There is no question cybersecurity is a critical compliance and risk area for federal contractors. A seemingly endless stream of cyberattacks—on corporate databases, government servers, even baby monitors—shows the breadth of these problems and the need for action. Government contractors have the added challenge of specialized regulatory obligations, with compliance (or non-compliance) having a direct impact on the value of their business.
In the most recent regulatory development, the Defense Department has issued a final rule modifying its principal cybersecurity clause—DFARS 252.204-7012 (SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING). The final rule contains several updates to the interim rule published a year ago. I’ve listed the key differences between the interim and final rules below; we’ve already taken a detailed look at the key provisions, many of which haven’t changed in the final version. You can read the final rule here.
- Covered Defense Information Definition. “CDI” has been redefined to align with the definition of “Controlled Unclassified Information” published by the National Archives and Record Administration in September 2016.
- COTS Exclusion. Acquisitions solely for commercially available off-the-shelf (“COTS”) items should be excluded from the rule; other commercial item procurements remain subject to it.
- Security Requirements. “Adequate security” must be implemented on all covered contractor information systems (not just those involved in performing the contract). NIST SP 800-171 remains the baseline standard for covered systems not operated on behalf of the government (though a contractor may petition to use alternative measures that are “equally effective”).
- Investigation and Reporting. Post-incident investigation and reporting requirements remain largely intact, with tweaks to the handling requirements for malicious software and scope of DoD access to potentially compromised systems.
- Flowdowns. Flowdown requirements to subcontractors have been modified, in part by limiting flowdowns to subcontractors providing operationally critical support or where CDI is necessary for subcontract performance. Subcontractors do not need to report cyber incidents to the prime contractor under the final rule.
- Cloud Computing. The final rule provides that cloud computing service providers (“CSPs”) that store, process, or transmit CDI must meet the applicable security requirements (i.e., the applicable FedRAMP standards, which vary based on whether the services are being operated on behalf of the Government or not).
Despite a phase-in period through October 2017, defense contractors should be actively working to ensure their compliance with final rule requirements. Indeed, covered contractors must conduct a gap analysis and notify DoD of any NIST SP 800-171 standards they do not meet at the time of contract award (which can impact contract negotiations).
Given the rapid change in this area, the final rule presents an important checkpoint for contractors to review, among other things: 1) their incident response plans (including identification of key stakeholders, responsibility delegations, and involvement of counsel and forensic specialists in the event of a cyber incident); 2) contracts management (addressing cybersecurity flowdown requirements and risk allocations in prime and subcontracts); 3) insurance coverage for cyber incidents; and, of course, 4) technology. It is only a question of when—not if—your business will be impacted by a cyber incident. The final rule should reinforce that contractors treat cybersecurity compliance as an integral part of broader enterprise risk management, involving the right people, processes, and procedures.
Christian N. Curran
In what may be the most significant change to contractor compliance this year, the Fair Pay and Safe Workplaces final rule takes effect on October 25, 2016. On August 25, 2016, the FAR Council and Department of Labor (“DOL”) issued the final rule and guidance implementing the Fair Pay and Safe Workplaces Executive Order, also known as “The Blacklisting Order” (originally issued on July 31, 2014). The order created new requirements for contractors, adding pre- and post-award reporting demands on covered contracts regarding contractor compliance with 14 separate labor laws. The proposed rule that was published on May 28, 2015, resulted in over 10,000 comments being submitted. The rule contains substantial new compliance obligations for contractors and drastic consequences for noncompliance. As discussed below, contractors need to take immediate steps in order to ensure readiness for these expansive new obligations. Continue reading “Fair Pay and Safe Workplaces Final Rule Takes Effect in October: Are You Ready?”
Justin Chiarodo and Stephanie Zechmann
The 2016 election season is unlike any other in recent memory. But like elections past and yet to come, political contributions and lobbying remain a mainstay of the political process. This is particularly true in the federal government contracting community, which is heavily influenced by executive and legislative action (and inaction). Though we can expect the unexpected in the three months leading up to the election, we offer below five fundamental “do’s and don’ts” that government contractors should keep in mind to guide their political activities. Continue reading “Five Things Government Contractors Should Keep in Mind about Political Activities this Election Season”
Justin A. Chiarodo and Christian N. Curran
After a long wait and much anticipation, the Small Business Administration (“SBA”) issued its final rule expanding the mentor-protégé program to all small businesses on July 25, 2016. The new rule broadly expands upon the existing 8(a) mentor-protégé program, and is projected to result in $2 billion in federal contracts to program participants. Though the final rule largely tracks the February 2015 proposed rule, which we previously wrote about here, the final rule does make some key changes, including changes regarding size certification and reporting. As the new rule goes into effect on August 24, 2016, contractors both large and small should prepare now to take advantage of what the newly expanded program has to offer. Continue reading “SBA Final Rule Expanding Mentor-Protégé Program to Take Effect This Month”
Merle DeLancey, Justin Chiarodo and Philip Beshara
Last month, the General Services Administration (“GSA”) finalized a rule marking what the agency describes as the most significant development to its Schedules program in over two decades. The rule completely changes how GSA will analyze vendor pricing for products and services.
Under the rule, vendors will eventually be required to submit monthly transactional data reports with information related to orders and prices under certain GSA Schedule contracts and other vehicles. Along with the implementation of the new Transactional Data Reporting (“TDR”) requirement, GSA will relieve vendors from two preexisting compliance burdens—eliminating the Commercial Sales Practices (“CSP”) and Price Reductions Clause (“PRC”) reporting requirements when vendors begin submitting transactional data.
While vendors should welcome the relief provided from the elimination of two burdensome regulations, the shift to TDR will not be without cost and risk; and, the eventual efficiencies promised by GSA remain to be seen. Indeed, the impact of the change will likely extend beyond compliance burdens, with potential effects varying from the nature of False Claims Act suits to the potential publication of competitive information.
We summarize these and other key takeaways from the new rule below, and answer questions important to vendors as GSA rolls out this significant development. Continue reading “GSA’s Transactional Data Reporting Rule Ushers in a New Era”
Merle M. DeLancey and Lyndsay A. Gorton
On June 15, 2016, the Department of Labor (“DOL”) Office of Federal Contract Compliance Programs (“OFCCP”) issued a final rule updating its 1970 sex discrimination guidelines. The final rule, available here, enforces Executive Order 11246, which prohibits federal contractors and subcontractors from employment discrimination based on race, color, religion, sex, sexual orientation, gender identity, or national origin. The rule applies to companies that have federal government contracts of $10,000 or more and will be effective on August 15, 2016. Continue reading “Department of Labor Issues Final Rule Updating Sex Discrimination Guidelines”
David Yang and Christian N. Curran
On June 16, 2016, the Supreme Court issued its decision in Universal Health Services, Inc. v. United States ex rel. Escobar, holding that “implied certification” is a valid theory of liability under the False Claims Act (“FCA”), and further concluding that a failure to comply with a contract requirement, regulation, or statute may support a false claims case even if the provision is not an “express condition of payment.” While the unanimous opinion settles the debate over the viability of the implied certification theory, its reliance on a subjective materiality standard will likely make FCA cases more difficult to resolve on the pleadings and also increase the number of FCA cases filed. Continue reading “How UHS v. U.S. ex rel. Escobar Will Impact Government Contractors”