Starting December 4th, Contractors Must Rid Supply Chains of Covered Articles and Sources Subject to FASC Orders

Robyn N. Burrows

Effective December 4, 2023, a new interim rule will prohibit contractors from delivering or using covered articles and sources subject to exclusion or removal orders issued under the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”). The rule is intended to eliminate certain technology from the federal supply chain that foreign adversaries might exploit to commit malicious cyber acts. The interim rule allows the executive branch through the Federal Acquisition Security Council (“FASC”) to exclude certain technologies and manufacturers from federal procurements and even to require removal of covered articles from federal or contractor information systems during performance.

The rule imposes a host of new obligations, including certification, monitoring, and reporting requirements. This post provides practical guidance on the rule and several compliance tips to help contractors prepare for the December deadline.

Background

Congress passed Section 202 of the FASCSA to protect the information and communications technology (“ICT”) supply chain against threats and vulnerabilities that may lead to data and intellectual property theft, damage to critical infrastructure, or national security harm. The Act established the FASC as an interagency council authorized to make recommendations for orders that would require the removal of covered articles from agency information systems (removal orders) or the exclusion of sources or covered articles from agency procurement actions (exclusion orders) (collectively referred to as “FASCSA orders”).

In August 2021, the FASC issued a final rule establishing procedures for recommending removal and exclusion orders. The FASC evaluates supply chain risk based on several non-exclusive factors and sends its recommendations to the Secretaries of Homeland Security and Defense and the Director of National Intelligence to consider when deciding whether to issue a FASCSA order. If a FASCSA order is issued, agencies are required to implement the exclusion or removal order.

Proposed Bill Would Bar Contractors from Conducting Business in Russia

Stay up to date by subscribing to our blog. Add your e-mail address to the Subscribe box on the right (below the post on mobile) to get our timely posts delivered directly to your inbox.

Robyn N. Burrows

On March 21, 2022, Representative Carolyn B. Maloney (D-NY), Chairwoman of the House Oversight and Reform Committee, introduced the “Federal Contracting for Peace and Security Act” (H.R. 7185). In light of Russia’s military invasion of Ukraine, the proposed bill would prohibit federal agencies from contracting with companies operating in Russia. The Committee approved an amended version on April 6, and the bill will be sent to the House of Representatives for further consideration. If passed, the bill would have a significant impact on government contractors that continue to operate in Russia by terminating existing contracts and barring them from further contracting opportunities.

We provide below an overview of the key elements of the bill. We anticipate further clarifications as the bill proceeds through the legislative process. Contractors should closely monitor these developments as this legislation will likely pose challenges to companies seeking to quickly disentangle themselves from any ongoing Russian business.

Is Your Company Prepared for the New Cyber Incident Reporting Requirements?

Michael J. Montalbano

On March 11, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Law includes new reporting requirements for companies who experience cyber incidents or make ransomware payments.

Under the Law, covered entities that experience covered cyber incidents must report the incident to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred. Covered entities must also notify CISA within 24 hours of making a ransomware payment.

The new cyber reporting law tasks CISA with creating more precise definitions for who constitutes a “covered entity” and what constitutes a “cyber incident.” Even the general language of the statute, however, provides some guidance for companies.

Beyond DOJ’s Blockbuster Year in FCA Recoveries, Whistleblower Activity and Investigations Continue

Elizabeth N. Jochum and Jennifer A. Short

The attention-grabbing headline from the Department of Justice’s (“DOJ”) annually released statistics on False Claims Act (“FCA”) settlements and judgments is that the government recovered more than $5.6 billion from FCA cases in fiscal year (“FY”) 2021. While this is the second largest annual recovery in FCA history and the largest since 2014, procurement fraud cases represented a substantially smaller percentage of the total recoveries than in years past. Healthcare resolutions dominated, accounting for more than five billion of the $5.6 billion in settlements and judgments. In previous years, healthcare matters have accounted for closer to two-thirds of the total recoveries, making last year’s outsized healthcare figure—driven by the blockbuster opioid settlements of late 2020[1]—an outlier.

Beyond the top-line dollar figures, the report shows that FCA activity continues at a healthy, if not fully robust, pace. The COVID-19 pandemic continues to impact qui tam filings; the number of new whistleblower suits dropped to 598 in FY 2021, a ten-year low. The number of DOJ-initiated matters remains higher than the near-term average, particularly in healthcare, but also in Department of Defense (“DOD”)-related cases. Contractors, healthcare providers, and others—especially those who received federal funding through pandemic aid programs—can anticipate that FCA investigations and resolutions will play out over the next several years.

Expect GSA to More Closely Scrutinize Trade Agreements Act Compliance

Merle M. DeLancey Jr.

On January 21, 2022, the General Services Administration (“GSA”) Office of Inspector General (“OIG”) informed the Federal Acquisition Service (“FAS”) that ongoing monitoring by the OIG found that the FAS failed to properly monitor the sale of products for compliance with the Trade Agreements Act (“TAA”) during the COVID-19 response. Previously, in April 2020, GSA relaxed compliance with the TAA for a limited number of Federal Supply Classes (“FSCs”) to aid the government’s response to the COVID-19 pandemic. The applicable FSCs included those covering N95 masks, cleaners and disinfectants, disposable gloves, and hand sanitizers. After several extensions, the TAA exception policy expired on April 30, 2021.

