Senate Reintroduces IoT Cybersecurity Improvement Act

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.

To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.

NIST is directed to complete, by September 30, 2019, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities for IoT devices. Under the bill, those NIST efforts are to address at least: (i) secure development, (ii) identity management, (iii) patching, and (iv) configuration management for IoT devices.
NIST is directed to develop, by March 31, 2020, recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the Federal Government.” These recommendations are expected to include “minimum information security requirements” that address the cybersecurity risks of IoT devices owned or controlled by the federal government. Once these recommendations are issued, OMB will have 180 days to issue guidance to each agency, consistent with NIST’s recommendations.

Additionally, the bill would require NIST to do the following within 180 days of its enactment:

Publish a draft report addressing considerations for managing cybersecurity risks associated with the “increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks, and systems and Operational Technology devices, networks and systems.”
Consult with cybersecurity researchers and private-industry experts to publish guidance relating to the reporting and resolution of security vulnerabilities discovered in federal government IoT devices.

– OMB will then have 180 days to issue guidelines for each government agency, based on NIST’s recommendations. Those recommendations are required to be consistent with the information security requirements that are imposed on federal information systems in Title 44. OMB’s guidelines are also required to prohibit acquisition or use of IoT devices from a contractor or vendor that fails to comply with NIST’s security vulnerability guidance.

– Once OMB issues its guidance to agencies, these requirements will need to be included in a revision to the Federal Acquisition Regulation (FAR), which governs all federal procurement of goods and services using appropriated funds. No specific date for when these regulations should be promulgated are included in the current draft of the bill.

Notably, the Act also recognizes the debate about what constitutes an “IoT device.” It would apply to a “covered device,” which is defined as a “physical object” that: (1) is capable of connecting to and is in regular connection with the internet, (2) has computer processing capabilities that can collect, send, or receive data; and (3) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems. At the same time, it directs OMB to establish a process for interested parties to petition for a decision that a device is not covered by this definition, potentially providing clarity for makers of devices about whether they are covered by the measure.

This bill follows two failed bills from the last congressional term: the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018. The 2017 and 2018 Acts both focused on “provid[ing] minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.” The prior bills contained only limited guidance to NIST and instead focused on OMB. For example, the 2017 bill required OMB to provide guidelines on specific, enumerated contractual terms in vendor contracts for IoT devices. The 2018 bill directed OMB to consider “voluntary consensus standards” in its promulgation of guidelines on contractual terms.

The current bill also follows increasing efforts by NIST to focus on IoT cybersecurity. Its efforts include development of a “baseline” set of cybersecurity capabilities for IoT devices. NIST announced earlier this month that it is seeking feedback on its proposal, especially insights into identifying those cybersecurity capabilities that could be achieved across the widest set of IoT devices.

When Compliance Is Not Enough: OIG Seeks Voluntary Refund Despite Contractor’s Adherence to “TINA” Requirements

By Michael Wagner, Susan B. Cassidy and Ryan Burnette on March 11, 2019 Posted in Defense Industry, Government Contracts Regulatory Compliance, Procurement Policy, Procurement Reform

On February 25, 2019, the Office of Inspector General (“OIG”) for the Department of Defense (“DoD”) issued an audit report analyzing the prices of spare aviation parts purchased by the Defense Logistics Agency (“DLA”) and the Army from TransDigm Group, Inc. (“TransDigm”). The audit was conducted in response to letters from certain Members of Congress, who had inquired whether the spare parts were sold at fair and reasonable prices and in compliance with the Truthful Cost or Pricing Data Act (“Act”).[1] The OIG’s audit confirmed that both TransDigm and the responsible DoD contracting officers fully complied with the Act and related regulations governing the price negotiations, but the OIG nonetheless concluded that the contractor earned excess profit on the majority of parts sold. In a highly unusual move, the OIG recommended that DoD request a “voluntary refund” from TransDigm of its allegedly “excessive” profits, and the OIG also recommended a number of changes to statutory, regulatory, and administrative policies governing the provision of cost or pricing data. Continue Reading

