DoD
GAO: DCAA Built a Valuable Bench of Independent Public Accountants, Now What?

The Government Accountability Office (“GAO”) released a report on the Defense Contract Audit Agency’s (“DCAA”) past and future use of private-sector, independent public accountants to augment its auditor workforce. The initiative—approved under Section 803 of the Fiscal Year (“FY”) 2018 National Defense Authorization Act (“NDAA”)—began in fiscal year 2020 and…
April 2025 Cybersecurity Developments Under the Trump Administration
This is the third blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration. This blog describes key cybersecurity developments that took place in April 2025.
NIST Publishes Initial Draft of Guidance for High Performance Computing Systems
U.S. National…
Trump Administration Issues Executive Order Aimed At Modernizing Defense Acquisitions And Spurring Innovation
On April 9, 2025, President Trump issued an Executive Order (“EO”), “Modernizing Defense Acquisitions and Spurring Innovation In the Defense Industrial Base,” that may have significant implications for federal government contractors doing business with the Department of Defense (“DoD”), and particularly those with touchpoints to Major Defense Acquisition Programs (“MDAPs”).
The EO requires DoD to take a number of actions, including:
- Within 60 days (i.e., June 8th), the Secretary of Defense must submit to the President a plan to reform the DoD acquisition process to eliminate inefficiencies. The plan must prioritize commercial solutions and the use of Other Transactions Authority (“OTA”) agreements and Rapid Capabilities Office mechanisms. The plan must also eliminate redundant tasks and approvals, centralize decision-making, and incorporate effective risk management for all acquisition programs through a governance structure referred to as a Configuration Steering Board.
- Under no specified timeline, DoD is generally directed to revise internal regulations and implementation guidance — including the DoD Financial Management Regulation and the Defense Federal Acquisition Regulation Supplement — utilizing the principle from the “Unleashing Prosperity Through Deregulation” EO (Jan. 31, 2025) that for every new regulation proposed, ten existing regulations should be repealed.
- Within 90 days (i.e., July 8th), the Secretary of Defense must review all MDAPs and consider for “potential cancellation” programs that are: (1) more than 15% behind schedule; (2) more than 15% above cost; (3) “unable to meet key performance parameters”; or (4) otherwise not aligned with DoD mission priorities. Following this review of MDAPs, the Secretary of Defense will conduct a similar review for all remaining major systems.
- Within 120 days (i.e., August 7th), the Secretary of Defense, in collaboration with the Military Departments, must propose a plan to overhaul the defense acquisition workforce by restructuring performance metrics, assessing workforce sizing requirements, and deploying expert-led field training teams to enhance familiarity with innovative acquisition authorities. These reforms are intended to incentivize prudent risk-taking and expand the workforce’s fluency in commercial solutions and adaptive acquisition strategies.
- Within 180 days (i.e., October 6th), the Secretary of Defense, acting through the Deputy Secretary of Defense, the Secretaries of the Military Departments and the Joint Chiefs of Staff, must complete a comprehensive review of the Joint Capabilities Integration and Development System (“JCIDS”), with the aim of streamlining and accelerating acquisition.[1]
We address the EO’s directives for acquisition process reform and MDAP review in greater detail below.
November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024. This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024.
National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”
On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.” In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.” The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.” In the publication, NIST stated that it does not expect that all requirements are needed “universally.” Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”
These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities. To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here. Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3. Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements. However, the draft requirements provide insight into how CMMC could evolve.
Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations
On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”). This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory. The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department. It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.
DoJ’s Civil Cyber-Fraud Initiative
On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI. We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here. As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements. Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.
About the Settlement
On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania. The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation. On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State. The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023.
Not to Be Outpaced: NDAA Presents Measures Addressing China
Following our recent overview of key topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to the People’s Republic of China (“China” or “PRC”) in each of the House and Senate bills. DoD’s focus on strengthening U.S. deterrence and competitive positioning vis-à-vis China features prominently in the 2022 National Defense Strategy (“NDS”) and in recent national security discourse. This focus is shared by the Select Committee on Strategic Competition Between the United States and the Chinese Communist Party (“Select Committee”), led by Chairman Mike Gallagher (R-WI) and Ranking Member Raja Krishnamoorthi (D-IL).
It is no surprise, then, that House and Senate versions of the NDAA include hundreds of provisions—leveraging all elements of national power—intended to address what the NDS brands as China’s “pacing” challenge, including many grounded in Select Committee policy recommendations. Because the NDAA is viewed as “must-pass” legislation, it has served in past years as a vehicle through which other bills not directly related to DoD are enacted in law. In one respect, this year is no different—the Senate version of the NDAA incorporates both the Department of State and Intelligence 2024 Authorization bills, each of which includes provisions related to China.
