In Ingham Regional Medical Center v. U.S. (Jan. 6, 2020), the Court of Federal Claims compelled production of certain government investigatory documents that the Court found were not privileged work product prepared “in anticipation of litigation.” The Medical Center sued to recover payments for outpatient healthcare services performed in connection with DoD’s TRICARE program
Government Contracting
No Summer Vacation for Government as New Cybersecurity Legislation Passes
The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity. First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others. Second, Congress passed the NIST Small Business Cybersecurity Act requiring the…
Upcoming NIST Hosted DFARS Safeguarding Clause & CUI Training – October 18, 2018
The National Institute of Standards and Technology (“NIST”) is hosting a cybersecurity workshop on the Defense Federal Acquisition Regulation System (“DFARS”) Safeguarding Clause and related regulations on Thursday, October 18, 2018. The workshop, in coordination with the Department of Defense (“DoD”) and the National Archives and Records Administration (“NARA”), will provide an overview of Controlled…
FTC Submits Public Comment to Working Group Tasked with Developing Guidance on IoT Security, Upgradability, and Patching
On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers. In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged…
Interim Rule Could Expand Already Onerous DFARS Cyber Requirements
Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts. The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors). Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.
The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate. Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors. First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls. Second, they must report various cyber incidents to the DoD within 72 hours of their discovery. These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application.
The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI). CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule. But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.” Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes. To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”Continue Reading Interim Rule Could Expand Already Onerous DFARS Cyber Requirements
Partner David Bodenheimer Recognized as Co-Chair of ABA PCL “Committee of the Year”
Crowell & Moring is proud to announce that the ABA Public Contract Law Section has recognized Partner David Bodenheimer, along with Maureen Kelly of Northrop Grumman and Annejanette Pickens of General Dynamics, for their exceptional efforts as co-chairs of the Section’s Committee on Cybersecurity, Privacy, and Data Protection. The Section recently presented the Committee with…