GOVERNMENT CONTRACTING LAW

Similar documents
GOVERNMENT CONTRACTING LAW

DECEMBER 2018 vol. 4 no. 12

DFARS Cyber Rule Considerations For Contractors In 2018

REPORT PRATT S PRIVACY & CYBERSECURITY LAW AN A.S. PRATT PUBLICATION FEBRUARY-MARCH 2018 VOL. 4 NO. 2

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

REPORT PRATT S PRIVACY & CYBERSECURITY LAW AN A.S. PRATT PUBLICATION APRIL 2018 VOL. 4 NO. 3

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Cybersecurity Challenges

Safeguarding unclassified controlled technical information (UCTI)

Cybersecurity Risk Management

Privacy & Law VOL. 4 NO. 1. Editor s Note: Biometrics and Privacy Steven A. Meyerowitz. Lindsay Burke and Moriah Daugherty

INTRODUCTION TO DFARS

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

NIST Special Publication

ROADMAP TO DFARS COMPLIANCE

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Cyber Security Challenges

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

The FAR Basic Safeguarding Rule

PRIVACY & CYBERSECURITY LAW

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Lexis for Microsoft Office

Get Compliant with the New DFARS Cybersecurity Requirements

DFARS , NIST , CDI

7 Windows Tweaks. A Comprehensive Guide to Customizing, Increasing Performance, and Securing Microsoft Windows 7. Steve Sinchak

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Another Cook in the Kitchen: The New FAR Rule on Cybersecurity

Cyber Security Challenges

Lexis for Microsoft Office

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

MDA Acquisition Updates

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

PRIVACY POLICY Last Updated May, 2018

DFARS Defense Industrial Base Compliance Information

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

Beginning Transact-SQL with SQL Server 2000 and Paul Turley with Dan Wood

2017 SAME Small Business Conference

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Hacking and Cyber Espionage

The GDPR Are you ready?

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Real-Time Optimization by Extremum-Seeking Control

INCLUDING MEDICAL ADVICE DISCLAIMER

ENCORE II REQUIREMENTS CHECKLIST AND CERTIFICATIONS

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

June 27, Via Electronic Mail. Federal Trade Commission Office of the Secretary Room H Pennsylvania Avenue, NW Washington, D.C.

Cybersecurity & Privacy Enhancements

ISAO SP 4000: Protecting Consumer Privacy in Cybersecurity Information Sharing v1.0

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

CANADA S ANTI-SPAM LEGISLATION: Getting ready for July 1 st, 2014

Negotiations or Clarifications - Do you know the difference?

TOP TRENDING THE MAGAZINE. Menu. 1 of 6 6/7/16 4:38 PM. Keep it Simple, Legal. A New Role Bridging Business and Legal at Shell

Beginning Web Programming with HTML, XHTML, and CSS. Second Edition. Jon Duckett

Mastering UNIX Shell Scripting

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

CHIEF EXECUTIVE OFFICER/MANAGING PARTNER AND COMPLIANCE, REGULATORY, AND LEGAL DEPARTMENTS

NY DFS Cybersecurity Regulations August 8, 2017

cybersecurity challenges for government contractors

FISMAand the Risk Management Framework

Anatomy of a Data Breach: A Practical Guide for Small Law Departments

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003

Section One of the Order: The Cybersecurity of Federal Networks.

Linux Command Line and Shell Scripting Bible. Third Edtion

Study Guide. Robert Schmidt Dane Charlton

Safeguarding Unclassified Controlled Technical Information

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Quick Start Strategy to Compliance DFARS Rob Gillen

Contracting in the Dark World: Special Considerations for Classified Contracting

Policies & Medical Disclaimer

Cyber Security and the Vulnerability of Networks: Why we Need to Rethink our Cyber Defenses Now

How the SBIR/STTR Programs Help Grow Your Businesses

SAC PA Security Frameworks - FISMA and NIST

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

U.S. Department of Transportation. Standard

Hewlett Packard Enterprise Company Public Sector - Federal

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

Investigating Insider Threats

NETWORX PROGRAM INDIVIDUAL SMALL BUSINESS SUBCONTRACTING PLAN IDIQ TASK ORDER BASED

iwork DUMmIES 2ND EDITION FOR

TERMS OF SERVICE. Maui Lash Extensions All Rights Reserved.

