As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that address DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award.  The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2]  We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.

Continue Reading How is DoD Planning to Use the Supplier Performance Risk System (SPRS)?

At the end of last month, the Department of Defense (“DoD”) issued a class deviation to implement Section 2821 of the National Defense Authorization Act for Fiscal Year 2020 (“FY20 NDAA”), which seeks to reduce dependence on Russian energy by prohibiting the acquisition of energy sourced from inside Russia for DoD’s main operating bases in

Last week, DoD released a draft of its much-anticipated guidance implementing Section 3610 of the CARES Act, which authorizes the government to reimburse qualifying contractors for the costs of providing certain paid leave to employees as a result of the COVID-19 pandemic.  DoD previously published a collection of memoranda, Q&A documents, and a class deviation addressing Section 3610 reimbursement, but the new draft guidance (“Guidance”), which includes a “reimbursement checklist” and accompanying instructions, provides significantly more detail regarding the process for requesting and substantiating claims for reimbursement under the statute.

A number of open questions remain pending the issuance of final guidance, as discussed below, but the contours of DoD’s Section 3610 process are becoming increasingly clear.  Contractors interested in pursuing recovery under the statute should start preparing now to satisfy these emerging rules and requirements.


Continue Reading DoD Releases Draft Section 3610 Reimbursement Guidance

Defense Department leaders and agencies have been granted much-needed flexibility to respond to the coronavirus pandemic.  Last week, Under Secretary of Defense for Acquisition & Sustainment Ellen Lord delegated approval authority for Other Transaction Agreements (“OTs”) related to the coronavirus response, consistent with Section 13006 of the CARES Act.
Continue Reading Other Transaction Authorities Given Greater Flexibility to Foster Innovation in Coronavirus Response

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.


Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

As of February 10, 2020, the World Health Organization (WHO) reported that 40,554 cases of the Novel Coronavirus (2019-nCoV) have been confirmed globally, with twelve cases confirmed in the United States.  The WHO has been issuing situation reports on a daily basis since January 21, and each report in February alone has identified more than 2,000 to 3,000 new cases each day.

Due to the lack of approved therapeutics, vaccines, and diagnostics for this threat, developing new products and testing products already approved for other uses is a high priority for the U.S. interagency response effort—the Medical Countermeasure (MCM) Task Force.  The Biomedical Advanced Research and Development Authority (BARDA), under the Office of the Assistant Secretary for Preparedness and Response (ASPR) in the U.S. Department of Health and Human Services (HHS), is leading this Task Force in partnership with U.S. Department of Defense, Food and Drug Administration, Centers for Disease Control and Prevention, and National Institutes of Health.

BARDA is currently looking at the effectiveness of existing countermeasures for similar viruses, as well as potential new responsive technologies, including vaccines, diagnostics, therapeutics, and medical supplies.  BARDA is serving as the sole point of entry for product and technology submissions to ensure there is an expedited process for receipt and review of proposed solutions for 2019-nCoV.  In this capacity, BARDA has released two opportunities to submit potential solutions for the 2019-nCoV response discussed below: (1) the EZ-BAA for 2019-nCoV diagnostics and (2) market research packages for any and all potential products and supplies.  Covington encourages those with technology that could be potentially useful to respond.


Continue Reading U.S. Government Seeks Industry Solutions in Novel Coronavirus Response

On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft

(This article was originally published in Law360 and has been modified for this blog.)

Peter Navarro, assistant to the president for trade and manufacturing policy, recently offered in a New York Times op-ed that “[a] strong manufacturing base is critical to both economic prosperity and national defense.” The Trump Administration’s maxim that “economic security is national security” is rooted in several government initiatives, ranging from large-scale policy reforms (like renegotiating the North American Free Trade Agreement and strengthening the so-called “Buy American Laws”) to more granular contracting procedures (like the Department of Defense’s proposed changes to commercial item contracting and increased scrutiny of security across all levels of defense supply chains).

Business leaders should therefore pay close attention to the government’s long-awaited interagency assessment of the manufacturing and defense industrial base, available in unclassified form here.  The report was commissioned by Executive Order 13806, which described “[s]trategic support for a vibrant domestic manufacturing sector, a vibrant defense industrial base, and resilient supply chains” as “a significant national priority.”  The Department of Defense served as the lead agency coordinating the report, in partnership with the White House’s Office of Trade and Manufacturing Policy.

Throughout the 140-page report, the Interagency Task Force (the “Task Force”) identifies myriad threats, risks and gaps in the country’s manufacturing and industrial base, and concludes that “[a]ll facets of the manufacturing and defense industrial base are currently under threat, at a time when strategic competitors and revisionist powers appear to be growing in strength and capability.”  To address these concerns, the Task Force lays out a methodology, diagnosis, and framework for policy recommendations and gives the government significant flexibility in crafting responses.  The report recommends – and we expect the President to issue – a follow-on Executive Order directing action on those responses.  That creates an opportunity for industry to participate in shaping the major implementing policies and regulations that are coming. 
Continue Reading “Economic Security Is National Security”: Key Takeaways from the Defense Industrial Base Report

This post first appeared on Covington’s Global Policy Watch blog on September 7, 2018

Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial

For the first time in several years, the version of the FY 2019 National Defense Authorization Act (NDAA) that just passed the Senate does not contain any major reforms to limit bid protests.  But the bill the Senate sent to the conference committee process does contain two provisions aimed at bid protests.  Although they are minor, they portend and may lay the groundwork for future attempts to change the protest process.  Both provisions call for further study of issues addressed in the RAND Corporation’s January 2018 bid protest report.
Continue Reading Senate Largely Leaves Bid Protests Alone in Passed Version of FY 2019 NDAA After Threatening Major Revisions