On Aug. 15, 2024, the Department of Defense (DoD) published a proposed rule that would implement contract clauses under 48 CFR related to the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule). DoD previously published a related proposed rule that would implement the CMMC 2.0 Program under 32 CFR 170 and provided the relevant security
Eleanor M. Ross
Eleanor (Elle) Ross advises government contractors from a diverse range of industries on regulatory matters including compliance with government regulations, contract disputes, defense of claims, and government investigations. She litigates bid protests before the Court of Federal Claims and the Government Accountability Office. She advises clients in connection with an array of agreements and multi-award procurements, including challenging award decisions in a variety of fora.
Elle also counsels clients on federal and state compliance obligations, particularly in connection with cybersecurity (including CMMC and NIST requirements) and supply chain risk management practices. She works with clients to understand government regulations and to develop and implement compliance plans. She also assists with making mandatory and voluntary disclosures to federal agencies and represents clients in subsequent investigations and administrative proceedings. She manages sanctions proceedings against contractors, including cases alleging fraud and corruption.
Elle also represents clients in commercial contract disputes, both in mediation and in federal court.
Previously, Ms. Ross was a legal consultant to the World Bank Office of Suspension and Debarment, where she reviewed cross-border investigations to determine contractor compliance with World Bank regulations.
DOJ Files Complaint in First Cybersecurity False Claims Act Qui Tam Case Intervention
In July 2022, two relators sued the Georgia Tech Research Corporation (GTRC) and the Georgia Institute of Technology (GA Tech) under the FCA. The allegations include violations of the FCA and employment law, based on the “increasing retaliation” experienced by the relators after they escalated their concerns.
Proposed Cyber Incident Reporting Requirements for DIB Contractors Under CIRCIA
On April 4, 2024, CISA published its long-awaited Notice of Proposed Rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). If passed in their current form, the Rules would create extensive reporting obligations for an estimated 316,244 covered entities across 16 critical infrastructure sectors.
DOJ’s First Intervention in Cybersecurity FCA Qui Tam Case Signals Continued Cyber Enforcement
In July 2022, two relators sued the GTRC and GA Tech under the FCA. The allegations include violations of the FCA and employment law based on the relators’ claims of “increasing retaliation” experienced after they escalated their concerns.
DoD Issues Proposed CMMC Rule for Contractors
On Dec. 26, 2023, DoD published a proposed rule implementing the CMMC Program (the Proposed Rule). The regulations come more than three years after the release of the initial CMMC regulations (November 2020) and two years after the Biden administration announced the revised “CMMC 2.0” program (January 2021). The Proposed Rule largely reflects the CMMC…
The National Cybersecurity Strategy Implementation Plan: What Contractors Need to Know
In July 2023 the Biden administration announced the National Cybersecurity Strategy Implementation Plan, detailing how the government will advance the cyber strategy. The plan describes 65 initiatives to achieve the objectives laid out in the strategy, and several of them will impact federal contractors.
NIST Updates Guidelines for Protecting Sensitive Unclassified Info: Implications for Defense Contractors
On May 10, 2023, the National Institute of Standards and Technology (NIST) released Revision 3 to its foundational publication, 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication provides guidelines for protecting sensitive unclassified information in contractor systems, and these guidelines establish the baseline cybersecurity requirements for federal defense contractors. …