The OIG identified two deficiencies in FAS’ implementation of the TAA exception policy. First, the OIG found that FAS failed to properly track the addition of non-compliant products to contracts. As a result, after expiration of the exception policy, there was no effective way for GSA to remove the non-compliant products from contracts. Second, the OIG found that GSA improperly permitted the addition of non-compliant products to GSA contracts. For example, some products that were added were unrelated to the government’s response to the pandemic; some products were added to GSA contracts prior to the effective date of the TAA exception policy; and, remarkably, in one case, a product was added to a contract that identified North Korea as its country of origin.

Affirmative Action Program Compliance Alert: OFCCP Online Contractor Portal

Merle M. DeLancey Jr.

Beginning February 1, 2022, contractors and subcontractors required to maintain affirmative action plans (“AAPs”) can register for access to a new secure online contractor portal. The portal was developed and will be monitored by the Office of Federal Contract Compliance Programs (“OFCCP”). OFCCP has been working on an information and verification process for three years. In August 2021, the Office of Management and Budget approved OFCCP’s use of the portal. The portal provides contractors a secure method of (i) annually certifying compliance with AAP requirements and (ii) submitting AAPs to OFCCP during audits or compliance evaluations.

Executive Order 11246 and Section 503 of the Rehabilitation Act of 1973 require contractors and subcontractors that hold a contract valued at $50,000 or more and employ 50 or more employees to comply with equal employment and affirmative action requirements. This includes developing and maintaining written AAPs. Currently, only services and supply contractors, not construction contractors, are required to certify compliance.

CMMC 2.0 Brings Much Needed Relief to the Defense Industrial Base

Michael J. Montalbano

In response to more than 850 public comments, the Department of Defense (“DOD”) has decided to significantly revamp the Cybersecurity Maturity Model Certification (“CMMC”) program. On November 4, 2021, DOD announced that it was replacing the current CMMC program with CMMC 2.0, which is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”). DOD made three significant changes through the new CMMC 2.0 program:

Reduces the number of CMMC levels. As we explained in earlier posts, CMMC 1.0 originally had five CMMC levels of ascending sophistication. CMMC 2.0 now only has three levels:

      • CMMC 2.0 Level One: This level will apply to most DIB companies and requires compliance with 17 basic cyber hygiene practices.
      • CMMC 2.0 Level Two: This level applies to DIB companies who will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171. Notably, DOD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS clause 252.204-7012.
      • CMMC 2.0 Level Three: DOD is still developing the requirements for this level, but we expect that this level will apply to only the most sensitive and high-risk DOD projects.

State Vaccine Mandate Bans: What Are Federal Contractors to Do?

Justin A. Chiarodo and Stephanie M. Harden

Texas Governor Greg Abbott just raised the stakes in the inevitable tide of litigation about President Biden’s COVID-19 vaccine mandates by issuing an Executive Order banning vaccine mandates in Texas. We expect other states to follow suit. This raises important questions for federal contractors, who are working against the clock to ensure compliance with the new vaccine mandate applicable to most federal contracts by December 8, 2021 (see our most recent blog post about the details of the mandate, Government Contractor Vaccine Mandate FAQ: Status of Class Deviations and Accommodations Process).

Breaking Down the COVID-19 Safety Guidance for Government Contractors and Subcontractors: What We Know, What We Don’t, and What’s Next

Justin A. Chiarodo and Albert B. Krachman


Answering some questions and raising others, the Safer Federal Workforce Task Force issued its highly anticipated COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors on Friday, September 24. The Guidance follows the president’s September 9, 2021, Executive Order (“EO”), which we summarized in FAQ: Government Contractor COVID Safeguards Executive Order.

In short: a broad vaccine mandate for employees of government contractors is coming. But the exact details on application, exemptions, and compliance remain unclear. New rules due by October 8, 2021, should better address those questions. Adding to this uncertainty, the Guidance encourages individual agencies to issue their own (potentially broader) guidance. That said, we can infer a lot from Friday’s guidance.

Old Dominion, New Privacy Law: The Virginia Consumer Data Protection Act

With the recent adoption of the Virginia Consumer Data Protection Act (“VCDPA”), the state’s consumers will have new rights to understand what data a company collects about them, how that data is used, and with whom they share it. In short, the new law will have a national impact on any company doing business in the state.

Led by attorneys from Blank Rome’s Privacy, Security & Data Protection and White Collar Defense & Investigation Groups, this complimentary webinar will provide in-depth analysis of the VCDPA and timely insights on how businesses should prepare to comply with its provisions, including discussion of:

      • Scope of the VCDPA;
      • The VCDPA compared to the California Consumer Privacy Act and other privacy regimes;
      • New data rights of consumers;
      • Information security requirements; and
      • Issues related to enforcement.

PRESENTERS

  • Sharon R. Klein, Partner and Chair, Privacy, Security & Data Protection, Orange County, CA
  • Alex C. Nisenbaum, Partner, Privacy, Security & Data Protection, Orange County, CA
  • Jennifer A. Short, Partner, White Collar Defense & Investigations, Washington, D.C.

CLE Credit

This course is anticipated to qualify for the following CLE credits: VA 1.0 general credit

QUESTIONS? Please contact Courtney Litman via e-mail.

Tuesday, September 21, 2021
10:00‒11:00 a.m. PDT / 1:00‒2:00 p.m. EDT
Online Event
