Tag Archives: Cybersecurity

Department of Defense’s Interim Rule Imposes New Assessment Requirements But is Short on Detail on Implementation of CMMC

On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 … Continue Reading

New Section 889 Restrictions Included in Updated Uniform Guidance Regulations from the Office of Management and Budget

On August 13, 2020, the Office of Management and Budget (OMB) released new revisions to its Guidance for Grants and Agreements set forth under 2 CFR (commonly referred to as the Uniform Guidance).  The Uniform Guidance governs the terms of federal funding issued by agencies, including grants, cooperative agreements, federal loans, and non-cash assistance awards.  … Continue Reading

National Institute for Standards and Technology Releases Draft of NIST SP 800-172

The National Institute for Standards and Technology released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020.  This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must … Continue Reading

M&A and Section 889: Due Diligence and Integration Considerations

(This article was originally published in Law360 and has been modified for this blog.) Companies in a range of industries that contract with the U.S. Government—including aerospace, defense, healthcare, technology, and energy—are actively working to assess whether or not their information technology systems comply with significant new restrictions that will take effect on August 13, … Continue Reading

Contractor Supply Chain Readiness – An Update on Expected Regulatory Changes

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a … Continue Reading

A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that … Continue Reading

DoD Announces the Release of CMMC Version 1.0

On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft … Continue Reading

DoD Releases Version 0.7 of Its Cybersecurity Maturity Model Certification

On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October.  (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog … Continue Reading

DoD Releases Version 0.6 of its Cybersecurity Maturity Model Certification

On November 7, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.6 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial … Continue Reading

CISA Information and Communications Technology Supply Chain Risk Management Task Force Issues New Interim Report

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential … Continue Reading

DoD Announces the Cybersecurity Maturity Model Certification (CMMC) Initiative

The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain. The Office of the Under Secretary of Defense for Acquisition … Continue Reading

Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”). To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General … Continue Reading

Keeping Up With DoD Cybersecurity Compliance Demands

(This article was originally published in Law360 and has been modified for this blog.) On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.[1]  One intent of this guidance is … Continue Reading

Senate Reintroduces IoT Cybersecurity Improvement Act

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up … Continue Reading

How Well Do You Know Your Supply Chain? New Policy Developments Affect Defense and Security Contractors

This post first appeared on Covington’s Global Policy Watch blog on September 7, 2018. Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial … Continue Reading

Department of Homeland Security Secretary Kirstjen Nielsen Proposes “More Forward-Leaning Posture” for Federal Government in Cybersecurity

On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference.  A copy of her prepared remarks is available here.  Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure. Secretary Nielsen set the stage by describing the … Continue Reading

DHS Cybersecurity Legislation Advances Through Capitol Hill

Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity.  On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs … Continue Reading

Latest NIST Draft Report a Call to Action for Federal Agencies and Private Companies

Inflection Point for IoT: In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and … Continue Reading

DFARS Cyber Rule – What Questions Should Contractors Ask Themselves in the New Year?

[The referenced article was originally published in Law360.] Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been on meeting … Continue Reading

DoD Issues Further Guidance on Implementation of DFARS Cyber Rule

On September 21, 2017, the Director of the Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) issued guidance to Department of Defense (DoD) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of NIST Special Publication (SP) 800-171.  The guidance outlines (i) ways in which a contractor may … Continue Reading

A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ … Continue Reading

Updated OMB Breach Response Policy Includes Required Breach-Related Provisions for Federal Agency Contracts

On Monday, our colleague Caleb Skeath posted on Inside Privacy an engaging article that discusses the new Office of Management and Budget policy setting forth minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII) and the expected contractual changes that agencies will impose on contractors whose systems … Continue Reading

Cybersecurity Update: DoD Releases Long-Awaited Final Rule

On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November … Continue Reading

DoD Finalizes Rule on Policies for Cyber Incident Reporting

On October 4th, the Department of Defense (DoD) issued a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors who have “agreements” with DoD.  The Final Rule also highlights DoD’s desire to encourage greater participation in the voluntary Defense Industrial Base (DIB) cybersecurity information sharing program.  This Rule is effective on … Continue Reading