Justin A. Chiarodo and Robyn N. Burrows
A very Happy New Year to our GovCon Navigator readers! Further expanding recent supply chain restrictions across federal procurement, the Department of Defense (“DoD”) issued an interim rule prohibiting DoD from procuring equipment or services from certain Chinese (and possibly Russian) entities if used to carry out DoD nuclear deterrence or homeland defense missions. The rule builds on the Section 889 supply chain restrictions we covered in a prior blog post.
What should contractors do now given the interim rule is already in effect? Contractors should first evaluate their existing contract portfolios for covered missions and take immediate steps to eliminate all covered products from their supply chain (and find alternate sources of supply). If the rule might impact contract performance, you should be prepared to address this with the appropriate counterparty. And given the requirement for compliance certifications that mirror Section 889, contractors should also harmonize monitoring and compliance with their existing supply chain compliance programs. Among other things, this should address the requirement to obtain compliance certifications from downstream subcontractors and suppliers.
Read on for the specifics. Continue reading “A DoD New Year’s Resolution: No More Chinese (and Possibly Russian) Products and Services in Support of Key Missions”
Justin A. Chiarodo and Robyn N. Burrows
As part of a recent wave of supply chain requirements, Section 889 of the 2019 National Defense Authorization Act (“NDAA”) imposed major new limitations on the use of certain Chinese telecommunications products and services in federal procurement, and recent implementing regulations mandate a range of compliance actions relating to the ban. This blog post provides practical guidance on the new rules and five compliance tips.
Ban against Procuring “Covered Telecommunications Equipment or Services”
The Department of Defense (“DoD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) recently released an interim rule implementing the first part of Section 889. This ban, which became effective August 13, 2019, sweeps broadly by prohibiting agencies from procuring the following “covered telecommunications equipment or services”:
- Telecommunications equipment produced by Huawei and ZTE Corporation;
- Video surveillance and telecommunications equipment used for public safety, surveillance of “critical infrastructure,” or national security purposes and produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company;
- Telecommunications or video surveillance services provided by such entities for any purpose; or
- Telecommunications or video surveillance equipment produced or provided by an entity that the Secretary of Defense determines is owned or controlled by, or otherwise connected to, the government of the People’s Republic of China.
The ban includes all affiliates and subsidiaries of the listed companies. Continue reading “5 Tips for Complying with New Section 889 Supply Chain Regulations”
Carolyn R. Cody-Jones
A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss the fraud allegations in a qui tam complaint against the company. The complaint, brought by a former employee from the company’s cybersecurity department a month after his termination from the company, alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.
The primary regulations at issue in the case are DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information. Continue reading “Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward”
Blank Rome Partner Justin A. Chiarodo will be a presenter at BDO’s Winter 2019 Marketplace Outlook Update for Government Contractors, “Top 10 Trends and Compliance Obligations in the Evolving World of Commercial Item Procurement.” This live webinar will take place Thursday, February 28, 2019, from 12:30 to 1:30 p.m. EST.
For more information, please visit our website.
Michael Joseph Montalbano
Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids. Continue reading “Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards”
Justin A. Chiarodo and Carolyn Cody-Jones
It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push. Continue reading “DFARS Cybersecurity Compliance Countdown: Are You Ready?”
The Department of Homeland Security (“DHS”) recently issued three new proposed cybersecurity regulations for DHS contractors which warrant careful attention. Although a freeze on new regulations by the Trump administration will likely delay any final agency action, and extensive comments and meaningful changes to any final rules are expected, these new regulations could radically impact the compliance landscape for DHS contractors. As with recent cybersecurity amendments to the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (which we’ve covered here and here), these proposed rules seek to impose more safeguarding, handling, reporting, and training requirements on covered contractors. We continue to see cybersecurity as a major business risk in the industry today, and recommend contractors pay close attention to their operational, technology, and risk management practices relating to cybersecurity. We highlight the key elements of the proposed rules below. Continue reading “DHS Contractor? Pricey New Cybersecurity Requirements (and Hidden Risks) May Await You”