5 Tips for Complying with New Section 889 Supply Chain Regulations

Justin A. Chiarodo and Robyn N. Burrows

As part of a recent wave of supply chain requirements, Section 889 of the 2019 National Defense Authorization Act (“NDAA”) imposed major new limitations on the use of certain Chinese telecommunications products and services in federal procurement, and recent implementing regulations mandate a range of compliance actions relating to the ban. This blog post provides practical guidance on the new rules and five compliance tips.

Ban against Procuring “Covered Telecommunications Equipment or Services”

The Department of Defense (“DoD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) recently released an interim rule implementing the first part of Section 889. This ban, which became effective August 13, 2019, sweeps broadly by prohibiting agencies from procuring the following “covered telecommunications equipment or services”:

  1. Telecommunications equipment produced by Huawei and ZTE Corporation;
  2. Video surveillance and telecommunications equipment used for public safety, surveillance of “critical infrastructure,” or national security purposes and produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company;
  3. Telecommunications or video surveillance services provided by such entities for any purpose; or
  4. Telecommunications or video surveillance equipment produced or provided by an entity that the Secretary of Defense determines is owned or controlled by, or otherwise connected to, the government of the People’s Republic of China.

The ban includes all affiliates and subsidiaries of the listed companies.

Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward

Carolyn R. Cody-Jones

A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss the fraud allegations in the qui tam complaint against the company. The complaint—brought by a former employee from the company’s cybersecurity department a month after his termination from the company—alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.

The primary regulation at issue in the case is DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information.

Top 10 Trends and Compliance Obligations in the Evolving World of Commercial Item Procurement

Blank Rome Partner Justin A. Chiarodo will be a presenter at BDO’s Winter 2019 Marketplace Outlook Update for Government Contractors, “Top 10 Trends and Compliance Obligations in the Evolving World of Commercial Item Procurement.” This live webinar will take place Thursday, February 28, 2019, from 12:30 to 1:30 p.m. EST.

For more information, please visit our website.

Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards

Michael Joseph Montalbano

Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids.

DFARS Cybersecurity Compliance Countdown: Are You Ready?

Justin A. Chiarodo and Carolyn Cody-Jones

It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push.

DHS Contractor? Pricey New Cybersecurity Requirements (and Hidden Risks) May Await You

Justin Chiarodo

The Department of Homeland Security (“DHS”) recently issued three new proposed cybersecurity regulations for DHS contractors which warrant careful attention. Although a freeze on new regulations by the Trump administration will likely delay any final agency action, and extensive comments and meaningful changes to any final rules are expected, these new regulations could radically impact the compliance landscape for DHS contractors. As with recent cybersecurity amendments to the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (which we’ve covered here and here), these proposed rules seek to impose more safeguarding, handling, reporting, and training requirements on covered contractors. We continue to see cybersecurity as a major business risk in the industry today, and recommend contractors pay close attention to their operational, technology, and risk management practices relating to cybersecurity. We highlight the key elements of the proposed rules below.

Does Your Cybersecurity Program Satisfy Recent DFARS Amendments?

Justin Chiarodo

There is no question cybersecurity is a critical compliance and risk area for federal contractors. A seemingly endless stream of cyberattacks—on corporate databases, government servers, even baby monitors—shows the breadth of these problems and the need for action. Government contractors have the added challenge of specialized regulatory obligations, with compliance (or non-compliance) having a direct impact on the value of their business.