and predictable investment to restore readiness and modernize our military to make it fit for our time, we will rapidly lose our military advantage, resulting in a Joint Force that has legacy systems irrelevant to the defense of our people.

The problem, in summary, is a lack of readiness.

But the Future is “BIG”

Readiness is not as exciting as futuristic weapons systems or as dramatic as battle. Instead, readiness focuses on the military’s more mundane, but essential, ability to train, house troops, repair equipment, and plan for mobilization. Readiness undergirds the core ability of the military to defend the United States. We are seeing a new emphasis on readiness. Significantly, the current President and Congress are actively increasing the military’s budget to purchase goods and services, especially those related to the construction of military facilities.

This new construction is required because readiness demands it. For example, many structures at MCAS Cherry Point used for aviator and aircraft ground-support training, repair, and deployment are over 70 years old. Many structures were built for World War II and the Cold War. We now face different enemies, technologies, and strategies. Combat aircraft fleet facility upgrades are essential to meet the raised readiness standard.

In addition, the new F-35 Joint Strike Fighter adds significantly increased technology, infrastructure, and security demands that cannot be met with the current facilities at MCAS Cherry Point and its tenant command, Fleet Readiness Center East (“FRC East”). MCAS Cherry Point will be home for probably 94 F-35 jet fighters. FRC East’s role in servicing Air Force, Navy, and Marine Corps variants of the Joint Strike Fighter is essential to achieving the overwhelming lethality required for proper military readiness.

But MCAS Cherry Point and FRC East cannot fulfill their obligations to the readiness standard without new construction. The President has asked Congress to fund the following major construction projects for the federal fiscal year beginning in October 2018:

$133,970,000 for a new hangar that will house F-35B Lightning II Joint Strike Fighters for the Marine Corps’ Second Marine Air Wing, which is headquartered at MCAS Cherry Point.
$106,860,000 to modernize flight line infrastructure such-as electrical, water, and technology services as well as new access points and loading areas for the new hangar.

That’s about $180,000,000 more than MCAS Cherry Point has seen in a single fiscal year for at least the last 20 years. But this new funding is only the beginning of a rapidly accelerating plan to rebuild Cherry Point’s aging facilities, roads, and infrastructure. We also expect the following projects to be funded over the next 10 years:

New streets, parking, security enhancements, and F-35 hangars at MCAS Cherry Point at a cost of around $600 million.
New repair hangars, test facilities, and improved facilities at FRC East at of a cost of around $400 million.

Overall, we expect to see around $1.2 billion in new construction and facility upgrades at MCAS Cherry Point and FRC East over the next 15 years.

A Place for Private Contractors

Successful construction needs more than just funding. It also needs private contractors who can build, install, and maintain the facilities and infrastructure.

The federal procurement process for construction of Defense Department facilities is a complex undertaking. Once a company enters the procurement process, there are special rules unique to federal contracting that the contractor must understand. Therefore, companies should become familiar with the federal procurement rules before pursuing their first contract. While a comprehensive primer on these rules is beyond the scope of this article, our attorneys handling government contracts are seeing an increase in the use of small business preferences and teaming arrangements. These programs allow small businesses to benefit both from their size status and the competitive advantage of teaming with a larger or more sophisticated company.

Incentives: Federal Small Business Preferences

We have seen a marked increase in contractors interested in qualifying for the small business “set-aside” and other programs available in federal procurements. At the same time, the Defense Department itself is, at least in theory, promoting the set-aside programs. Opportunity abounds for companies who qualify for small business programs.

Unlike most private sector commercial contracts, federal government contracts are used to support certain socio-economic goals. Many of these programs favor small or disadvantaged businesses. The federal government has a specific goal every year for the percentage of contracts given to small and disadvantaged businesses. The following programs are currently the most active for participation and promotion:

Woman-owned small businesses
Historically underutilized businesses in certain geographical areas (“HUBZone businesses”)
Veteran-owned small businesses (especially service-disabled veterans)
Mentor-protégé joint ventures and teaming agreements between large and small businesses, especially those teaming with Section 8(a) disadvantaged businesses.

Construction companies and other contractors who are ready for this wave of new projects will benefit from the increased attention to readiness upgrades. Unprepared companies will lose out on these opportunities. This may not seem a big problem while the economy is strong, but in our experience, contractors who planned for federal work survived and even thrived during the recent Great Recession.

Conclusion

Fortunately, with proper planning, a good business plan, and sound legal advice, there is no reason to be discouraged from beginning or expanding your federal government contracts. Although entering and working within the federal contracting arena can be daunting, several programs assist small and innovative companies with getting and keeping federal contracts.

