FY 2019 NDAA – Cyber Focus
Client Alert | 1 min read | 08.20.18
The 2019 National Defense Authorization Act (NDAA) includes a robust set of cybersecurity provisions impacting the Defense Industrial Base, including:
- Encouraging federal agencies to avoid using lowest price technically acceptable source selection criteria in procurements predominately for the acquisition of information technology and cybersecurity services.
- Establishing a pilot program to oversee Controlled Unclassified Information (CUI) handled by contractors with foreign ownership, control, or influence.
- Requiring DoD to notify Congress of data breaches involving significant losses of Personally Identifiable Information (PII) or other forms of CUI.
- Encouraging DoD and the National Institute of Standards and Technology (NIST) to assist small businesses in the Defense Industrial Supply Chain by enhancing cyber threat awareness and training, and helping to conduct voluntary cybersecurity self-assessments.
- Requiring DoD to obtain disclosures from vendors regarding foreign government access to products or source codes, before acquiring their cybersecurity or information technology products and services.
Contacts

Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 2 min read | 07.15.26
CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations
As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights.
Client Alert | 3 min read | 07.15.26
Client Alert | 3 min read | 07.14.26
Client Alert | 3 min read | 07.13.26
Amici Rally Behind Liberty Global, Urging Tenth Circuit to Rein in Economic Substance Doctrine
