Morrison Foerster’s Government Contracts Insights provides our in-depth analysis of developments and trends impacting government contracting. Through Insights, our attorneys offer a real-time assessment of the statutory, regulatory, legal, and business-related developments and trends that are shaping the industry. We also examine a full array of non-U.S. public procurement issues, mindful that our clients compete in a global marketplace.Morrison Foerster’s nationally recognized Government Contracts and Public Procurement practice represents the world’s leading companies in the aerospace and defense, intelligence, cybersecurity, information technology, financial and professional services, education, healthcare, infrastructure, and logistics support sectors. We are enlisted to address our clients’ most complex and important legal issues. Our work includes contract and subcontract negotiation and other transactional matters, business and regulatory compliance counseling, internal investigations, bid protests, and a wide array of enforcement and litigation matters. Our clients range from Fortune 50 companies to small and medium-sized companies just entering the public sector. We advise both U.S. and non-U.S. companies involved in municipal, state, federal, and non-U.S. procurement matters.<h2>ABOUT MORRISON FOERSTER</h2>Morrison Foerster is a leading global law firm that transforms complexity into advantage for its clients. Our clients include some of the largest financial institutions, banks, consulting and accounting firms, and Fortune 100, technology, and life sciences companies. Highlighting the firm’s commitment to client service, leadership in market-changing deals and impact litigation, and values-based culture, Morrison Foerster has been repeatedly recognized as one of the top 10 firms on The American Lawyer’s A-List. Year after year, the firm receives significant recognition from Chambers and The Legal 500 across their various guides, including Global, USA, Asia‑Pacific, Europe, UK, Latin America, and FinTech Legal. Our lawyers passionately care about delivering legal excellence while living our values. Morrison Foerster has a long-standing commitment to creating a culture that respects and celebrates differences, while providing an inclusive environment. The firm has achieved Mansfield Certification Plus since 2018 as a result of successfully reaching at least 30 percent women, communities of color, and LGBTQ+ lawyer representation in a notable number of current leadership roles and committees. The firm also has a long history of commitment to the community and society through providing pro bono legal services, including litigating for civil rights and civil liberties, improving public education and fostering the wellbeing of children, advocating for veterans, promoting international human rights, enforcing the right to asylum, and safeguarding the environment.

Social

Search

GAO Protest Timeline

govcon-gao-protest-timeline-thumb.jpg

Govcon GAO Post Award Protest Timeline Article

Contract Disputes Act Claim Timeline

govcon-contract-disputes-timeline-thumb.jpg

The Bayh-Dole Act

govcon-bayhdole-thumb.jpg

Anatomy of a Protest

govcon-federalclaimsprotest-thumb.jpg

Allowability of Legal Costs

govcon-allowabilityoflegalcosts-thumb.jpg

Procurement Integrity Act

240715-procurement-integrity-act-resized.jpg

Govcon-Resources

Tina is Co-chair of Morrison Foerster’s Government Contracts & Public Procurement practice. She represents a wide variety of government contractors including information technology, defense, biotechnology, and pharmaceutical companies, with a focus on general contract counseling and compliance, particularly concerning intellectual property, and cybersecurity matters and federal grant funding.Tina counsels contractors on compliance with federal, state and local acquisition and ethics regulations and with the evolving myriad of requirements pertaining to data security and cybersecurity. She has been involved with numerous internal investigations and compliance reviews, and with mandatory and voluntary disclosures to agencies, and litigation of False Claims Act matters.Tina routinely advises clients concerning:<ul><li>Prime-subcontractor relationships</li><li>Sources of supply and country of origin requirements</li><li>Price reductions and price reporting issues</li><li>Organizational conflicts of interest</li><li>Safeguarding of intellectual property and other proprietary interests</li><li>Licensing and data rights issues</li><li>Handling of classified materials and controlled unclassified information</li><li>Agency suspension and debarment proceedings</li></ul>She also assists clients with due diligence and other activities related to the acquisition of government contracting concerns, and with the drafting and negotiation of teaming agreements, subcontracts, licensing agreements, and cooperative research and development agreements. She also assists clients applying for federal grants (including SBIR and STTR agreements), and those who seek to obtain other transactional authority agreements, as well as those competing for state and local government work.Tina’s litigation experience includes government contracts claims litigation in federal courts and before boards of contract appeals, bid protests before the Government Accountability Office and the Court of Federal Claims, and complex disputes in federal courts, including civil fraud and False Claims Act litigation and reverse Freedom of Information Act litigation.Prior to joining Morrison Foerster, Tina worked at another large national firm and as a trial attorney in the Office of the General Counsel of the Navy, Navy Litigation Office.<h4>Representative Experience</h4><ul><li>Negotiation of largest CHIPS Act federal funding agreement between multinational semiconductor corporation and U.S. Department of Commerce.</li><li>Negotiated prime contract and major subcontracts related to the Department of Energy’s next generation supercomputer program, including extensive IP rights negotiations and negotiation of associated patent rights waivers.</li><li>Negotiated series of other transaction authority agreements with DARPA and associated subcontracts with more than a dozen research universities on behalf of a firm biotech client, including complex IP rights allocations and material transfer agreements.</li><li>Assist clients with FedRAMP authorization process and with development of license agreements for software products sold to federal, state and local government agencies.</li><li>Cyber incident response counseling to some of the largest companies and organizations impacted by security incidents.</li><li>Advises clients on Bayh-Dole reporting of inventions and IP strategies for contracts and grants.</li><li>Conducts due diligence for major government contract mergers and acquisitions.</li></ul>

reynolds_tina_blog_150x150.png

reynolds_tina_common_640x280.jpg

reynolds_tina_heroretina_2700x1160.jpg

reynolds_tina_mobileretina_750x1040.jpg

reynolds_tina_social_600x600.jpg

Partner

Our government contracts and procurement attorneys counsel businesses on legal and compliance issues encountered when doing business with government entities.

Government Contracts + Public Procurement

Government Contracts and Procurement Attorneys

Band 1: National: Government Contracts

Tier 1: Government Contracts

Readers Choice Award: Government Contracting

Tina is co-chair of Morrison Foerster’s Government Contracts & Public Procurement practice. She counsels a wide variety of government contractors on compliance with federal acquisition and ethics regulations. She drafts and negotiates contracts on their behalf and has been involved with numerous internal investigations and compliance reviews, and with bid protest, contract claims, and False Claims Act litigation. She also advises on M&A transactions involving government contractors.

Tina D. Reynolds

Jim Tucker is of counsel in Morrison Foerster’s Government Contracts and Public Procurement Practice Group and is based in the firm’s Washington, D.C. office.Jim’s practice runs the gamut of litigation and counseling in federal procurement matters, with an emphasis on bid protests, Cost Accounting Standards disputes, and small business matters. He has represented both protesters and awardees in scores of protests before the Government Accountability Office, the Court of Federal Claims, and procuring agencies, in acquisitions ranging from small business procurements to multibillion-dollar contracts of global significance. His representative protest matters span the aerospace sector, the Intelligence Community, base operations and logistics, healthcare, nuclear and environmental work, and information technology and software acquisitions. His protests have included both classified and unclassified programs. In addition to prevailing in published decisions, Jim has also secured favorable corrective action on behalf of clients in a wide variety of protests that were resolved without a published decision.Jim’s work also focuses on disputes over cost allowability and compliance with the Cost Accounting Standards, and he has appeared before the Armed Services and Civilian Boards of Contract Appeals, in size and status protests before Small Business Administration (SBA) area offices, and appeals before the SBA Office of Hearings and Appeals. Jim regularly counsels clients on contract interpretation, organizational conflicts of interest, and small business compliance.Jim graduated with high honors from the George Washington University Law School, where he focused his studies on federal procurement law, was a member of the Law Review, and interned with the General Services Administration’s suspension and debarment office. Jim also holds a degree in theology magna cum laude from the Pontifical Gregorian University in Rome and a bachelor’s degree in classical languages and literature summa cum laude from the University of Kentucky, where he graduated Phi Beta Kappa.

tucker_james_blog_150x150.png

tucker_james_common_640x280.jpg

tucker_james_heroretina_2700x1160.jpg

tucker_james_mobileretina_750x1040.jpg

tucker_james_social_600x600.jpg

Of Counsel

Jim maintains an active practice in bid protests before the Government Accountability Office and contracting agencies and counsels clients in contract disputes and compliance obligations.

Jim Tucker is of counsel in Morrison Foerster’s Government Contracts and Public Procurement Practice Group and is based in the firm’s Washington, D.C. office. Jim’s practice runs the gamut of litigation and counseling in federal procurement matters, with an emphasis on bid protests, Cost Accounting Standards disputes, and small business matters.

