Frequently Asked Questions and Answers Regarding the Trump Administration’s Push to Secure Supply Chains in the United States/New Interagency Effort Aimed at Expanding Sectors, Measures
It has been publicly reported that discussions are underway within the Trump Administration for a coordinated interagency initiative to remove key industrial supply chain dependencies from overseas, especially China, and redouble efforts to secure such supply chains in the United States. While this initiative proceeds alongside ongoing efforts to secure
Susan B. Cassidy
Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.
Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:
advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.
In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:
Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.
Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan's in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”
Susan is a former Co-Chair of the Public Contract Law Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.
Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.
CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency
On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience. The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.
As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors. The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains. Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.
The six-step guide (key points from which are described in the table below) captures the basic blocking and tackling that companies should consider when establishing their SCRM processes and procedures.
The Show Must Go On: Mission-Essential Services During the Coronavirus Outbreak
As the COVID-19 virus extends its global reach, defense contractors may be called upon to begin implementing their contracts’ mission-essential services plans. These plans, required by DFARS 252.237-7023, facilitate mission-essential functions in extended crisis situations, including pandemics, which are explicitly noted in the DFARS. As the coronavirus outbreak continues,…
Navy Modifies Acquisition Supplement to Tighten Cybersecurity Requirements and Implement the Geurts Memorandum
Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy. Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.” In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.
SUBPART 5204.73
Equitable Price Reductions/Suspension and Reduction of Progress Payments. The Navy added Subpart 5204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to the NMCARS. This Subpart provides direction to COs in three areas. First, it provides that Annex 16 must be included in the SOWs of relevant solicitations, contracts and task or delivery orders. Second, the Subpart directs COs to consider the DFARS clause, Annex 16 and the Geurts Memo as material requirements.[1] Finally, if COs accept supplies or services with “critical or major non-conformances (e.g., failure to comply with material requirement)” they are directed to impose an equitable price reduction. The Subpart identifies a “reasonable amount” for this reduction as 5% of the total contract value. That amount can be increased if there is an increased risk from the non-conformance. If the CO decides to require correction of nonconforming services or supplies rather than acceptance, the CO is directed to withhold, reduce, or suspend progress payments if correction is not made in a timely manner.
This revision to the NMCARS represents a powerful enforcement mechanism for the Navy. Until now, DOD has stated that the failure to comply with the DFARS clause requirements would be treated as a contract performance issue. Although that basic concept continues, the Subpart explicitly defines the DFARS clause, Annex 16 and the Geurts Memo as “material requirements” of the contract. A failure to comply with a material requirement would make contractors potentially liable for significant equitable reductions or for a suspension or reduction of progress payments. Read literally, a contractor that reports a cyber incident 76 hours (and not 72 hours) after discovery may be violating a material requirement of the contract. Contractors may derive some comfort from the NMCARS’ reliance on FAR 32.503-6, “Suspension or reduction of payments,” which at least requires COs to “act fairly and reasonably” and “base decisions on substantial evidence.” However, the nonconforming supplies or services provision in FAR 46.407 does not impose a similar fairness requirement on COs.
ANNEX 16
The Navy’s Annex 16 covers five areas: (1) System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) Reviews; (2) Compliance with NIST Special Publication (SP) 800-171; (3) Cyber Incident Response; (4) Naval Criminal Investigative Service (NCIS) Outreach; and (5) NCIS/Industry Monitoring. The requirements of Annex 16 are similar to requirements that have appeared in various Navy solicitations over the past year. As described below, although the Annex provides more detail than the Geurts Memo, significant questions remain about how each of these requirements will be interpreted by the Navy going forward.
DoD Releases Public Draft of Cybersecurity Maturity Model Certification and Seeks Industry Input
Section 889 Update: First Wave of Acquisition Prohibitions Take Effect
The FAR Council released an Interim Rule in August implementing part of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. In this briefing, we highlight points where the Interim Rule provides clarity; definitional issues that remain unresolved; and new procedural requirements that government…
Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base
On March 26, 2019, the Senate Armed Services Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).
To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President for National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.
“Economic Security Is National Security”: Key Takeaways from the Defense Industrial Base Report
(This article was originally published in Law360 and has been modified for the blog.)
Peter Navarro, assistant to the president for trade and manufacturing policy, recently offered in a New York Times op-ed that “[a] strong manufacturing base is critical to both economic prosperity and national defense.” The Trump Administration’s maxim that “economic security is national security” is rooted in several government initiatives, ranging from large-scale policy reforms (like renegotiating the North American Free Trade Agreement and strengthening the so-called “Buy American Laws”) to more granular contracting procedures (like the Department of Defense’s proposed changes to commercial item contracting and increased scrutiny of security across all levels of defense supply chains).
Business leaders should therefore pay close attention to the government’s long-awaited interagency assessment of the manufacturing and defense industrial base, available in unclassified form here. The report was commissioned by Executive Order 13806, which described “[s]trategic support for a vibrant domestic manufacturing sector, a vibrant defense industrial base, and resilient supply chains” as “a significant national priority.” The Department of Defense served as the lead agency coordinating the report, in partnership with the White House’s Office of Trade and Manufacturing Policy.
Throughout the 140-page report, the Interagency Task Force (the “Task Force”) identifies myriad threats, risks and gaps in the country’s manufacturing and industrial base, and concludes that “[a]ll facets of the manufacturing and defense industrial base are currently under threat, at a time when strategic competitors and revisionist powers appear to be growing in strength and capability.” To address these concerns, the Task Force lays out a methodology, diagnosis, and framework for policy recommendations and gives the government significant flexibility in crafting responses. The report recommends – and we expect the President to issue – a follow-on Executive Order directing action on those responses. That creates an opportunity for industry to participate in shaping the major implementing policies and regulations that are coming.
2018 DoD Cyber Strategy: The DoD Defends Forward While the DIB Must Defend its Cyber Practices
The Department of Defense (“DoD”) recently released the summary of its cyber strategy for 2018. The 2018 DoD Cyber Strategy, which replaces the DoD’s 2015 cyber strategy, is focused broadly on “defending forward,” shaping day-to-day competition, and preparing for conflict. But the strategy includes items that are sure to…
GAO Testimony Before Congress Regarding Emerging Opportunities, Challenges, and Implications for Policy and Research with Artificial Intelligence
Timothy M. Persons, GAO Chief Scientist Applied Research and Methods, recently provided testimony on artificial intelligence (“AI”) before the House of Representatives’ Subcommittees on Research and Technology and Energy, Committee on Science, Space, and Technology. Specifically, his testimony summarized a prior GAO technological assessment on AI from March 2018. Persons’…