After the Final Report: Expectations Following the Section 809 Panel’s Third Volume of Acquisition Policy Reforms

By Jordan Hirsch, Samantha Clark and Jeff Bozman on February 26, 2019 Posted in Defense Industry, Government Contracts Regulatory Compliance, Procurement Reform

The Section 809 Panel recently concluded its monumental analysis of defense acquisition law and regulations and released its third volume of recommended changes. As we have written previously, the Panel’s work stands out from previous acquisition reform efforts with the appendices of detailed legislative and regulatory changes that accompany the commissioners’ analysis and recommendations.

Given the scope of the Panel’s work, few believe that Congress or the Department of Defense (“DoD”) will — or even could — simply adopt the recommendations in full. Legislative bandwidth for additional acquisition reform is finite, and some of the Panel’s recommendations will prompt robust debate. In this post, we analyze some of the recommendations that government contractors should follow most closely. We highlight key issues and address the political dynamics involved in enacting them. Continue Reading

Defense Department Releases Artificial Intelligence Strategy

By Zachary Mears, Samantha Clark and Jeff Bozman on February 19, 2019 Posted in Artificial Intelligence (AI), Defense Industry

On February 12, 2019 the Department of Defense released a summary and supplementary fact sheet of its artificial intelligence strategy (“AI Strategy”). The AI Strategy has been a couple of years in the making as the Trump administration has scrutinized the relative investments and advancements in artificial intelligence by the United States, its allies and partners, and potential strategic competitors such as China and Russia. The animating concern was articulated in the Trump administration’s National Defense Strategy (“NDS”): strategic competitors such as China and Russia has made investments in technological modernization, including artificial intelligence, and conventional military capability that is eroding U.S. military advantage and changing how we think about conventional deterrence. As the NDS states, “[t]he reemergence of long-term strategic competition, rapid dispersion of technologies” such as “advanced computing, “big data” analytics, artificial intelligence” and others will be necessary to “ensure we will be able to fight and win the wars of the future.” Continue Reading

Trump’s New Executive Order Requires Additional Buy American Preferences For Infrastructure Projects

By Sandy Hoe, Michael Wagner and Peter Terenzio on February 7, 2019 Posted in Buy American, Construction Contracting, Domestic Preferences

Last week, President Trump issued a new executive order, entitled “Strengthening Buy-American Preferences for Infrastructure Projects.” This order serves as an extension of the President’s earlier April 2017 “Buy American and Hire American” executive order, which we have previously analyzed in this space. The April 2017 order stated that “it shall be the policy of the executive branch to buy American and hire American,” and, among other things, directed agencies to “scrupulously, monitor, enforce, and comply with” domestic preference laws (referred to by the executive order as “Buy American Laws”) and to minimize use of waivers that would permit the purchase of foreign end products.

The President’s new order continues to emphasize the importance of “the use of goods, products, and materials produced in the United States,” but is specifically directed towards infrastructure projects that are recipients of federal financial assistance awards. As we have reported previously, federally-financed infrastructure has also been a stated area of focus for the Trump administration, although the Administration’s “Legislative Outline for Rebuilding Infrastructure in America” released last year curiously lacked any domestic preference requirements.

The new executive order makes up for this previous omission and then some: it has the potential to affect a vast number of programs and projects, and may in fact impose domestic sourcing requirements in areas—such as internet infrastructure—that are not typically targets for domestic preferences.

Debate Over Qui Tam Constitutionality Resumes After 20-Year Hiatus

By Peter B. Hutt II, Herbert Fenster and Carl Wiersum on February 7, 2019 Posted in False Claims Act

The motivating force behind the False Claims Act, 31 U.S.C. §§ 3729-3733 (“FCA”) is its provision for qui tam enforcement, which authorizes private parties (aka relators) to initiate FCA cases on behalf of the United States. Id. § 3730(b)(1). Immediately after re-invigoration of the FCA in 1986, scholars and litigants questioned the constitutional validity of statutory authorization for relators to sue on behalf of the U.S. government. After 15 years of litigation, this debate withered, but has been recently re-invigorated.

