The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018. The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171. As we noted in a recent blog post, this guidance raises questions about what role offerors’ implementation of NIST SP 800-171 — and their SSPs and Plans of Action and Milestones (POA&Ms) – may play in bid protests. Likewise, questions remain as to how SSPs and POA&Ms will be addressed in DCMA audits, how DoD will evaluate cybersecurity as part of ongoing performance, and whether DoD’s intended uses of an SSP could increase the risks associated with the False Claims Act.

The Workshop also may offer some insight into a new cybersecurity regulation that is expected later this year. The January 2018 Semiannual Regulatory Agenda published by the Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council noted that a proposed rule addressing cybersecurity for all Executive agencies is expected to be issued in November of this year. NIST SP 800-171 already states that the security controls in that publication are expected to be incorporated into this proposed rule. Thus, this Workshop may provide some insight into the content of the expected FAR cybersecurity rule and whether it will result in any changes to the DFARS Cyber Rule.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast. Advanced registration is not required for the webcast.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.