Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters

Increasingly, the Federal government first imposes a rule on government contractors, and that rule then makes its way in some form into all of U.S. industry.  Cybersecurity regulations mandating that government contractors, grant and agreement holders, and their subcontractors maintain specified security controls and report cyber incidents have been in effect for a number of years.  Indeed, Deputy Attorney General Lisa Monaco announced a Civil Cyber-Fraud Initiative to pursue, under the False Claims Act, government contractors and grant and agreement holders that falsely represent the cybersecurity of their products and services, or the state of their compliance with cybersecurity requirements, when seeking or performing government contracts.  With a reported 1885% increase in ransomware attacks and high-profile cyber events such as Colonial Pipeline in 2021, it is therefore not surprising that the Securities and Exchange Commission (SEC) is moving to require public companies to strengthen their cybersecurity programs and to report cyber incidents so that investors have greater insight into their investments.
Continue Reading SEC Issued Proposed Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

In the wake of increasing cybersecurity threats and incidents, the U.S. Department of Defense (DoD) amended its Defense Federal Acquisition Regulation Supplement (DFARS) in 2015 to issue clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the DFARS clause).  The DFARS clause, which is included in all DoD solicitations and contracts, including those for acquisitions of commercial items (but not those solely for commercial off-the-shelf items), requires that the contractor “provide adequate security on all covered contractor information systems.” Covered contractor information systems are those that are “owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” The DFARS clause also requires that a contractor discovering a cyber incident that “affects a covered contractor information system or the covered defense information residing therein, or affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract,” must conduct a review and “rapidly report” the cyber incident, within 72 hours of discovery, to the DoD Cyber Crime Center (DC3).  A “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”  The current version of the clause goes on to define “compromise,” “covered defense information,” and other terms.  Thus, a reportable event arises only when each of these elements is present.  Questions remain about the timing and scope of reporting under the clause.  Separately from the mandatory requirement, DoD has established a voluntary public-private Defense Industrial Base (DIB) Cybersecurity program that allows for the sharing of information on cyber threats and related matters, which contractors can use even when an event does not trigger mandatory reporting.
Continue Reading A Sea Change in Handling of Government Contractor Cyber Incident Reporting?

Previously we reported on President Trump’s Executive Orders, issued under the International Emergency Economic Powers Act, banning U.S. persons from investing in designated Chinese companies determined to pose a threat to U.S. national security. Law360 reports that under that ban a total of 44 companies were designated as Communist Chinese Military Companies (CCMCs).  In addition, we reported on the implementation of requirements that the Federal government and its supply chain not use or purchase designated Chinese telecommunications and video surveillance equipment and services because of the threats they pose to national security.  Contractors are now required to report whether they use or would deliver covered equipment or services, and agencies are directed not to buy from such contractors unless an exception or exemption applies.
Continue Reading President Expands Ban on Chinese Military-Industrial Complex Companies Based on Finding of Unusual and Extraordinary Threats – Actions to Address Cybersecurity and Supply Chain Risk Continuing

If you live on the East Coast and tried to get gasoline last week, you already know firsthand the impact that a cyber incident can wreak on the supply chain.  As a result of the Colonial Pipeline cyber incident, a ransomware attack that led to the six-day shutdown of a key gasoline pipeline,

If you don’t know about SolarWinds, then you haven’t been reading the news for the past six months. In December 2020, it was reported that a widely used IT management tool that helps public- and private-sector organizations monitor and manage their Information Technology (IT) environments, the SolarWinds Orion product, had been compromised. Publicly, it has