A DFARS final rule (Nov. 18, 2013) on the safeguarding of unclassified, controlled technical information requires contractors, among other things, to report within 72 hours of discovery any “cyber incident” (an action that results in an actual or potentially adverse effect on an information system and/or the information residing therein), preserve relevant data for at least 90 days, conduct an internal review of their networks for evidence and extent of any compromise of data, cooperate with DoD “damage assessments,” and flow the clause down to subcontractors (even for commercial items) — all at the contractor’s own cost. Given the rampant intellectual property and technology losses due to cyber espionage and other thefts documented in Congressional hearings, intelligence assessments, and industry reports this year, these DFARS requirements will apply additional pressure upon contractors to amend their existing compliance policies and procedures to address how to respond to a cyber incident and comply with these regulations.

David C. Hammond

David Hammond advises, litigates on behalf of, and represents domestic and foreign government contractors before all three branches of the federal government. In over 30 years of experience, he has developed particular expertise in advising companies regarding complex and difficult situations arising from the performance of U.S. government contracts in foreign countries, especially involving allegations of foreign government corruption and related defense and risk mitigation strategies. He has successfully represented defense, security, intelligence, and aerospace companies in matters involving awards and protests, internal investigations, voluntary and mandatory disclosures, Congressional investigations and hearings, false claims, suspension and debarment, industrial security, international procurements, joint venture and teaming agreements, and prime-subcontractor disputes. He was the founding Chair of the Government and Legal Affairs Committee of the International Stability Operations Association. He has litigated government contract disputes and other procurement matters before the United States Court of Appeals for the Federal Circuit, Federal District Courts, the Government Accountability Office, the Armed Services Board of Contract Appeals, the Civilian Board of Contract Appeals, the Small Business Administration, and state administrative agencies.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.