James Tucker

<div style="margin-bottom: 15px;" class="videoWrapper"><iframe class="sticky-video" title="Meet Alex Ward, Government Contracts Practice Co-Chair" src="https://www.youtube-nocookie.com/embed/TkliwdSlTaQ?rel=0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen="1" title="iframe"></iframe></div>J. Alex Ward is co-chair of Morrison Foerster’s Government Contracts and Public Procurement group. His practice covers a full range of government contracts matters, including investigations, bid protests, claims, general litigation, corporate transactions, and counseling. Alex strives in all matters is to provide his clients the highest level of efficient and effective representation.Alex represents contractors in internal and external investigations, disclosures to the government, and qui tam litigation, with great success in reducing or eliminating his clients’ exposure through active engagement with the government. His work in this area includes obtaining numerous declinations and dismissals of False Claims Act cases in their earliest stages, sparing his clients the cost, risk, and exposure of litigation.He has also served as lead counsel in dozens of bid protests involving military and civilian agency procurements of a wide range of products and services, including all manner of pre- and post-award protests in the GAO, the U.S. Court of Federal Claims, and state tribunals, as well as appeals to the U.S. Court of Appeals for the Federal Circuit and size protest appeals before the SBA’s Office of Hearings and Appeals.Alex handles all aspects of the claims process, from the initial assessment and drafting of requests for equitable adjustment through litigation in the Boards of Contract Appeals and the Court of Federal Claims. Alex’s practice also covers the full gamut of other controversies confronting government contractors, including prime-sub, teaming partner, employer-employee, competitor, and indemnification disputes. His litigation work also includes a wide variety of pro bono engagements, in which he has represented both individual and institutional clients in matters ranging from immigration and criminal defense to sustainable procurement and protection of the environment.Prior to joining the firm, Alex served in the U.S. Army as a commissioned officer and an Assistant to the General Counsel of the Army responsible for civil works and international matters, and as a clerk for judges on the U.S. Courts of Appeals for the Armed Forces and the D.C. Circuit. He is a member of the Boards of the Morrison & Foerster Foundation and the Chesapeake Bay Foundation and of Law360’s Government Contracts Editorial Board.

ward_alex_blog_150x150.png

ward_alex_common_640x280.jpg

ward_alex_heroretina_2700x1160.jpg

ward_alex_mobileretina_750x1040.jpg

ward_alex_social_600x600.jpg

Alex is co-chair of Morrison Foerster’s Government Contracts and Public Procurement practice. His practice covers a full range of government contracts matters, including bid protests, claims, investigations, corporate transactions, and counseling.

J. Alex Ward

favicon.ico

favicon-16x16.png

favicon-32x32.png

apple-touch-icon.png

MoFo Favicons

Morrison Foerster’s Government Contracts Insights blog provides an in-depth analysis of news, developments, and trends impacting government contracting and procurement. Through Insights, attorneys from our nationally recognized Government Contracts and Public Procurement practice will offer a real-time assessment of the statutory, regulatory, legal, and business-related developments that are shaping the industry. This blog will also examine a full array of U.S. and non-U.S. public procurement issues, mindful that our clients compete in a global marketplace.Read about our <a href="http://govcon.mofo.com/editors/">Authors</a>.Never miss a post. Subscribe to get real-time updates.

gov-con-feature-image-thumb1.jpg

Welcome to the Government Contracts Insights Blog

Welcome to the Government Contracts Insights Blog

gov-con-feature-image_(1)1.jpg

The United States Capitol building

Morrison Foerster’s Government Contracts Insights blog provides an in-depth analysis of news, developments, and trends impacting government contracting and proc

Announcements & Press

Blog - Terms of Use

Blog - Privacy Policy

Blog - Blog Disclaimer

Blog - Attorney Advertising

morrison-foerster-blog-logo.png

Provides insights and reports on the most current class actions lawsuits and product liability issues that affect consumer-facing companies.

Class Dismissed Blog

Class Dismissed

Looks behind the headlines to explore the trends, identify the opportunities, analyze the issues, and provide guidance for science and technology-based companies.

MoFo Tech

Mofo Tech

News and thought leadership from lawyers who are adding value to the legal profession and the communities we call home.

  External-Link

MoFo + Blog

Mofo+

Stay on top of emerging issues and stay informed of developments related to the law and business of social media.

Socially Aware

Our Government Contracts Insights blog provides in-depth analysis of developments and trends impacting U.S. government contracting and non-U.S. public procureme

Government Contracts Insights

  Linkedin

MoFo LinkedIN

Blog - Govcon RSS

Stay Connected

Never miss a post from Government Contracts Insights. Enter your email below to stay up-to-date.

Subscribe

The latest updates and analysis from Morrison Foerster

Morrison Foerster - Footer

Blogs -  Home Button

Home

Blog - Topics

Acquisition Regulations

Artificial Intelligence + Robotics

Compliance

Coronavirus

Cybersecurity & Data Privacy

Data Rights

Defense

Domestic Preferences

False Claims Act

Federal Procurement

Foreign Corrupt Practices Act

Grants

Health Care

Intellectual Property

International Public Procurement

Labor & Employment

Mergers & Acquisitions

National Security

Protests & Litigation

Resources

Schedule Contracting

Small Business

Topics

Blog - Editors

Editors

Blog - About

About

Blog - Subscribe

More

James A. Tucker

Kickstarting AI in the Federal Government: OMB’s Policy to Implement Executive Order 14179

Bid Protest Spotlight: Instructions, Price Evaluation, Standing

FAR Overhaul Underway

FedRAMP 20x: Reformulating the Authorization Process

Court of Federal Claims Confirms Jurisdiction over Other Transaction (OT) Bid Protests

LinkedIN

12_30_cybersecurity_07.jpg

Breaking DOD’s Code: How to Figure Out and Resist What DOD Really, Truly Wants to Do to Your Data Rights

DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements

Your rights in technical data and software are at greater risk today than at any time during the last 25 years.  The Department of Defense (“DOD”) is proposing 

Breaking DOD’s Code:  How to Figure Out and Resist What DOD Really, Truly Wants to Do to Your Data Rights

In a decision sure to bring some comfort to contractors providing information technology equipment and services to the federal government, a U.S. district court judge recently granted a motion to dismiss a False Claims Act (FCA) suit, finding that the relator both failed to establish materiality under the FCA and failed to prove the necessary scienter on the part of the contractor.In <a href="https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2015cv0608-73" target="_blank" rel="noopener noreferrer">United States ex rel. Adams v. Dell Computer Corp</a>.,<a href="#_ftn1" name="_ftnref1">[1]</a> the relator, a self-described cybersecurity expert not affiliated with Dell, alleged that through his own independent testing methods he had uncovered a vulnerability in certain Dell computer systems.  Adams, the relator whom the government declined to join in this FCA action, argued that, by allowing this vulnerability to persist in computers furnished to the federal government, Dell had made false statements and had falsely certified compliance with government technology policies and requirements in violation of the False Claims Act.Ruling on a motion to dismiss, the court summarily dismissed the false statements count because the complaint did not allege with particularity any specific false statements made by Dell.In considering the second claim, the court acknowledged that the D.C. Circuit has accepted the “implied certification” theory under the FCA.  To establish implied false certification at the motion to dismiss stage, “a relator must allege that (1) defendant certified compliance with a particular contractual condition, (2) defendant failed to comply with that condition, (3) defendant knowingly misrepresented the noncompliance, and (4) compliance was a condition ‘material to the government’s decision to pay.’”<a href="#_ftn2" name="_ftnref2">[2]</a>In addressing whether the defect was, or could have been, material to the government’s decision to purchase the computer systems at issue, the court cited to the Supreme Court’s Escobar decision as creating a “demanding” standard for FCA materiality.<a href="#_ftn3" name="_ftnref3">[3]</a>  The court acknowledged the government’s interest in the security of the computer systems it purchases, as well as the existence of various federal government technology policies, but found that these factors were not sufficient to establish materiality.  The court found some ambiguity as to whether the government’s technology policies extended to the defendant but, even assuming they did, noted that the mere existence of a vulnerability was not enough to establish materiality.  The government’s cybersecurity policies do not specifically require defect-free products, but only computer systems with limited vulnerabilities and the means to remediate and mitigate any vulnerabilities that might appear.  The court also found somewhat persuasive the defendant’s argument that, even after the government was aware of the relator’s allegations, federal agencies continued to purchase the computer systems in question, further demonstrating lack of materiality.Additionally, the court found that the relator had not demonstrated that the company knew, or should have known, of the alleged defect, and therefore concluded that the FCA’s scienter requirement was not met.  In large part, the court found the relator’s claims that he was uniquely qualified to identify the vulnerability, and had only done so through complex testing using “unique methods and tools,” to call into question whether the company could have been aware of the vulnerability.  Even assuming knowledge on the part of the company’s engineers, however, the court determined that there was no reason to believe that the persons with knowledge of the alleged defect were also aware that the defect violated a material provision in agreements with federal government agencies.  The court stated that the FCA knowledge requirement required such a connection.In summary, this decision stands for the principle that a cybersecurity vulnerability that does not violate a federal contract’s explicit terms cannot form a sufficient basis for an FCA claim, particularly where that vulnerability is difficult to identify and test.  The case can be contrasted with other recent decisions finding that certifications made with respect to cybersecurity compliance with knowledge of, or reckless disregard with respect to, their falsity can form the basis of an FCA claim.<a href="#_ftn4" name="_ftnref4">[4]</a>  (See our <a href="https://govcon.mofo.com/defense/federal-court-confirms-that-cybersecurity-gaps-can-form-the-basis-of-false-claims-act-violations/#_ftn1" target="_blank" rel="noopener noreferrer">prior blog article</a> on this point.)While the current D.C. district court decision is a welcome one for contractors faced with potential FCA claims, government contractors should continue to take great care to comply with cybersecurity requirements, particularly those explicitly included in contract terms, to avoid exposure under the False Claims Act and the threat of contract claims or termination for default.<a href="#_ftnref1" name="_ftn1">[1]</a> United States ex rel. Adams v. Dell Computer Corp., No. 1:15-cv-608 (D.D.C. 2020).<a href="#_ftnref2" name="_ftn2">[2]</a> Id. at * 6, citing United States v. Sci. Applications Int’l Corp. (SAIC), 626 F.3d 1257, 1269-71 (D.C. Cir. 2010); Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2001 (2016).<a href="#_ftnref3" name="_ftn3">[3]</a> Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989.<a href="#_ftnref4" name="_ftn4">[4]</a> See, e.g., United States ex rel. Brian Markus v. Aerojet Rocketdyne, Inc., 381 F.Supp.3d 1240 (E.D.Cal. 2019) (denying motion to dismiss of FCA claim where contractor was alleged to have falsely certified to compliance with cybersecurity requirements); United States ex rel. James Glenn v. Cisco Systems Inc., No. 1:11-cv-00400-RJA (W.D.N.Y. 2019) (complaint alleged FCA claims related to vulnerabilities in video surveillance software; Cisco settled the case with the Justice Department for $8.6 million).*Michaela Thornton contributed to this blog post. Michaela is a full-time law student at The George Washington University Law School and a Law Clerk with Morrison & Foerster’s government contracts practice group.

