On the heels of the FTC’s opposition to Lockheed Martin’s acquisition of Aerojet Rocketdyne and Lockheed’s termination of the deal, the Department of Defense (DoD) released a report expressing concerns about the state of competition among its contractors.  Of particular note, the report encourages DoD action to (1) increase oversight of M&A transactions and (2) obtain greater IP rights in matters involving defense industrial base contractors.  Although the report is light on specifics and identifies objectives that are in some tension with each other, the report is a reminder to companies that the U.S. Government, the single largest purchaser in the country, remains focused on enhancing competition. To that end, we anticipate seeing Executive Branch action in the coming months that seeks to further that policy objective.
Continue Reading DoD Signals Increased Scrutiny of Gov Con M&A and Renewed Interest in Background IP Rights

Since May 2020, federal efforts to fast-track the development, manufacturing, and distribution of COVID-19 vaccines have been led by a joint effort between the Department of Health and Human Services (“HHS”) and the Department of Defense (“DoD”), formerly known as Operation Warp Speed but renamed the HHS-DoD COVID-19 Countermeasures Acceleration Group (“CAG”). As of December 31, 2021, the CAG was dissolved, and the entire responsibility for managing the government’s vaccine efforts transitioned to HHS. On January 19, 2022, the Government Accountability Office (“GAO”) released a report examining that transition, as part of its ongoing obligation under the CARES Act to monitor the federal government’s pandemic response. The report includes a few key findings and recommendations that will be of interest to industry partners operating within this space.
Continue Reading New GAO Report: HHS Faces Outstanding Issues as it Assumes Vaccine Responsibilities

The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing

On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one-hour Town Hall focused on CMMC Version 2.0. Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD, gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0. Mr. McKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous,” especially on small and medium-sized contractors. He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk-based approach than the original CMMC because it is primarily focused on the type of data being protected.

Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0

UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.” The reason for the Department of Defense’s withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.
Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0

As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that addresses DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1] Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award. The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2] We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.

Continue Reading How is DoD Planning to Use the Supplier Performance Risk System (SPRS)?

Last week, DoD released a draft of its much-anticipated guidance implementing Section 3610 of the CARES Act, which authorizes the government to reimburse qualifying contractors for the costs of providing certain paid leave to employees as a result of the COVID-19 pandemic.  DoD previously published a collection of memoranda, Q&A documents, and a class deviation addressing Section 3610 reimbursement, but the new draft guidance (“Guidance”), which includes a “reimbursement checklist” and accompanying instructions, provides significantly more detail regarding the process for requesting and substantiating claims for reimbursement under the statute.

A number of open questions remain pending the issuance of final guidance, as discussed below, but the contours of DoD’s Section 3610 process are becoming increasingly clear.  Contractors interested in pursuing recovery under the statute should start preparing now to satisfy these emerging rules and requirements.

Continue Reading DoD Releases Draft Section 3610 Reimbursement Guidance

Defense Department leaders and agencies have been granted much-needed flexibility to respond to the coronavirus pandemic.  Last week, Under Secretary of Defense for Acquisition & Sustainment Ellen Lord delegated approval authority for Other Transaction Agreements (“OTs”) related to the coronavirus response, consistent with Section 13006 of the CARES Act.
Continue Reading Other Transaction Authorities Given Greater Flexibility to Foster Innovation in Coronavirus Response

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.

Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification