Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

On July 10, 2020, the interim rule implementing Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. No. 115-232) was released by the U.S. Government’s Federal Acquisition Regulatory Council. Section 889 prohibits the U.S. Government from buying (as of August 2019)—or contracting with an entity that uses

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Continue Reading Contractor Supply Chain Readiness – An Update on Expected Regulatory Changes

On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency

As the fallout from COVID-19 continues, federal contractors in every industry are seeing significant impacts on their ability to perform, ranging from scheduling delays to supply chain interruptions and increased costs of performance.  We previously addressed the rules and regulations governing excusable delays, which permit a contractor to avoid default if a failure to perform arises from causes beyond its control.  This next post addresses key FAR provisions that may entitle a contractor to a price adjustment or other recovery due to changes in contract requirements as a result of the pandemic.

Continue Reading Can I Recover the Added Costs of Work Caused by COVID-19?

As the COVID-19 virus extends its global reach, defense contractors may be called upon to begin implementing their contracts’ mission-essential services plans. These plans, required by DFARS 252.237-7023, facilitate mission-essential functions in extended crisis situations, including pandemics, which are explicitly noted in the DFARS. As the coronavirus outbreak continues, defense contractors should check whether their contracts include this clause and assess their readiness to implement the requirement if DoD requests activation of the company’s plan.
Continue Reading The Show Must Go On: Mission-Essential Services During the Coronavirus Outbreak

The global spread of the COVID-19 virus may put many federal contractors at risk of missing contractual deadlines. In a growing number of cases, supply chains may become cut off, work spaces may be closed, or employees may need to stay home, all of which could impact a contractor’s ability to perform in a timely manner. This is the first in a series of blog posts aimed at helping contractors navigate performance delays, changes, and other complications caused by the coronavirus outbreak.

When confronting challenges caused by the coronavirus, contractors should know that their contracts may contain clauses that would excuse these delays such as FAR 52.249-14 (cost reimbursement and time and material contracts), FAR 52.249-8 (fixed price supply and service contracts), and FAR 52.212-4 (commercial contracts). All of these clauses share a common thread – a contractor should not be in default because of a failure to perform the contract if the failure arises from causes beyond the control and without the fault or negligence of the contractor.
Continue Reading “Excuse Me, My Performance Has been Interrupted”– How Excusable Delay Provisions in the FAR May Help Federal Contractors Affected by the Coronavirus

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.


Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft

On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October.  (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog posts.)

DoD describes the CMMC as “a DoD certification process that measures a DIB sector company’s ability to protect FCI [Federal Contract Information] and CUI [Controlled Unclassified Information].”  DoD has stated publicly that it intends to begin incorporating certification requirements into solicitations starting in Fall 2020, with compliance audits beginning in late 2020 or early 2021.  Depending the sensitivity of the information that contractors will receive in the course of performing work for DoD, they will be expected to demonstrate compliance through third party audits with the requirements set forth under one of five certification levels.  This applies even where contractors will not be handling FCI or CUI in the course of performing their contracts.[1]

The two most significant updates to the model in this version of the draft are (i) the addition of “Practices” for obtaining Level 4 and 5 certifications, and (ii) an expansion of “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1.  These changes and others are discussed in more detail below.  Given the expected release in late January 2020, it is likely that the requirements in this draft will closely resemble those that will be set forth in Version 1.0 of the CMMC framework, which is anticipated to serve as the basis for the first contractor audits.


Continue Reading DoD Releases Version 0.7 of Its Cybersecurity Maturity Model Certification

Last week, the FAR Council issued a Final Rule, setting forth new FAR provisions that require the reporting of certain counterfeit and suspect counterfeit parts and certain major or critical nonconformances to the Government – Industry Data Exchange Program (“GIDEP”).[1]  This Final Rule comes more than five years after the rule was first proposed in the Federal Register in June 2014.  The FAR Council describes the Final Rule as “significantly de-scoped” from the version proposed in 2014, but it nonetheless constitutes a significant expansion of the existing counterfeit part reporting obligations, which to date have applied only to electronic parts under DOD contracts.

Continue Reading New FAR Rule Expands Counterfeit Reporting Obligations