New Cybersecurity Mandates in Federal Contracts: Is Your Firm Ready? (Slides)

PDF Summary
This document is a briefing by Eric Crusius, partner at Holland & Knight LLP, on new U.S. cybersecurity mandates affecting federal government contractors, with particular focus on the Department of Defense (DoD) and the Federal Acquisition Regulation (FAR).

The U.S. government is aggressively advancing cybersecurity standards: certification requirements for products and services, mandatory incident reporting within tight timeframes, and enhanced controls for firms that handle Controlled Unclassified Information (CUI). These mandates originate in executive orders, statutes, and rulemakings involving agencies such as DoD, GSA, NASA, and CISA.

Key initiatives include proposed FAR rules that would establish a government-wide incident reporting requirement (within 8 hours of discovery) and standardize cybersecurity contract clauses. The Cybersecurity Maturity Model Certification (CMMC) program has evolved to version 2.0, which consolidates the previous five levels into three. CMMC 2.0 does not add new security controls; it verifies that contractors already implement the NIST SP 800-171 (revision 2) controls, and it requires third-party assessments for most contractors that handle CUI. The final program rule takes effect in December 2024, with assessments and contract requirements phased in progressively through 2028.

Contractors must either self-assess or obtain independent verification of their cybersecurity readiness. The impact extends throughout the supply chain, including subcontractors and international firms; the only exemption is for providers of commercial off-the-shelf (COTS) products.

The new rules are expected to increase enforcement risk, including under the False Claims Act, because contractors must submit annual affirmations of continued compliance, and an inaccurate affirmation can be treated as a false claim.

Because the regulations are complex and still evolving, contractors are urged to monitor regulatory developments, update cybersecurity policies, train the workforce, flow compliance clauses down into subcontracts, and consider early engagement with Certified Third-Party Assessment Organizations (C3PAOs). Companies should prepare now for a compliance timeline beginning in March 2025 and anticipate audits, reporting obligations, and enforcement actions.
Keywords
U.S. cybersecurity mandates
federal government contractors
Department of Defense
Federal Acquisition Regulations
Cybersecurity Maturity Model Certification
CMMC 2.0
NIST SP 800-171
Controlled Unclassified Information
incident reporting requirements
third-party assessments