In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
Continue Reading Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April…
Continue Reading Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004). FedRAMP’s authorization boundary guidance is “the most frequently requested policy update” as it forms the foundation for determining the scope of review for assessment and authorization. The new draft currently is open for public comment through February 17, 2025.
Continue Reading FedRAMP Releases New Draft Authorization Boundary Guidance

In the Fiscal Year 2025 National Defense Authorization Act (“FY25 NDAA”), Congress included some important provisions related to the bid protest process at the U.S. Government Accountability Office (“GAO”). These provisions (1) raise the dollar threshold for task order protests of Department of Defense (“DoD”) procurements and (2) task DoD and GAO with exploring processes to make protesting DoD procurements more difficult.
Continue Reading FY2025 NDAA Increases the Threshold for DoD Task Order Protests and Asks GAO and DoD to Explore Changes to Bid Protest Process

Important Update: On January 28, 2025 the U.S. District Court for the District of Columbia granted an Administrative Stay enjoining OMB from enforcing OMB Memorandum M-25-13 until the Court can hear full arguments, scheduled for February 3. We continue to monitor developments.
Continue Reading ALERT: Trump Administration Issues “Pause” on Federal Grant Spending Effective January 28

On November 15, 2024, the Department of Defense (“DoD”) issued a long-awaited Proposed Rule to implement Section 1655 of the National Defense Authorization Act for Fiscal Year 2019.
Continue Reading DoD Issues Proposed Rule for New Disclosures on Foreign Review of Computer Code

Cell phone and laptop searches do happen but they are relatively rare. Although the Fourth Amendment right to be free of unreasonable searches and seizures is drastically reduced at a port of entry, as are expectations of privacy, U.S. Customs & Border Protection (“CBP”) has internal protocols requiring Officers to have some basis for the search. Below, we dive into the CBP protocols and what to expect if you are selected for a search. …
Continue Reading Will CBP Search Your Laptop and Cell Phone at the Port of Entry?

On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, former chief information officer of the Penn State Applied Research Laboratory, alleged that Penn State failed to comply with cybersecurity requirements in fifteen contracts and/or subcontracts with the Department of Defense (“DoD”) and National Aeronautics and Space Administration (“NASA”) between 2018 and 2023.
Continue Reading Update – Penn State to Pay Up for Cyber-Related FCA Case

On October 15, 2024, the Department of Defense (“DoD”) published the final version of its Cybersecurity Maturity Model Certification (“CMMC”) rule in Title 32 of the Code of Federal Regulations (the “Final Rule”). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking effort under Title 48 will update the Defense Federal Acquisition Regulation (“DFARS”) and trigger requirements for DoD contractors.)…
Continue Reading Countdown to Compliance: DoD Finalizes the CMMC Program Rule

While most contractors think of the Government Accountability Office and Court of Federal Claims (or even the agency) when considering whether to challenge a government contract award, there are additional options for small business set-asides – small business size and status protests. The government, recognizing the importance of small businesses to the American economy, provides small businesses certain preferences in government contracting, including only allowing eligible small businesses to compete for certain contracts (referred to as small business set-asides). But in order to be eligible for this exclusive federal marketplace (that was worth more than $178 billion dollars in…
Continue Reading Keep Your Eyes on the Size: Small Business Size Protests

On April 1, 2024, the FAR Council published a new Final Rule that establishes FAR Part 40 – but without any new provisions of substance. This Final Rule becomes effective on May 1, 2024. Subsequently, the FAR Council published a Request for Information (“RFI”) on April 10, 2024. The RFI seeks feedback on the scope and organization of FAR Part 40 and is open for comment until June 10, 2024.
Continue Reading Not an April Fools Joke – FAR Part 40 Final Rule Has Been Published

Welcome back to the Cost Corner, where we provide practical insight into the complex cost and pricing requirements that apply to Government contractors. The current topic is Federal Acquisition Regulation (FAR) Cost Principles applicable to contracts with commercial organizations. The previous four Cost Corner articles addressed the Cost Principles pertaining to the general criteria for determining the allowability of costs, direct and indirect costs, accounting for unallowable costs, and penalties for unallowable costs. This article begins coverage of FAR 31.205, Selected Costs, which includes forty-seven Cost Principles, each of which governs the allowability of a particular type of cost. The…
Continue Reading The Cost Corner: Government Contracts Cost and Pricing – Compensation for Personal Services (Part I)

Welcome back to the Cost Corner, where we provide practical insight into the complex cost and pricing requirements that apply to Government contractors. This is the second article in a multi-part series on the Federal Acquisition Regulation (FAR) Cost Principles applicable to contracts with commercial organizations. The previous Cost Corner addressed the applicability of the Cost Principles and their general criteria for determining the allowability of costs. This Cost Corner focuses on the allocation of direct and indirect costs. We will address the applicable Cost Principles (FAR 31.202 and FAR 31.203) as well as the overlapping provisions of the Cost…
Continue Reading Government Contracts Cost and Pricing: Allocation of Direct and Indirect Costs