What Does a Potential One-Year Delay for Part B of Section 889 Mean for Your Compliance Efforts?

Justin A. Chiarodo, Merle DeLancey Jr., and Robyn N. Burrows

In remarks to Congress and statements this week, the Department of Defense (“DoD”) announced that it is considering a one-year delay for full implementation of Part B of the Section 889 ban (we previously summarized the ban, which prohibits the government from contracting with entities using certain Chinese telecommunications equipment, here). The ban is currently scheduled to go into effect on August 13, 2020. What does this welcome development mean for contractors? We think it warrants prioritizing near-term compliance efforts to high-risk areas, pending forthcoming rulemaking that will provide needed specifics on the way forward.


During June 10 remarks before the House Armed Services Committee, Undersecretary for Acquisition and Sustainment Ellen Lord expressed the DoD’s full support for the intent of Section 889, but admitted she is “very concerned” about being able to accomplish Part B implementation by August 13. As to whether the DoD can meet the current timeline given COVID-19 disruptions and the lack of an interim rule, Ms. Lord acknowledged that “we need more time” for contractors to comply.

Following the undersecretary’s testimony, the DoD announced that it is considering adding contract language giving its suppliers an additional year to reach full compliance with Part B. Though not final, the DoD’s proposed delay could relieve DoD contractors from full compliance with the impending August deadline. We anticipate this approach would be similar to the phase-in period for compliance with the Defense Federal Acquisition Regulation Supplement Safeguarding and Cyber Incident Reporting clause. It is not yet clear whether the Office of Management and Budget, which currently has the draft interim rule for Part B, will incorporate a delayed implementation into that forthcoming rule.

The DoD also signaled that it is poised to advocate for a more risk-based approach to Part B implementation and rulemaking. During her testimony, Ms. Lord expressed concern with the “unintended consequences” of a minor infraction several layers deep within the supply chain potentially shutting down major portions of the defense industrial base by disqualifying key prime contractors from doing business with the federal government. The DoD suggested that the use of a risk-based approach may be useful to achieve effective implementation. The DoD’s consideration of a risk-based approach indicates that it is equally concerned about its contractors’ ability to comply with a strict application of Part B.

How DoD’s Announcements Inform Compliance Efforts with Part B

Without an interim rule and with less than two months before the statutory August deadline, how should contractors begin implementing Part B? Given the DoD’s recent comments suggesting a risk-based approach, contractors should consider adjusting their Part B implementation efforts using a risk assessment framework, prioritizing high-risk areas. That is, contractors should identify the extent to which telecommunications or video surveillance equipment is used to support government contracts, the nature of that work, and the frequency with which the technology is used.

The nature of the product’s telecommunication function also informs its risk potential. For example, computers, routers, phones, and network equipment can generally be considered a higher priority area than technology that, although technically subject to the ban, presents a moderate to low cybersecurity risk, depending on the nature and frequency of use (e.g., HVAC systems, fax machines, copiers, scanners).

Contractors should also communicate with key suppliers to ensure that they are aware of the rule and are similarly working to prepare for Part B.

Although the DoD’s statements are welcome news—and reflect that the government is mindful of the challenges presented by the ban—the DoD remains committed to Section 889 and contractors should proceed accordingly.

Nothing Is Certain except Death, Taxes, and Now COVID-19 Contracts and Relief Funding Audits

Merle M. DeLancey Jr.

Despite COVID-19 article overload—and understandable fatigue—there is no doubt that there will be substantial audit activity related to COVID-19 contracts and receipt of relief funding. All of the ingredients for a Perfect Storm are present: unprecedented federal and state spending causing significant government budget deficits, coupled with hyper-partisan politics, and the creation of multiple government audit functions. Add in revenue-stressed government contractors perhaps focusing less on compliance, with a workforce working remotely, and you have everything necessary for a Perfect Storm. Let’s face it, the press and politicians are—or will be—on the lookout for relief funds and sweetheart contracts awarded to companies with cozy relationships with the executive branch, contracts that didn’t provide the intended benefit, and contracts and relief funds that have otherwise already received media attention.

