Tag: Regulatory Compliance and Ethics

President Biden’s Recent Cybersecurity Executive Order Will Increase Compliance Obligations on the Private Sector

Sharon R. Klein, Alex C. Nisenbaum, Karen H. Shin, Justin A. Chiarodo, and Michael Joseph Montalbano

Companies providing information technology products and services to U.S. government agencies are now required to notify such agencies of cyber incidents and meet specific cybersecurity standards. The executive order attempts to modernize the federal government’s cybersecurity defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the [United States]’ ability to respond to incidents when they occur.” The executive order is just one example of the Biden administration’s push to improve the nation’s data privacy and cybersecurity practices in response to the recent series of ransomware attacks.

On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.

Proposed amendments are expected soon from the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) that will increase compliance obligations for government contractors and their vendors, building on a string of supply chain and cybersecurity regulation in recent years (including Section 889’s prohibition on the use of certain Chinese telecommunications, new registration requirements in the Supplier Performance Risk System, and the Department of Defense’s Cybersecurity Maturity Model Certification program). We see the biggest impacts on government contractors, such as developers and users of software.

To read the full client alert, please click here

Will Federal Contractors Be Required to Certify Employee COVID Vaccinations?

Albert B. Krachman and Brooke T. Iley

Do not be surprised if, before the end of 2021, the federal government begins requiring contractors to certify or represent that their employees have received COVID vaccinations. The federal government has long conditioned contract awards on contractor compliance with emerging social policy mandates. This practice dates backs to the 1960s, when collateral social policy clauses began appearing in federal contracts. The National Emergency created by COVID-19 would appear ripe for a similar federal government action in federal contracting.

Several factors are converging in the United States which signal the potential for a COVID vaccine Certification or Representation. First, the supply issue should be mostly resolved by June 30, 2021. The Biden administration has committed to make enough vaccines available for every adult in the country by the end of May 2021. Second, the administration has been extremely active in making procurement law changes to conform to its policy objectives. Crafting an Executive Order on COVID Vaccines for federal contractor employees is clearly within the administration’s wheelhouse and target zone. Third, as reported in the March 8, 2021, Wall Street Journal, the largest employers in the country, across all sectors, are already engaged in large scale efforts to vaccinate their own employees. Fourth, while the law in this area is still evolving, the prevailing view is that, with certain exceptions, private employers are legally permitted to mandate their employees receive COVID vaccinations as a condition of continuing employment, subject to a variety of considerations related to employee legal, medical, and workplace accommodations. Finally, the federal government might find a federal contractor vaccine mandate a helpful leverage point in the evolving conflict with those states choosing to disregard COVID protections.

Continue reading “Will Federal Contractors Be Required to Certify Employee COVID Vaccinations?”

Fifty Ways to Lose Your Federal Contract Award – Part 1: Failing to Secure Your Key Person Supply Chain

Albert B. Krachman

With apologies to Paul Simon, this is Part 1 of a series of articles on the many ways contractors can lose awards on federal contracts. These cautionary tales should inform anyone in a contractor organization with responsibility for authorizing, preparing, or negotiating competitive federal proposals.

Like a prize-winning recipe, the ingredients for losing an award are well known: one part carelessness, a pinch of greed, and some lack of attention to detail. Throw in a dash of procrastination, a late proposal revision, and then garnish it with an 11th-hour e-mailing of your proposal. Voila—you have cooked up a complete waste of proposal resources! 

We kick off this series with a story of an incumbent contractor who lost a billion-dollar follow-on contract by failing to contractually secure the services of a key person designated in the proposal.

Continue reading “Fifty Ways to Lose Your Federal Contract Award – Part 1: Failing to Secure Your Key Person Supply Chain”

Where Are We Going with Section 889 Part B?

Justin A. Chiarodo, Merle M. DeLancey, Jr., and Robyn N. Burrows

About two months have passed since the August 13, 2020, effective date of Part B of Section 889 of the FY 2019 National Defense Authorization Act. Part B, sometimes referred to as the Chinese telecommunications equipment ban, broadly prohibits the federal government from contracting with entities that use certain Chinese telecommunications (including video surveillance) equipment and services.

After the FAR Council published its July 10, 2020, Interim Rule, contractors, large and small, spent countless hours working to be able to certify compliance by August 13. This deadline was critical because the Interim Rule said that absent such a certification, a contractor was ineligible for future contract awards. That is, government agencies were prohibited from renewing or extending existing contracts with contractors unable to certify Part B compliance. Indeed, agencies were prohibited from issuing an order under an existing contract to a contractor that failed to certify compliance.

Yet, despite the Rule’s laudable policy goals, the government’s piecemeal and inconsistent implementation has placed government contractors in an untenable position. Continue reading “Where Are We Going with Section 889 Part B?”

Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing

Michael Joseph Montalbano

The Department of Defense (“DoD”) is expected to begin rolling out the Cybersecurity Maturity Model Certification (“CMMC”) program later this year. As a brief refresher, the CMMC is a certification system implemented by DoD to protect Controlled Unclassified Information (“CUI”) and other sensitive contract information. There are five CMMC levels of ascending sophistication. The most common CMMC levels are expected to be Level 1 and Level 3. Level 1 will require contractors to put into place basic safeguarding practices to protect federal contract information. Level 3 will require contractors to put into place more stringent safeguarding practices that are designed to protect CUI. Contractors receive their CMMC after they pass an assessment by a CMMC Third Party Assessment Organization (“C3PAO”) or an individual assessor.

Although DoD will not fully implement the CMMC program until 2026, more and more contracts will require offerors to hold a CMMC demonstrating that their organizations have implemented the necessary cybersecurity controls. A nightmare scenario for any defense contractor is to find itself unable to compete for a lucrative DoD contract due to insufficient time to obtain the required CMMC before proposal deadlines. Fortunately, the Accreditation Body (“AB”) that is responsible for rolling out the CMMC program has provided estimated timelines for contractors seeking a CMMC. Continue reading “Preparing for the Rollout of the Cybersecurity Maturity Model Certification: It Is All about the Timing”

Part B Interim Rule Bans Contractors from Using Covered Technology Starting August 13th: 5 Steps for Meeting the Compliance Deadline

Justin A. Chiarodo, Merle M. DeLancey, Jr., and Robyn N. Burrows

 

We previously discussed key elements of the newly released interim rule (“the interim rule” or “the rule”) implementing Part B of Section 889 (“Part B”), which prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment. This post provides a more detailed analysis of the scope and application of the rule, as well as five compliance recommendations given the impending August 13th deadline.

Rule Applies to All Contracts Effective August 13, 2020

Part B applies to all solicitations, options, and modifications on or after August 13th, including contracts for commercial items, commercially available off-the-shelf (COTS) items, and contracts at or below both the micro-purchase and simplified acquisition thresholds. Like it did with respect to Part A, GSA intends to issue a Mass Modification requiring contractors to certify compliance with Part B. GSA has also released Q&As and FAQs to assist contractors with Part B implementation. The interim rule acknowledges that Part B will have a broad impact across contractors in a range of industries, including healthcare, education, automotive, aviation, and aerospace. The rule, however, does not apply to federal grant recipients (which are subject to a separate rulemaking). Continue reading “Part B Interim Rule Bans Contractors from Using Covered Technology Starting August 13th: 5 Steps for Meeting the Compliance Deadline”

Newly Released Interim Rule Implementing Part B of Section 889

Justin A. Chiarodo, Merle M. DeLancey Jr., and Robyn N. Burrows

On July 10, the government issued the    long-awaited Interim Rule implementing Part B of Section 889 (here is a link to the pre-publication version, with the official version soon to follow). Part B prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment (previously discussed in our blog posts here and here). The Interim Rule is 86 pages and addresses issues related to compliance with Part B, as well as clarifying aspects of Part A.

These are the key points federal contractors need to know:

  • Effective Date: The effective date remains August 13, 2020. The ban applies to solicitations, options, and modifications on or after August 13. However, as we previously discussed, the Department of Defense may allow its contractors more time to comply, despite the statutory deadline.
  • Required Representation: An offeror must represent that, after conducting a reasonable inquiry, it does/does not use covered telecommunications equipment/services.
    • “Reasonable inquiry” means an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. An internal or third-party audit is not required.
  • Scope of “Use”: Applies to the contractor’s use of covered technology, regardless of whether it is used to perform a federal contract. Thus, a contractor’s commercial operations are included.
  • Affiliates/Subsidiaries: The required representation is not applicable to affiliates or subsidiaries at this time. The FAR Council is considering whether to expand the scope of the representation/prohibition to cover an offeror’s domestic affiliates, parents, and subsidiaries. If expanded, it would be effective August 13, 2021.
  • Subcontractors: The ban and required representation are not applicable to subcontractors at this time. The ban only applies at the prime contractor level and does not include a flow down obligation.
  • Detailed Waiver Process: The Interim Rule includes a detailed and complex process for seeking a waiver (really a two-year delayed application).
  • Suggested Compliance Steps: The Interim Rule suggests contractors adopt a “robust, risk-based compliance approach” to include educating personnel on the ban and implementing corporate enterprise tracking to identify covered equipment/services.

Regulators are still seeking feedback from industry, which suggests the government’s willingness to incorporate changes in a final rule. But prime contractors need to act now. In the next 30 days, prime contractors need to determine through a “reasonable inquiry” whether they use covered equipment, regardless of whether that use relates to performance of a federal contract. To demonstrate a reasonable inquiry, contractors should memorialize all steps taken and decisions made in performing the inquiry.

A more detailed analysis is forthcoming. In the meantime, if you have any questions regarding compliance, please contact one of Blank Rome’s Government Contracts practice group attorneys for guidance.

What Does a Potential One-Year Delay for Part B of Section 889 Mean for Your Compliance Efforts?

Justin A. Chiarodo, Merle DeLancey Jr., and Robyn N. Burrows


In remarks to Congress and statements this week, the Department of Defense (“DoD”) announced that it is considering a one-year delay for full implementation of Part B of the Section 889 ban (we previously summarized the ban, which prohibits the government from contracting with entities using certain Chinese telecommunications equipment, here). The ban is currently scheduled to go into effect on August 13, 2020. What does this welcome development mean for contractors? We think it warrants prioritizing near-term compliance efforts to high-risk areas, pending forthcoming rulemaking that will provide needed specifics on the way forward.

During June 10 remarks before the House Armed Services Committee, Undersecretary for Acquisition and Sustainment Ellen Lord expressed the DoD’s full support for the intent of Section 889, but admitted she is “very concerned” about being able to accomplish Part B implementation by August 13. As to whether the DoD can meet the current timeline given COVID-19 disruptions and the lack of an interim rule, Ms. Lord acknowledged that “we need more time” for contractors to comply.

Following the undersecretary’s testimony, the DoD announced that it is considering adding contract language giving its suppliers an additional year to reach full compliance with Part B. Though not final, the DoD’s proposed delay could relieve DoD contractors from full compliance with the impending August deadline. We anticipate this approach would be similar to the phase-in period for compliance with the Defense Federal Acquisition Regulation Supplement Safeguarding and Cyber Incident Reporting clause. It is not yet clear whether the Office of Management and Budget, which currently has the draft interim rule for Part B, will incorporate a delayed implementation into that forthcoming rule.

The DoD also signaled that it is poised to advocate for a more risk-based approach to Part B implementation and rulemaking. During her testimony, Ms. Lord expressed concern with the “unintended consequences” of a minor infraction several layers deep within the supply chain potentially shutting down major portions of the defense industrial base by disqualifying key prime contractors from doing business with the federal government. The DoD suggested that the use of a risk-based approach may be useful to achieve effective implementation. The DoD’s consideration of a risk-based approach indicates that it is equally concerned about its contractors’ ability to comply with a strict application of Part B.

How DoD’s Announcements Inform Compliance Efforts with Part B

Without an interim rule and with less than two months before the statutory August deadline, how should contractors begin implementing Part B? Given the DoD’s recent comments suggesting a risk-based approach, contractors should consider adjusting their Part B implementation efforts using a risk assessment framework, prioritizing high-risk areas. That is, contractors should identify the extent to which telecommunications or video surveillance equipment is used to support government contracts, the nature of that work, and the frequency with which the technology is used.

The nature of the product’s telecommunication function also informs its risk potential. For example, computers, routers, phones, and network equipment can generally be considered a higher priority area than technology that, although technically subject to the ban, presents a moderate to low cybersecurity risk, depending on the nature and frequency of use (e.g., HVAC systems, fax machines, copiers, scanners).

Contractors should also communicate with key suppliers to ensure that they are aware of the rule and are similarly working to prepare for Part B.

Although the DoD’s statements are welcome news—and reflect that the government is mindful of the challenges presented by the ban—the DoD remains committed to Section 889 and contractors should proceed accordingly.

Veterans Affairs Granted Unprecedented Procurement Authority under P.L. 85-804

John M. Clerici and Merle M. DeLancey Jr.

On April 10, 2020, the President issued a Memorandum to the Secretary of the Department of Veterans Affairs (“DVA”) authorizing the exercise of authority under Public Law 85-804, 50 U.S.C. §§ 1431-35. (See Memorandum on Authorizing the Exercise of Authority under Public Law 85-804.) This is a significant action that contractors must understand and be prepared to use for their benefit.

P.L. 85-804’s expansive powers are rarely invoked, used only in unique circumstances that require “extraordinary contractual actions.” See FAR Part 50. President Obama relied on P.L. 85-804 in 2014 when he granted the Administrator of the United States Agency for International Development (“USAID”) the authority to indemnify companies from lawsuits related to contracts performed in Africa in support of USAID’s response to the Ebola outbreak. Because there are now other legal authorities the U.S. Government may use to offer liability protection in certain circumstances (e.g., the SAFETY Act of 2002; the PREP Act of 2005), conferring liability protection under P.L. 85-804 is uncommon. The use of the law to broadly expand the U.S. Government’s contracting powers is truly extraordinary. Continue reading “Veterans Affairs Granted Unprecedented Procurement Authority under P.L. 85-804”

VA Federal Supply Schedule Contracts and the Coronavirus

Merle M. DeLancey Jr.

In response to the coronavirus COVID-19 pandemic, the Department of Veterans Affairs (“VA”) has relaxed procurement rules and regulations to facilitate purchases from VA federal supply schedules (“FSS”). On March 20, 2020, the VA National Acquisition Center (“NAC”) informed all VA FSS holders that, based upon the President’s invocation of the Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. 5121-5207 (the “Stafford Act”), state and local governments, territories, and tribes have full access to VA FSS contracts. See Presidential Declaration of National Emergency COVID-19 – State and Local Government Ordering Procedures.

Thus, even if a contractor did not elect to participate in Disaster Recovery Purchasing at the time of contract award, contractors are now permitted to accept any orders by state and local governments. However, whether to accept any state or local government order is voluntary not mandatory. Continue reading “VA Federal Supply Schedule Contracts and the Coronavirus”