Linux Command Line and Shell Scripting Bible

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

TechLaw Institute 2017:

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Virginia Commonwealth University School of Medicine Information Security Standard

NYDFS Cybersecurity Regulations

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Risk Management Framework for DoD Medical Devices

COSO Enterprise Risk Management

Transcription:

AN A.S. PRATT PUBLICATION DECEMBER 2017 VOL. 3 NO. 12 PRATT S GOVERNMENT CONTRACTING LAW REPORT EDITOR S NOTE: FALSE CLAIMS ACT Victoria Prussen Spears UNDER WHAT CIRCUMSTANCES CAN A PRIVATE QUI TAM PLAINTIFF OVERRULE GOVERNMENT AGENCY EXPERTS USE OF ADMINISTRATIVE DISCRETION TO FILE FALSE CLAIMS ACT ACTIONS IN THE POST-ESCOBAR WORLD? Robert S. Salcido ONE POTENTIAL REMEDY FOR FALSE CLAIMS ACT OVERREACH? Alex D. Tomaszczuk, Michael R. Rizzo, James J. Gallagher, and Aaron S. Dyer DOD ISSUES FURTHER GUIDANCE ON IMPLEMENTATION OF DFARS CYBER RULE Susan B. Cassidy and Calvin Cohen DOD CLASS DEVIATION RESCINDS IR&D TECHNICAL INTERCHANGES REQUIREMENT Michael W. Mutek, Paul R. Hurst, and Thomas P. Barletta IN THE COURTS Steven A. Meyerowitz

PRATT S GOVERNMENT CONTRACTING LAW REPORT VOLUME 3 NUMBER 12 DECEMBER 2017 Editor s Note: False Claims Act Victoria Prussen Spears 411 Under What Circumstances Can a Private Qui Tam Plaintiff Overrule Government Agency Experts Use of Administrative Discretion to File False Claims Act Actions in the Post-Escobar World? Robert S. Salcido 413 One Potential Remedy for False Claims Act Overreach? Alex D. Tomaszczuk, Michael R. Rizzo, James J. Gallagher, and Aaron S. Dyer 428 DOD Issues Further Guidance on Implementation of DFARS Cyber Rule Susan B. Cassidy and Calvin Cohen 431 DOD Class Deviation Rescinds IR&D Technical Interchanges Requirement Michael W. Mutek, Paul R. Hurst, and Thomas P. Barletta 435 In the Courts Steven A. Meyerowitz 438

QUESTIONS ABOUT THIS PUBLICATION? For questions about the Editorial Content appearing in these volumes or reprint permission, please call: Heidi A. Litman at... 516-771-2169 Email:... heidi.a.litman@lexisnexis.com Outside the United States and Canada, please call.............. (973) 820-2000 For assistance with replacement pages, shipments, billing or other customer service matters, please call: Customer Services Department at......................... (800) 833-9844 Outside the United States and Canada, please call.............. (518) 487-3385 Fax Number....................................... (800) 828-8341 Customer Service Website................. http://www.lexisnexis.com/custserv/ For information on other Matthew Bender publications, please call Your account manager or.............................. (800) 223-1940 Outside the United States and Canada, please call.............. (937) 247-0293 Library of Congress Card Number: ISBN: 978-1-6328-2705-0 (print) Cite this publication as: [author name], [article title], [vol. no.] PRATT S GOVERNMENT CONTRACTING LAW REPORT [page number] (LexisNexis A.S. Pratt); Michelle E. Litteken, GAO Holds NASA Exceeded Its Discretion in Protest of FSS Task Order, 1 PRATT S GOVERNMENT CONTRACTING LAW REPORT 30 (LexisNexis A.S. Pratt) Because the section you are citing may be revised in a later release, you may wish to photocopy or print out the section for convenient future reference. This publication is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. A.S. Pratt is a registered trademark of Reed Elsevier Properties SA, used under license. Copyright 2017 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights Reserved. No copyright is claimed by LexisNexis, Matthew Bender & Company, Inc., or Reed Elsevier Properties SA, in the text of statutes, regulations, and excerpts from court opinions quoted within this work. Permission to copy material may be licensed for a fee from the Copyright Clearance Center, 222 Rosewood Drive, Danvers, Mass. 01923, telephone (978) 750-8400. An A.S. Pratt Publication Editorial Office 230 Park Ave., 7th Floor, New York, NY 10169 (800) 543-6862 www.lexisnexis.com (2017 Pub.4938)