There is nothing you can do to prevent an audit, but you can be prepared.  Below are some very general guidelines you can follow now to make your life easier in the future if you do become the target of an audit or potential audit.

  1. Memorialize Everything. Too many things are happening too fast.  Information that you think you will remember (so you don’t bother to write down or don’t write down with sufficient detail) will be forgotten. Audits can occur two, three, or even five years after the fact. Memories fade. Employees retire or move on.
  2. Ensure You Have Contracting Officer Approvals. Only contracting officers have warrants and only they can authorize changes to contracts that affect dollars, schedule changes, deliverables, and requirements. If you didn’t get contracting officer approval at the time, go back and request approval (in writing) now.
  3. Establish Commonsensical and Clear Labeling. At some point in time, you have moved to a new home and someone has told you to take an extra 30 seconds to add more detailed descriptions on your boxes. For example, while the label “closet” seemed adequate when packing-up, it is not useful when you are looking for bed sheets to sleep on at midnight for the first night in your new home. The same is true with government contracts. Simply labeling a folder or e-mail “HHS contract” is better than nothing, but it is not very helpful when trying to locate a specific conversation or contract modification.
  4. Centralize Contract Files for a Later, Easy Location. It is of no value to maintain documents and records if you cannot find them. Establish standard operating procedures (“SOPs”) so that someone walking in off the street two years from now can read them and easily understand where files are located.
  5. Archive E-mails to Avoid Automatic Deletion Programs. Company information technology systems are overwhelmed. As a result, many companies have implemented programs that automatically delete e-mails after a certain period of time. Design an SOP so that relevant government contracting e-mails are archived in a manner to avoid deletion.
  6. Perform Periodic Internal Spot Reviews. Simply having a compliance policy and procedures are no longer enough. You need to periodically confirm that the policy and procedures are being followed—and are effective. Conduct periodic spot checks and memorialize the results. Remember, the only thing worse than not having a compliance program, is having a program and not following it.
  7. Conduct Exit Interviews and Laptop Ghosting. Know how to find former employees. Don’t simply accept a former employee’s laptop, clean it, and reissue it to another employee. Take the extra time to ghost the laptop and save the contents in a place that you can locate at a later date (again, think two years from now). In addition, take the time to interview departing employees and, among other information, determine the location (hard and soft copy) of relevant government contracting files.

It makes no sense to work hard to win these contracts, help a state or the federal government respond to the COVID-19 national emergency, and record revenue today to only years later have to give back the money you earned because you don’t have documents in your contract files to substantiate information requested by an auditor. To be clear, auditors may be very nice people, but they don’t care that you did a great job and helped an agency achieve its mission. Auditors have a job to do. They have checklists to follow. If the required documents are not provided or available, they cannot and will not check the box. Rather, they will tell you to provide your explanation to the next level of review. Take the time now and follow the above guidelines to protect yourself. You will hate it now and claim that there just isn’t enough time in the day but, if and when you get that audit request, you will be thankful.

12 Steps for Reducing CARES Act Enforcement Risks

William E. Lawler III, Gregory F. Linsin, Justin A. Chiarodo, Dominique L. Casimir, and Sara N. Gerber

The Coronavirus Aid, Relief and Economic Security, or CARES, Act provides more than a trillion dollars in relief to both small and large businesses in the form of loans, grants and tax credits, designed to quickly stabilize the economy during the ongoing crisis.

But this is not free money: The CARES Act also includes a robust oversight and enforcement regime to enable the government to combat fraud, waste and abuse. Experience shows that when this much government money is being spent, there will be investigations and enforcement actions.

The CARES Act is complex with evolving regulatory guidelines, and this increases the potential for missteps by companies trying to take advantage of the program’s benefits while navigating program requirements. How can companies manage this uncertainty and reduce the risk of becoming an enforcement target?

We offer 12 suggested steps.

To read the full article that was published in Law360 on May 11, 2020, please click here.

Veterans Affairs Granted Unprecedented Procurement Authority under P.L. 85-804

John M. Clerici and Merle M. DeLancey Jr.

On April 10, 2020, the President issued a Memorandum to the Secretary of the Department of Veterans Affairs (“DVA”) authorizing the exercise of authority under Public Law 85-804, 50 U.S.C. §§ 1431-35. (See Memorandum on Authorizing the Exercise of Authority under Public Law 85-804.) This is a significant action that contractors must understand and be prepared to use for their benefit.

P.L. 85-804’s expansive powers are rarely invoked, used only in unique circumstances that require “extraordinary contractual actions.” See FAR Part 50. President Obama relied on P.L. 85-804 in 2014 when he granted the Administrator of the United States Agency for International Development (“USAID”) the authority to indemnify companies from lawsuits related to contracts performed in Africa in support of USAID’s response to the Ebola outbreak. Because there are now other legal authorities the U.S. Government may use to offer liability protection in certain circumstances (e.g., the SAFETY Act of 2002; the PREP Act of 2005), conferring liability protection under P.L. 85-804 is uncommon. The use of the law to broadly expand the U.S. Government’s contracting powers is truly extraordinary. Continue reading “Veterans Affairs Granted Unprecedented Procurement Authority under P.L. 85-804”

VA Federal Supply Schedule Contracts and the Coronavirus

Merle M. DeLancey Jr.

In response to the coronavirus COVID-19 pandemic, the Department of Veterans Affairs (“VA”) has relaxed procurement rules and regulations to facilitate purchases from VA federal supply schedules (“FSS”). On March 20, 2020, the VA National Acquisition Center (“NAC”) informed all VA FSS holders that, based upon the President’s invocation of the Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. 5121-5207 (the “Stafford Act”), state and local governments, territories, and tribes have full access to VA FSS contracts. See Presidential Declaration of National Emergency COVID-19 – State and Local Government Ordering Procedures.

Thus, even if a contractor did not elect to participate in Disaster Recovery Purchasing at the time of contract award, contractors are now permitted to accept any orders by state and local governments. However, whether to accept any state or local government order is voluntary not mandatory. Continue reading “VA Federal Supply Schedule Contracts and the Coronavirus”

GSA Federal Supply Schedules Contracts and the Coronavirus: Risks and Rewards

Merle M. DeLancey Jr.

On March 19, 2020, the General Services Administration (“GSA”) issued guidance regarding its process for issuing Defense Priorities and Allocation System (“DPAS”) Rated Orders. Significantly, however, GSA reminded its contracting officers that “[e]xisting Government sources of supply and contract vehicles should be considered first. Check to see if the required supplies are available.” See gsa.gov/buying-selling/purchasing-programs/gsa-schedules/gsa-schedule-offerings/consolidated-schedule/industrial-products-services-category and gsaadvantage.gov/advantage/search/specialCategory.do?cat=ADV.DR. GSA federal supply schedules (“FSS”) can be a contracting officer’s one-stop shop for protective equipment, disinfectants, hand sanitizers, and other products and supplies to combat the coronavirus COVID-19. The GSA FSS also offers a variety of solutions for agencies looking for teleworking options. See gsa.gov/buying-selling/purchasing-programs/gsa-schedules/gsa-schedule-offerings/consolidated-schedule/professional-services-category.

The largest active buyer in the market right now remains the federal government. FSS is an important tool for the government to get supplies and services, but do not be fooled. With these potential opportunities, there also are potential risks for FSS contractors that fail to follow the terms and conditions of their FSS contracts and/or seek to cut corners.

As is often the case, FSS vendors go above and beyond to provide services or deliver supplies to federal agencies to respond to emergency situations like the COVID-19 pandemic. As is also the case, months later, after the dust settles, agency offices of inspector general arrive to audit contracts. Inevitably, in the effort to expeditiously fill government orders, things get overlooked or ignored, and “but I was helping the agency fulfill its mission in response to a pandemic” is not a defense that will resonate with government auditors.

Based upon our experience, here are some tips for FSS vendors to follow and/or traps to avoid: Continue reading “GSA Federal Supply Schedules Contracts and the Coronavirus: Risks and Rewards”

Defense Production Act: Government Contractor Cheat Sheet

Merle M. DeLancey Jr.