Tina is a partner in Morrison & Foerster’s Government Contracts practice. She represents a wide variety of government contractors including information technology, defense, biotechnology, and pharmace

Tina Reynolds

angle_victoria_blog_150x150.png

angle_victoria_common_640x280.jpg

angle_victoria_heroretina_2700x1160.jpg

angle_victoria_mobileretina_750x1040.jpg

angle_victoria_social_600x600.jpg

Associate

Tori Dalcourt Angle is an associate in the Government Contracts practice in Morrison Foerster’s Washington, D.C. office.
Tori advises clients on various government contract matters, including both pre

Victoria Dalcourt Angle

Victoria Angle

false-claims-300x148.jpg

U.S. District Court for the District of Columbia Finds That Alleged Cybersecurity Vulnerability Is Not Material Under False Claims Act

MoForecast Podcast: Predictions on the False Claims Act (FCA)

In a decision sure to bring some comfort to contractors providing information technology equipment and services to the federal government, a U.S. district court

U.S. District Court for the District of Columbia Finds That Alleged Cybersecurity Vulnerability Is Not Material Under False Claims Act

On September 29, 2020, the Department of Defense (DoD) issued a long-anticipated <a rel="noopener noreferrer" target="_blank" href="https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf">interim rule</a> implementing its Cybersecurity Maturity Model Certification (CMMC) program.  The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review.  A full description of the interim rule and what it means for DoD contractors follows.  The interim rule becomes effective November 30, 2020, although full implementation of CMMC will not be achieved until 2025.******The interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to achieve phased implementation of both the newly required assessment methodology and the CMMC framework.  The NIST SP 800-171 DoD Assessment Methodology, is a standard approach to assess contractor implementation of the cybersecurity requirements in the National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-171.  The Cybersecurity Maturity Model Certificate (CMMC) Framework is a DoD certification process that measures a company’s further implementation of cybersecurity processes and practices beyond NIST SP 800-171.DoD Assessment MethodologyThe current DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is required in all DoD contracts except those solely for commercial off-the shelf (COTS) items. Under the -7012 clause, contractors must apply the cybersecurity requirements of NIST SP 800-171 to “covered contractor information systems,” which are generally those that store, process, generate, transmit or access DoD-related controlled unclassified information (CUI), which DoD terms “covered defense information.”  Presently, contractors and any of their subcontractors with access to “covered defense information” self-certify as to compliance with the clause through acceptance of the clause in contracts and subcontracts.The DoD Assessment Methodology requirement was developed to address perceived flaws in this self-assessment process.  The Methodology involves three levels – Basic, Medium, and High – which reflect the level of confidence DoD has in the assessment, and uses a scoring methodology that takes into account how many of the 110 NIST SP 800-171 controls a contractor has fully implemented.Basic assessments are to be performed by the contractor, using the specified DoD Assessment Methodology.  The results are reported to a Defense Information Systems Agency-run database, the <a rel="noopener noreferrer" target="_blank" href="https://www.sprs.csd.disa.mil/">Supplier Performance Risk System (SPRS)</a>.  Medium and High assessments will be performed by various DoD components (including the Defense Contract Management Agency) under specific circumstances. These DoD components will also report results of the Medium and High reviews to SPRS.The SPRS database will be accessible throughout DoD.  Beginning November 30, 2020, contracting officers will be required to check the database to confirm that an entity that is required to implement NIST SP 800-171 has an active SPRS Assessment prior to the award of a new contract or exercise of an option under an existing contract.  SPRS Assessments are good for three years, and must be renewed prior to expiration in order for DoD contractors to maintain eligibility for contract awards.  Assessments must be completed for each contractor IT system used in connection with a DoD contract.The new contract clauses DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, describe the assessment process, and the latter clause requires contractors to provide the government access to its facilities, systems, and personnel when higher-level reviews are required.  Both clauses are to be included in all solicitations and contracts after November 30, 2020, including those for commercial items, unless solely COTS products are involved.The DFARS 252.204-7019 clause walks contractors through the logistics for performing and reporting a Basic DoD Assessment.  As part of the process, each contractor must supply the following information with respect to each system being assessed:  system security plan name, CAGE code, brief description of plan architecture, date of assessment, total score, and date that a score of 110 will be achieved.  Contractors that have fully implemented all 110 NIST SP 800-171 security requirements will be able to report the highest possible score of 110.  Others will merit a lower score depending how many and which requirements are unimplemented.  DoD has indicated that it is requesting this detail so that contractors can no longer leave security controls unaddressed indefinitely.  Now contractors and subcontractors that store, process, generate, transmit or access covered defense information must establish enforceable timelines to address any compliance gaps.DoD will select contractors for Medium and High review post-award, based on the critical nature of the program involved or particular sensitivity of information being handled by the contractor.  The interim rule states that DoD expects to assess 200 entities a year at the Medium level of review and 110 at the High level.With the SPRS information, DoD components will have visibility into contractors’ current levels of compliance without having to undertake contract- or program-specific reviews.  There will also be a single source for information, which will eliminate duplicative, and possibly conflicting, assessments by different DoD components.DFARS 252.204-7019 does not contain a flowdown provision, but the substance of DFARS 252.204-7020 must be flowed down to all subcontractors (except COTS suppliers).  The clause further directs that prime contractors are required to ensure that applicable subcontractors (i.e., those that must meet NIST SP 800-171 requirements) have a current DoD Assessment posted in SPRS.CMMC ImplementationWith the interim rule, DoD is phasing in the rollout of CMMC.  All contracts over the micropurchase threshold (except for COTS) will require CMMC certification beginning September 30, 2025.  Until then, the DoD, specifically, the Office of the Under Secretary of Defense for Acquisition and Sustainment, will decide which solicitations will include the CMMC requirement and the new associated DFARS clause at 252.204-7021, Cybersecurity Maturity Model Certification Requirements.CMMC assessments will be conducted by designated and specially trained CMMC Third Party Assessment Organizations (C3PAOs).  Once the C3PAO has completed an assessment, the contractor is awarded a certification at the appropriate certification level by the CMMC Accreditation Body (AB).  These certifications will be included in the same SPRS database as the DoD Assessment Methodology reviews.  Also as with the DoD Assessment reviews, CMMC certifications will be good for three years.  Once CMMC is in effect, contracting officers cannot make contract awards, or exercise an option on a contract, if the offeror or contractor does not have a current certification at the CMMC level required under the applicable solicitation or contract.The various CMMC levels build upon one another.  Level 1, the most basic level, is the equivalent of the current FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  Level 2 has more requirements, but is not as robust as Level 3, which includes all 110 NIST SP 800-171 requirements, plus an additional 20 CMMC practices and three CMMC processes.  Levels 4 and 5 represent a significant increase in complexity, with far more practices and processes, which are designed to reduce the risk of Advanced Persistent Threats or attacks by adversaries using multiple, sophisticated techniques.  The requirements for each level are described in the CMMC model.CMMC review can pertain to a contractor’s entire enterprise network or the contractor can elect to have particular network segments or enclaves that will store, process, generate or transmit contract-related information to be evaluated separately (and potentially each at different levels).Where it appears in current contracts, and in all cases after October 1, 2025, the DFARS 252.204-7021 clause is a mandatory flowdown to subcontractors at all tiers.  The level of CMMC certification that will apply to any given subcontractor, however, will be based on the sensitivity of the information provided to that subcontractor.  The interim rule does not specify whether the government or the contractor will make this determination, but implies that this will be the contractor’s responsibility.Open Questions and Other Interesting Aspects of the Interim RuleSubject to the caveat that the final rule may alter the new clause requirements, our preliminary review of the interim rule leads to a few observations:<ul><li>Although this rule has been years in the making, DoD issued it as an interim rule, rather than in draft form, because it made a determination that urgent and compelling circumstances so required. Although DoD has solicited comments, contractors should not expect the final rule to vary significantly from the current interim posture.  Minor clarifications are far more likely than any major policy shift.</li><li>Beginning November 30, 2020, contracting officers will need to confirm that an entity has an active SPRS Assessment in order to award a new contract or exercise an option under an existing contract where the offeror or contractor is required to implement NIST SP 800-171. Previously, contracting officers have not had to determine whether or not contracts require implementation of NIST SP 800-171, because the -7012 clause was simply inserted into every contract.  How are contracting officers going to make this determination?  In some instances, where extensive covered defense information is involved in contract performance, this may be obvious.  Less obvious, however, may be where the contractor performs its work, and whether covered defense information actually passes through the contractor’s systems.</li><li>The purpose of the DoD Assessment rating number and level is unclear. As drafted, the interim rule and new regulations only require contracting officers to make sure that an offeror has a current DoD Assessment prior to making award.  Yet what happens if the Assessment score is very low?  Can this be a basis for rejection of an offer?  Can a contracting officer assign more risk and therefore give less evaluation credit to a company with a Basic score below 110?  Or can the contracting officer rate more highly a company with a Medium or High posture even though companies cannot control whether they will be subjected to Medium or High Assessments?  Review will be done post-award in the first instance, but results will be in SPRS thereafter for use with other programs.</li><li>Because the DoD Assessment Methodology applies not only to new awards but also to the exercise of options, will existing contracts be modified to include DFARS 252.204-7019 and 252.204-7020, or will the clauses only appear in solicitations, and resultant contracts, after the November 30, 2020 effective date for the rule?</li><li>DoD indicates in the interim rule that it expects 129,810 unique entities will receive a CMMC assessment in the next five years, until CMMC is required for all contractors and subcontractors. This is a highly specific number; it would be informative to the contracting community to know how this estimate was derived so that companies can estimate the timing of their CMMC reviews.</li><li>DoD states that CMMC will conduct an onsite assessment for every level of review, including Level 1. The possibility of a virtual review for Level 1 assessments had been discussed, but ultimately DoD has concluded that an onsite assessment would be useful to verify implementation of security practices and also to officially identify contractors and subcontractors in the DoD supply chain.  It is not clear how this onsite review will work for contractors and subcontractors outside the U.S.; presumably, C3PAOs will be available worldwide.</li><li>DoD states that it considered requiring CMMC certification prior to submission of an offer, or after contract award, but ultimately settled on the interim position that an offeror must be certified to the requisite CMMC level at the time of contract award. DoD has invited comment on its decision, perhaps suggesting that it is not wed to this position.</li><li>At one point, DoD had taken the position that CMMC certification requirements would apply to all DoD contracts, including those involving COTS items. This interim rule indicates that the agency has been persuaded that application to COTS contractors is unnecessary and unduly burdensome.</li><li>DoD has stated that it does not intend to issue any contracts that require CMMC Level 2 certification, leaving Level 2 as merely a meaningless way station between Levels 1 and 3. So seemingly the only contractors that will be certified at Level 2 will be those that fail to meet the Level 3 requirements.</li><li>Speaking of CMMC levels, prime contractors are apparently supposed to select the appropriate level for their subcontractors (which may differ from the prime contract level), yet the interim rule and applicable DFARS clauses provide no guidance as to how this is to be accomplished.</li><li>Likewise, primes must verify that their subcontractors have DoD Assessments and, later, CMMC certifications, yet primes will not have access to the SPRS database, except to review their own submissions. Prime contractors will need to create certification requirements for their subcontractors, and/or ask for copies of subcontractors’ SPRS entries in order to meet this verification requirement.</li><li>Despite the lack of public access, the security of the information in the SPRS database is unclear. DFARS 252.204-7019(d)(3)(iii) states that documentation related to a High Assessment will be considered CUI and protected against unauthorized release, with specific reference to FOIA Exemption 4 for confidential and trade secret information.  However, information pertaining to other assessment levels need only be protected in accordance with a DoD Instruction on sharing supplier information.  DFARS 252.204-7019(d)(3)(i); DFARS 252.204-7020(f)(1).  DoD does not state it will treat this information as CUI.</li></ul>What do you contractors and subcontractors need to do now?As with any major regulatory change, contractors need some clear and immediate direction in terms of next steps and timing.  We therefore would offer, in roughly descending order of priority, the following recommendations:<ul><li>Familiarize yourself with the DoD Assessment and prepare to perform a Basic self-assessment. At least based on the language of the interim rule, assessment results must be reported to SPRS in order for your company to receive an award after November 30, 2020.</li><li>If you are not required to implement NIST SP 800-171 security controls because your company does not store, process, generate, transmit or access covered defense information on its systems, be prepared to document why you do not need to conduct a DoD Assessment.</li><li>Plans of Action and Milestones are now risky, as they will lower your Basic DoD Assessment Score and will not be permissible at all under CMMC. Where possible, cybersecurity compliance gaps should be addressed and resolved in the next 60 days.</li><li>Speak with the program and contracting leadership for upcoming procurements (consistent with Procurement Integrity rules, of course) to get a sense of whether the opportunities may include CMMC requirements.</li><li>Continue to prepare for CMMC certification at the level appropriate for your work and systems, with the understanding that for some contractors, the certification process may be several years away.</li></ul>

