On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.  The rule becomes effective November 30, 2020.  We have written previously on NIST 800-171 and the CMMC here and here respectively.

DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.


Continue Reading Department of Defense’s Interim Rule Imposes New Assessment Requirements But is Short on Detail on Implementation of CMMC

Last week, the FAR Council issued a Final Rule, setting forth new FAR provisions that require the reporting of certain counterfeit and suspect counterfeit parts and certain major or critical nonconformances to the Government-Industry Data Exchange Program (“GIDEP”).[1]  This Final Rule comes more than five years after the rule was first proposed in the Federal Register in June 2014.  The FAR Council describes the Final Rule as “significantly de-scoped” from the version proposed in 2014, but it nonetheless constitutes a significant expansion of the existing counterfeit part reporting obligations, which to date have applied only to electronic parts under DOD contracts.

Continue Reading New FAR Rule Expands Counterfeit Reporting Obligations

As previously discussed on this blog, the National Defense Authorization Act for Fiscal Year 2017 and the NDAA for Fiscal Year 2018 imposed new limitations on when the Department of Defense can use Lowest Price Technically Acceptable source selection methods.  Just last month, the Department of Defense issued a final rule amending the Defense Federal Acquisition Regulation Supplement to implement those provisions.  Now, in Inserso Corp., B-417791, B-417791.3, Nov. 4, 2019, GAO has weighed in on what counts as LPTA for purposes of those restrictions.  This decision may indicate a potentially significant limitation on the reach of the NDAA provisions, new DFARS rule, and proposed FAR rule.

Continue Reading What Is Lowest Priced Technically Acceptable? GAO Clarifies Reach of New LPTA Restrictions

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General

(This article was originally published in Law360 and has been modified for this blog.)

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a contractor’s purchasing system.[1]  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”[2]

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.


Continue Reading Keeping Up With DoD Cybersecurity Compliance Demands

The Section 809 Panel recently concluded its monumental analysis of defense acquisition law and regulations and released its third volume of recommended changes.  As we have written previously, the Panel’s work stands out from previous acquisition reform efforts with the appendices of detailed legislative and regulatory changes that accompany the commissioners’ analysis and recommendations.

Given the scope of the Panel’s work, few believe that Congress or the Department of Defense (“DoD”) will — or even could — simply adopt the recommendations in full.  Legislative bandwidth for additional acquisition reform is finite, and some of the Panel’s recommendations will prompt robust debate.  In this post, we analyze some of the recommendations that government contractors should follow most closely.  We highlight key issues and address the political dynamics involved in enacting them.
Continue Reading After the Final Report: Expectations Following the Section 809 Panel’s Third Volume of Acquisition Policy Reforms

[This article was originally published in Law360 and has been modified for the blog.]

Over the summer, pursuant to Section 874 of the FY 2017 National Defense Authorization Act (“NDAA”)[1], the Department of Defense (“DoD”) issued a proposed rule[2] to exclude the application of certain laws and regulations to the acquisition of commercial items, including commercially available off-the-shelf (“COTS”) items.  Among other things, the proposed rule identifies certain DFARS and FAR clauses that should be excluded from commercial item contracts and subcontracts, and sets forth a narrower definition of “subcontract” that would carve out a category of lower-tier commercial item agreements from the reach of certain flow-down requirements.  A summary of the proposed rule and our key observations/takeaways are below.
Continue Reading Takeaways From DoD’s Proposed Changes to Commercial Item Contracting

This past March marked the beginning of a more fulsome required debriefing process for defense contracts.  The Director of Defense Procurement and Acquisition Policy (“DPAP”) issued a class deviation memorandum, effective March 22, 2018, requiring contracting officers to: (1) provide unsuccessful offerors an opportunity to submit additional questions within two days after receiving a debriefing; and (2) hold the debriefing open until the agency delivers written responses.  The class deviation implements Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (“NDAA”).
Continue Reading Any Questions? : Department of Defense Implements FY 2018 NDAA Requirement for Post-Debriefing Q&A Process

On January 31, 2018, the Department of Defense (“DoD” or the “Department”) published a final rule regarding commercial item purchasing requirements.  Among other key amendments, the final rule modifies the Defense Federal Acquisition Regulation Supplement (“DFARS”) by:  (i) formalizing a presumption of commerciality for items that DoD previously treated as commercial; (ii) providing commercial item treatment to goods and services offered by nontraditional defense contractors; and (iii) prioritizing the types of information that the contracting officer (“CO”) can consider when determining price reasonableness in the absence of adequate competition.

The final rule adopts much of DoD’s August 2016 proposed rule, which itself was a revised version of a retracted August 2015 proposed version.  We discussed the August 2016 proposed rule on this subject (and linked to an article regarding the August 2015 version) in a prior post.  Despite receiving repeated input from industry and Congress, DoD’s final rule still provides little concrete guidance, and although these changes were made with the stated purpose of promoting consistency across purchasing components, it appears likely that inconsistencies will persist.  In particular, the final rule continues to leave the door open for individual contracting officers to make potentially burdensome requests for information to support the proposed pricing of commercial items.
Continue Reading Third Time Around: Inconsistencies Persist with Final DFARS Commercial Items Rule

[The referenced article was originally published in Law360.]

Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been