Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy. Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.” In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.
On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains. In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB. As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.
The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant. DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020. Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding. DoD is seeking feedback on the current version of the model by September 25, 2019.
The FAR Council released an Interim Rule in August implementing part of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. In this briefing, we highlight points where the Interim Rule provides clarity; definitional issues that remain unresolved; and new procedural requirements that government contractors should track.
The Interim Rule covers the portion of Section 889, subsection (a)(1)(A), that prohibits the federal government from acquiring certain telecommunications equipment/services from Huawei, ZTE, and other Chinese companies. Specifically: “The head of an executive agency may not … procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Section (a)(1)(A) took effect on August 13, 2019, although a 60-day window remains open for stakeholders to submit comments to be considered in the development of a final rule. Comments on the (a)(1)(A) Interim Rule are due by October 15, 2019.
The second part of Section 889 implementation, sections (a)(1)(B) and (b)(1), go into effect on August 13, 2020. Regulations for those sections remain pending within the government, but the definitions and waiver process established by (a)(1)(A) will be instructive for those regulations as well.
On the eve of deciding an $82 billion protest dispute, GAO dismissed a string of protests without reaching the merits because another contractor filed a protest of the same procurement at the Court of Federal Claims. AECOM Management Services, Inc., B-417506.2 et al., Aug. 7, 2019.
(This article was originally published in Law360 and has been modified for this blog.)
On July 15, 2019, President Trump issued an Executive Order on Maximizing Use of American-Made Goods, Products, and Materials. The EO directs the FAR Council to “consider” amending the Federal Acquisition Regulation’s provisions governing the implementation of the Buy American Act. This EO is the Trump administration’s latest – and most concrete – step toward enhancing domestic sourcing preferences and restricting foreign sources of supply for federal customers. And if implemented, the change promises to have dramatic implications for government contractors and their supply chains.
The U.S. Court of Federal Claims recently overturned an agency’s decision to terminate a government contractor for default, finding that the government allowed a series of contract disputes, poor practices, conflicting personalities, and a lack of effective communication to cloud its termination analysis. The case serves as an important reminder that, when reviewing a termination for default, the Court gives little credence to the government’s “subjective beliefs” regarding the contractor’s ability to perform. Rather, the Court conducts an objective inquiry and scrutinizes the events, actions, and communications that led to the agency’s termination decision.
The House of Representatives passed its version of the FY2020 National Defense Authorization Act (“NDAA”) last week. The headline story was the remarkably close, party-line vote: in contrast to past years, the bill received no Republican votes, and eight Democratic Members voted against it.
Those partisan dynamics obscured the inclusion of two important amendments – one Republican and one Democratic – regarding bid protest policy that the House quietly adopted in its bill. The provisions are not yet law, since the House and Senate must still resolve differences in their respective NDAAs through the conference process. In this post, we summarize these provisions and encourage government contractors to watch them closely in the coming months.
Earlier this year, the White House issued an Executive Order on AI mandating that the National Institute of Standards and Technology develop a guide to federal engagement on AI technical standards. While the federal government’s actions have understandably garnered significant attention, state and local governments are also undertaking preliminary efforts to engage on the technical standards for AI procured and utilized by their agencies. Lee Tiedrich and Nooree Lee discuss those regulatory efforts on Inside Tech Media.
The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain.
The Office of the Under Secretary of Defense for Acquisition and Sustainment has created a website that provides additional background on the proposed CMMC, including a list of FAQs and details about a CMMC Listening Tour that is intended to solicit feedback from key DIB stakeholders. DoD is planning to release Version 1.0 of the CMMC framework in January 2020 and expects to incorporate CMMC requirements in Requests for Proposals (“RFPs”) beginning in June 2020.
The concept of a CMMC framework arose in response to a series of high profile breaches of DoD information. This caused DoD to reevaluate its reliance on the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 as sufficient to thwart the increasing and evolving threat, especially from nation-state actors. Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, is among those leading this effort and addressed DoD’s plans for the CMMC at the May 23, 2019 Georgetown Cybersecurity Law Institute.
Key takeaways from the CMMC website include:
- The initial implementation of the CMMC is for DoD only. However, the use of CUI terminology rather than covered defense information (“CDI”), which is used in DFARS 252.204-7012, indicates a potentially broader role for this model beyond DoD.
- All companies conducting business with the DoD, including subcontractors, must be certified.
- The CMMC is expected to combine relevant portions of various cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032, into one unified standard for cybersecurity. Unlike NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls, the CMMC will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes.”
- The CMMC is expected to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.” For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats. Notably, DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a “go/no go” evaluative determination. This assessment of appropriate maturity levels on a procurement basis is akin to the Cyber Security Model that the United Kingdom’s Ministry of Defence (“MoD”) currently employs for all MoD contracts.
- In general, contractors will be required to be certified by a third-party auditor. The FAQs on the website note that certain “higher level assessments” may be conducted by government assessors, including requiring activity personnel, the Defense Contract Management Agency (“DCMA”), and the Defense Counterintelligence and Security Agency (“DCSA”). The website does not, however, explain what qualifies as a higher level assessment.
- How long a certification will remain in effect is still under consideration. Additionally, certification levels of contractors will be made public, though details of specific findings will not be publicly accessible.
- A compromise of a contractor’s systems will not result in automatic loss of certification. However, depending on the circumstances of the compromise, it appears that DoD intends to authorize program managers to require recertification if they believe necessary. It is unclear whether this obligation will be imposed via contract or regulation and what standard will be used to determine that a recertification is necessary.
- The cost of certification will be considered an allowable, reimbursable cost. The FAQs state that the costs “will not be prohibitive.”
Impact on Contractors
It is too early to assess the potential impact of the CMMC on contractors. Although details relating to the scope, breadth, and implementation of the CMMC are limited, the framework reflects DoD’s first meaningful attempt to impose a broader assessment regime. It is unclear whether implementation of the CMMC will eliminate the need for DCMA to conduct audits to measure compliance with NIST SP 800-171.
DIB stakeholders will have a number of opportunities to provide feedback. The CMMC Listening Tour is expected to include five outreach events throughout July and August 2019, with more expected before the framework is released in January 2020.
Earlier this week, the Federal Circuit unanimously affirmed a 2017 ruling by the Armed Services Board of Contract Appeals (“ASBCA”) that held the United States Government breached its contractual obligation to provide physical security to KBR and its subcontractors during the height of the Iraq War. The decision awards KBR $44 million, plus interest, in private security costs that the Government unilaterally recovered under the LOGCAP III contract.
The Court’s decision is significant in two respects. First, it confirms that the affirmative defense of prior material breach is not a Contract Disputes Act (CDA) “claim” that must be presented to a contracting officer under M. Maropakis Carpentry, Inc. v. United States, 609 F.3d 1323, 1331 (Fed. Cir. 2010). Second, the decision makes clear that a contractor is entitled to CDA interest on its claim to recover amounts taken or held by the Government to enforce a government claim. We discuss each of these important rulings below.