Insights

Washington – February 22, 2019: Crowell & Moring LLP is pleased to announce that its Government Contracts Group has been recognized as one of Law360’s “Practice Groups of the Year” for government contracts. This is the ninth consecutive year that the group has earned this honor.

Washington, D.C. – January 9, 2015: Crowell & Moring LLP is pleased to announce that its Government Contracts Group has been named to Law360's "Practice Groups of the Year" listing for Government Contracts for the fifth straight year. For this listing, Law360 recognizes "firms that came through for their clients in 2014, sealing the big deals and winning the high-stakes suits."

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.

On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).

Crowell & Moring's Ounce of Prevention Seminar, hosted by the firm's Government Contracts Group, is featured in a BNA article discussing compliance measures for federal contractors. George Washington University law professor Steven Schooner, who spoke at the conference, discussed key compliance cases to highlight the importance of risk avoidance for contractors.

Washington, D.C.-based Government Contracts partner Evan Wolff and senior counsel Maida Lerner are featured in BNA after speaking at Crowell & Moring’s annual Ounce of Prevention Seminar. Wolff and Lerner highlight best practices that lawyers can recommend to mitigate cybersecurity risks, noting that the most important step is to prepare for an incident. Wolff and Lerner also advised that firms should clearly establish who is in charge of cyber issues and should advise clients to have well-established policies and procedures related to cybersecurity.