DoD

Since May 2020, federal efforts to fast-track the development, manufacturing, and distribution of COVID-19 vaccines has been led by a joint effort between the Department of Health and Human Services (“HHS”) and the Department of Defense (“DoD”), formerly known as Operation Warp Speed but renamed the HHS-DoD COVID-19 Countermeasures Acceleration Group (“CAG”).  As of December 31, 2021, the CAG was dissolved, and the entire responsibility for managing the government’s vaccine efforts transitioned to HHS.  On January 19, 2022, the Government Accountability Office (“GAO”) released a report examining that transition, as part of its ongoing obligation under the CARES Act to monitor the federal government’s pandemic response.  The report includes a few key findings and recommendations that will be of interest to industry partners operating within this space.
Continue Reading New GAO Report: HHS Faces Outstanding Issues as it Assumes Vaccine Responsibilities

The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing

On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0.  Mr. KcKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous” especially on small and medium sized contractors.  He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk based approach than the original CMMC because it is primarily focused on the type of data being protected.Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0

UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.”   The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.
Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0

As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that address DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award.  The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2]  We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.
Continue Reading How is DoD Planning to Use the Supplier Performance Risk System (SPRS)?

Last week, DoD released a draft of its much-anticipated guidance implementing Section 3610 of the CARES Act, which authorizes the government to reimburse qualifying contractors for the costs of providing certain paid leave to employees as a result of the COVID-19 pandemic.  DoD previously published a collection of memoranda, Q&A documents, and a class deviation addressing Section 3610 reimbursement, but the new draft guidance (“Guidance”), which includes a “reimbursement checklist” and accompanying instructions, provides significantly more detail regarding the process for requesting and substantiating claims for reimbursement under the statute.

A number of open questions remain pending the issuance of final guidance, as discussed below, but the contours of DoD’s Section 3610 process are becoming increasingly clear.  Contractors interested in pursuing recovery under the statute should start preparing now to satisfy these emerging rules and requirements.Continue Reading DoD Releases Draft Section 3610 Reimbursement Guidance

Defense Department leaders and agencies have been granted much-needed flexibility to respond to the coronavirus pandemic.  Last week, Under Secretary of Defense for Acquisition & Sustainment Ellen Lord delegated approval authority for Other Transaction Agreements (“OTs”) related to the coronavirus response, consistent with Section 13006 of the CARES Act.
Continue Reading Other Transaction Authorities Given Greater Flexibility to Foster Innovation in Coronavirus Response

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.Continue Reading A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

As of February 10, 2020, the World Health Organization (WHO) reported that 40,554 cases of the Novel Coronavirus (2019-nCoV) have been confirmed globally, with twelve cases confirmed in the United States.  The WHO has been issuing situation reports on a daily basis since January 21, and each report in February alone has identified more than 2,000 to 3,000 new cases each day.

Due to the lack of approved therapeutics, vaccines, and diagnostics for this threat, developing new products and testing products already approved for other uses is a high priority for the U.S. interagency response effort—the Medical Countermeasure (MCM) Task Force.  The Biomedical Advanced Research and Development Authority (BARDA), under the Office of the Assistant Secretary for Preparedness and Response (ASPR) in the U.S. Department of Health and Human Services (HHS), is leading this Task Force in partnership with U.S. Department of Defense, Food and Drug Administration, Centers for Disease Control and Prevention, and National Institutes of Health.

BARDA is currently looking at the effectiveness of existing countermeasures for similar viruses, as well as potential new responsive technologies, including vaccines, diagnostics, therapeutics, and medical supplies.  BARDA is serving as the sole point of entry for product and technology submissions to ensure there is an expedited process for receipt and review of proposed solutions for 2019-nCoV.  In this capacity, BARDA has released two opportunities to submit potential solutions for the 2019-nCoV response discussed below: (1) the EZ-BAA for 2019-nCoV diagnostics and (2) market research packages for any and all potential products and supplies.  Covington encourages those with technology that could be potentially useful to respond.Continue Reading U.S. Government Seeks Industry Solutions in Novel Coronavirus Response