On March 18, 2020, by Executive Order (“E.O.”), President Trump invoked the Defense Production Act of 1950 (“DPA”). The E.O. delegates DPA authority to the Secretary of the Department of Health and Human Services with respect to “all health and medical resources needed to respond to the spread of COVID-19 within the United States.” This means that the performance of rated contracts and orders (i.e., certain contracts and orders in support of programs covered by the DPA, as explained below) must be prioritized over competing commercial or non-rated governmental obligations—even if doing so could result in a breach of other obligations.

Set forth below is a checklist for contractors that have received (or believe they may receive) a rated order from a federal government agency:

1. Memorialize Standard Operating Procedures (“SOP”)

Effectively managing rated orders requires careful attention, particularly given the operational disruptions from coronavirus COVID-19. A company should consider establishing (or updating) SOPs for rated orders covering the following:

      • Designating a Point of Contact (“POC”) Responsible for Rated Orders. Publicize the POC within the company so that management and employees (e.g., C-Suite, Sales, and Marketing) who do not normally handle government contracting matters know who to contact.
      • Establish a Process to Communicate with Subcontractors. A prime contractor in receipt of a rated order stands in the shoes of the federal government and is required to notify applicable subcontractors of compliance with the rated order. Consider notifying subcontractors of the possibility of receiving a rated order and provide background on the DPA so they are not caught by surprise.
      • Establish a Commercial Customer Communications Plan. Because a rated order can delay or interfere with performance of commercial contracts, consider keeping commercial customers aware of potential impacts in the event that the government issues a rated order.
      • Frequent Communication with Contracting Officers. If the company believes it might receive a rated order, establish clear lines of communication with your Contracting Officers. Provide or re-confirm contact information for the company’s POC for rated orders.

Continue reading “Defense Production Act: Government Contractor Cheat Sheet”

New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?

Michael Joseph Montalbano

In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.

What Is the CMMC?

The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020, who will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:

    • Level 1 – Basic Cyber Hygiene
    • Level 2 – Intermediate Cyber Hygiene
    • Level 3 – Good Cyber Hygiene
    • Level 4 – Proactive
    • Level 5 – Advanced / Progressive

The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms. Continue reading “New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?”

For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows

On March 10, 2020, the Department of Commerce extended the deadline for U.S. companies to stop doing business with Huawei Technologies Co. Ltd. and its non-U.S. affiliates. The deadline has been extended multiple times and is now May 15, 2020. Under the extension, U.S. businesses can continue to work with Huawei on the operation of existing networks and mobile services, including cybersecurity research considered critical for network reliability.

Huawei was added to the Commerce Department’s Bureau of Industry and Security “Entity List” in May 2019. The Entity List includes foreign entities who have engaged in activities sanctioned by the State Department and activities contrary to U.S. national security and/or foreign policy interests.

In addition to the extension, the Commerce Department is seeking public comments through March 25, 2020, regarding the continuing need for, and scope of, possible future extensions concerning Huawei. The multiple extensions and new request for public comments are intended to allow time for companies and persons to shift from Huawei or its affiliates to alternative sources of equipment, software, and technology. Continue reading “For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?”

Five Steps to Take to Prepare for Part B of the Section 889 Ban

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows

Part B of Section 889 takes effect August 13, 2020. The ban prohibits the federal government from contracting with any “entity that uses” telecommunications and video surveillance products or services from Huawei Technologies Company Ltd. (Huawei) and four other Chinese entities, including their affiliates and subsidiaries (we’ve previously covered Section 889 here and here). This post examines recent industry feedback during a public meeting with the Department of Defense (“DoD”) and provides five compliance recommendations pending forthcoming rulemaking.

On March 2, 2020, DoD held a public meeting on Part B. Several trade associations gave feedback, and raised five major concerns: 1) the broad scope of the rule; 2) the inability of many contractors to meet the August 2020 compliance deadline; 3) whether the rule will apply outside the United States; 4) whether the term “use” would include a reseller’s commercial sales of prohibited products, thus precluding a supplier from contracting with the federal government; and 5) whether the “entity” subject to the ban includes only the legal entity executing the contract with the federal government, or also its affiliates and subsidiaries. Unfortunately, DoD did not indicate when an interim rule might issue. Continue reading “Five Steps to Take to Prepare for Part B of the Section 889 Ban”