Earlier this year, the White House issued an Executive Order on AI mandating that the National Institute of Standards and Technology develop a guide to federal engagement on AI technical standards. While the federal government’s actions have understandably garnered significant attention, state and local governments are also undertaking preliminary efforts to engage on the technical standards for AI procured and utilized by their agencies. Lee Tiedrich and Nooree Lee discuss those regulatory efforts on Inside Tech Media.
The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain.
The Office of the Under Secretary of Defense for Acquisition and Sustainment has created a website that provides additional background on the proposed CMMC, including a list of FAQs and details about a CMMC Listening Tour that is intended to solicit feedback from key DIB stakeholders. DoD is planning to release Version 1.0 of the CMMC framework in January 2020 and expects to incorporate CMMC requirements in Requests for Proposals (“RFPs”) beginning in June 2020.
The concept of a CMMC framework arose in response to a series of high-profile breaches of DoD information. This caused DoD to reevaluate its reliance on the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 as sufficient to thwart the increasing and evolving threat, especially from nation-state actors. Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, is among those leading this effort and addressed DoD’s plans for the CMMC at the May 23, 2019 Georgetown Cybersecurity Law Institute.
Key takeaways from the CMMC website include:
- The initial implementation of the CMMC is for DoD only. However, the use of CUI terminology rather than covered defense information (“CDI”), which is used in DFARS 252.204-7012, indicates a potentially broader role for this model beyond DoD.
- All companies conducting business with the DoD, including subcontractors, must be certified.
- The CMMC is expected to combine relevant portions of various cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032, into one unified standard for cybersecurity. Unlike NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls, the CMMC will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes.”
- The CMMC is expected to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.” For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats. Notably, DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a “go/no go” evaluative determination. This assessment of appropriate maturity levels on a procurement basis is akin to the Cyber Security Model that the United Kingdom’s Ministry of Defence (“MoD”) currently employs for all MoD contracts.
- In general, contractors will be required to be certified by a third-party auditor. The FAQs on the website note that certain “higher level assessments” may be conducted by government assessors, including requiring activity personnel, the Defense Contract Management Agency (“DCMA”), and the Defense Counterintelligence and Security Agency (“DCSA”). The website does not, however, explain what qualifies as a higher level assessment.
- How long a certification will remain in effect is still under consideration. Additionally, certification levels of contractors will be made public, though details of specific findings will not be publicly accessible.
- A compromise of a contractor’s systems will not result in automatic loss of certification. However, depending on the circumstances of the compromise, it appears that DoD intends to authorize program managers to require recertification if they believe necessary. It is unclear whether this obligation will be imposed via contract or regulation and what standard will be used to determine that a recertification is necessary.
- The cost of certification will be considered an allowable, reimbursable cost. The FAQs state that the costs “will not be prohibitive.”
Impact on Contractors
It is too early to assess the potential impact of the CMMC on contractors. Although details relating to the scope, breadth, and implementation of the CMMC are limited, the framework reflects DoD’s first meaningful attempt to impose a broader assessment regime. It is unclear whether implementation of the CMMC will eliminate the need for DCMA to conduct audits to measure compliance with NIST SP 800-171.
DIB stakeholders will have a number of opportunities to provide feedback. The CMMC Listening Tour is expected to include five outreach events throughout July and August 2019, with more expected before the framework is released in January 2020.
Earlier this week, the Federal Circuit unanimously affirmed a 2017 ruling by the Armed Services Board of Contract Appeals (“ASBCA”) that held the United States Government breached its contractual obligation to provide physical security to KBR and its subcontractors during the height of the Iraq War. The decision awards KBR $44 million, plus interest, in private security costs that the Government unilaterally recovered under the LOGCAP III contract.
The Court’s decision is significant in two respects. First, it confirms that the affirmative defense of prior material breach is not a Contract Disputes Act (CDA) “claim” that must be presented to a contracting officer under M. Maropakis Carpentry, Inc. v. United States, 609 F.3d 1323, 1331 (Fed. Cir. 2010). Second, the decision makes clear that a contractor is entitled to CDA interest on its claim to recover amounts taken or held by the Government to enforce a government claim. We discuss each of these important rulings below.
Late last month, the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019 (PAHPAI) was signed into law. The Act is a much anticipated reauthorization of the Pandemic and All-Hazards Preparedness Act, originally passed in 2006. The legislation is a key development in strengthening the country’s ability to respond to bio-threats, disasters, and other national emergencies by defining federal program initiatives and funding states and private researchers. PAHPAI-authorized grants allow for the research and development of biodefense measures and the stockpiling of preparedness supplies.
