As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that address DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award.  The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2]  We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.

Continue Reading How is DoD Planning to Use the Supplier Performance Risk System (SPRS)?

Last week, DoD released a draft of its much-anticipated guidance implementing Section 3610 of the CARES Act, which authorizes the government to reimburse qualifying contractors for the costs of providing certain paid leave to employees as a result of the COVID-19 pandemic.  DoD previously published a collection of memoranda, Q&A documents, and a class deviation addressing Section 3610 reimbursement, but the new draft guidance (“Guidance”), which includes a “reimbursement checklist” and accompanying instructions, provides significantly more detail regarding the process for requesting and substantiating claims for reimbursement under the statute.

A number of open questions remain pending the issuance of final guidance, as discussed below, but the contours of DoD’s Section 3610 process are becoming increasingly clear.  Contractors interested in pursuing recovery under the statute should start preparing now to satisfy these emerging rules and requirements.


Continue Reading DoD Releases Draft Section 3610 Reimbursement Guidance

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.


Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft

As previously discussed on this blog, the National Defense Authorization Act for Fiscal Year 2017 and the NDAA for Fiscal Year 2018 imposed new limitations on when the Department of Defense can use Lowest Price Technically Acceptable source selection methods.  Just last month, the Department of Defense issued a final rule amending the Defense Federal Acquisition Regulation Supplement to implement those provisions.  Now, in Inserso Corp., B-417791, B-417791.3, Nov. 4, 2019, GAO has weighed in on what counts as LPTA for purposes of those restrictions.  This decision may indicate a potentially significant limitation on the reach of the NDAA provisions, new DFARS rule, and proposed FAR rule.

Continue Reading What Is Lowest Priced Technically Acceptable? GAO Clarifies Reach of New LPTA Restrictions

The Department of Defense (“DoD”) recently announced the development of the ”Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain.

The Office of the Under Secretary of Defense for Acquisition

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General

(This article was originally published in Law360 and has been modified for this blog.)

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.[1]  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”[2]

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.


Continue Reading Keeping Up With DoD Cybersecurity Compliance Demands

The Department of Defense Office of Inspector General (“OIG”) recently announced that it was initiating an audit to determine whether agencies within DoD awarded Service-Disabled Veteran-Owned Small Business (“SDVOSB”) set-aside and sole-source contracts to eligible companies. The audit is set to begin this month, and likely will evaluate the number and value of contracts awarded to SDVOSBs under set-asides and sole-source procurements, as well as whether and how agencies confirm that awardees qualify as SDVOSBs at the time of award. The audit, which comes six years after the OIG previously determined that DoD did not have adequate controls in place to ensure the integrity of the SDVOSB set-aside program, signals that SDVOSB eligibility issues are likely to become a greater point of emphasis in future enforcement proceedings.

Continue Reading DoD OIG Audit: What SDVOSBs Need to Know

In a memorandum issued June 27, 2018, Deputy Secretary of Defense Patrick Shanahan ordered the establishment of the Joint Artificial Intelligence Center (“JAIC”) within DoD.  The JAIC will report to DoD Chief Information Officer (“CIO”) Dana Deasey and has the “overarching goal of accelerating the delivery of AI-enabled capabilities, scaling the Department-wide impact of AI, and synchronizing DoD AI activities to expand Joint Force advantages.”  With the creation of the JAIC, the DoD has acknowledged that the AI “effort is a Department priority,” and one to which government contractors should pay attention.

The JAIC will be the primary organizational component responsible for coordinating and executing DoD’s 2018 Artificial Intelligence Strategy, which was delivered to Congress in June. Although an unclassified version of the report is not out yet, the memorandum elaborates upon what is in the report by stating that “A new approach is required to increase the speed and agility with which we deliver AI-enabled capabilities and adapt our way of fighting.”


Continue Reading Covington Artificial Intelligence Update: Department of Defense Establishes Joint Artificial Intelligence Center