On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.

Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

On Friday, January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft

As previously discussed on this blog, the National Defense Authorization Act for Fiscal Year 2017 and the NDAA for Fiscal Year 2018 imposed new limitations on when the Department of Defense can use Lowest Price Technically Acceptable source selection methods.  Just last month, the Department of Defense issued a final rule amending the Defense Federal Acquisition Regulation Supplement to implement those provisions.  Now, in Inserso Corp., B-417791, B-417791.3, Nov. 4, 2019, GAO has weighed in on what counts as LPTA for purposes of those restrictions.  This decision may indicate a potentially significant limitation on the reach of the NDAA provisions, new DFARS rule, and proposed FAR rule.

Continue Reading What Is Lowest Priced Technically Acceptable? GAO Clarifies Reach of New LPTA Restrictions

The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain.

The Office of the Under Secretary of Defense for Acquisition

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General

(This article was originally published in Law360 and has been modified for this blog.)

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a contractor’s purchasing system.[1]  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”[2]

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

Continue Reading Keeping Up With DoD Cybersecurity Compliance Demands

The Department of Defense Office of Inspector General (“OIG”) recently announced that it was initiating an audit to determine whether agencies within DoD awarded Service-Disabled Veteran-Owned Small Business (“SDVOSB”) set-aside and sole-source contracts to eligible companies. The audit is set to begin this month, and likely will evaluate the number and value of contracts awarded to SDVOSBs under set-asides and sole-source procurements, as well as whether and how agencies confirm that awardees qualify as SDVOSBs at the time of award. The audit, which comes six years after the OIG previously determined that DoD did not have adequate controls in place to ensure the integrity of the SDVOSB set-aside program, signals that SDVOSB eligibility issues are likely to become a greater point of emphasis in future enforcement proceedings.

Continue Reading DoD OIG Audit: What SDVOSBs Need to Know

In a memorandum issued June 27, 2018, Deputy Secretary of Defense Patrick Shanahan ordered the establishment of the Joint Artificial Intelligence Center (“JAIC”) within DoD.  The JAIC will report to DoD Chief Information Officer (“CIO”) Dana Deasy and has the “overarching goal of accelerating the delivery of AI-enabled capabilities, scaling the Department-wide impact of AI, and synchronizing DoD AI activities to expand Joint Force advantages.”  With the creation of the JAIC, the DoD has acknowledged that the AI “effort is a Department priority,” and one to which government contractors should pay attention.

The JAIC will be the primary organizational component responsible for coordinating and executing DoD’s 2018 Artificial Intelligence Strategy, which was delivered to Congress in June. Although an unclassified version of the report is not out yet, the memorandum elaborates upon what is in the report by stating that “A new approach is required to increase the speed and agility with which we deliver AI-enabled capabilities and adapt our way of fighting.”

Continue Reading Covington Artificial Intelligence Update: Department of Defense Establishes Joint Artificial Intelligence Center

For the first time in several years, the version of the FY 2019 National Defense Authorization Act (NDAA) that just passed the Senate does not contain any major reforms to limit bid protests.  But the bill the Senate sent to the conference committee process does contain two provisions aimed at bid protests.  Although they are minor, they portend and may lay the groundwork for future attempts to change the protest process.  Both provisions call for further study of issues addressed in the RAND Corporation’s January 2018 bid protest report.

Continue Reading Senate Largely Leaves Bid Protests Alone in Passed Version of FY 2019 NDAA After Threatening Major Revisions

On May 4, 2018, the Department of Defense (“DoD”) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to state that, in the interest of promoting voluntary disclosures of defective pricing identified by contractors after contract award, DoD contracting officers have more discretion to determine the scope of the involvement of the Defense Contract Audit Agency (“DCAA”) in assessing such a disclosure. 83 Fed. Reg. 19645. This is a change from DoD’s November 2015 proposed rule, which required contracting officers to request at least a limited-scope audit when a contractor voluntarily discloses defective pricing. While arguably a step in the right direction, the permissive language of the final rule continues to provide only limited information to defense contractors about what to expect following a voluntary defective pricing disclosure. Nonetheless, by listing the types of information that the contracting officer must consider when deciding whether to request an audit, the rule arms contractors with potentially impactful information.

Continue Reading DoD Final Rule to Promote Post-Award Disclosure of Defective Pricing Arms Contractors with Potentially Impactful Information