On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments:
Cybersecurity
Fastest 5 Minutes: National Cyber Security Strategy, CHIPS, Conflicts of Interest
This week’s episode covers the National Cyber Security Strategy, a final DFARS clause requiring disclosure of use of workforce and facilities in China, the Department of Commerce’s first Notice of Funding Opportunity under the CHIPS and Science Act of 2022, and congressional inquiries about financial conflicts of interest and ethically questionable behavior by senior…
Biden Administration Releases Comprehensive National Cybersecurity Strategy
On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
Summary and Analysis
The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resistant systems, developing a stronger cyber workforce, and evolving privacy-enhancing platforms; adopting security practices aligned with the National Institute of Standards and Technology (NIST) framework is another suggested approach that the private sector could take.
Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements
Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity. The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information. The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using. …
No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights
After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP). The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification. The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.
Fastest 5 Minutes: Buy American Act, Small Business, DOJ’s Civil Fraud Initiative
This week’s episode covers the final rule implementing further revisions to the Buy American Act, a proposed rule that would amend the FAR to account for recent changes in the Small Business Administration’s regulations, the NIST Secure Software Development Framework, and the first False Claims Act settlement under the DOJ’s Civil Cyber-Fraud Initiative, and is …
Byte-Sized Q&A – What Should Contractors Know About the Cybersecurity Provisions Included In, and Left Out of, the National Defense Authorization Act
Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, Evan Wolff and Chris Hebdon discuss the notable cybersecurity provisions and omissions in the National Defense Authorization Act (NDAA) for Fiscal Year 2022.
Fastest 5 Minutes – Bid Protests, Data Safeguarding, Defense Innovation Unit
This week’s episode covers increased minimum wage for certain federal contract workers, a protest decision involving proposal misrepresentation, cybersecurity and data safeguarding updates from DOD and NIST, and highlights from the Defense Innovation Unit Annual Report, and is hosted by Peter Eyre and Monica Sterling. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast …
National Defense Authorization Act for Fiscal Year 2022: Acquisition Policy Changes of Which Government Contractors Should Be Aware
During December 2021, the House and Senate reached agreement on a compromise National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022. On December 23, 2021, Congress presented S. 1605 to President Biden, which he signed on December 27, 2021.
The FY2022 NDAA contains numerous provisions relating to acquisition policy—which provide new opportunities for government contractors, will result in the imposition of new clauses or reporting requirements on government contractors, require government reporting to Congress on acquisition authorities and programs, alter processes and/or procedures to which government contractors are subject, etc. Crowell & Moring’s Government Contracts Group discusses the most consequential changes in the FY2022 NDAA for government contractors below. …
Byte-Sized Q&A: What’s not in CMMC 2.0?
Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, hosts Evan Wolff and Kate Growley talk through some key elements that are no longer expected under CMMC 2.0.