Defense Industrial Base

On February 24, 2021, President Biden signed an Executive Order entitled “Executive Order on America’s Supply Chains” (the “Order”). Among other things, the Order is an initial step toward accomplishing the Biden Administration’s goal of building more resilient American supply chains that avoid shortages of critical products, facilitate investments to maintain America’s competitive edge, and

It goes without saying that the COVID-19 pandemic has significantly affected the Department of Defense (“DoD”) and the defense industrial base.  And while Congress has taken steps to mitigate these impacts, the sheer scale of the pandemic’s effects pose a continuing challenge to both DoD and its contractors.  Now a group of major defense contractors has submitted a pair of joint letters to the Pentagon and OMB highlighting the need for further action and the risk to the defense industrial base if such actions are not taken.

Continue Reading Defense Contractors Say Section 3610 and Other Contractor Support Measures Require Relief

On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft

On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October.  (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog posts.)

DoD describes the CMMC as “a DoD certification process that measures a DIB sector company’s ability to protect FCI [Federal Contract Information] and CUI [Controlled Unclassified Information].”  DoD has stated publicly that it intends to begin incorporating certification requirements into solicitations starting in Fall 2020, with compliance audits beginning in late 2020 or early 2021.  Depending the sensitivity of the information that contractors will receive in the course of performing work for DoD, they will be expected to demonstrate compliance through third party audits with the requirements set forth under one of five certification levels.  This applies even where contractors will not be handling FCI or CUI in the course of performing their contracts.[1]

The two most significant updates to the model in this version of the draft are (i) the addition of “Practices” for obtaining Level 4 and 5 certifications, and (ii) an expansion of “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1.  These changes and others are discussed in more detail below.  Given the expected release in late January 2020, it is likely that the requirements in this draft will closely resemble those that will be set forth in Version 1.0 of the CMMC framework, which is anticipated to serve as the basis for the first contractor audits.


Continue Reading DoD Releases Version 0.7 of Its Cybersecurity Maturity Model Certification

On November 7, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.6 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.

The model updates Version 0.4, which DoD released on September 4, 2019, and which we wrote about here. The CMMC establishes the framework necessary for contractors to obtain one of five certification levels necessary to perform work on certain DoD contracts, including those that require the handling of Controlled Unclassified Information. Whereas Version 0.4 merely listed the capabilities, controls, and processes that were expected to apply to each certification level, this version provides some additional discussion and clarification to assist contractors with meeting Level 1 certifications.

DoD has not explicitly asked for comment on this version of the CMMC, and has stated that the updated model is being released “so that the public can review the draft model and begin to prepare for the eventual CMMC roll out.” For this reason, although additional changes are to be expected to the model, contractors should review the general requirements closely to ensure that they are positioned to continue bidding on DoD contracts once DoD begins including a requirement to obtain a specific certification level in Requests for Proposal in Fall 2020.
Continue Reading DoD Releases Version 0.6 of its Cybersecurity Maturity Model Certification

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment.  The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.  In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB.  As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.

The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant.  DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020.  Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding.  DoD is seeking feedback on the current version of the model by September 25, 2019.
Continue Reading DoD Releases Public Draft of Cybersecurity Maturity Model Certification and Seeks Industry Input

(This article was originally published in Law360 and has been modified for this blog.)

Peter Navarro, assistant to the president for trade and manufacturing policy, recently offered in a New York Times op-ed that “[a] strong manufacturing base is critical to both economic prosperity and national defense.” The Trump Administration’s maxim that “economic security is national security” is rooted in several government initiatives, ranging from large-scale policy reforms (like renegotiating the North American Free Trade Agreement and strengthening the so-called “Buy American Laws”) to more granular contracting procedures (like the Department of Defense’s proposed changes to commercial item contracting and increased scrutiny of security across all levels of defense supply chains).

Business leaders should therefore pay close attention to the government’s long-awaited interagency assessment of the manufacturing and defense industrial base, available in unclassified form here.  The report was commissioned by Executive Order 13806, which described “[s]trategic support for a vibrant domestic manufacturing sector, a vibrant defense industrial base, and resilient supply chains” as “a significant national priority.”  The Department of Defense served as the lead agency coordinating the report, in partnership with the White House’s Office of Trade and Manufacturing Policy.

Throughout the 140-page report, the Interagency Task Force (the “Task Force”) identifies myriad threats, risks and gaps in the country’s manufacturing and industrial base, and concludes that “[a]ll facets of the manufacturing and defense industrial base are currently under threat, at a time when strategic competitors and revisionist powers appear to be growing in strength and capability.”  To address these concerns, the Task Force lays out a methodology, diagnosis, and framework for policy recommendations and gives the government significant flexibility in crafting responses.  The report recommends – and we expect the President to issue – a follow-on Executive Order directing action on those responses.  That creates an opportunity for industry to participate in shaping the major implementing policies and regulations that are coming. 
Continue Reading “Economic Security Is National Security”: Key Takeaways from the Defense Industrial Base Report

[This article was originally published in Law360.]

On July 21, 2017 – and during “Made in America Week” – President Trump issued Executive Order 13806 on “Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States” (the “Manufacturing EO”).  The Manufacturing EO sets forth a policy stressing the importance of having a “healthy” domestic “manufacturing and defense industrial base and resilient supply chains” to meet “national security” needs.  This policy comes on the heels of President Trump’s April 2017 “Buy American and Hire American” Executive Order (the “Buy American EO”), which announced a policy and action plan to increase U.S. manufacturing capabilities by “maximiz[ing]” the Federal Government’s procurement of “goods, products, and materials produced in the United States.”

The Manufacturing EO calls for a sweeping review and assessment of the strengths and weaknesses of the defense industrial base (“DIB”) and supply chains, and cites the need for the United States “to surge in response to an emergency.”  This review stems from the Administration’s stated conclusion that the “manufacturing capacity and defense industrial base of the United States have been weakened by the loss of factories and manufacturing jobs.”  Although a report on this review is not due until April 2018, the Manufacturing EO’s underlying policies and reporting requirements offer contractors an important glimpse into the Trump Administration “America First” vision and potential impacts on federal procurement.


Continue Reading Six Takeaways from President Trump’s Executive Order on Assessing Manufacturing and the Defense Industrial Base