Peter J. Eyre; Daniel R. Forman; Evan D. Wolff; Kate M. Growley, CIPP/G, CIPP/US

Crowell & Moring has issued its fifth annual report on regulatory trends for in-house counsel. “Regulatory Forecast 2019: What Corporate Counsel Need to Know for the Coming Year” explores a diverse range of regulatory developments coming out of Washington and other leading regulatory centers of power, and it takes a deep dive into international trade—examining the challenges and opportunities that will arise in the year ahead as global businesses compete in the digital revolution and operate their businesses across borders.

The section focusing on government contracts, “Battening Down the Hatches on Cybersecurity,” discusses why doing business with the federal government will get tougher as requirements for cybersecurity become stricter.

Also relevant to contractors is the article “Congressional Influence on Rulemaking is On the Rise,” which discusses how congressional input on rulemaking is increasing as the Trump administration pursues deregulation.

Be sure to follow the conversation on Twitter with #RegulatoryForecast.

Evan D. Wolff; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G; Payal Nanavati; Judy Choi

Adding to the Defense Contract Management Agency’s (DCMA) new cybersecurity responsibilities, the Department of Defense (DoD) Under Secretary of Defense for Acquisition and Sustainment (USDAS) recently issued a memorandum titled “Strategically Implementing Cybersecurity Contract Clauses” that increases DCMA’s role. The memorandum tasks DCMA with implementing a process to perform company-wide assessments of contractors’ compliance with the DFARS Safeguarding Clause and the related solicitation provision, DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information,” in lieu of the current contract-by-contract assessment of the Clause and Provision requirements.

Specifically, the memorandum addresses the inefficiencies caused by DFARS 252.204-7008, which requires contractors to self-certify on a contract-specific basis implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as required by the Safeguarding Clause.  USDAS notes that this approach impedes the effective implementation of requirements to protect the DoD’s Controlled Unclassified Information (CUI).  To resolve these issues, the memorandum directs DCMA to develop a proposed path to issue no-cost bilateral block modifications to contracts administered by DCMA and recommend to the USDAS a set of business strategies to:

  • obtain and assess contractor system security plans (SSPs) and associated plans of action and milestones (POAMs) at a strategic level as an alternative to the contract-by-contract review;
  • propose a methodology to determine contractors’ cybersecurity readiness at a strategic level and assign levels of confidence for contractors’ readiness assessment at the corporate, business sector or facility level; and
  • propose how to communicate contractors’ cybersecurity readiness and confidence level to DoD components.

Of note, DCMA is further instructed to engage industry to discuss methods to oversee the implementation of the DFARS Safeguarding Clause and NIST SP 800-171.  It is possible that this industry engagement may occur through another DoD Industry Day, since the last DFARS Safeguarding Clause-related Industry Day occurred almost two years ago.

Industry will once again take a “wait and see” approach to the DoD’s policy implementation since the DCMA is directed to take action after March 1, 2019.

Peter J. Eyre; David B. Robbins

This week’s episode covers GSA schedule, cybersecurity, and FCA news, and is hosted by partners Peter Eyre and David Robbins. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without.

Listen: Crowell.com | PodBean | SoundCloud | iTunes

Michael G. Gruden, CIPP/G

With even DoD officials acknowledging cyber threats ranging from exfiltrating our top military secrets (“the terabyte of death” per DISA’s Director) to seizing control of SECDEF’s car to sinking Navy vessels with critical infrastructure attacks, both federal agencies and government contractors are in the pressure cooker.  For contractors, bad cybersecurity not only opens the door to cyber espionage and privacy breaches followed by costly clean-up and lost trade secrets, but now – with the latest DoD guidance – may put critical contract awards at risk.  Join us this Thursday, May 17, at 1:00 PM Eastern, as Crowell & Moring attorneys Paul Rosen, Evan Wolff, David Bodenheimer, and Michael Gruden lead a discussion highlighting recent developments impacting the volatile privacy and cybersecurity sector.  Specific topics include:

  • Navigating Government Contracts Information Security and Privacy Risks:  Updates to NIST Cybersecurity Standards, Pending FAR Cyber Clauses, and DFARS Safeguarding Clause New Developments
  • Trekking the Internet of Things (IoT) Cyber Frontier
  • Managing Effective Cyber Incident Response: Preparing Incident Response Plans, Practicing Tabletop Exercises, and Executing Effective Cybersecurity Defense

For more information and to register for OOPS, please click here.

