Photo of Susan B. Cassidy

Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

 

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan's in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Contact:Read more about Susan B. CassidyEmail

This is the seventh blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The sixth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in August, September

Continue Reading August, September, and October 2025 Cybersecurity Developments Under the Trump Administration

Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to

Continue Reading How Will DoW Determine Which Level of CMMC Applies to My Agreement?

On September 15, 2025, the Office of the Director of National Intelligence (“ODNI”) issued the first public exclusion and removal order (the “Order”) under the framework established by the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”).  The Order applies to all products and services produced or provided by Acronis AG as well as all subordinate, subsidiary, or affiliated organizations doing business under various names in support of Acronis AG.  The exclusionary Order has two immediate impacts on the federal supply chain.  First, federal contractors entering into new contracts or following contractual modifications are prohibited from supplying products or services from Acronis to agencies that are either subject to the Order or that have otherwise adopted it (“Covered Agencies”).  Second, contractors are prohibited from using products or services from Acronis in the performance of new and modified contracts with Covered Agencies.  In addition, certain agencies must remove these products and services from particular information systems.

Although the prohibitions apply to new contract awards, all contractors to Covered Agencies that have the applicable FASCA FAR clause (FAR 52.204-30) in their agreements must conduct diligence to determine whether they have provided or used any prohibited products or services in the performance of their contracts.  Following this review, the clause requires contractors to report the use of prohibited products or services to Covered Agencies.

Additional detail on the FASCSA exclusionary process and this first public Order is provided below.Continue Reading First Order Issued under the Federal Acquisition Supply Chain Security Act, Triggering Immediate Requirements on Contractors

This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced

Consistent with the Trump Administration’s focus on procurement fraud, a recent settlement and guilty pleas secured by the DOJ demonstrate that bid rigging is in the Administration’s crosshairs.  Government contractors should be aware of the legal risks associated with bid rigging when engaging in the bidding process. Continue Reading Bid Rigging Risk for Government Contractors

This is the sixth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fifth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in July 2025. 

Continue Reading July 2025 Cybersecurity Developments Under the Trump Administration

In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies.  The case is the latest in a series of False

Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems

On July 14, 2025, the U.S. Department of Justice (DoJ) and General Services Administration (GSA) announced a $14.75 million settlement of Civil False Claims Act allegations against IT company Hill ASC Inc. (Hill).  This settlement is consistent with the current Administration’s focus on “fraud, waste, and abuse” in government procurement

Continue Reading Recent Cybersecurity FCA Settlement Demonstrates Heightened FCA Risk to Government Contractors

This is the fifth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fourth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in June 2025. 

Continue Reading June 2025 Cybersecurity Developments Under the Trump Administration

This is the fourth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration.  This blog describes key cybersecurity developments that took place in May 2025. 

CISA Releases AI Data Security Guidance

On May 22, the Cybersecurity and Infrastructure

Continue Reading May 2025 Cybersecurity Developments Under the Trump Administration