To get a flavor of the approach to China in this year’s NDAA, look no further than the “Ending China’s Developing Nation Status Act” in Section 1399L of the Senate bill, which would require U.S. opposition to granting China “developing nation” status in treaties under negotiation and by international organizations of which the U.S. and China are members, such as the World Trade Organization. Classification as a “developing nation” affords China access to preferential loans and other economic benefits intended to increase trading opportunities, notwithstanding its current status as an upper-middle income country (as determined by the World Bank), and the world’s second largest economy, trailing only the U.S. Not to be outdone, Section 155 of the House bill contains a provision mandating expedited deployment of advanced radars to track high-altitude balloons and other potential threats to the U.S., in direct response to the incident earlier this year in which a Chinese balloon flew across the U.S. before being shot down by the Air Force.
Given these provisions, and many more (some we discuss below), this year’s NDAA strikes us as different. It incorporates many more China-related provisions and many of these would impose greater obligations on government contractors to limit their interactions with the PRC and entities affiliated with the PRC Government. Whether the laundry list of China-related provisions in the current NDAA survive, and in what form, will be determined by the conference process currently underway. But these provisions have the potential to impose significant near-term burdens on contractors—requiring them to assess their obligations and make adjustments to ensure compliance. Indeed, these provisions may be far more disruptive than requirements imposed by prior year NDAA China provisions that contractors have navigated by reassessing supply chains and increasing due diligence. All government contractors and suppliers to government contractors with any connection to China would be well advised to monitor how the NDAA conference approaches resolution of this legislation over the coming months.
June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken…
Department of Defense Releases Annual Report to Congress on the Military and Security Developments Involving the People’s Republic of China
The Department of Defense (“DoD” or “the Department”) released its annual report to Congress on the Military and Security Developments Involving the People’s Republic of China (“PRC”) on May 2, 2019. This annual report details DoD’s assessment of Chinese security strategy and military strategy over the next 20 years, with a particular focus on China’s future course of military-technological developments. The Secretary of Defense sends both a classified and unclassified version of the report to Congress each year to fulfill the requirements of Section 1202 of the National Defense Authorization Act for Fiscal Year (“FY”) 2000, as amended by Section 1260 of the NDAA for FY 2019. Notably, the 2019 amendments refined the scope of the reporting requirements to include elements regarding emerging efforts by the PRC on espionage, technology transfer, economic pressure, political coercion, information operations, and predatory lending under its Belt and Road initiative.
The report highlights significant strategic challenges presented by Chinese foreign and military policy. Its tone underscores sharp differences with several recent policy decisions and comments that take a more accommodating view of Chinese policy. The UK defense minister, for example, was recently ousted over a leak concerning Britain’s proposed decision to allow Huawei to participate in certain parts of its 5G network. The DoD report, by contrast, describes serious threats from China’s coercive military-civilian strategy. China is taking major steps to modernize its military capabilities and can force cooperation under its laws from all potential sources of innovation within its borders.
Industry leaders in the United States should take note of this approach. As they engage with U.S. government leaders and policy makers, it will be important to look for ways to continue building on key innovation efforts in the United States, and with allies and partners, to harness dual-use emerging technologies for future capabilities. The report also makes clear that cybersecurity and counter-espionage protocols will be key to thwarting efforts of the Chinese government – acting either through governmental agencies or through Chinese companies – to gain insight into the military and industrial capabilities of the United States.
Senators Question the Administration’s Space Force Proposal
The Senate Armed Services Committee heard testimony last week from Acting Secretary of Defense Pat Shanahan, Secretary of the Air Force Heather Wilson, Marine General Joe Dunford (Chairman of the Joint Chiefs of Staff), and Air Force General John Hyten (Commander of U.S. Strategic Command and the presumptive next Vice Chairman of the Joint Chiefs).
The witnesses presented unified support for the creation of the Space Force. Secretary Wilson, notably, voiced support for the proposal, which would put the new Space Force under the Air Force. That structure mimics the design of the Marine Corps and the Department of the Navy; Wilson acknowledged that she had previously been critical of proposals that would establish a new independent department for space. From the perspective of continuity, the key testimony came from General Hyten; both Wilson and Dunford are lame ducks, and Shanahan’s nomination for Secretary remains uncertain. Many of the Senators voiced concerns about the fundamental need for a Space Force and the significant bureaucratic expansion contemplated by the proposal.
It was clear from the hearing that the Administration and the Department still have much to do to market this Space Force proposal to the Congress. Given the reactions so far, it is extremely unlikely to be included as written in the Fiscal Year 2020 National Defense Authorization Act. While Congress continues to debate the proposal, now is the window to engage with the congressional defense committees with comments on the proposal and suggestions for how to modify it.