Department of Defense Issues CMMC Interim Rule, Setting up a Two-Part Process for Review of Contractor IT Systems

On September 29, 2020, the Department of Defense (DoD) issued a long-anticipated interim rule implementing its Cybersecurity Maturity Model Certification (CMMC)

Department of Defense Issues CMMC Interim Rule, Setting up a Two-Part Process  for Review of Contractor IT Systems

Although, as of late, the coronavirus and its impact have been top of mind for government contractors and, indeed, the entire world, the Department of Defense (DoD) has continued undeterred with its planned implementation of the Cybersecurity Maturity Model Certification (CMMC) program.  Below we highlight some recent developments, preview upcoming activities pertaining to CMMC, and offer some recommendations about what contractors can do now to prepare.DoD Has Issued, and Updated, the CMMC Model.On January 31, 2020, the long-promised CMMC version 1 was issued, along with accompanying appendices.  An updated version (v.1.02) was released on March 18, 2020 to correct various administrative errors.  The detailed assessment guide to accompany the CMMC model is expected soon.  Information from DoD about CMMC is regularly published on the official website:  https://www.acq.osd.mil/cmmc/index.html.The CMMC Accreditation Body Is Up and Running.In January 2020, the CMMC Accreditation Body (CMMC-AB) was registered as a Maryland 501(c)(3) nonprofit organization.  It has a Board of Directors consisting of industry-leading experts and a chairperson from the University of Virginia, Darden School Foundation.  Its website is www.CMMCAB.org.The DoD has tasked the CMMC-AB with running the operational aspects of CMMC, including the selection and training of those persons who will conduct CMMC evaluations.  The relationship between DoD and CMMC-AB is defined in a Memorandum of Understanding that has not been made public.To date, no certified third party assessment organizations (C3PAOs) have been selected or identified.  However, the CMMC-AB has indicated that it expects to start training assessors in the coming months, likely through a combination of online and in-person activities.  Assessors will receive a license from the CMMC-AB after completing the required training and passing an examination.  The assessors will not work for CMMC-AB but will have to be associated with a C3PAO.  Licenses will vary depending on the certification level for which the assessor has been trained.  To conduct assessments at the highest levels, assessors will need to have more experience, although the CMMC-AB has not yet determined the specific experiential requirements.  Training for certification of CMMC levels 1 through 3 will happen first, with the more complex training for levels 4 and 5 to follow.On April 22, 2020, the CMMC-AB released its first RFP, for continuous monitoring services.  Responses to the RFP were due on May 1, with selection anticipated by May 8.The CMMC-Implementing DFARS Rule is Imminent.According to recent public statements by the DoD, the DFARS rule implementing CMMC is expected “any day now.”  Industry associations and major contractors are eagerly awaiting the interim rule, and will be certain to supply extensive comments to shape the final rule.The First Requests for Information Pertaining to CMMC Are Still Expected This Summer.DoD representatives have repeatedly indicated that the first programs to implement CMMC, the so-called “Pathfinder programs,” will be identified this summer in RFIs laying out the expected forthcoming CMMC requirements.  DoD has indicated that it is in active discussions with the prime contractors expected to be part of the Pathfinder programs, so if incumbents have not heard from DoD it may be safe to assume that their programs will not be selected.  DoD has also indicated that it will not slow down any program for CMMC, so if the guidance is not in place and/or assessors are not yet trained before a program needs to be renewed, the CMMC requirement may drop out and another program will be selected for Pathfinder status.DoD Has Provided Additional Guidance Concerning Controlled Unclassified Information.The absence of a clear definition of controlled unclassified information (CUI) and the lack of a process for identifying CUI has confounded contractors charged with implementation of the current DFARS cybersecurity rule in 252.204-7012.  DoD recently attempted to minimize this confusion with a new DoD Instruction, <a href="https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF">DoDI 5200.48, “Controlled Unclassified Information</a>.”  This DoDI cancels the prior DoD Manual 5200.01 vol. 4, “DoD Information Security Program: Controlled Unclassified Information.”  DoDI 5200.48 establishes an official DoD CUI Registry, and outlines responsibilities and logistics for the handling, marking and dissemination of CUI.  Most helpfully, with respect to contractors, the instruction makes clear that the obligation to mark CUI is in the first instance on DoD.  DoD must mark any CUI provided to contractors, and the requirement to mark CUI that is generated by contractors or other non-DoD entities will be specified in the applicable contract.In addition, the DoD CISO for Assistant Secretary for Defense Acquisition, Katie Arrington, has recently indicated that the DoD intends to do a lot less sharing of CUI with contractors in the future, sharing information that will be housed on contractor systems only when clearly necessary.  In turn, we recommend that contractors closely examine their supply chains and determine whether or not they need to share CUI as widely as they have been.DoD Has Created an Exception from CMMC for Purely Commercial Off-the-Shelf Products.Although DoD initially indicated it would not do so, the agency has recently carved out an exception to CMMC for companies that exclusively supply commercial off-the-shelf (COTS) products that will not be altered in any way for use by the government.<a name="_ftnref1" href="#_ftn1">[1]</a>  Thus, for example, the supplier of chicken or fuel to a military installation does not need to be CMMC certified.  Companies should be careful not to assume they or their subcontractors will fall within this narrow exception.  Commercial items more broadly, including commercial services, are not exempt from CMMC, and companies that provide such products and services will need to be CMMC certified to continue supplying to DoD.CMMC May Expand Beyond DoD.Other federal agencies are showing interest in the CMMC process.  For example, the recent Department of Health and Human Services CIO SP4 draft solicitation has CMMC as an optional item, presumably to accommodate potential future use of the CIO SP4 contract vehicle by DoD customers.  The recently released Cyberspace Solarium Commission <a href="https://www.solarium.gov/">report</a> suggests implementation of CMMC for civilian agencies and recommends that the FAR adopt more rigorous and adaptable cybersecurity standards.<a name="_ftnref2" href="#_ftn2">[2]</a>  In addition, the report suggests that the Sarbanes-Oxley Act should be amended to include cybersecurity reporting requirements.<a name="_ftnref3" href="#_ftn3">[3]</a>So what should companies be doing now to prepare for CMMC?Most importantly, companies should identify what level of CMMC certification they will need.  Those that currently access, process, generate or store CUI will going forward need to be certified at least at CMMC Level 3, which has additional requirements beyond the current NIST SP 800-171 framework.  All DoD contractors and subcontractors at any tier, with the exception of exclusively COTS product providers, will need to be certified at least at Level 1.If your company is not part of a Pathfinder program it will not be among the first to be certified, but that does not mean that the company should wait to start getting its IT systems updated to meet the requisite level’s requirements.  Companies should conduct gap analyses to determine what policies, procedures and requirements may be missing, and then come up with plans of action to address any deficiencies long before certification has to take place.  Once the process for getting into queue for assessment is identified, those companies that are ready to assess should quickly line up, as the initial demand for assessment will be significant.We also recommend that contractors coordinate and consult with their agency customers to determine what level of certification will be needed going forward and to push for identification of precisely what contract-related data needs to be protected as CUI.  