Michael G. Gruden, CIPP/G; Evan D. Wolff; Alexander Urbelis; Maida Oringher Lerner

Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.  The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information.  The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.  It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using.

Continue Reading Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements

Michael G. Gruden, CIPP/G; Evan D. Wolff; Alexander Urbelis; Maida Oringher Lerner

After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.

Continue Reading No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights

Peter J. Eyre; M. Yuan Zhou

This week’s episode covers the final rule implementing further revisions to the Buy American Act, a proposed rule that would amend the FAR to account for recent changes in the Small Business Administration’s regulations, the NIST Secure Software Development Framework, and the first False Claims Act settlement under the DOJ’s Civil Cyber-Fraud Initiative, and is

Evan D. Wolff; Christopher Hebdon

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.  In this episode, Evan Wolff and Chris Hebdon discuss the notable cybersecurity provisions and omissions in the National Defense Authorization Act (NDAA) for Fiscal Year 2022.


Peter J. Eyre; Monica DiFonzo Sterling

This week’s episode covers increased minimum wage for certain federal contract workers, a protest decision involving proposal misrepresentation, cybersecurity and data safeguarding updates from DOD and NIST, and highlights from the Defense Innovation Unit Annual Report, and is hosted by Peter Eyre and Monica Sterling. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast

Jonathan M. Baker; Lorraine M. Campos; Adelicia R. Cliffe; Stephanie Crawford; Christopher D. Garcia; Rina Gashaw; Lyndsay Gorton; Olivia Lynch; John E. McCarthy Jr.; Liam O'Reilly; Issac Schabes; Zachary Schroeder; Allison Skager; Abi Stokes; M. Yuan Zhou

During December 2021, the House and Senate reached agreement on a compromise National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022.  On December 23, 2021, Congress presented S. 1605 to President Biden, which he signed on December 27, 2021.

The FY2022 NDAA contains numerous provisions relating to acquisition policy—which provide new opportunities for government contractors, will result in the imposition of new clauses or reporting requirements on government contractors, require government reporting to Congress on acquisition authorities and programs, alter processes and/or procedures to which government contractors are subject, etc.  Crowell & Moring’s Government Contracts Group discusses the most consequential changes in the FY2022 NDAA for government contractors below.
Continue Reading National Defense Authorization Act for Fiscal Year 2022: Acquisition Policy Changes of Which Government Contractors Should Be Aware

Kate M. Growley, CIPP/G, CIPP/US; Evan D. Wolff

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, hosts Evan Wolff and Kate Growley talk through the fundamental changes that the DoD has announced will be made under “CMMC 2.0.”


Christopher Hebdon; Michael G. Gruden, CIPP/G; Maida Oringher Lerner; Evan D. Wolff; Kate M. Growley, CIPP/G, CIPP/US

The Department of Defense (DoD) recently announced significant changes to its Cybersecurity Maturity Model Certification (CMMC) program intended to simplify the requirements and ease the compliance burden on contractors.  Unlike its predecessor, the new CMMC 2.0 moves to three compliance levels rather than five; aligns the required security controls (known as practices) with National Institute

Evan D. Wolff; Christopher Hebdon

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, host Evan Wolff talks with Chris Hebdon about micro-purchases and the cybersecurity obligations that contractors may encounter in the performance of these small dollar contracts.