This post summarizes four principal challenges to the constitutionality of qui tam enforcement, and then discusses two recent events in which these challenges have reappeared: the confirmation hearings for Attorney General nominee William Barr and a cert petition that asks the Supreme Court to rule on qui tam constitutionality. Continue Reading

A Tale of Two Protests: Recent GAO Decisions Highlight Impaired Objectivity OCIs

By Peter B. Hutt II, Hunter Bennett and Brooke Stanley on February 6, 2019 Posted in Bid Protests, Procurement Policy, Subcontracting

Organizational conflicts of interest (OCIs) are perpetually thorny issues in federal procurement that contracting officers are required to identify and evaluate “as early in the acquisition process as possible.”[1] Although the Government Accountability Office (GAO) has identified several OCI categories,[2] two recent decisions highlight so-called impaired objectivity OCIs, which arise when a contractor’s ability to provide objective advice or recommendations to the government will be undermined by competing interests. The two decisions serve as an important reminder of what does — and does not — qualify as meaningful consideration by the contracting officer in such situations, and how prospective contractors can assist in identifying and mitigating such OCIs.

DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors

By Susan B. Cassidy and Ian Brekke on January 29, 2019 Posted in Cybersecurity, Defense Industry, Government Contracts Regulatory Compliance, Information Technology Contracting

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts. Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements. This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks. And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems. Other requiring activities are reportedly requiring similar enhanced protections and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171. Since then, DoD has issued two additional guidance memoranda; one that includes contractual language for implementing the November 6^th guidance and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.

Surviving the Shutdown: Seven Things Contractors Should Consider If a Cost Overrun Is on the Horizon

By Susan B. Cassidy, Frederic Levy and Evan R. Sherwood on January 23, 2019 Posted in Claims and Contract Disputes, Costs, Government Contracts Regulatory Compliance

The U.S. Government shutdown is now the longest in U.S. history and is starting to have serious implications for Government contractors. One of many key concerns arises when contractors approach their contract funding ceiling — can they continue to work, and what happens if there is a cost overrun?[1]

The answers are often complicated for both contractors and agency officials, and depend on the terms of the contract and the statutory basis for the program. Contractors facing this situation should keep seven points in mind.

GAO Report Shows That Agencies Buy Only A Small Percentage of Non-American Goods, But Buy American Act Implementation Remains A Challenge

By Michael Wagner and Peter Terenzio on January 23, 2019 Posted in Buy American, Domestic Preferences, Trade Agreements Act

Last month, GAO released a report analyzing federal agency implementation of the Buy American Act (“BAA”), 41 U.S.C. §§ 8301-8305. As we have previously reported, BAA enforcement is an area of focus for the Trump Administration, which has repeatedly emphasized the need to “Buy American and Hire American,” including in an April 2017 executive order. And for government contractors, compliance with the BAA and other domestic sourcing regimes also has been an increasingly common subject of litigation, particularly under the civil False Claims Act, as we have detailed in this space.

In keeping with this Buy American focus, GAO was commissioned to report on (A) the extent to which federal agencies procure non-domestic end products through the use of BAA exceptions and waivers, and (B) the ways in which the government’s largest buyers provide training and guidance to implement BAA requirements. Although GAO found that only a relatively small percentage of goods purchased were foreign end products, GAO also found that this number could have been misstated due to reporting errors and system limitations. Moreover, GAO found that the level of BAA training varied significantly among the agencies it canvassed. GAO’s findings, which are discussed in greater detail below, offer a window into the government’s view of its own compliance with the BAA’s complex and often confusing regulatory scheme.