Photo of Peter J. EyrePhoto of M.Yuan Zhou
Cyber, Semiconductors, AI, False Claims Act

This week’s episode covers cybersecurity updates, a proposed rule regarding prohibition on semiconductors produced by certain Chinese manufacturers, DOL guidance entitled “Artificial Intelligence and Equal Employment Opportunity for Federal Contractors,” and two settlements under the civil False Claims Act, and is hosted by Peter Eyre and Yuan Zhou. Crowell

Photo of Evan D. WolffPhoto of Michael G. Gruden, CIPP/GPhoto of Maida Oringher LernerPhoto of Jacob Harrison

On May 14, 2024, the National Institute of Standard and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion assessment guide, NIST SP 800-171A, Revision 3 (collectively, “Rev. 3 Final Version”).  While the Department of Defense (DoD) is not requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3 for now, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cyber Maturity Model Certification (CMMC) program. Continue Reading NIST Releases Final Version of NIST SP 800-171, Revision 3

Photo of Michael G. Gruden, CIPP/GPhoto of Evan D. WolffPhoto of Maida Oringher LernerPhoto of Jacob HarrisonPhoto of Alexis Ward

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.Continue Reading Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation

Photo of Evan D. WolffPhoto of Michael G. Gruden, CIPP/GPhoto of Nkechi KanuPhoto of Jacob Harrison

The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline “equivalent” and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.Continue Reading No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements

Photo of Peter J. EyrePhoto of Michael G. Gruden, CIPP/GPhoto of Nkechi Kanu

CMMC

This special edition covers DoD’s proposed rule for the Cybersecurity Maturity Model Certification Program, and is hosted by Peter Eyre, Michael Gruden, and Nkechi Kanu. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or

Photo of Evan D. WolffPhoto of Michael G. Gruden, CIPP/GPhoto of Maida Oringher LernerPhoto of Nkechi KanuPhoto of Jacob HarrisonPhoto of Alexis Ward

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.Continue Reading DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule

Photo of Evan D. WolffPhoto of Michael G. Gruden, CIPP/GPhoto of Nkechi KanuPhoto of Alexis Ward

Almost a decade after the Department of Defense developed rules requiring mandatory reporting of cyber incidents, on October 3, 2023, the Federal Acquisition Regulation (FAR) Council released new proposed rules—one addressing cyber incident reporting and another addressing cybersecurity requirements for contractors maintaining a Federal Information System (FIS).  When enacted, these rules could implement new security measures and incident reporting requirements via FAR clauses for contractors across the entire federal government.  The “Cyber Threat and Incident Reporting and Information Sharing” proposed rule focuses on increasing the sharing of information about cyber threats between government and private industry, while the “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” proposed rule focuses on implementing policies, procedures, and requirements for contractors maintaining an FIS.  These rules implement Biden Administration initiatives pursuant to Executive Order (“EO”) 14028, “Improving the Nation’s Cybersecurity” issued in May 2021. Continue Reading FAR Council’s Cyber Harvest: New Incident Reporting and Federal Information System Requirements Await Government Contractors

Photo of Peter J. EyrePhoto of M.Yuan Zhou

This week’s episode covers two notable False Claims Act settlements and the White House National Cybersecurity Strategy Implementation Plan, and is hosted by Peter Eyre and Yuan Zhou. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts

Photo of Sarah RippyPhoto of Evan D. WolffPhoto of Neda ShaheenPhoto of Garylene “Gage” JavierPhoto of Kate Growley

On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase. Continue Reading Biden Admin Eyes IoT Cyber Practices

Photo of Peter J. EyrePhoto of M.Yuan Zhou

This week’s episode covers a DHS final rule implementing measures to safeguard Controlled Unclassified Information and facilitate improved incident reporting to DHS, a letter from Silicon Valley defense technology and venture capital firms calling on DoD to better embrace and scale commercial innovation for military use, a bid protest decision in which the Court found