This post was written by James W. Norment of Ward and Smith, P.A.

A Change to the Suspending and Debarring Official (SDO) Position at NASA

On March 8, 2016, a final rule changed the position of the National Aeronautics and Space Administration’s (“NASA”) suspending and debarring official (“SDO”). The SDO had been NASA’s Assistant Administrator for Procurement. The final rule reassigns the position to NASA’s Deputy General Counsel. Public comments were not accepted because NASA concluded that the change “affects only the internal operating procedures” of the agency.

Not mentioned in this action is Section 861(a) of the National Defense Authorization Act of 2013. That law applies to the U.S. Department of Defense (“DoD”), the U.S. Department of State (“State”), and the U.S. Agency for International Development (“USAID”), not to NASA, but for those agencies it specifically prohibits the not-uncommon practice of having a procurement officer act as an SDO. Last year, in International Relief and Development, Inc. et al. v. United States Agency for International Development et al., No. 15-CV-854 RCL (D.D.C.), a federal court concluded that such an arrangement at USAID likely violated Section 861(a).

Section 861(a) precipitated a necessary discussion on the independence and impartiality of SDOs. It is not hard to imagine how an SDO who also serves as a procurement officer could be predisposed against a contractor. But even if NASA’s change tacitly acknowledges this concern, it hardly resolves it. Conditioned already to advocate for a particular client, agency counsel are sure to have predispositions, as well.

Article By Frederic M. Levy & Jade C. Totman of Covington & Burling LLP

Wasn't That Supposed to be Made in the USA?

Made in the USA.jpg Despite the existence of long-standing U.S. laws strongly favoring the purchase of domestic products for use by governmental entities, in governmental programs and particularly the fulfillment of Department of Defense (“DoD”) contracts, a surprising number of companies still attempt to circumvent these laws. They do so at their own peril. Recognizing the harm likely to befall American workers as a result, an increasing number of employees and former employees have “blown the whistle” on these practices in recent years and teamed up with the U.S. Government to curtail this trend.

The Buy American Act, 41 U.S.C. §§ 8301–8305, (“BAA”) was enacted in 1933 under President Hoover as part of New Deal legislation intended to help struggling American depression era companies. The BAA superseded an 1875 statute that “related to preferential treatment of American material contracts for public improvements.” (1933, Sect. 10). The law carried with it a very simple idea: require the government to exercise a clear preference for US-made products in its purchases to bolster the American economy.

To this day, the BAA continues to require federal agencies to purchase “domestic end products” and use “domestic construction materials” in contracts exceeding certain dollar amounts performed in the United States. Unmanufactured end products or construction materials qualify as “domestic” if they are mined or produced in the United States. Manufactured products are treated as “domestic” if they are manufactured in the United States, and either (1) the cost of components mined, produced, or manufactured in the United States exceeds 50% of the cost of all components, or (2) the items are commercially available off-the-shelf items.

Exemptions and exceptions to the applicability of the BAA exist. For example, the BAA does not apply if the purchasing agency determines “it to be inconsistent with the public interest, or the cost to be unreasonable.” Furthermore, the U.S. Trade Agreements Act of 1979 authorizes the President to waive any procurement law or regulation that accords foreign products less favorable treatment than that given to domestic products in foreign lands. Additionally, purchases from Canada and Mexico are exempt from BAA prohibitions under the North American Free Trade Agreement. Other treaties and agreements also limit the BAA. Despite these, the BAA continues to cast a wide liability net for those that seek to willfully or knowingly circumvent it.

Similar to the BAA, the Berry Amendment was passed in 1941 to promote the U.S. economy through the preferential purchase of certain U.S. goods. The Amendment was eventually codified as 10 U.S.C. 2533a in 2002. The law prohibits the Department of Defense (“DoD”) from utilizing any funding available to or appropriated by the DoD for the purchase of the following end product items from “non-qualifying countries” unless these items are wholly of U.S. origin: food; clothing; tents, tarpaulins, or covers; cotton and other natural fiber products; woven silk or woven silk blends; spun silk yarn for cartridge cloth; synthetic fabric or coated synthetic fabric (including all textile fibers and yarns that are for use in such fabrics); canvas products, or wool (whether in the form of fiber or yarn or contained in fabrics, materials, or manufactured articles); or any item of individual equipment manufactured from or containing such fibers, yarns, fabrics, or materials; and hand or measuring tools. Noticeably absent from the definition of “qualifying country” are China, Japan, Thailand and Korea- among others.

