DOD and GSA Seek Comments on Draft Cybersecurity Implementation Plan

Justin A. Chiarodo and Daniel A. Broderick

Justin A. ChiarodoDaniel A. BroderickOn Wednesday, March 12, 2014, the Department of Defense (DOD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) requested public comments on its draft implementation plan (draft plan) for federal cybersecurity acquisition. See 79 Fed. Reg. 14042 (Mar. 12, 2014). The draft plan is the first of several steps toward implementing the recommendations outlined in the Working Group’s recently finalized report on Improving Cybersecurity and Resilience Through Acquisition (summarized here).

As comments are due on April 28, 2014, federal contractors and other stakeholders should act quickly to submit their views on what will have a significant and lasting impact on federal cybersecurity acquisition practices.

The draft plan proposes a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions, and by design, it will affect nearly all contracting entities. The draft plan proposes a “taxonomy” for categorizing procurements so that the government can effectively prioritize those in need of additional resources, attention, and safeguards. As proposed, the taxonomy is modeled on Federal Information and Communications Technology (ICT) acquisitions—though the Working Group has asked whether this framework is a workable model for the categorization of all acquisitions. The Working Group would use the ICT framework to categorize all acquisitions that present cyber risk, after which it would separately assess the risks within each category. Categories that present greater cybersecurity risk (based on threats, vulnerabilities, and impacts) would receive more and faster attention in acquisitions. The taxonomy is, in our view, the most significant new development in the draft plan, as it will serve as the principal basis for categorizing the extent of cyber regulations for procurements. This aspect of the plan accordingly warrants particularly close attention. Continue reading “DOD and GSA Seek Comments on Draft Cybersecurity Implementation Plan”

The DOD Gets Serious About Supply Chain Integrity

David Yang

David YangThe issue of counterfeit electronic parts in the Department of Defense (DOD) supply chain has taken center stage in recent years given the performance and security concerns that such parts can pose. Hearings before the Senate Armed Services Committee in November 2011 revealed an “open and notorious” counterfeit parts industry and led to the inclusion of Section 818 in the FY 2012 National Defense Authorization Act (NDAA), which was enacted on December 31, 2011. Section 818, which was further amended by the 2013 NDAA, requires the DOD to implement regulations to define, identify, and prevent the use of counterfeit electronic parts in DOD procurements as well as limit the allowability of costs to replace, rework, or take other corrective action in connection with such parts. Notably, the risks and costs associated with these requirements will largely be placed on contractors.

Although final regulations have yet to be issued, the DOD issued proposed rules on May 16, 2013 and December 3, 2013 for industry consideration. As issued, however, the proposals, which raise more questions than they answer, place significant cost and performance risks (including breach, termination, and perhaps even false claims liability) on covered contractors and will almost certainly and significantly increase compliance costs. Continue reading “The DOD Gets Serious About Supply Chain Integrity”

DoD and GSA Issue Final Report on Improving Cybersecurity and Resilience through Acquisition

Justin A. Chiarodo and Daniel A. Broderick

Justin A. ChiarodoDaniel A. BroderickOn January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development.

The final report is perhaps most notable as another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril. Continue reading “DoD and GSA Issue Final Report on Improving Cybersecurity and Resilience through Acquisition”

Final DFARS Rule Imposes New Cybersecurity and Reporting Obligations

Justin A. Chiarodo and Daniel A. Broderick

Justin A. ChiarodoDaniel A. BroderickLast November, the U.S. Department of Defense (DoD) issued a final rule imposing enhanced cybersecurity and reporting obligations on contractors and subcontractors with information systems containing unclassified controlled technical information (UCTI). 78 Fed. Reg. 69273 (Nov. 18, 2013). UCTI is defined to mean technical information with a military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

The final rule adds a new subpart (224.73) and corresponding contract clause (252.204-7012) to the Defense Federal Acquisition Regulation Supplement (DFARS), and together they direct contractors that handle UCTI to (1) implement enhanced safeguards and (2) report and investigate certain incidents affecting such information.

