New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?

Michael Joseph Montalbano

In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.

What Is the CMMC?

The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020, who will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:

    • Level 1 – Basic Cyber Hygiene
    • Level 2 – Intermediate Cyber Hygiene
    • Level 3 – Good Cyber Hygiene
    • Level 4 – Proactive
    • Level 5 – Advanced / Progressive

The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms.

After Acetris Decision, Trade Agreements Act Compliance Questions Abound: Contractors Need Guidance

Merle M. DeLancey Jr., Jay P. Lessler, and James R. Staiger

The Federal Circuit’s recent decision in Acetris has left many contractors scratching their heads and asking questions. To recap, on February 10, 2020, the Federal Circuit held that, under the Federal Acquisition Regulation (“FAR”), to qualify as a “U.S.-made end product” under the Trade Agreements Act (“TAA”), a drug must be either “manufactured” in the United States or “substantially transformed” in the United States. (See Federal Circuit Holds Generic Drugs Manufactured in the U.S. from API Produced in India Qualify for Sale to U.S. under Trade Agreements Act (Acetris Decision).) This is a stark change from the Government’s long-held position that manufacturing and substantial transformation were one and the same.

As a result of the Acetris decision, federal contractors seeking to comply with or maintain compliance with the TAA are facing many questions. Some of the more prominent questions are below.

Federal Circuit Holds Generic Drugs Manufactured in the U.S. from API Produced in India Qualify for Sale to U.S. under Trade Agreements Act (Acetris Decision)

Merle M. DeLancey Jr., Jay P. Lessler, and James R. Staiger

Earlier today, the United States Court of Appeals for the Federal Circuit issued a decision that is sure to send shockwaves through the generic drug industry. In Acetris, the Federal Circuit held that a generic drug manufactured in the United States complied with the Trade Agreements Act (“TAA”) and could be sold to the Department of Veterans Affairs. The court made this determination even though the drug’s active pharmaceutical ingredient (“API”) came from a non-designated country, India. In reaching its decision, the court broke away from longstanding Customs and Border Protection (“CBP”) precedent that the country where the API was produced dictated the location of “substantial transformation” and thus the country of origin for any resulting drug. The court held that under the Federal Acquisition Regulation (“FAR”), to qualify as a “U.S.-made end product” under the TAA, a drug must be either “manufactured” in the United States or “substantially transformed” in the United States—but not be both.

For years, generic drug manufacturers that manufacture drugs in the United States from API produced in India and China have been precluded from selling their drugs to the U.S. Government under the TAA. The Federal Circuit’s Acetris decision opens up the U.S. Government market for generic drugs manufactured in the U.S. from API produced in India and China.

Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward

Carolyn R. Cody-Jones

A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss qui tam complaint fraud allegations against the company. The complaint—brought by a former employee from the company’s cybersecurity department a month after his termination from the company—alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.

The primary regulation at issue in the case is DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information.

What DOJ’s FY 2018 False Claims Act Recovery Statistics Reveal

Michael J. Slattery

The Department of Justice (“DOJ”) recently released its annual fraud statistics for FY 2018. The statistics reveal that False Claims Act (“FCA”) recoveries reached their lowest level since FY 2009. However, although total recoveries are down, this decrease is more a by-product of a down year in major health care and financial services recoveries, and we think it is too early to view these numbers as reflecting a sea change in enforcement.

The annual statistics published by DOJ on December 21, 2018 demonstrate that the Government recovered a total of $2.88 billion in qui tam and non-qui tam FCA judgments and settlements in FY 2018. This represents the lowest amount recovered since FY 2009, when the Government recovered nearly $2.47 billion. It also demonstrates a short-term trend in declining recovery. FY 2018 was the second straight year in which fraud recovery decreased. However, recent comments by the Trump administration’s nominee for U.S. Attorney General likely indicate that no affirmative decision to decrease FCA actions will occur in the next few years.

Breaking Camp(ie): Supreme Court Sends Gilead FCA Case Back for Likely Dismissal, Postponing Escobar’s Return

Justin A. Chiarodo and Stephanie M. Harden

The Department of Justice’s (“DOJ”) bombshell statement last month that it would seek dismissal of the Gilead False Claims Act (“FCA”) suit—a qui tam suit alleging misrepresentations and concealments regarding active ingredient sources and quality for HIV medications—surprised many in the government contracts community. Though DOJ had signaled earlier last year in the so-called “Granston memo” that it may seek dismissal of certain FCA cases, the fact that DOJ sought to do so while a case was on appeal to the Supreme Court—and without consulting relators—was unexpected.

Supreme Court Grants Cert to Resolve Circuit Split on FCA Statute of Limitations

Sara N. Gerber

The U.S. Supreme Court has granted a writ of certiorari to address a Circuit Court split concerning whether False Claims Act (“FCA”) relators may rely on the statute of limitations in 31 U.S.C. § 3731(b)(2)—a limitations period which is triggered by the government’s knowledge of the fraud—when the government does not intervene. The Supreme Court granted cert on November 16, 2018, to review the Eleventh Circuit’s decision in U.S. ex rel. Hunt v. Cochise Consultancy, Inc. The Eleventh Circuit reversed the Alabama District Court, reviving the relator’s complaint by giving the relator the benefit of the longer limitations period in § 3731(b)(2).

At the center of the matter is the interplay between the two limitations periods in the FCA after which a “civil action under section 3730” is time-barred: (1) “6 years after the date” of an alleged violation, see 31 U.S.C. § 3731(b)(1); or (2) “3 years after the date” when material facts “are known or reasonably should have been known by the official of the United States charged with responsibility to act in the circumstances, but in no more than 10 years after the date” of the alleged violation, see 31 U.S.C. § 3731(b)(2). The relator in Cochise Consultancy filed his claim more than six years after the alleged fraud occurred, but within three years of his disclosure of the fraud to FBI agents who had interviewed him about his role in a separate kickback scheme, to which he ultimately pled guilty and served time in federal prison.