On Monday, the Supreme Court significantly altered how government agencies will treat confidential commercial information protected from disclosure by Exemption 4 of the Freedom of Information Act (“FOIA”) — an issue that recurs repeatedly with respect to information submitted by contractors to government agencies. Food Marketing Institute v. Argus Leader Media, No. 18-481 (U.S. June 24, 2019). The Court overturned 45 years of lower-court precedent requiring that the submitter show both that the information was not publicly disclosed, and that its release would cause substantial competitive harm. The Court’s decision seemingly expands the scope of Exemption 4 by removing the “substantial competitive harm” requirement. However, the effect of this apparent expansion is unclear, because the Court suggested but did not resolve whether Exemption 4 also requires a new element: a showing that the submitter’s information was provided under an assurance by the government that it would keep the information confidential.
Notwithstanding the question left open by the Court, Food Marketing points the way to several steps that contractors can take to protect their commercial and financial information from release under the new interpretation of Exemption 4.
On June 19, 2019, the National Institute of Standards and Technology (“NIST”) announced the long-awaited update to Special Publication (“SP”) 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which includes three separate but related documents.
As previously discussed on this blog, the Supreme Court announced last year that it would resolve a circuit split over when a relator needed to file a qui tam action under the False Claims Act (“FCA”). Earlier this month, the Court decided in Cochise Consultancy Inc. v. United States ex rel. Hunt, that relators can — in limited circumstances — take advantage of the FCA’s 3-year “alternative” statute of limitations, which means they may file their complaints up to four years after the default 6-year period has expired.
Now that the dust has settled, it is worth stepping back to take stock of the ruling’s practical effect. We believe that Cochise will have limited impact on most qui tam actions, although it leaves some important questions open. For FCA aficionados, the ruling by Justice Thomas also foreshadows a plain-reading, textual approach to future questions that may arise.
The Contract Disputes Act (“CDA”) is probably not the first law that comes to mind when a government contractor is named as a defendant in a personal injury or wrongful death suit. But a recent decision from the U.S. Court of Federal Claims illustrates why the CDA — and its six-year statute of limitations — should be top of mind for any contractor that is sued in tort and wants the government to take over its defense or to reimburse its uninsured legal fees or settlement/judgment costs. The Court’s decision, which is the latest opinion in a long-running dispute, is an important reminder for contractors that are indemnified by the government for liabilities to third persons, including under clauses such as FAR 52.228-7, Insurance — Liability to Third Persons (MAR. 1996) and FAR 52.250-1, Indemnification under Public Law 85-804 (APR. 1984).
On May 23, 2019, multiple news outlets reported that the White House was considering an emergency declaration to permit arms shipments to Saudi Arabia without Congressional approval. These reports were met with sharp criticism by multiple legislators. These recent developments shine a spotlight on the contours of the Congressional notice and approval mechanisms set forth in the Arms Export Control Act (AECA).
AECA (22 U.S.C. § 2751 et seq.) is the authorizing statute for the Foreign Military Sales (FMS) program. AECA and the implementing guidance from the Defense Security Cooperation Agency (DSCA) set forth the procedures for the development of a transaction under the FMS program, referred to as an FMS case.
Once an FMS case has been negotiated between the U.S. Government and the foreign government purchaser, the White House is required to submit a formal notification to the Speaker of the House of Representatives, the House Committee on Foreign Affairs, and the Senate Committee on Foreign Relations (although this requirement is subject to country- and defense article-specific dollar value thresholds). Congress then has 30 days (or 15 days for certain proposed sales to a NATO country, Australia, Japan, South Korea, Israel, or New Zealand) to enact a joint resolution opposing the sale. Unless a joint resolution is passed within the time period, Congress is considered to have consented to the sale.
Earlier this month, the FAR Council issued a proposed rule to expand the definition of “commercial item” under the Federal Acquisition Regulation (FAR) to include certain items sold in substantial quantities to foreign governments. This new rule implements section 847 of the National Defense Authorization Act (NDAA) for FY 2018 (Pub. L. 115-91), and has the potential to extend commercial item status to defense articles that have been sold to foreign militaries, including sales under the Foreign Military Financing program.
Ensuring the commercial item status of products and services has long been a key point of federal contracting compliance for many businesses, as commercial item contracts typically avoid many of the more burdensome provisions imposed by the FAR. While the term “commercial item” is often generalized to refer to items offered for sale to the general public for non-governmental purposes, the definition of “commercial item” under FAR 2.101 includes certain items used for governmental purposes and sold in substantial quantities to multiple state and local governments. See FAR 2.101. This provision permitted products like protective equipment used by police and fire departments to be deemed commercial items.