Editor-in-Chief, Editor & Board of Editors EDITOR-IN-CHIEF STEVEN A. MEYEROWITZ President, Meyerowitz Communications Inc. EDITOR VICTORIA PRUSSEN SPEARS Senior Vice President, Meyerowitz Communications Inc. BOARD OF EDITORS MARY BETH BOSCO Partner, Holland & Knight LLP DARWIN A. HINDMAN III Shareholder, Baker, Donelson, Bearman, Caldwell & Berkowitz, PC J. ANDREW HOWARD Partner, Alston & Bird LLP KYLE R. JEFCOAT Counsel, Latham & Watkins LLP JOHN E. JENSEN Partner, Pillsbury Winthrop Shaw Pittman LLP DISMAS LOCARIA Partner, Venable LLP MARCIA G. MADSEN Partner, Mayer Brown LLP KEVIN P. MULLEN Partner, Morrison & Foerster LLP VINCENT J. NAPOLEON Partner, Nixon Peabody LLP STUART W. TURNER Counsel, Arnold & Porter LLP WALTER A.I. WILSON Senior Partner, Polsinelli PC iii

PRATT S GOVERNMENT CONTRACTING LAW REPORT is published twelve times a year by Matthew Bender & Company, Inc. Copyright 2017 Reed Elsevier Properties SA., used under license by Matthew Bender & Company, Inc. All rights reserved. No part of this journal may be reproduced in any form by microfilm, xerography, or otherwise or incorporated into any information retrieval system without the written permission of the copyright owner. For permission to photocopy or use material electronically from Pratt s Government Contracting Law Report, please access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For subscription information and customer service, call 1-800-833-9844. Direct any editorial inquires and send any material for publication to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., 26910 Grand Central Parkway Suite 18R, Floral Park, New York 11005, smeyerowitz@meyerowitzcommunications.com, 718.224.2258. Material for publication is welcomed articles, decisions, or other items of interest to government contractors, attorneys and law firms, in-house counsel, government lawyers, and senior business executives. This publication is designed to be accurate and authoritative, but neither the publisher nor the authors are rendering legal, accounting, or other professional services in this publication. If legal or other expert advice is desired, retain the services of an appropriate professional. The articles and columns reflect only the present considerations and views of the authors and do not necessarily reflect those of the firms or organizations with which they are affiliated, any of the former or present clients of the authors or their firms or organizations, or the editors or publisher. POSTMASTER: Send address changes to Pratt s Government Contracting Law Report, LexisNexis Matthew Bender, 630 Central Avenue, New Providence, NJ 07974. iv

IMPLEMENTATION OF DFARS CYBER RULE DOD Issues Further Guidance on Implementation of DFARS Cyber Rule By Susan B. Cassidy and Calvin Cohen * The Director of the Defense Pricing/Defense Procurement and Acquisition Policy recently issued guidance to Department of Defense acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of National Institute of Standards and Technology Special Publication 800-171. The authors of this article discuss the guidance, which represents a forward leaning approach to addressing industry concerns and questions with regard to the Defense Federal Acquisition Regulation Supplement Cyber Rule. The Director of the Defense Pricing/Defense Procurement and Acquisition Policy ( DPAP ) recently issued guidance 1 to Department of Defense ( DOD ) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of National Institute of Standards and Technology ( NIST ) Special Publication ( SP ) 800-171. The guidance outlines (i) ways in which a contractor may use a System Security Plan ( SSP ) to document implementation of NIST SP 800-171; and (ii) provides examples of how DOD organizations could leverage a contractor s SSP and related Plan of Action and Milestones ( POA&M ) in the contract formation, administration, and source selection processes. COVERED DEFENSE INFORMATION ( CDI ) The guidance states that DOD must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract. Although the requirement for DOD to mark data provided to the contractor during performance is clear, the guidance is less clear as to information developed in performance of the contract. In particular, noting a requirement for the contractor to mark information developed during performance, without specifying which information needs to be marked (i.e., * Susan B. Cassidy is a partner at Covington & Burling LLP advising clients on the rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. Calvin Cohen is an associate in the firm s Government Contracts and Data Privacy and Cyber Security practice groups. The authors may be reached at scassidy@cov.com and ccohen@cov.com, respectively. 1 http://www.acq.osd.mil/dpap/policy/policyvault/usa002829-17-dpap.pdf. 431