DoD has indicated that only a very small percentage of programs will require Level 4 and 5 certification (the most recently suggestion by DoD is .06% of programs at each level).  However, if you are a contractor or subcontractor working on mission critical systems with national security or defense implications, it is likely that you may fall into this small minority of entities that need to be ready for higher-level certification.  This certification process will start later, but it will be imperative that the company is prepared to be assessed in order to continue to be considered for these programs.Finally, even non-DoD contractors must consider that eventually the reach of CMMC, or some close analogue, is going to expand beyond DoD to civilian agencies.<a name="_ftn1" href="#_ftnref1">[1]</a> See CMMC FAQs, responses to FAQs 19 and 20, available at: https://www.acq.osd.mil/cmmc/faq.html.<a name="_ftn2" href="#_ftnref2">[2]</a> See U.S. Cyberspace Solarium Commission March 2020 report at p. 89 (§ 4.4.3), available at <a href="https://www.solarium.gov/">https://www.solarium.gov/</a>.<a name="_ftn3" href="#_ftnref3">[3]</a> See id. at p. 90 (§ 4.4.4).

Department of Defense March Towards CMMC Continues

Although, as of late, the coronavirus and its impact have been top of mind for government contractors and, indeed, the entire world, the Department of Defense (

Department of Defense March Towards CMMC Continues

The COVID-19 pandemic has disrupted operations across the globe as government agencies and corporations grapple with the implications of remote work, workforce and workplace limitations, and employee health and safety.  But while this worldwide crisis has introduced new complexities and challenges, it also has presented an opportunity for hackers seeking to capitalize on the pandemic to maximize the impact of cyber attacks on government and private sector infrastructure.  We expect nation states’ and criminal groups’ activity to increase as they target newly vulnerable remote employees and IT teams distracted by the dramatic increase in usage.For example, the U.S. Health and Human Services Department recently suffered a cyber attack from what it suspects was a foreign nation state seeking to undermine the U.S. response to COVID-19.  Similarly, the Brno University Hospital in the Czech Republic experienced a cyber attack that forced the hospital to shut down its entire information technology network temporarily.In light of these and other cyber incidents, we have identified five “best practices” for government contractors navigating these uncharted waters.  Given the significant impact that  COVID-19 has already had on business continuity, government contractors should take the time now to assess their cyber preparedness and their plan to respond to and report a cyber incident.  Although contractors may not be able to eliminate the risk of a cyber attack, through proactive measures designed to facilitate expeditious and efficient cyber incident reviews and disclosures, contractors can at least ensure that they have procedures in place to respond swiftly to cyber incidents, even during these challenging times.1. Know your disclosure obligations. Although there is no universal federal law requiring government contractors to disclose cyber attacks or cyber incidents, government contractors performing contracts with the U.S. Department of Defense (DoD) generally are required to comply with <a href="https://www.law.cornell.edu/cfr/text/48/252.204-7012">DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting</a>.  This clause requires contractors to provide “adequate security” for information technology systems, defined as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”  It also requires contractors to “rapidly report” – e., within 72 hours – any “cyber incident” which is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein” after conducting a review for evidence of compromise.In addition to this DoD requirement, many other federal agency contracts include cyber reporting requirements.  Government contractors should be familiar with all such disclosure obligations in their federal contracts and subcontracts.  In addition, contractors should review disclosure requirements at the state level to determine their relevance and applicability.  All fifty states have data protection laws in place, and they generally all require disclosure when cyber incidents compromise personally identifiable information (e.g., Social Security numbers).2. Investigate cyber incidents carefully and deliberately before disclosure. DFARS 252.204-7012 requires cyber incident reviews to, at a minimum:  (1) identify “compromised computers, servers, specific data, and user accounts”; and (2) analyze “covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support.”  Conducting such detailed reviews can be time-consuming and difficult to accomplish within the DFARS’ 72-hour disclosure window.  This is especially true during global crises such as the COVID-19 pandemic, when workforce and workplace limitations increase the difficulty of mobilizing resources and rapid communication and responses.Fortunately, the 72-hour disclosure window in DFARS 252.204-7012 is triggered only after the “discovery of any cyber incident.”  Thus, while still moving quickly and deliberately, contractors can (and should) take the time necessary to complete a reasonably diligent investigation to determine whether a cyber incident, as defined in the clause, has actually occurred, before any disclosure obligation arises.3. Obtain a Medium Assurance Certificate. In the event a cyber attack occurs and the ensuing cyber incident review results in a determination that disclosure is legally required, government contractors must report the cyber incident to DoD by completing the form at <a href="https://dibnet.dod.mil">https://dibnet.dod.mil</a>.  Before a contractor can make such a disclosure, however, it must have a Medium Assurance Certificate issued by one of the External Certification Authorities approved by DoD (<a href="https://public.cyber.mil/eca/">https://public.cyber.mil/eca/</a>).  Contractors with active facility security clearances are likely to already have this capability but, in any event, it is prudent for all contractors to check.  For those without the certificates in hand, it would be prudent to obtain the required certification in advance of a cyber incident, to avoid unnecessarily delaying submission of a cyber incident report.4. Compile inputs in advance for cyber incident reports. When submitting a cyber incident report to DoD, contractors must provide certain information for each affected contract and subcontract, including:  contract and subcontract numbers, clearance levels, contracting officer contact information, and government program manager contact information.  Compiling such information can be difficult under ordinary circumstances, but may be especially difficult during crises such as the COVID-19 pandemic due to workplace and workforce limitations and communication impediments.  Contractors should maintain a database of contract and subcontract information that they can easily leverage in the event of a cyber incident.5. Revisit communication and cyber response protocols. Government contractors should maintain standard operating procedures for communications, including disclosures, and decision-making related to cyber incidents.  These procedures should identify specific individuals with responsibility for particular actions, identify required approvals, and otherwise provide sufficient detail to ensure the company can respond swiftly to a cyber incident.  Given the impact that the COVID-19 pandemic has already had on business continuity and operations, government contractors should revisit their existing procedures to ensure that they remain feasible in light of remote work, workforce and workplace limitations, and employee health and safety precautions.Please contact any of the authors for more information about cyber incident reporting obligations.

nandivada_sandeep_blog_150x150.png

nandivada_sandeep_common_640x280.jpg

nandivada_sandeep_heroretina_2700x1160.jpg

nandivada_sandeep_mobileretina_750x1040.jpg

nandivada_sandeep_social_600x600.jpg

Sandeep Nandivada is a partner in the Litigation Department of Morrison Foerster’s Washington, D.C. office.