David B. Robbins; Peter J. Eyre

This week’s episode covers False Claims Act items, GAO protests, and cybersecurity and is hosted by partners Peter Eyre and David Robbins. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without.

We are still accepting questions for Ask Us Anything! Have questions you’d like answered anonymously? Want our thoughts in general on a particular topic? Send in questions and we’ll do our best to feature them in a future podcast. Email your questions to David at drobbins@crowell.com. Disclaimer: we cannot give legal advice unless and until we have an engagement letter in place.

Listen: Crowell.com | PodBean | SoundCloud | iTunes

Steve McBrady

Please join us for an evening of conversation and cocktails while our panelists from the commercial, industrial, government contracting, higher education, and insurance arenas discuss critical emerging cyber security issues.  From the dark web, to cyber pitfalls, cybersecurity policy and legislation, and how to ensure a secure future, our panel discussion will explore the rapidly expanding world of cybersecurity and debate best practices for protecting yourself, your clients, and your business.

When: Thursday, May 18, 2017

Registration: 4:30PM

Program: 5:00-6:45PM

Cocktails: 6:45-8:00PM

Address: 1001 Pennsylvania Avenue, NW, Washington, DC 20004

For more information, register here.

Peter J. Eyre; Daniel R. Forman

We have already seen many changes from the new administration and it seems more and more are happening every day.  What more can you expect and how will this affect government contractors?  The team of Crowell & Moring lawyers from our Government Contracts, Labor & Employment, White Collar, Corporate and Privacy & Cybersecurity practice groups discussed this topic during a 90-minute webinar this week.  Areas covered included: update on executive orders and other labor and employment issues, costs, claims, commercial item contracting, cyber and privacy issues, compliance, data rights and bid protests (plus many more).  If you were not able to participate, we have posted the presentation and the recorded session on our webpage here.  As important changes and developments occur, we will continue to provide updates.  The best way to stay informed is through these free resources – Bullet Points, blog posts and Podcasts. Subscribe today!

Kate M. Growley, CIPP/G, CIPP/US

Companies of all sizes are increasingly subject to the practical and legal implications of today’s cybersecurity environment, and contractors are no exception.  On May 26, 2016, at 11:00 AM Eastern, Crowell & Moring attorneys David Bodenheimer, Evan Wolff, and Kate Growley will lead a discussion highlighting some of the past year’s most significant cyber contracting developments, what trends are worth watching for the future, and how contractors can craft a comprehensive approach to get ahead of it all.  Specific topics include:

  • Revisions to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • Publication of FAR 52.204-21, Basic Safeguarding of Contractor Information Systems
  • Managing the “Internet of Things”
  • Approaches to cyber lifecycle management, including compliance, supply chain risk, and information sharing

Check back in the coming days for more updates as we count down to OOPS on May 25th (in DC)! You can also check for updates on Twitter using the hashtag #cm2016oops, and at crowell.com/OOPS.

Click here to register for OOPS on May 25-26th in Washington, DC.


Kate M. Growley, CIPP/G, CIPP/US; Maida Oringher Lerner; Evan D. Wolff

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts. 

It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

Another notable point of expansion would affect subcontractors.  Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD.  Subcontractors do not report directly to the DoD under the current rule.  The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.

Other key provisions of the DFARS Safeguarding Clause, however, would remain the same.  For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items.  The government would also remain required to protect any proprietary information that a contractor reports pursuant to the Interim Rule.  The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.”  Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident.  That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.

The Interim Rule likely does not come as a surprise to many.  Congress passed provisions in the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement.  The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate.  The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities.  Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).

Comments on the Interim Rule, which separately addresses cloud computer services and is discussed here, are due on or before October 26, 2015.

Peter J. Eyre

Contractors felt the squeeze from budget cutbacks and increased compliance requirements during 2013. As government agencies continue to operate under constrained budgets, competition for federal contracts will remain intense. What should contractors expect in 2014? Join our Crowell & Moring team on Thursday, January 9 at 1:00 pm EST for a free webinar as we discuss the hot issues contractors will be facing next year. We will cover the likely trends in the areas of costs, suspension and debarment, cybersecurity, bid protests, international issues, procurement fraud, small business, OFCCP, claims/contractor recovery, data rights, and many others. Presenters include some of the most experienced attorneys in the field, and we hope you can join us.

Please click here to register.