New Section 889 Restrictions Included in Updated Uniform Guidance Regulations from the Office of Management and Budget
On August 13, 2020, the Office of Management and Budget (OMB) released new revisions to its Guidance for Grants and Agreements set forth under 2 CFR (commonly referred to as the Uniform Guidance). The Uniform Guidance governs the terms of federal funding issued by agencies, including grants, cooperative agreements, federal
Darby Rourick
Darby Rourick is a government contracts lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. She has particular experience in federal cybersecurity and information technology supply chain issues. Darby has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. She also counsels clients on cybersecurity incident response; compliance with federal cybersecurity laws, regulations, and standards; supplier and subcontractor security issues; and cybersecurity-related investigations.
Darby has particular regulatory experience with:
Government cybersecurity supply chain issues like the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements; and
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI)
She also assists clients when allegations of non-compliance with procurement requirements arise, such as in the following areas:
Procurement fraud and FAR mandatory disclosure requirements;
Allegations of violations of cybersecurity regulations;
Cyber incidents and data spills; and
Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.
National Institute of Standards and Technology Releases Draft of NIST SP 800-172
The National Institute of Standards and Technology released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020. This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must comply with in order to transmit, process, and store Controlled Unclassified Information (“CUI”).
Like the draft of NIST SP 800-171B released last year that it replaces, the publication recognizes that the basic and derived security controls in NIST SP 800-171 are “not designed to address APTs [Advanced Persistent Threats].” As the publication notes, “the APT may find ways to breach and/or compromise boundary defenses and deploy malicious code within a defender’s system.” Thus, the additional safeguards in NIST SP 800-172 are meant to “outmaneuver, confuse, deceive, mislead, and impede the adversary—that is, take away the adversary’s tactical advantage and protect and preserve the organization’s critical programs and high value assets.”
Comments on the draft are due on August 21, 2020.
“Section 889” Prohibition on “Use” of Covered Telecommunications Equipment by Federal Contractors Released as an Interim Rule
On July 10, 2020, the interim rule implementing Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. No. 115-232) was released by the U.S. Government’s Federal Acquisition Regulatory Council. Section 889 prohibits the U.S. Government from buying (as of August 2019)—or contracting…
A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification
On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”). This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations. (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)
As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”
DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award. DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification. DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.
DoD Announces the Release of CMMC Version 1.0
On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version…