Sandeep N. Nandivada

Sandeep Nandivada

02_28_elc_blog_600px_v2.jpg

Cyber Preparedness for Government Contractors: Opportunistic Hackers and the COVID-19 Pandemic

Updated Coronavirus (COVID-19) Guidelines For Employers

02_28_elc_blog_600px_v2

The COVID-19 pandemic has disrupted operations across the globe as government agencies and corporations grapple with the implications of remote work, workforce 

Cyber Preparedness for Government Contractors: Opportunistic Hackers and the COVID-19 Pandemic

Please join Morrison & Foerster LLP, Coalfire Federal, and Grant Thornton Public Sector on Thursday, February 27 at 12PM EST for a deep dive into the key aspects of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) process and how it will affect your business. Register <a rel="noopener noreferrer" target="_blank" href="https://veracast.com/webcasts/mofo/mcle_programs/54143125.cfm">here</a>.Panelists will provide an overview of CMMC, discuss what contractors can do to prepare for third-party review, and outline what to expect, and when, based on what we know today.Presenters<ul><li><a href="https://protect-us.mimecast.com/s/zBRwCkROBgiRLzAwfQW2i9?domain=www2.mofo.com">Tina D. Reynolds</a> – Partner, Morrison & Foerster LLP</li><li>Mike Pitcher – Vice President, Technical Cyber Services, Coalfire Federal</li><li>Chris Ballister – Director, Grant Thornton Public Sector</li><li>Dave Simprini – Principal, Grant Thornton Public Sector</li></ul>We are collecting pre-webinar questions through the Veracast platform. Once you register, you may log-in and submit your questions for presenters to answer during the webinar.

MoFo Webinar: Are You Ready for CMMC? Do You Need to Be?

Please join Morrison & Foerster LLP, Coalfire Federal, and Grant Thornton Public Sector on Thursday, February 27 at 12PM EST for a deep dive into the key aspect

MoFo Webinar: Are You Ready for CMMC? Do You Need to Be?

On January 31, 2020, the Department of Defense (DoD) issued the widely anticipated final version (v.1) of its Cybersecurity Maturity Model Certification (CMMC) Model. The version followed seven drafts and multiple rounds of comments from the contracting community. In the lead up to the release, DoD representatives walked back the timing for full implementation of CMMC. Contractors will all need to be certified in the coming years, but concerns about a mad scramble towards certification of the entire defense industrial base in calendar year 2020 have now been allayed.As we have <a href="https://govcon.mofo.com/cybersecurity-and-data-privacy/a-watershed-moment-in-cybersecurity-for-government-contractors-anticipated-impacts-of-the-department-of-defenses-cybersecurity-maturity-model-certification-program/">previously described</a>, CMMC represents a major pivot in DoD’s approach to cybersecurity compliance. First, contractors and subcontractors will no longer self-certify their compliance with security requirements but instead will have their IT systems evaluated for compliance by neutral third-party evaluators. Second, all contractors and subcontractors will now need to meet some level of certification and all will need to be evaluated, not just those companies that generate, possess, transmit, or store “covered defense information.”When the CMMC was first announced in the summer of 2019, the timing for implementation was ambitious. DoD stood by the aggressive timeline until very recently when it became clear that it was simply not going to be possible to have the program up and running in full this year. Now, DoD has indicated it will take a slower approach – described by Undersecretary of Defense for Acquisition and Sustainment Ellen Lord as a “crawl, walk, run” toward CMMC. The new standards will be phased in over the next five years so that, by fiscal year 2026, all DoD contracts will include CMMC requirements. The requirements will first start to be included in a limited number of requests for information around June of this year, and then in requests for proposals in September or October. See <a href="https://www.defense.gov/Watch/Live-Events/#/?currentVideo=22831">here</a> for a complete video of the DoD presentation with commentary by Undersecretary Lord and others.DoD has helpfully created a briefing chart and series of appendices that provide additional guidance and references.Morrison & Foerster LLP is sponsoring a CMMC informational webinar on February 27, together with Grant Thornton Public Sector and Coalfire Federal.

Department of Defense Takes a More Gradual Approach to Cybersecurity Maturity Model Certification

On January 31, 2020, the Department of Defense (DoD) issued the widely anticipated final version (v.1) of its Cybersecurity Maturity Model Certification (CMMC) 

Department of Defense Takes a More Gradual Approach to Cybersecurity Maturity Model Certification