Congress revised the Berry Amendment for fiscal years 2007 and 2008 with National Defense Authorization Act. The revised statute, 10 U.S.C. 2533b, declares that the DoD is prohibited from acquiring specialty metals or component parts for the use in the construction of aircraft, missile and space systems, ships, tank and automotive items, weapon systems, or ammunition unless the DoD itself acquires those materials directly. In other words, contractors engaged in the production of these items must use American made specialty metals or require that the DoD obtain these materials and component parts for use in any such fabrication and manufacturing.

Despite the existence numerous limitations with the Buy American Act, Berry Amendment and Trade Agreements Act, as discussed above, the United States Government and private citizen plaintiffs (known as Relators) have recently collaborated in bringing numerous False Claims qui tam actions against companies seeking to profit at the expense of the American Taxpayers. In the majority of these cases, contractors attempted to pass off foreign goods as made in the U.S.A. Examples of these include: MedTronic (relabeled Chinese devices allegations – $4.4 million settlement); ECL Solutions (conceal country of origin-$1.066 million civil forfeiture); Invacare (wrongfully certified as American Made- $2.6 Million settlement); Staples (foreign made goods- $7.4 million settlement), Office Depot (foreign made goods – $4.75 million settlement) and Office Max (sale of goods not permitted by Trade Agreements Act results in $9.72 million settlement).

According to Justice Department statistics released last week, whistleblowers filed 638 False Claims Act lawsuits in FY2015. Because these cases remain under seal sometimes for years, we do not know how many involved violations of BAA or related laws. We are aware from conversations with the Justice Department of an uptick in these claims, however.

Whistleblowers who bring claims under the False Claims Act can earn up to 30% of whatever the government collects from the wrongdoer. To qualify, one must have original knowledge or information about the fraud. Successful whistleblowers are usually current or former employees but anyone with inside information can file.

Article By Brian Mahany of Mahany Law

Wasn’t That Supposed to be Made in the USA?

Article By Brian Mahany of Mahany Law

DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-2008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcomed development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DOD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families has “derived security requirements,” which provide added detail of the security controls required to protect government data. These basic requirements are based on FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls contained in NIST Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.
Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.
The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.
The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).
DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”
With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.
Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”
The class deviation does not impact DoD cloud computing contracts, which remain subject to DFARS 252.239-7010, Cloud Computing Services.

Ensuring Compliance With the Revised DFARS Clauses and NIST SP 800-171 Section 3.5.3

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3 (emphasis added). Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

“Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identification Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokes (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. See id., n. 22.
“Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

“Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Article By Susan B. Cassidy, Alejandro L. Sarria, Patrick Stanton & Catlin M. Meade of Covington & Burling LLP

CMMC Overview and Purpose

CMMC Certification Levels

Level 1 (Self-Assessment)

Level 2 (Self-Assessment or Third-Party Assessment)

Level 3 (Third-Party Assessment by DIBCAC)

Certification Process and Assessment Requirements

Self-Assessment (Level 1 and Level 2 (Self))

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

Plan of Action and Milestones (POA&M)

Affirmation

Integration of CMMC in DoD Contracts

Phase 1 (Early 2025)

Phase 2

Phase 3

Phase 4 (Full Implementation)

Flow-Down Requirements for Subcontractors

Temporary Deficiencies and Enduring Exceptions

Temporary Deficiencies

Enduring Exceptions

Compliance Obligations and Contractual Penalties

Preparing for CMMC Certification

Assess Current Cybersecurity Posture

Develop an SSP

Engage a C3PAO

Prepare a POA&M

Review Subcontractor Compliance

Conclusion

Share this:

Like this:

In Depth

THE CMMC PROGRAM

PHASED IMPLEMENTATION

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

TEMPORARY AND ENDURING EXCEPTIONS

DEFINITION OF SECURITY PROTECTION DATA

DIBCAC ASSESSMENTS

CSPS AND ESPS

APPLICABILITY TO SUBCONTRACTORS

MISREPRESENTATION AND FALSE CLAIMS ACT RISK

THE ELEPHANT (STILL) IN THE ROOM

CONCLUSION

Share this:

Like this:

Share this:

Like this:

Government says market concentration poses a national security risk.

Recent Public and Private Actions

Ukraine Invasion Demonstrates ‘Rapid Escalation’

Share this:

Like this:

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Three Goals of CMMC 2.0

Key Changes under CMMC 2.0

CMMC 2.0 has only three levels of cybersecurity

CMMC 2.0 relieves many certification requirements

CMMC 2.0 reinstitutes POA&Ms

Operational takeaways for the defense industrial base

Increased Risk of Enforcement

Share this:

Like this:

But the Future is “BIG”

A Place for Private Contractors

Incentives: Federal Small Business Preferences

Conclusion

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Like this: