This is the eleventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second through tenth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through February 2022, respectively.  This blog summarizes key actions taken to implement the Cyber EO during March 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions, potentially in or before June 2022, that are likely to impact government contractors, particularly those who provide software products or services to the Government.
Continue Reading March 2022 Developments Under President Biden’s Cybersecurity Executive Order

Given the growing attention in U.S. military assistance to foreign allies and the applicable ground rules, Covington has prepared a primer to understanding the basics of foreign military sales, foreign military financing, and direct commercial sales.  Covington features a multi-disciplinary team of government contracts, export controls, anticorruption, and corporate attorneys with experience in foreign military

On March 18, 2022, the Department of Defense published a final rule in the Defense Federal Acquisition Regulation Supplement implementing its “enhanced” debriefing process.  That process originated in the National Defense Authorization Act for Fiscal Year 2018 and had previously been implemented via a class deviation.

The DOD enhanced debriefing process — which applies to procurements under FAR Part 15, and to task order competitions under FAR 16.505 — has two hallmarks:

Continue Reading DOD Issues Final DFARS Rule on Enhanced Debriefing Process

On March 8, 2022, the Department of Justice announced the first settlement of a case under the Civil Cyber-Fraud Initiative.  Established in October 2021, the Initiative aims to utilize the government’s authority under the civil False Claims Act to pursue alleged instances of fraud and misrepresentation concerning cyber practices.  (We previously wrote about the Initiative here.)  The Initiative has been a point of emphasis in DOJ speeches and public comments in recent months.  This settlement is a milestone in the rollout of the program and confirmation that DOJ intends to take allegations of cyber fraud seriously.
Continue Reading First Settlement of DOJ Civil Cyber-Fraud Initiative

On the heels of the FTC’s opposition to Lockheed Martin’s acquisition of Aerojet Rocketdyne and Lockheed’s termination of the deal, the Department of Defense (DoD) released a report expressing concerns about the state of competition among its contractors.  Of particular note, the report encourages DoD action to (1) increase oversight of M&A transactions and (2) obtain greater IP rights in matters involving defense industrial base contractors.  Although the report is light on specifics and identifies objectives that are in some tension with each other, the report is a reminder to companies that the U.S. Government, the single largest purchaser in the country, remains focused on enhancing competition. To that end, we anticipate seeing Executive Branch action in the coming months that seeks to further that policy objective.
Continue Reading DoD Signals Increased Scrutiny of Gov Con M&A and Renewed Interest in Background IP Rights

On December 22, 2021, the Defense Security Cooperation Agency (DSCA) announced the Fiscal Year 2021 transaction figures for the Foreign Military Sales (FMS) Program, reporting $34.8 billion in total transaction value.  FMS declined for the second consecutive year, down 31 percent from $50.8 billion dollars in transactions in FY 2020.  The 2021 figure represents the

The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing

[This article was originally published in Law360.]

Amidst the whirlwind of M&A activity in the government contracts industry, a recent bid protest decision from the Government Accountability Office (GAO) highlights the importance of proper planning to protect prime contract proposals during M&A and other corporate transactions.  Last month, GAO denied a protest from ICI Services Corporation (ICI), which challenged the U.S. Navy’s decision to award a task order to Serco, Inc. (Serco) under the SeaPort Next Generation (SeaPort-NxG) vehicle.  Although ICI raised a “multitude of challenges,” GAO focused on what it considered the gravamen of ICI’s protest — that Serco was ineligible for award because it allegedly was not a complete successor-in-interest to the Naval Systems Business Unit (NSBU) of Alion Science and Technology Corporation (Alion).  Serco had acquired the NSBU from Alion in July 2019, and has been operating the NSBU in the several months since then.

For years, contractors have faced an amalgamation of protest decisions assessing the impact of transactions on proposals for new prime contracts.  The recent ICI decision provides some additional guidance and, more importantly, underscores GAO’s stated intent that its decisions not frustrate pending proposals merely because a corporate transaction has taken place or is expected to take place, but instead ensure that the procuring agency has reasonably considered the impact of the transaction and concluded that the resulting contract will be performed in materially the same way as described in the proposal.  In the absence clear guidance in the Federal Acquisition Regulation (FAR) on the treatment of bids in connection with a corporate transaction, GAO’s decision in ICI offers some clarity for contractors and a framework for agencies when assessing the impact of a transaction.  Although every transaction and proposal is unique, the ICI decision highlights some key considerations for contractors.
Continue Reading Buying a Business Without Losing the Pipeline: Further Guidance for Protecting Proposals

On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0.  Mr. KcKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous” especially on small and medium sized contractors.  He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk based approach than the original CMMC because it is primarily focused on the type of data being protected.

Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0

UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.”   The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.
Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0