Federal Acquisition Regulation

On November 18, the National Institute of Standards and Technology (“NIST”) released Draft Special Publication 800-171 (“SP 800-171”), which includes new recommended security controls for nonfederal organizations such as government contractors, state and local governments, and colleges and universities that “process, store, or transmit” controlled unclassified information (“CUI”) on their own systems.  These draft standards were issued pursuant to Executive Order 13556, Controlled Unclassified Information (“CUI EO”), which called for the establishment of a uniform government approach for managing unclassified information requiring safeguarding or dissemination controls.  The draft standards are based on the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, but were tailored to eliminate requirements that are uniquely federal, related primarily to availability, and/or presumably already routinely satisfied by nonfederal organizations.

To maintain the security of CUI, the CUI EO instructed the National Archives and Records Administration (“NARA”) to collaborate with various agencies to propose CUI classifications and associated markings, and issue any directives necessary to implement the CUI EO.  As noted in SP 800-171, “the CUI program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions” through a federal CUI Registry.  This Registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.  Although the categories of information included in the Registry are unclassified, the government has determined that additional safeguarding – such as storage on a secure server – or limitations on sharing the data should be employed.  To ensure that controls are reasonable and justified, the CUI EO requires each category to be based in statute, regulation, or government-wide policy, and the Registry lists such authorizations.

President Obama recently issued two Executive Orders designed to ensure that federal contractors maintain strict compliance with various labor-related laws and regulations if they wish to remain eligible for federal contracts.  Taken together, these Executive Orders place significant new compliance burdens on federal contractors.  Please see our attached article for

Contractors supplying commercial products and services to the U.S. Government under the Federal Supply Schedule (“FSS”) or General Services Administration (“GSA”) Schedules program may be required to comply with non-commercial requirements. Until recently, it was thought that rules in Part 12 of the Federal Acquisition Regulation (“FAR”) applicable to commercial

Rep. Anna G. Eshoo (D-Calif.) recently introduced the Reforming Federal Procurement of Information Technology (“RFP-IT”) Act. This Act is similar in many ways to earlier drafts of the FITARA bill on which we have previously reported, with a few notable differences. Among other things, the RFP-IT Act would: