On January 31, the U.S. Department of Defense issued CMMC v1.0, a new unified cybersecurity standard coupled with a certification program for all DoD contractors and subcontractors. While many questions remain, our overview of CMMC v1.0 provides background on the model and key considerations to assist your organization in understanding and adopting the framework.
On Monday, 7 July, the president signed into law the Intelligence Authorization Act for Fiscal Year 2014, which requires intelligence contractors with security clearances to promptly report network and information system penetrations and provide government investigators access to such systems. This new statutory cybersecurity reporting requirement for cleared intelligence contractors is largely consistent with a reporting requirement applicable to cleared U.S. Department of Defense contractors under the National Defense Authorization Act for FY 2013.
On October 14, 2011, the US Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to strengthen government contractor privacy training. This blog entry links to a Hogan Lovells Government Contracts and Privacy and Information Management Alert.
The U.S. Department of Defense (DOD) has issued an advance notice of proposed rulemaking regarding amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would add new data protection requirements for unclassified DOD information used or handled by contractors. See 75 F.R. 9563 (March 3, 2010). The proposed amendments would create a two-tiered system of data security requirements as well as an obligation to notify the DOD of security incidents, including all intrusions attempted by an “advanced persistent threat.”