As 2020 begins, one of the biggest changes facing contractors working with the U.S. Department of Defense (“DoD”) is the implementation of DoD’s enhanced cybersecurity regulations, known as the Cybersecurity Maturity Model Certification (“CMMC”) program. CMMC has the potential to be a game changer as cybersecurity becomes a gating item in connection with the contract evaluation process and the focus of increased oversight and scrutiny. CMMC may exclude some companies from DoD work, or at least certain types of procurements, altogether. Further, CMMC likely will create a cottage industry of advisors and evaluators that will either assist companies with implementing CMMC protocols or assess the results of those implementations. Our predictions about the most significant impacts of CMMC in the coming year follow.<ol><li> CMMC Cements Cybersecurity as a Key Evaluation Consideration</li></ol>Cyber and data security have increasingly become key differentiators for companies as agencies have increasingly incorporated cybersecurity compliance into the evaluation process. CMMC ensures that cybersecurity will be a consideration in every DoD procurement, further elevating its import for government contractors. More significantly, whereas certain contractors and subcontractors previously did not have to adhere to DoD cybersecurity standards because they did not house “covered defense information” on their IT systems, CMMC will involve all DoD contractors and subcontractors, whether their IT systems have DoD data or not.One key advantage of the CMMC program to contractors is that it will take the assessment of security compliance out of the hands of individual government contracting officers and technical evaluators and put it into the hands of neutral third-party assessors, who will apply consistent standards for security level assessment. This will eliminate concerns that certain agencies may not have the broad technical expertise needed to conduct accurate and thorough reviews of contractors’ IT security. Further, at least within DoD, the CMMC process should eliminate situations where multiple assessments are being undertaken simultaneously by different agencies, or even different components within the same agency. Finally, contractors will face less risk of making a misrepresentation as to their security posture that could potentially lead to False Claims Act liability because they will be relying on a neutral third party’s assessment of their cybersecurity protections.<ol start="2"><li> Some Companies May Opt Out of Certain Procurements at the Highest CMMC Levels, and Others May Decide Not to Do Business with the DoD at All</li></ol>CMMC involves five different maturity levels, each with increasing security obligations.  The DoD will select which maturity level applies to a particular procurement based upon perceived cyber threat level and the sensitivity of information involved.CMMC Levels 1 and 2 involve basic cyber hygiene – controls expected to be implemented by most companies, whether DoD contractors or not, as a best practice. CMMC Level 3 is most closely analogous to the current DoD cybersecurity requirements for protection of covered defense information, as reflected in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cybersecurity Incident Reporting. In its current form, this clause requires implementation of the NIST 800-171 Rev. 1 security standards for contractor IT systems and/or use of a cloud-based system certified at a minimum security level of FedRAMP Moderate.In June 2019, NIST introduced the draft <a href="https://csrc.nist.gov/publications/detail/sp/800-171b/draft">SP 800-171b</a>, a further refinement of NIST 800-171 that includes enhanced security requirements for “critical programs” and “high value assets.” The 800-171b document lays out 31 new recommendations for contractors to harden their defense and protect controlled unclassified information (“CUI”)<a name="_ftnref1" href="#_ftn1">[1]</a> residing on their networks from advanced persistent threats and government-sponsored hackers. These include specific processes for implementing dual-authorization access controls for critical operations, employing network segmentation where appropriate, deploying deception technologies and threat-hunting teams, and establishing security operations centers to engage in continuous monitoring or system and network activity. With its most recent draft of CMMC (version 7), DoD has confirmed that the security standards required for achievement of CMMC Levels 4 and 5 closely resemble many of the enhanced security standards of NIST 800-171b, though many controls are based on other information security standards or are unique to CMMC.Although DoD has made clear that it does not believe CMMC Levels 1 or 2 will be costly or difficult for most companies to achieve, it remains to be seen how many businesses will be willing to undergo the assessment process in order to have their systems certified at these levels. Predominantly commercial companies, in particular, may simply decide it is more trouble than it is worth and decide to forego future business with DoD. At the highest certification levels, companies that have only recently installed NIST 800-171 Rev. 1 security controls may be reluctant to employ further controls. Although DoD has indicated that security fixes to meet CMMC requirements will be recoverable costs, this is only helpful to companies with cost reimbursement contracts. Even with such contracts, contractors may be hesitant to seek security cost recovery if it may put them at a competitive disadvantage vis-à-vis other offerors.DoD thus may find itself, especially in the near term, with more limited competitions and without willing contractors to provide certain goods and services. Prime contractors in turn may scramble to secure essential suppliers if their subcontractors are unwilling or unable to achieve necessary certification. This could especially be an issue at CMMC Levels 4 and 5. This said, contractors that already have robust cybersecurity programs may find themselves at a competitive advantage and embrace the new system.<ol start="3"><li> Cybersecurity Consulting Firms Must Decide Which Side of the Fence They Think Will Be Most Lucrative</li></ol>The CMMC program will rely heavily on certified independent third-party auditing organizations (“C3PAOs”) to conduct audits of contractors and subcontractors to assess their CMMC security levels. DoD plans to select a non-profit CMMC accreditation body to operate the certification program and to oversee the C3PAOs that will issue credentials to contractors. These C3PAOs are expected to conduct the vast majority of the estimated 300,000+ security audits required for CMMC certification, although DoD has indicated that some of the higher‑level assessments may be performed by DoD organizations such as the Defense Contract Management Agency (“DCMA”) or the Defense Counterintelligence and Security Agency (“DCSA”).With implementation of the DFARS network penetration and cybersecurity clause (DFARS 252.204-7012), numerous IT consulting companies saw an opportunity to advise contractors on how to strengthen their IT security networks and how to segregate DoD work in a cost‑effective and compliant manner. A quick internet search demonstrates that these same companies, and presumably many more to follow, are posturing to provide CMMC consulting advice to contractors pre-CMMC assessment. Without a doubt, there will be tremendous demand for such assistance.On the other side of the fence, DoD will need hundreds of C3PAOs to conduct CMMC assessments, not just initially, but on an ongoing basis. According to statements made by DoD, companies that serve as C3PAOs under CMMC will not be permitted to assist contractors and subcontractors in getting their IT systems up to speed for CMMC review. IT consulting companies thus will need to assess where the grass may be greener and choose a position accordingly.<ol start="4"><li> DoD and Contractors Should Expect Delays and Bumps in the Road to Full Rollout of CMMC</li></ol>Over the past seven years or so, DoD has been at the forefront of efforts to protect contractor systems that house sensitive information and critical infrastructure. As many recall, however, the rollout and implementation of DFARS 252.204-7012 was not as straightforward as DoD had planned. The clause was modified multiple times in response to contractor protestations, implementation was delayed more than once, and the final word on what constituted “compliance” with the clause ultimately deviated from the original intent. In the end, DoD indicated that the existence of a system security plan and a plan of actions and milestones, not full implementation of both, was sufficient to constitute implementation of the clause requirements.Against this historical backdrop, DoD’s aggressive timeline for rollout of CMMC has created stress throughout the contracting community. To date, DoD has consistently maintained that it will adhere to its planned schedule for rollout of CMMC and will include CMMC requirements in certain RFPs beginning in June 2020 and in most by late Fall. It is difficult to imagine how this schedule will be achievable. Notably, although it released a Request for Information from interested parties in October, DoD has not yet issued a solicitation for the CMMC accreditation position, much less selected an accreditation body, and no C3PAOs have been chosen to conduct assessments. Even once these entities are in place, it will take an extremely long time for the entire defense industrial base to be assessed. It remains unclear how certain contractors will be prioritized for review, although DoD has stated that it will roll out the program in a strategic way, beginning with the contractors that support the most “critical programs and technologies.”<ol start="5"><li> CMMC Will Usher in a New Wave of Cybersecurity Regulations </li></ol>DoD has already announced that following implementation of CMMC, it will begin a follow-on effort – currently (and uncreatively) called CMMC 2 – that will examine and restrict the products that contractors use to secure their systems.While a government-wide FAR clause along the lines of CMMC is a long way off, additional guidance concerning the protection of CUI may be on the horizon. Except for DoD’s efforts, agencies have yet to develop and implement coordinated policies for protection of CUI as mandated by Executive Order 13556 and subsequent National Archives and Record Administration CUI guidelines. A FAR rule on this topic was expected in 2019; it remains to be seen whether one will materialize in 2020.It is also likely that certain agencies that regularly deal with national security and other sensitive information, such as the Department of Homeland Security, will further modify and refine their cybersecurity standards and make more frequent use of cybersecurity as an evaluation criteria. For contractors’ sake, one can only hope that any new cybersecurity requirements will hew closely to CMMC and that other agencies appreciate that the benefits of the DoD standard will be minimal if civilian agencies do not adopt something similar.Finally, while, as noted above, CMMC may provide some False Claims Act protection, we do not expect the recent trend of the use of cybersecurity-related misrepresentations serving as the basis for False Claims Act suits to decline outside the DoD realm. In fact, CMMC may only serve to brighten the spotlight already shining on cybersecurity compliance.<a name="_ftn1" href="#_ftnref1">[1]</a> “Controlled Unclassified Information,” or CUI, is any unclassified information to which special access controls or security protocols apply, such as export controlled information, information considered “for official use only,” etc. “Covered defense information” essentially is any form of CUI that pertains to the DoD.

A Watershed Moment in Cybersecurity for Government Contractors – Anticipated Impacts of the Department of Defense’s Cybersecurity Maturity Model Certification Program

As 2020 begins, one of the biggest changes facing contractors working with the U.S. Department of Defense (“DoD”) is the implementation of DoD’s enhanced cybers

A Watershed Moment in Cybersecurity for Government Contractors – Anticipated Impacts of the Department of Defense’s Cybersecurity Maturity Model Certification Program

The Department of Defense (DoD) has taken another step on the path toward full implementation of its Cybersecurity Maturity Model Certification (CMMC) initiative. On September 5, 2019, the Office of the Assistant Secretary of Defense for Acquisition released version 4 of the CMMC and has requested public comment.The CMMC process began early this year and has been an iterative process. According to DoD, it anticipates continuing to refine and improve the model over the coming months and releasing a version 6 for further public review in November 2019.DoD has designed CMMC to add a verification component to cybersecurity compliance. Currently, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, outlines the requisite security measures that must be taken to protect controlled unclassified information (CUI)<a name="_ftnref1" href="#_ftn1">[1]</a> generated, accessed, used, or stored on contractors’ or subcontractors’ IT systems in connection with the performance of DoD contracts and subcontracts. Since the inception of the rule, contractors and subcontractors have self-certified that they are compliant with the DFARS -7012 clause.With CMMC, DoD is abandoning the self-certification approach and replacing it with a third‑party verification requirement. In an approach similar to that used for FedRAMP certification of cloud service providers, DoD will use certified and independent third‑party organizations to audit compliance with cybersecurity requirements across the defense industrial base.In addition to mandating third-party evaluation, CMMC will also involve identification of “maturity levels” of security that apply to DoD contracts. The levels will range from “Basic Cybersecurity Hygiene” to “Advanced.”  Each increasing level will require implementation of more extensive cybersecurity protections by contractors. DoD will assess whether a contractor is compliant at the appropriate maturity level as part of the initial proposal evaluation process. While some of the required protections will closely mirror the current NIST SP 800-171 standard used in the DFARS -7012 clause, the intent of CMMC is to combine multiple cybersecurity control standards, including not only NIST SP 800-171, but also NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for cybersecurity.As presently envisioned, all contractors and subcontractors in the defense industrial base will need to obtain CMMC, whether or not they handle CUI. While yet-to-be-identified third‑party assessment organizations will perform most CMMC reviews, DoD also has indicated that some higher‑level assessments may be performed by the Defense Contract Management Agency, the Defense Counterintelligence and Security Agency, or other DoD organizations.DoD’s move towards third-party audits and more comprehensive risk assessment and analysis is in large part a response to the continued risk to national security and national economic interests posed by increasing malicious cyber activity targeted towards CUI. While this is no doubt a serious concern both for DoD and the defense industrial base at large, there remain a number of unanswered questions about when and how CMMC will be fully implemented. Full implementation of the DFARS -7012 clause stretched out over several years and included multiple iterations and rounds of public comment. DoD seems to be moving more quickly to implement CMMC, but a number of factors inevitably will introduce delay, including, but not limited to: the need to finalize and standardize the security criteria for each maturity model; the need to educate the DoD procurement community on inclusion of CMMC standards in solicitations and requests for proposals; the need to identify and certify a significant number of third-party assessors; and, last but not least, the need for those assessors to complete hundreds of thousands of assessment. CMMC is the wave of the future, but also perhaps a long ways away.<a name="_ftn1" href="#_ftnref1">[1]</a> CUI is an umbrella term for all unclassified information that requires special safeguarding or dissemination controls. The DFARS -7012 clause refers to CUI that relates to DoD programs as “covered defense information,” or CDI.

