On October 18, 2022, Senate Majority Leader Chuck Schumer (D-NY) issued a press release signaling a potentially significant expansion of Section 889 through a proposed amendment to the 2023 National Defense Authorization Act (“NDAA”). Schumer’s proposal is aimed at extending the telecommunications supply chain prohibitions in Section 889 to the semiconductor manufacturing industry.
Section 889 currently prohibits contractors from providing the federal government or using any products or services that incorporate “covered telecommunications equipment or services” from five Chinese telecom companies and their affiliates and subsidiaries: (1) Huawei Technologies Company, (2) ZTE Corporation, (3) Hytera Communications Corporation, (4) Hangzhou Hikvision Digital Technology Company, and (5) Dahua Technology Company.
Schumer’s 2023 NDAA amendment would expand Section 889 by banning semiconductor products like microchips from the following three Chinese entities: (1) Semiconductor Manufacturing International Corporation (“SMIC”), (2) ChangXin Memory Technologies (“CXMT”), and (3) Yangtze Memory Technologies Corp. (“YMTC”). Schumer noted that these companies have known links to the Chinese state security and intelligence apparatuses. The amendment is aimed at filling a gap in federal procurement restrictions that currently do not include semiconductor technology and services, creating a vulnerability for cyberattacks and data privacy. The amendment would not take effect until three years after the NDAA’s enactment, or until 2025.
Although we do not yet know whether Schumer’s amendment will be incorporated into the final NDAA bill, contractors should nevertheless begin evaluating their supply chains to identify any semiconductor products from any of the three named Chinese manufacturers. Schumer’s amendment signals a continually expansive interpretation and enforcement of Section 889, which may be reflected in the final rulemaking for Section 889. The current FAR docket anticipates a final rule in December 2022, although these deadlines continue to be moving targets.
Effective October 1, 2022, Department of Defense (“DoD”) contractors must comply with Part B of Section 889 of the FY 2019 National Defense Authorization Act (“NDAA”). The approximately two-year long Part B waiver granted to the Director of National Intelligence expired October 1. DoD contractors cannot seek a DoD agency-level waiver as DoD cannot grant waivers under the statute. Thus, as with other agencies, DoD is prohibited from entering into, extending, or renewing contracts with contractors who use covered telecommunications or video surveillance equipment and services from certain Chinese companies in any part of their business.
Compliance with Part A of Section 889 was straightforward. Part A prohibited contractors from selling covered technology to the federal agencies. Comparatively, compliance with Part B is much more complicated. Part B requires a contractor to certify that it does not use “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The prohibition applies to all contracts at any dollar value. “Covered telecommunications equipment or services” is defined as equipment, services and/or video surveillance products from Huawei Technologies Company, Hangzhou Hikvision Digital Technology Company, Hytera Communications Company, Dahua Technology Company, ZTE Corporation, or any entity controlled by the People’s Republic of China.
In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).
The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.
On May 25, 2022, the Department of Defense (“DoD”) issued a memorandum recognizing that contractors are not immune from the “period of unusually high” inflation. The memorandum, titled “Guidance on Inflation and Economic Price Adjustments,” provides guidelines on when relief from cost increases due to inflation is appropriate and provides considerations for the proper use of economic price adjustment (“EPA”) clauses when entering into new contracts.
For existing DoD contracts, whether contractors can get relief from inflation depends on the type of contract.
In February 2021, the Department of Defense (“DoD”) promulgated 32 C.F.R. Part 117. This move converted the National Industrial Security Program Operating Manual (“NISPOM”)—the rules that govern personnel and facility security clearances—from DoD policy into federal law. The move originally garnered little attention because the new regulations include virtually all requirements that were in the prior NISPOM. DoD, however, embedded new requirements with potentially significant implications for cleared contractors and their senior management officials (“SMO”). And the Defense Counterintelligence and Security Agency (“DCSA”) is now signaling that it will hold SMOs accountable if they fail to meet these requirements.
A cleared contractor’s SMO is the person “with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.” § 117.3(b). Typically, the SMO is the individual who holds the top position at a company, such as a chief executive officer or majority owner. Prior to the promulgation of Part 117, the SMO had discretion to delegate responsibility over the contractor’s industrial security program to another employee. Section 117.7(b)(2) of the new NISPOM regulations has put an end to that practice.
The Department of Defense (“DoD”) recently issued its final rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to provide offerors enhanced post-award debriefing rights. DoD has provided these enhanced debriefing procedures since 2018 through a FAR Class Deviation, allowing offerors to submit additional questions after receiving the post-award debriefing. Four years later, DoD’s final rule clarifies when the clock for an automatic stay begins in an enhanced debriefing and provides greater transparency by allowing unsuccessful offerors in certain procurements access to the agency’s redacted source selection decision.
We highlight below several key elements of the final rule:
Access to Redacted Source Selection Decision Document
The final rule requires DoD to provide the source selection decision document in certain circumstances, redacted to remove confidential and proprietary information of other offerors. For awards over $100 million, DoD must automatically provide the source selection decision during the debriefing. Small businesses and nontraditional defense contractors on procurements resulting in awards over $10 million and up to $100 million are also entitled to a copy of the decision but must specifically request it—the agency will not automatically provide it to offerors.
Stay up to date by subscribing to our blog. Add your e-mail address to the Subscribe box on the right (below the post on mobile) to get our timely posts delivered directly to your inbox.
As the federal government prepares to roll out infrastructure grants and contracts in amounts not seen since the New Deal and the defense industrial base (“DIB”) gears up to support billions in new spending to support Ukraine, a new Department of Defense (“DoD”) report raises serious concerns about the state of competition within the DIB. The report recently released by the Office of the Under Secretary of Defense for Acquisition and Sustainment analyzes the state of competition within the DIB and concluded that it can be summarized in one word: poor. The report discusses the causes for the lack of competition and makes recommendations for improving the solicitation process to increase competition, inspire innovation, reduce prices, and improve quality.
Foremost among the causes for the lack of competition identified by the report is consolidation of the DIB. Of 51 aerospace and defense prime contractors in the 1990s only five exist today. Although the report failed to find significant correlation between this consolidation and increased pricing, the consolidation raises additional concerns for DoD, such as national security, mission risk, and strategic technology innovation. The report notes that “having only a single source or a small number of sources for a defense need can pose mission risk and, particularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation, pose significant national security risks.” The report recommends that when a merger is likely to harm one of these interests, DoD work closely with the Federal Trade Commission and Department of Justice to take structural or behavioral measures deemed necessary, up to and including blocking the merger.
The attention-grabbing headline from the Department of Justice’s (“DOJ”) annually released statistics on False Claims Act (“FCA”) settlements and judgments is that the government recovered more than $5.6 billion from FCA cases in fiscal year (“FY”) 2021. While this is the second largest annual recovery in FCA history and the largest since 2014, procurement fraud cases represented a substantially smaller percentage of the total recoveries than in years past. Healthcare resolutions dominated, accounting for more than five billion of the $5.6 billion in settlements and judgments. In previous years, healthcare matters have accounted for closer to two-thirds of the total recoveries, making last year’s outsized healthcare figure—driven by the blockbuster opioid settlements of late 2020—an outlier.
Beyond the top-line dollar figures, the report shows that FCA activity continues at a healthy, if not fully robust, pace. The COVID-19 pandemic continues to impact qui tam filings; the number of new whistleblower suits dropped to 598 in FY 2021, a ten-year low. The number of DOJ-initiated matters remains higher than the near-term average, particularly in healthcare, but also in Department of Defense (“DOD”)-related cases. Contractors, healthcare providers, and others—especially those who received federal funding through pandemic aid programs—can anticipate that FCA investigations and resolutions will play out over the next several years.
In response to more than 850 public comments, the Department of Defense (“DOD”) has decided to significantly revamp the Cybersecurity Maturity Model Certification (“CMMC”) program. On November 4, 2021, DOD announced that it was replacing the current CMMC program with CMMC 2.0, which is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”). DOD made three significant changes through the new CMMC 2.0 program:
Reduces the number of CMMC levels. As we explained in earlier posts, CMMC 1.0 originally had five CMMC levels of ascending sophistication. CMMC 2.0 now only has three levels:
CMMC 2.0 Level One: This level will apply to most DIB companies and requires compliance with 17 basic cyber hygiene practices.
CMMC 2.0 Level Two: This level applies to DIB companies who will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171. Notably, DOD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS clause 252.204-7012.
CMMC 2.0 Level Three: DOD is still developing the requirements for this level, but we expect that this level will apply to only the most sensitive and high-risk DOD projects.
On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited, interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under current cybersecurity regulations set out by the National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020; although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.
NIST Self-Assessment Requirements
The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date. Continue reading “New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements”