Following our recent overview of topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to cybersecurity and software security in each of the Senate and House bills. For the past three years, the NDAA has dedicated a separate Title to cyber and cybersecurity, reflecting the increased importance of these issues in Department of Defense (“DoD”) operations. As expected, both the Senate and House versions of the NDAA bill continue this tradition. Many of the cyberspace related provisions in both chambers’ bills would have direct or indirect impacts on DoD contractors and other members of the Defense Industrial Base (“DIB”). We summarize below the cyber-related provisions that are most likely to impact the DIB.
The Coalition for Government Procurement and the National Defense Industrial Association filed an amicus brief in the consolidated Supreme Court cases United States ex rel. Schutte v. SuperValu, Inc. and United States ex rel. Proctor v. Safeway, Inc. The brief urges the Court to hold, consistent with the decisions of multiple federal courts of appeals, that a defendant cannot be liable under the False Claims Act (“FCA”) for “knowingly” submitting a “false” claim if (1) it acted in accordance with an objectively reasonable reading of an ambiguous statute, regulation, or contract provision and (2) there was no authoritative guidance warning it away from that interpretation. The Amici are represented by Covington & Burling LLP.
In SuperValu and Safeway, the Court is asked to resolve questions over the role that subjective intent plays in evaluating whether a defendant satisfies the FCA’s “knowledge” requirement. Petitioners argue that a contractor can be liable under the FCA for submitting a claim that is premised on an objectively reasonable interpretation of an ambiguous legal provision if the contractor recognized that the provision could be interpreted a different way. However, as the amicus brief explains, such a claim cannot be false for alleged noncompliance with the ambiguous legal provision that has not otherwise been clarified by authoritative guidance. Nor can such a contractor knowingly submit a false claim just because it was aware that the legal obligation may be interpreted differently.…
It goes without saying that the COVID-19 pandemic has significantly affected the Department of Defense (“DoD”) and the defense industrial base. And while Congress has taken steps to mitigate these impacts, the sheer scale of the pandemic’s effects pose a continuing challenge to both DoD and its contractors. Now a group of major defense contractors has submitted a pair of joint letters to the Pentagon and OMB highlighting the need for further action and the risk to the defense industrial base if such actions are not taken.
Continue Reading Defense Contractors Say Section 3610 and Other Contractor Support Measures Require Relief
On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”). This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations. (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)
As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”
DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award. DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification. DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.…
On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0. We have discussed draft…
On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”). This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October. (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog posts.)
DoD describes the CMMC as “a DoD certification process that measures a DIB sector company’s ability to protect FCI [Federal Contract Information] and CUI [Controlled Unclassified Information].” DoD has stated publicly that it intends to begin incorporating certification requirements into solicitations starting in Fall 2020, with compliance audits beginning in late 2020 or early 2021. Depending the sensitivity of the information that contractors will receive in the course of performing work for DoD, they will be expected to demonstrate compliance through third party audits with the requirements set forth under one of five certification levels. This applies even where contractors will not be handling FCI or CUI in the course of performing their contracts.
The two most significant updates to the model in this version of the draft are (i) the addition of “Practices” for obtaining Level 4 and 5 certifications, and (ii) an expansion of “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1. These changes and others are discussed in more detail below. Given the expected release in late January 2020, it is likely that the requirements in this draft will closely resemble those that will be set forth in Version 1.0 of the CMMC framework, which is anticipated to serve as the basis for the first contractor audits.…
On November 7, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.6 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.
The model updates Version 0.4, which DoD released on September 4, 2019, and which we wrote about here. The CMMC establishes the framework necessary for contractors to obtain one of five certification levels necessary to perform work on certain DoD contracts, including those that require the handling of Controlled Unclassified Information. Whereas Version 0.4 merely listed the capabilities, controls, and processes that were expected to apply to each certification level, this version provides some additional discussion and clarification to assist contractors with meeting Level 1 certifications.
DoD has not explicitly asked for comment on this version of the CMMC, and has stated that the updated model is being released “so that the public can review the draft model and begin to prepare for the eventual CMMC roll out.” For this reason, although additional changes are to be expected to the model, contractors should review the general requirements closely to ensure that they are positioned to continue bidding on DoD contracts once DoD begins including a requirement to obtain a specific certification level in Requests for Proposal in Fall 2020.
Continue Reading DoD Releases Version 0.6 of its Cybersecurity Maturity Model Certification
On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains. In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB. As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.
The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant. DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020. Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding. DoD is seeking feedback on the current version of the model by September 25, 2019.
Continue Reading DoD Releases Public Draft of Cybersecurity Maturity Model Certification and Seeks Industry Input
On November 6 and 7, 2014, the International Forum on Business Ethical Conduct (“IFBEC”) will host its annual conference in Brussels, Belgium. The IFBEC Annual Conference is designed to encourage an interactive dialogue that promotes and enhances global, industry-wide ethical standards within the aerospace and defense industry. The Conference will include a range of speakers…