Catlin Meade

+1 202 662 5889

Catlin Meade is an associate in the firm’s Washington, DC office.

NIST Releases Fifth Revision of Special Publication 800-53

The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 … Continue Reading

A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ … Continue Reading

Civil Penalties Across All Federal Agencies Set to Increase Significantly by August 2016

On May 3, 2016, the U.S. Railroad Retirement Board (“RRB”) issued an interim final rule adjusting civil False Claims Act (“FCA”) and Program Fraud Civil Remedies Act (“PFCRA”) monetary penalty amounts for the RRB.  The interim final rulemaking resulted in an increase of the PFCRA maximum to $10,781 and a new FCA range of $10,781-$21,563.  … Continue Reading

President Obama Unveils Cybersecurity National Action Plan and Issues Two New Executive Orders Directed at Cybersecurity and Privacy Concerns

President Obama unveiled on February 9, 2015 his Cybersecurity National Action Plan (CNAP), a combination of near-term actions and long-term strategy to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”  In conjunction with this unveiling, … Continue Reading

OSAI Issues Guidance on the Government Contractor Defense for Certified Anti-terror Technologies

Congress enacted the SAFETY Act in 2002 in an effort to incentivize the development of anti-terrorism technologies following the attacks of September 11, 2001.  The Act affords liability protections to sellers of Qualified Anti-Terrorism Technologies (“QATTs”) in the event of an act of terrorism where QATTs are deployed.  Although the SAFETY Act’s protections have not … Continue Reading

NDAA — Vetoed for Now — Includes New Cybersecurity Provisions for Contractors

On October 22, 2015, President Obama vetoed the National Defense Authorization Act (“NDAA”) for Fiscal Year 2016.  In so doing, the President cited concerns over provisions keeping in place the sequester, preventing reforms to modernize the military, and making it more difficult to close Guantanamo Bay.  As a result, the acquisition provisions of the 2016 … Continue Reading

DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 … Continue Reading

DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in the making, this interim rule replaces the … Continue Reading

Lock Down of Nuclear Site:  False Alarm, with a Lesson Learned

Last week the Savannah River Site (“SRS”) in South Carolina, a large nuclear facility owned by the U.S. Department of Energy (“DOE”), went into a lock down after electronic and canine scans of a commercial delivery truck attempting to enter the facility indicated possible explosive residue on the vehicle.  Fortunately, the lock down was lifted … Continue Reading

SAFETY First: Using the SAFETY Act to Bolster Cybersecurity

We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan.  Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital.  The potential consequences are devastating: … Continue Reading

New Proposed Rule and Accompanying Guidance May Impose Additional Cybersecurity Burdens on Contractors Handling CUI

Pursuant to Executive Order 13,556 and as forecasted in the draft of the National Institute for Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171, the National Archives and Record Administration (“NARA”) released on May 8, 2015 a proposed rule addressing the government-wide designation and safeguarding of Controlled Unclassified Information[1] (“CUI”) (“the Proposed CUI Rule” or … Continue Reading

Potential Relief for Contractors Subject to Rapid Reporting Requirements

During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems. This amendment relates back to two … Continue Reading

Controversial Cyber Information Sharing Bill May Impact Government Contractors

Following Obama’s February 13, 2015 Executive Order to promote the sharing of cybersecurity risks and incidents between the federal government and the private sector, Congress has introduced a slew of information-sharing legislation.  Such legislation includes the Cybersecurity Information Sharing Act of 2015 (“CISA”), which was marked up and approved 14-1 by the Senate Intelligence … Continue Reading

DoD Memo Reveals Poor Scorecard for Agency’s Inclusion of the UCTI DFARS Clause in New Contracts

On February 25, 2015, the Office of the Secretary of Defense (AT&L) issued a memorandum containing an agency “Scorecard” for the implementation of the DFARS clause on safeguarding Unclassified Controlled Technical Information (“UCTI”).  The final UCTI rule was published on November 18, 2013 and required the new DFARS clause 252.204-7012−which imposes requirements for (1) safeguarding … Continue Reading

DoD’s Updated Privacy Program Imposes Stringent Rules for Protection of PII

By final rule issued January 27, the Department of Defense (DoD) updated its Privacy Program, meaning that effective February 26, 2015, certain DoD contractors will be required to comply with additional “rules of conduct.”  These rules of conduct are consistent with the types of requirements imposed on federal agencies by the Privacy Act. The final … Continue Reading

Off the Mark?: Fourth Circuit Reverses FCA Dismissal Using Implied Certification Theory

In its January 8 decision in United States v. Triple Canopy, Inc., the Fourth Circuit reiterated its acceptance of the implied certification theory of False Claims Act (“FCA”) liability.  Under the FCA, a contractor can face steep financial penalties for knowingly making false statements in order to get fraudulent claims paid or approved by the … Continue Reading

FISMA Updated and Modernized

On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA to provide a leadership role for the Department of Homeland Security, include security incident reporting requirements, and other key changes. Background:  FISMA was originally passed in 2002 to provide … Continue Reading

DoD to Impose Yet Another Form of Rapid Reporting Requirements

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.” … Continue Reading

NIST Draft Standards Provide Guidance For Protecting CUI on Contractor Systems

On November 18, the National Institute of Standards and Technology (“NIST”) released Draft Special Publication 800-171 (“SP 800-171”), which includes new recommended security controls for nonfederal organizations such as government contractors, state and local governments, and colleges and universities that “process, store, or transmit” controlled unclassified information (“CUI”) on their own systems.  These draft standards … Continue Reading

Nuclear Regulatory Commission Moving Forward on Data Breach Notification Rules

The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements.  The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014.  Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to … Continue Reading

ASBCA Finds Kickbacks Under Three of Sixteen Task Orders is Sufficient to Taint Contractor’s Entire Claim

Background: In Appeal of Laguna Construction Company, Inc., the Armed Services Board of Contracts Appeals (“ASBCA”) found that a contractor’s receipt of kickbacks from subcontractors was both criminal fraud and a material breach of the contract, which eliminated the Government’s obligation to reimburse the contractor for additional work, even if that work was not itself … Continue Reading

New RFI Seeks Feedback on NIST Cybersecurity Framework

On February 12, 2013, President Obama issued Executive Order 13636, which directed federal agencies to undertake a broad range of tasks aimed at enhancing the security and resilience of the nation’s critical infrastructure.  One task directed the National Institute of Standards and Technology (“NIST”) to establish a technology-neutral, voluntary, risk-based cybersecurity framework. A year later, … Continue Reading

DOD Rapid Reporting Regulations Further Delayed

The Department of Defense (“DOD”) has once again delayed the promulgation of regulations requiring DOD contractors to rapidly report data breaches and allowing DOD to access the contractor’s equipment to conduct a forensic analysis.  The National Defense Authorization Act for Fiscal Year 2013 originally required an ad hoc committee to provide a report to the Defense Acquisition Regulations Council in March 2013.  The … Continue Reading

D.C. Circuit Dismisses FCA Suit & Provides Guidance for Contractor Reliance on Supplier Certifications

On August 29, the U.S. Court of Appeals for the D.C. Circuit upheld the dismissal of a qui tam suit under the False Claims Act (“FCA”) alleging that government contractor Govplace made false statements and false claims by selling to the Government, via its GSA schedule contract, computer and other products not originating in designated … Continue Reading