Cybersecurity

The Department of Justice (“DOJ”) recently released its 2025 statistics for federal False Claims Act cases. With settlements and judgments exceeding $6.8 billion last year, DOJ’s report shows that the False Claims Act (“FCA”) remains one of DOJ’s most potent and frequently used investigation tools. The annual report also suggests that, after a year of change and turnover that touched virtually every corner and level of DOJ, the coming year will likely see a historically high volume of FCA cases. Contractors and grant recipients, therefore, should pay careful attention to every claim for payment or compliance certification submitted to any federal authority.

After a Senate vote on Sunday evening, Congress appears closer to ending the record-setting government shutdown. The Senate advanced a funding package that includes appropriations for military construction and calls for the reinstatement of all furloughed federal employees.

The increased concern about ransomware incidents, from both a quantitative and a severity standpoint, spurred the White House to urge corporate business leaders to improve their defenses and resilience posture against ransomware attacks. In a June 2, 2021 open letter to Corporate Executives and Business Leaders (the Letter), Anne Neuberger, the White House Deputy National Security Advisor for Cyber and Emergency Technology, appealed to business leaders to act, following on the heels of the President’s directives to federal agencies and contractors.

President Biden’s newly released Executive Order on Improving the Nation’s Cybersecurity represents a comprehensive approach to tackling cybersecurity threats in the U.S. and will likely result in new FAR and DFARS contract requirements. It represents the next step towards the inclusion of mandatory breach notifications in government contracts following widespread speculation that breach notification requirements were on the horizon.

The Biden Administration has committed to making cybersecurity a top priority and is now turning its focus towards energy infrastructure, which is widely recognized as vulnerable to cyberattack due to grid control systems. The U.S. Department of Energy (DOE) has launched a 100-day initiative to “advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.”

The Biden Administration is imminently expected to release an executive order that will require government contractors to notify the government in the event of a cybersecurity breach. Despite the relatively steady rise in cyberattacks and breaches over the years, and the enactment of consumer data breach disclosure laws in all 50 states, there is currently no standardized reporting requirement for government contractors. However, the Biden Administration has promised executive action on the issue, largely in response to a cyberattack by a suspected nation-state against multiple software companies, including the SolarWinds software company.

Have you received a Section 889 letter yet? If not, you may soon. The letters ask whether you provide or use “covered telecommunications equipment or services.” They are part of the implementation of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (the 2019 NDAA), which has two phases. The first phase started in August 2019 but has a limited scope. The second phase—which started in August 2020—is much broader and raises a lot more questions. This article answers some of those questions and provides some tips on how to comply.

Keep in mind that Section 889 is still being implemented. Much of this analysis is based on interim rulemakings at 85 F.R. 42665 and 85 F.R. 53126. Final rules may change based on public comments.

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, and (iii) implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

The National Defense Authorization Act for Fiscal Year 2016 [pdf], signed into law just before Thanksgiving, authorizes $607 billion for Department of Defense activities in FY 2016. It also implements a number of acquisition reforms intended to enhance the Government’s cybersecurity efforts and streamline the various acquisition regulations. Here we break down some of the key acquisition provisions:

  • Rapid acquisition authority for cyber attacks. Section 803 of the 2016 NDAA expands the DoD’s ability to employ rapid acquisition procedures established under the 2003 NDAA to enhance its ability to respond to combat emergencies and urgent operational needs. Under Section 803, rapid acquisition procedures may now be used to acquire “needed offensive or defensive cyber capabilities, supplies, and associated support services” to respond to a cyber attack that “has resulted in critical mission failure, the loss of life, property destruction, or economic effects.” The term “cyber attack” is broadly defined as including any “deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs” in those systems. Acquisitions made pursuant to this authority are subject to an aggregate limit of $200 million in each fiscal year.
  • U.S. Cyber Command acquisition authority and liability protection for cybersecurity contractors. In addition to expanding DoD’s rapid acquisition authority to deal with cyber attacks, Section 807 of the NDAA provides new limited acquisition authority for the Commander of the United States Cyber Command (CYBERCOM). The Commander is authorized to procure “cyber operations-peculiar equipment and capabilities,” subject to an annual limit of $75 million for each fiscal year from 2016 through 2021. Section 1647 of the NDAA also requires the evaluation of cyber vulnerabilities of all major DoD weapons systems by the end of 2019. Section 1641 of the NDAA provides enhanced liability protection for reporting cyber incidents for both “cleared” and “operationally critical” contractors, so long as there is no willful misconduct.