Redstone Government Consulting Blog | Cybersecurity

On October 15, 2024, the Department of Defense (“DoD”) published the final rule of the Cybersecurity Maturity Model Certification (“CMMC”) requirements in Title 32 of the Code of Federal Regulations, effective December 16, 2024. The Final Rule updates DoD national security regulations to ensure contractors have implemented cyber security measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC will be contractually required when the Defense Federal Acquisition Regulation (“DFARS”) clause has not been finalized (see our article, “DoD Issues CMMC Proposed Rule – Submit your comments by October 15, 2024”). We will refer to this DFARS clause throughout this blog as the DFARS CMMC Clause Final Rule.

DoD issued a proposed rule dated August 15, 2024 (DFARS Case 2019-D041) to amend DFARS to incorporate contractual requirements related to the Cybersecurity Maturity Module Certification (CMMC) Program. This implements a section of the National Defense Authorization Act for FY 2020 to enhance cybersecurity for the US defense industrial base. DoD is estimating that the final rule will be issued during Quarter 1 2025. Contractors should take heed and provide comments by the October 15, 2024, due date.

Since the Department of Justice (DOJ) started promoting its initiative on Cyber Security reporting there have been several settlements related to cyber security noncompliance, four of which involve defense contractors.

The FAR Council submitted a proposed rule amending FAR subparts, provisions, and clauses on October 3, 2023, to implement an Executive order on cyber threats, incident reporting, and information sharing for Federal contracts. This revision is being made to strengthen and standardize contractual requirements for cybersecurity across Federal agencies. The proposed rule also implements OMB Memorandum M-21-07 Completing the Transition to internet Protocol Version 6 (IPv6), dated November 19, 2020.

On June 9, 2023, the Office of Management and Budget (OMB) issued M-23-16, Update to Memorandum M-22-18, providing an extension to the deadline for software developers to submit attestation forms to Federal agencies.

On April 27, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) of The Department of Homeland Security (DHS) published a draft Secure Software Development Attestation Form. Software producers that sell to the government will be required to complete the self-attestation form to attest that the software they produce was developed in conformity with specified secure development practices.

DoD Issued a Final Rule amending the Defense Acquisition Regulation Supplement (DFARS) to require contracting officers to consider Supplier Performance Risk System (SPRS) risk assessments when evaluating a suppliers quote or offer. The final rule is effective March 22, 2023. The Supplier Performance Risk System (SPRS) is the authoritative source to retrieve supplier product and performance information assessments for the DoD acquisition community to use in identifying, assessing, and monitoring unclassified performance.

Office of Management and Budget (OMB) issued a memorandum dated September 14, 2022, Subject Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. This is a result of the President’s Executive Order on Improving the Nation’s Cybersecurity.

The Department of Justice (DOJ) settled one of the first lawsuits related to alleged cybersecurity fraud by Aerojet Rocketdyne, a defense contractor. So how did it begin. Aerojet Rocketdyne hired an employee as the Senior Director for Cyber Security, Compliance and Controls. The employee asserts that Aerojet misrepresented its compliance with the cyber requirements in DFARS 252.204-7012 when communicating with government officials to obtain DOD and NASA contracts between 2013 and 2015. The employee later refused to sign documents stating Aerojet was compliant with the cybersecurity requirements and reported it to the company’s ethics hotline and filed an internal company report. The employee was terminated and filed a qui tam suit alleging cybersecurity fraud under the False Claims Act.

CMMC was put on hold until recently – but is rolling forward again at a high speed. DOD held a CMMC Day Conference in May 2022 stating its goal of submitting a proposed rule in July 2022 ( no proposed rule to date) and issuing two interim final rules by March 2023. If DoD is able to stay on track (which does not appear to be the case) and issue the final interim rule by March 2023, contractors could start seeing CMMC requirements in solicitations soon after.