As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that address DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new

On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.

The six step guide (key points from which are described in the table below) captures the basic blocking and tackling that companies should consider when establishing their SCRM processes and procedures.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency

The new year has already brought significant news for companies that do business with the U.S. government, and for those that trade in materials and technology that represent priorities for national security stakeholders.  Our colleagues in the firm’s CFIUS practice thoughtfully analyzed the regulations implementing the Foreign Investment Risk Review Modernization Act, and other experts

Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy.  Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.”  In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.

SUBPART 5204.73

Equitable Price Reductions/Suspension and Reduction of Progress Payments.  The Navy added Subpart 5204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to the NMCARS.  This Subpart provides direction to COs in three areas.  First, it provides that Annex 16 must be included in the SOWs of relevant solicitations, contracts and task or delivery orders.  Second, the Subpart directs COs to consider the DFARS clause, Annex 16 and the Geurts Memo as material requirements.[1]  Finally, if COs accept supplies or services with “critical or major non-conformances (e.g., failure to comply with material requirement)” they are directed to impose an equitable price reduction.  The Subpart identifies a “reasonable amount” for this reduction as 5% of the total contract value.  That amount can be increased if there is an increased risk from the non-conformance.  If the CO decides to require correction of nonconforming services or supplies rather than acceptance, the CO is directed to withhold/reduce or suspend progress payments if correction is not made in a timely manner.

This revision to the NMCARS represents a powerful enforcement mechanism for the Navy.  Until now, DOD has stated that the failure to comply with the DFARS clause requirements would be treated as a contract performance issue.  Although that basic concept continues, the Subpart explicitly defines the DFARS clause, Annex 16 and the Geurts Memo as “material requirements” of the contract.  A failure to comply with a material requirement would make contractors potentially liable for significant equitable reductions or for a suspension or reduction of progress payments.  Read literally, a contractor that reports a cyber incident 76 hours (and not 72 hours) after discovery may be violating a material requirement of the contract. Contractors may derive some comfort from the NMCARS’ reliance on FAR 32.503-6, “Suspension or reduction of payments,” which at least requires COs to “act fairly and reasonably” and “base decisions on substantial evidence.”  However, the nonconforming supplies or services provision  in FAR 46.407 does not impose a similar fairness requirement on COs.

ANNEX 16

The Navy’s Annex 16 covers five areas: (1) System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) Reviews; (2) Compliance with NIST Special Publication (SP) 800-171; (3) Cyber Incident Response; (4) Naval Criminal Investigative Service (NCIS) Outreach; and (5) NCIS/Industry Monitoring.  The requirements of Annex 16 are similar to various requirements that have been included in various Navy solicitations over the past year.  As described below, although the Annex provides more detail than the Geurts Memo, significant questions remain about how each of these requirements will be interpreted by the Navy going forward.
Continue Reading Navy Modifies Acquisition Supplement to Tighten Cybersecurity Requirements and Implement the Geurts Memorandum

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment.  The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial

On March 26, 2019, the Senate Armed Services Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President for National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.
Continue Reading Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up

Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under