GOVERNMENT CONTRACTING LAW REPORT specifying a particular Contract Data Requirements List ( CDRL ) presents a compliance challenge and increases the opportunity for miscommunications between DOD and its contractors. The DOD s slides and statements at the June 2017 Industry Day were more explicit, noting that the DOD must [d]ocument in the contract (e.g., Statement of Work, CDRLs) information, including covered defense information, that is required to be developed for performance of the contract, and specify requirements for the contractor to mark, as appropriate, information to be delivered to DoD. (see, e.g., MIL-Handbook 245D, and Contract Data Requirements List (CDRL) (DD Form 1423)). 2 Contractors may see additional clarification of this point in the Frequently Asked Questions that DOD is expected to issue soon. Otherwise, contracting personnel may take a narrow view of their responsibilities to identify CDI that will be developed during performance. IMPLEMENTATION OF NIST 800-171 SECURITY CONTROLS The guidance recognizes that NIST SP 800-171 provides latitude to contractors for how they choose to implement applicable security controls and for how contractors assess their own compliance with those requirements. DOD recognizes that compliance with NIST SP 800-171 involves both policy/procedures and technical controls. To the extent that a contractor seeks additional clarification as to the interpretation of NIST SP 800-171 security controls, the guidance points contractors to the corresponding NIST SP 800-53 security controls, as well as the 800-53 Supplemental Guidance. DOCUMENTING COMPLIANCE WITH AN SSP Under 252.204-7012(b)(2)(ii)(A), contractors shall implement 800-171, as soon as practical, but not later than December 31, 2017. Key to that implementation is the 110th security control, which was added in Revision 1 to NIST SP 800-171. This control requires contractors to create an SSP, which describe[s] the boundary of [a contractor s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems. At the June 23, 2017 Industry Day, DOD clarified that if a contractor is not in compliance with all 110 security controls by December 31, 2017, but has an SSP and POA&M that accurately reflect the status of its compliance with those 2 See Cybersecurity Challenges, Protecting DoD s Unclassified Information, June 23, 2017 Industry Day at Slide 27, available at http://dodcio.defense.gov/portals/0/documents/public Meeting-Jun 23 2017 Final.pdf?ver=2017-06-25-022504-940. 432

IMPLEMENTATION OF DFARS CYBER RULE controls, that contractor has implemented 800-171 for purposes of the 7012 clause. 3 In the guidance, DOD further noted that in addition to a POA&M, the SSP should describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. DOD again noted that there is no required format for an SSP and that it may be separate or combined documents. ROLE OF THE SSP AND POA&M IN CONTRACT FORMULATION, ADMINISTRATION, AND SOURCE SELECTION Revision 1 to NIST SP 800-171 provides that federal agencies may consider a contractor s SSP and POA&Ms as critical inputs to an overall risk management decision to process, store or transmit CUI [controlled unclassified information] on a contractor s internal networks. Although not mandatory, agencies will be permitted to use implementation of NIST SP 800-171 as an evaluation criteria. The guidance notes the following examples: Using proposal instructions and corresponding evaluation specifics as to the implementation of NIST SP 800-171 to permit DOD to determine whether it is an acceptable or unacceptable risk to process, store, or transmit CDI on a contractor s system; Establishing compliance with [Defense Federal Acquisition Regulation Supplement ( DFARS )] 252.204-7012 as a separate technical evaluation factor ; Identifying any NIST SP 800-171 security requirements not implemented at the time of the award and including associated POA&Ms implementation; and/or Identifying in the solicitation that all security requirements in NIST SP 800-171 must be implemented at the time of award. Because contractors have objected that SSPs contain highly sensitive data about their networks, the guidance suggests that contracting officers incorporate the SSPs by reference as part of the contract. Thus, the accuracy of the SSPs and compliance with the POA&Ms are crucial because by incorporating these documents, DOD would make compliance with those documents a contractual obligation. This contractual obligation is further exacerbated by DFARS 252.204-7008, which provides that by submitting the offer, a contractor is representing that it has implemented the 800-171 security controls, including the requirement for an SSP. 3 See, id., Cybersecurity Challenges, Protecting DoD s Unclassified Information, June 23, 2017 Industry Day at Slide 46. 433

GOVERNMENT CONTRACTING LAW REPORT This guidance represents DOD s forward leaning approach to addressing industry concerns and questions with regard to the DFARS Cyber Rule. The next iteration of Frequently Asked Questions is expected soon and should provide further guidance to contractors. 434

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback