Michael G. Gruden, CIPP/G; Nkechi Kanu; Evan D. Wolff; Maida Oringher Lerner; Alexis Ward

On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments:

Peter J. Eyre; M. Yuan Zhou

This week’s episode covers the National Cyber Security Strategy, a final DFARS clause requiring disclosure of use of workforce and facilities in China, the Department of Commerce’s first Notice of Funding Opportunity under the CHIPS and Science Act of 2022, and congressional inquiries about financial conflicts of interest and ethically questionable behavior by senior

Evan D. Wolff; Matthew B. Welling; Maida Oringher Lerner; Jennie Wang VonCannon; Alexander Urbelis; Christiana State; Neda Shaheen; Jacob Canter; Garylene “Gage” Javier; Sarah Rippy; Alexis Ward; Maria Sokova

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

Summary and Analysis

The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes to receiving support from the federal government. Improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resisting systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework are some other suggested approaches that the private sector could take.

Continue Reading Biden Administration Releases Comprehensive National Cybersecurity Strategy

Michael G. Gruden, CIPP/G; Evan D. Wolff; Alexander Urbelis; Maida Oringher Lerner

Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity. The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information. The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using.

Continue Reading Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements

Michael G. Gruden, CIPP/G; Evan D. Wolff; Alexander Urbelis; Maida Oringher Lerner

After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.

Continue Reading No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights

Peter J. Eyre; M. Yuan Zhou

This week’s episode covers the final rule implementing further revisions to the Buy American Act, a proposed rule that would amend the FAR to account for recent changes in the Small Business Administration’s regulations, the NIST Secure Software Development Framework, and the first False Claims Act settlement under the DOJ’s Civil Cyber-Fraud Initiative, and is

Evan D. Wolff; Christopher Hebdon

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.  In this episode, Evan Wolff and Chris Hebdon discuss the notable cybersecurity provisions and omissions in the National Defense Authorization Act (NDAA) for Fiscal Year 2022.


Peter J. Eyre; Monica DiFonzo Sterling

This week’s episode covers increased minimum wage for certain federal contract workers, a protest decision involving proposal misrepresentation, cybersecurity and data safeguarding updates from DOD and NIST, and highlights from the Defense Innovation Unit Annual Report, and is hosted by Peter Eyre and Monica Sterling. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast

Jonathan M. Baker; Lorraine M. Campos; Adelicia R. Cliffe; Stephanie Crawford; Christopher D. Garcia; Rina Gashaw; Lyndsay Gorton; Olivia Lynch; John E. McCarthy Jr.; William B. O'Reilly; Issac Schabes; Zachary Schroeder; Rachel Schumacher; Allison Skager; Abi Stokes; M. Yuan Zhou

During December 2021, the House and Senate reached agreement on a compromise National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022.  On December 23, 2021, Congress presented S. 1605 to President Biden, which he signed on December 27, 2021.

The FY2022 NDAA contains numerous provisions relating to acquisition policy—which provide new opportunities for government contractors, will result in the imposition of new clauses or reporting requirements on government contractors, require government reporting to Congress on acquisition authorities and programs, alter processes and/or procedures to which government contractors are subject, etc.  Crowell & Moring’s Government Contracts Group discusses the most consequential changes in the FY2022 NDAA for government contractors below.
Continue Reading National Defense Authorization Act for Fiscal Year 2022: Acquisition Policy Changes of Which Government Contractors Should Be Aware