This final rule implements one part of the broader and more controversial proposed rule, published in June 2011. 76 Fed. Reg. 38089 (June 29, 2011). That rule, which proposed substantial compliance obligations for protection of unclassified information, applied to a larger class of nonpublic information, including nonpublic information either provided by or on behalf of the DoD or collected, developed, received, or transmitted in conjunction with the contractor’s support of an official DoD activity. Unlike the proposed rule, however, this final rule is narrower in scope because it concerns only a single category of data: UCTI. Continue reading “Final DFARS Rule Imposes New Cybersecurity and Reporting Obligations”

AAA Expands Review of Arbitration Awards With New Appellate Rules

Scott Arnold, Justin A. Chiarodo and Christian N. Curran

Scott Arnold Justin A. ChiarodoChristian N. Curran The American Arbitration Association (AAA) recently adopted optional Appellate Rules which significantly change the resolution of post-award issues. The new Appellate Rules, effective November 1, 2013, permit appeals of arbitration rulings directly to an AAA appellate panel. Given the difficulty in overturning traditional arbitration awards, these new rules could help protect against factually and legally flawed outcomes. However, they also could add both time and expense to an arbitration, limiting the efficiencies and cost savings that often lead contractors to use arbitration provisions in the first place. This alert discusses the new Appellate Rules, and some things to keep in mind when evaluating whether to use them.

New Appeal Grounds

One of the traditional features of arbitration compared to litigation is that arbitrations are designed to reach a final decision sooner. Vacating an arbitration award is extremely difficult and can generally only be done under limited circumstances (e.g., plain and obvious bias of an arbitrator, fraud or corruption, misconduct of an arbitrator, or if arbitrators exceed their powers). See Federal Arbitration Act, 9 U.S.C. § 10. An arbitration panel’s legal or factual errors alone are not traditional grounds to overturn an award.

Addressing some of these limitations, the new Appellate Rules provide an optional appellate proceeding for parties who agree to use the rules-either by stipulation or contract provision-to appeal an award based on two grounds: “(1) an error of law that is material or prejudicial; or (2) determinations of fact that are clearly erroneous.” Appellate Rule A-10. Continue reading “AAA Expands Review of Arbitration Awards With New Appellate Rules”

First Circuit Ends Closely Watched Takeda Suit With Limited Ruling

Justin A. Chiarodo

Justin A. ChiarodoThe First Circuit recently affirmed the dismissal of a closely watched False Claims Act (FCA) suit in United States ex rel. Ge v. Takeda Pharmaceutical Co. because the relator’s complaint failed to identify any examples of actual false claims presented to the federal government. The relator Helen Ge, alleged that Takeda, a pharmaceutical company, failed to inform the U.S. Food and Drug Administration (FDA) of adverse events associated with its drugs Uloric, Kapidex/Dexlant, Prevacid, and Actos. Federal law requires Takeda to inform the FDA of such adverse events. According to Ge, claims for the reimbursement of Takeda drugs under federal Medicare and state Medicaid programs must have been false because Takeda failed to inform the FDA of adverse events associated with those drugs. The First Circuit held that such allegations do not rise to the level of particularity required by the federal rules.

The Takeda case has been closely watched since the district court dismissed the case in November 2012. The district court’s dismissal order stated that compliance with the FDA’s reporting requirements was not a material condition of payment. Although the FDA has the discretion to remove drugs that are marketed in violation of the adverse-event reporting requirement, it is not required to do so. Thus, in the district court’s view, claims such as Ge’s would always be subject to dismissal. Continue reading “First Circuit Ends Closely Watched Takeda Suit With Limited Ruling”

Increased Profit Under a Firm-Fixed Price Contract a False Claim? Not So Says One Federal District Court

Richard J. Conway and Justin A. Chiarodo

Justin A. ChiarodoIn a significant decision regarding the application of the False Claims Act (FCA) to firm-fixed price procurement contracts, the U.S. District Court for the Middle District of Florida recently held that a government contractor working under a fixed-price contract is not liable under the FCA for higher than expected profits and “failing to notify the Government that the work could be performed less expensively and charged a lower price” than the contract price. U.S. ex rel. Prime v. Post, Buckley, Schuh & Jernigan, Inc., 2013 WL 4506357, No. 6:10-cv-1950 (M.D. Fla. Aug. 23, 2013).

The defendant was a joint venture that had entered into a fixed price indefinite delivery/indefinite quantity (ID/IQ) contract with the government to provide architect and engineering services for an Everglades restoration project overseen by the Army Corps of Engineers. As the project was a first-of-its-kind effort, the Corps planned to reduce its cost risk by using a fixed-price contract performed through task orders. The ID/IQ contract provided negotiated fixed-price labor rates and a negotiated profit component, derived primarily from past Corps contract experience. Subsequent fixed-price task orders were lump-sum, determined in accordance with the agreed-upon labor rates multiplied by the number of days required to complete the work, and included the agreed-upon profit component. The joint venture saw its profit margin increase through the use of efficient staffing of task orders with lower-cost resources than those contemplated in the original ID/IQ formulas. Continue reading “Increased Profit Under a Firm-Fixed Price Contract a False Claim? Not So Says One Federal District Court”