On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.  The rule becomes effective November 30, 2020.  We have written previously on NIST 800-171 and the CMMC here and here respectively.

DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.


Continue Reading Department of Defense’s Interim Rule Imposes New Assessment Requirements But is Short on Detail on Implementation of CMMC

Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy.  Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.”  In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.

Continue Reading Navy Modifies Acquisition Supplement to Tighten Cybersecurity Requirements and Implement the Geurts Memorandum

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.  Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.  And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.  Other requiring activities are reportedly requiring similar enhanced protections and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171.  Since then, DoD has issued two additional guidance memoranda; one that includes contractual language for implementing the November 6th guidance and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.


Continue Reading DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors

[The referenced article was originally published in Law360.]

Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been