Department of Defense’s Cybersecurity Maturity Model Certification Planning Moves Forward

The Department of Defense (DoD) has taken another step on the path toward full implementation of its Cybersecurity Maturity Model Certification (CMMC) initiativ

Department of Defense’s Cybersecurity Maturity Model Certification Planning Moves Forward

You can rejoice in a recent Supreme Court decision if you have ever spent hours trying to convince a government agency not to release your company’s confidential information to the public in response to a Freedom of Information request. In a reversal of long-standing precedent in federal district and circuit courts, the Supreme Court ruled Monday that those submitting confidential information to the government need not demonstrate a “substantial competitive harm” to protect that information from disclosure under the Freedom of Information Act (FOIA). Instead, the Court held in <a href="https://www.supremecourt.gov/opinions/18pdf/18-481_5426.pdf" target="_blank" rel="noopener noreferrer">Food Marketing Institute v. Argus Leader Media</a> that those seeking to prevent disclosure of confidential commercial or financial information under FOIA Exemption 4 need simply demonstrate that (1) the information is “customarily kept private” or “closely held”; and (2) the government, in receiving the information, provided “some assurance that it will remain secret.”  The extent to which this new rule will limit the nature and type of federal contractor information released under FOIA is unclear. But the Court’s decision, at the very least, assures contractors that they will no longer be forced to prove (to an agency or to a court) that they will be substantially harmed by the release of information they provide to a federal agency, so long as that information has been provided with the expectation that it remain confidential.At the center of Food Marketing Institute is “Exemption 4” to FOIA’s mandatory disclosure requirement, which states that FOIA does not apply to “trade secrets and commercial or financial information obtained from a person and privileged or confidential.”  5 U.S.C. § 552(b)(4). Congress provided no guidance in the FOIA statutes as to what would make commercial or financial information “confidential,” but for 45 years, federal courts all but unanimously applied the D.C. Circuit’s National Parks test, requiring a party to demonstrate that disclosure of such information would either “impair the Government’s ability to obtain necessary information in the future” or “cause substantial harm to the [submitter’s] competitive position.”  See National Parks & Conservation Assn. v. Morton, 498 F.2d 765, 770 (D.C. Cir. 1974).In an opinion authored by Justice Gorsuch and joined by Chief Justice Roberts and Justices Thomas, Alito, Kagan, and Kavanaugh, the Supreme Court rejected that test as “a relic from a ‘bygone era of statutory construction,’”<a href="#_ftn1" name="_ftnref1">[1]</a> one that inappropriately elevated legislative history above statutory text. The Court, turning instead to an assortment of English‑language and legal dictionaries contemporary to FOIA’s enactment, found no mention of “substantial competitive harm” in their definitions of “confidential.”  Instead, the Court gleaned “two conditions” that “might be required” to make information confidential. Based on definitions such as “known only to a limited few,” “not publicly disseminated,” and “intended to be held in confidence or kept secret,” the Court found that information could be considered confidential if it “is customarily kept private, or at least closely held, by the person imparting it.”  Based on definitions such as “spoken or written in confidence” and “told in confidence,” the Court found that information also could be confidential if “the party receiving it provides some assurance that it will remain secret.”The Court questioned whether both conditions must be met. The first “has to be,” it figured, as “it is hard to see how information could be deemed confidential if its owner shares it freely.”  But the Court left open whether “privately held information [can] lose its confidential character for purposes of Exemption 4 if it’s communicated to the government without assurances that the government will keep it private,”<a href="#_ftn2" name="_ftnref2">[2]</a> finding the information at issue clearly satisfied both conditions.So, for now at least, a contractor seeking to prevent the release under FOIA of information it has submitted to the government must show that information was submitted under some assurance that the government would keep it secret. But what kind of assurance satisfies?  In Food Marketing Institute, the Court cited the government’s promises of privacy in the Federal Register when promulgating regulations requiring submission of the data at issue. If text supporting a regulation counts, then one would strongly suspect the government’s assurances in FAR 15.506(e)(3) — that it will not disclose in a debriefing any confidential manufacturing processes or techniques, cost breakdowns, profit, indirect cost rates, or similar information submitted with a proposal — should also suffice. By corollary, the promise to disclose information such as overall cost or price, including unit prices, in FAR 15.506(d) means such information would not be protected under Food Marketing Institute.In all events, it is as important now as ever that contractors mark their proposals with the legend supplied in FAR 52.215-1:<blockquote>This proposal includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed — in whole or in part — for any purpose other than to evaluate this proposal. If, however, a contract is awarded to this offeror as a result of — or in connection with — the submission of this data, the Government shall have the right to duplicate, use, or disclose the data to the extent provided in the resulting contract. This restriction does not limit the Government’s right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets [insert numbers or other identification of sheets]</blockquote>or such other legend or marking as prescribed in the RFP. Use of this legend will help ensure that the proposal — and any portions of it not incorporated into the final contract — will remain confidential. Furthermore, during contract performance, it is essential to mark all technical data and computer software in accordance with the applicable data-rights clauses.<a href="#_ftn3" name="_ftnref3">[3]</a>  And, where appropriate, mark other documents with a FOIA legend such as the following:<blockquote>This document contains trade secrets and commercial or financial information which are proprietary and confidential and exempt from disclosure under the Freedom of Information Act, 5 U.S.C. § 552(b)(4). Furthermore, this information is prohibited from disclosure under the Trade Secrets Act, 18 U.S.C. § 1905. <a style="font-size: 1rem;" href="#_ftn4" name="_ftnref4">[4]</a></blockquote>These practices should not be new to government contractors, but if your company has not been using them routinely, we recommend that you implement them immediately. Although the scope of information protectable under FOIA Exemption 4 may have grown, the sensitive information that keeps contractors up at night — cost breakdowns, indirect rates, confidential technical information, and trade secrets — have long been exempt from disclosure, if marked appropriately. The difference now is that, under Food Marketing Institute, contractors will be spared the time, cost, and aggravation of having to prove, at the behest of an aggressive FOIA-requester or insistent government official, that disclosure could cause them substantial harm when, in many cases, the FAR itself already recognizes as much. This is welcome, and warranted, relief.<a href="#_ftn1">[1]</a> This quotes the United States in its amicus brief, in which the Administration’s position was a marked departure from those before it and undoubtedly in contrast with the government’s position in many ongoing FOIA disputes.<a href="#_ftn2">[2]</a> Emphasis in original.<a href="#_ftn3">[3]</a> See, e.g., FAR 52.227-14(g)(3)-(4) (Alternates II and III), DFARS 252.227-7013(f), and DFARS 252.227-7014(f).<a href="#_ftn4">[4]</a> This additional sentence recognizes a nuance that is beyond the scope of this post, but one that might be affected by the Food Marketing Institute holding — that is, FOIA does not itself prohibit the government from disclosing information that falls within an exemption; the Act’s exemptions merely enumerate categories of information the government is not required to disclose pursuant to a FOIA request. Courts have long held that FOIA Exemption 4 is coextensive with (or at least wholly within) the scope of the Trade Secrets Act, 18 U.S.C. § 1905, which prohibits government officials from disclosing “information concern[ing] or relat[ing] to the trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association,” and can serve as a basis for injunctive relief under the Administrative Procedure Act if an agency has decided to disclose information falling into FOIA Exemption 4. See Chrysler Corp. v. Brown, 441 U.S. 281 (1979); CNA Financial Corp. v. Donovan, 830 F.2d 1132, 1151-52 (D.C. Cir. 1987); McDonnell Douglas Corp. v. Dep’t of the Air Force, 375 F.3d 1182, 1186 (D.C. Cir. 2004). With the scope of FOIA Exemption 4 now greatly enlarged under Food Marketing Institute, however, it’s possible courts could find situations in which information would be exempt from disclosure under FOIA but not necessarily protected from disclosure under the Trade Secrets Act.

Jim Tucker is of counsel in Morrison & Foerster’s Government Contracts and Public Procurement Practice Group and is based in the firm’s Washington, D.C. office.
Jim’s practice runs the gamut of litiga

bell_locke_blog_150x150.png

bell_locke_common_640x280.jpg

bell_locke_heroretina_2700x1160.jpg

bell_locke_mobileretina_750x1040.jpg

bell_locke_social_600x600.jpg

Locke Bell is a partner in the firm’s Government Contracts & Public Procurement practice.

Locke Bell

cybersecurity-2-300x148.jpg

Supreme Court Removes “Substantial Competitive Harm” Requirement for Contractors Seeking to Protect Confidential Information from Release Under FOIA