On April 24, 2018, the Department of Defense (DoD) issued a Notice and Request for Comment on draft guidance that DoD proposes for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST Special Publication (SP) 800-171. This includes assessments as part of source selection decisions and during contract performance. DFARS 252.204-7012 requires defense contractors to provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted. Adequate security means, “at a minimum,” implementing NIST SP 800-171. To demonstrate implementation or planned implementation of the security controls in NIST SP 800-171, contractors must describe in a SSP how the security requirements have been implemented and develop plans of action and milestones (POA&M) that describe how any unimplemented security requirements will be met. Continue Reading
Department of Homeland Security Secretary Kirstjen Nielsen Proposes “More Forward-Leaning Posture” for Federal Government in Cybersecurity
On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference. A copy of her prepared remarks is available here. Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure.
Secretary Nielsen set the stage by describing the realities of the cyber threat landscape: 2017 was a landmark year in terms of cyberattack volume, with nearly half of all Americans having their sensitive personal information exposed online and ransomware attacks spreading to more than 150 countries. The Secretary stated that cybercrime damages are estimated to reach $6 trillion annually[1] by 2021, and suggested that the emergence of internet-connected devices could make us even more vulnerable to cyberattacks.
To address evolving cyber threats and more sophisticated threat actors, Secretary Nielsen posited a five part approach that DHS is taking to support a “more forward-leaning posture” in the cybersecurity area. Those five approaches are summarized below:
NIST Releases Updated Cybersecurity Framework
Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks. Four years later, NIST has released an updated version of the Framework.
GAO Debuts New Protest Procedures Effective May 1, 2018
On April 2, 2018, GAO issued a final rule revising its existing regulations to implement a number of changes to its bid protest process. The new rule becomes effective on May 1, 2018.
Several of these changes implement requirements in Section 1501 of the Consolidated Appropriations Act for FY2014 (“Act”), which directed GAO to institute an electronic filing system and authorized GAO to charge a filing fee to cover the cost of that electronic filing system. But the revisions are not limited to those two issues.
Here are the highlights:
CBCA Proposes Changes to its Rules
On March 28, 2018, the Federal Register published proposed changes to the Civilian Board of Contract Appeals’ (“Board”) Rules of Procedure regarding appeals under the Contract Disputes Act (“CDA”). These proposed rules indicate that the Board wishes to: simplify and modernize access to the Board, clarify certain rules, and increase conformity between its rules and the Federal Rules of Civil Procedure (“Federal Rules”). Our key takeaways are below, and a side-by-side comparison between the Board’s current and proposed rules can be found here. Interested parties may submit comments by May 29, 2018. Continue Reading
Key Takeaways From The “New York Buy American Act” And Beyond
[This article was originally published in Law360 and has been modified for the blog.]
This was not an April Fools’ Day joke: The New York Buy American Act (“NY BAA”) went into effect on April 1, 2018. Signed by Governor Andrew M. Cuomo in December 2017 and championed by state legislators on both sides of the aisle, the NY BAA amends the existing domestic content restrictions in Section 146 of the N.Y. State Finance Law and Section 2603-a of the N.Y. Public Authorities Law by adding another layer of “Buy American” requirements focused on structural iron and structural steel products used in certain construction projects.
Although Governor Cuomo has noted that this new law is intended “to support hardworking men and women, revitalize infrastructure across the state, bolster the strength of our manufacturing industries and cement our status as a global economic leader” – a sentiment in step with President Trump’s stated “Buy American” policy – the economic impact of this legislation remains to be seen. As will be discussed, this set of requirements is focused on only two categories of items (structural iron and structural steel) used on a specific set of construction projects (roads and bridges) that will be awarded by certain New York agencies or authorities during a two-year window.
Notwithstanding, the NY BAA is a noteworthy development because it further reinforces the general rallying cry behind “Buy American.” Most importantly, this new law serves as a reminder to contractors that an already cumbersome regime of federal and state domestic preferences will continue to remain complex.
Fraudulent SAM Accounts Lead to More Complicated SAM Registration Requirements
GSA recently announced it is supporting an Inspector General investigation into alleged, third-party fraudulent activity in the System for Award Management (“SAM”). The GSA announcement suggests that fraudulent SAM accounts may have been used to divert certain federal payments to unauthorized bank accounts. The announcement does not elaborate on the scope of potentially impacted entities or the amount of misdirected payments at issue. GSA has advised impacted entities to validate their SAM registration and confirm their financial information. Although GSA has indicated it has or will reach out to impacted entities, contractors would be well advised to confirm independently the accuracy of their current SAM registration.
If Shulkin Didn’t Resign, Who Runs the VA Until a New Secretary Is Confirmed? A Vacancies Act Puzzle
Recent news reports have raised a substantial question about who has authority to run the Department of Veterans Affairs (“VA”) in the wake of Dr. David Shulkin’s departure from the agency. According to the White House, Dr. Shulkin resigned. Meanwhile, Dr. Shulkin himself has publicly insisted that he did not resign and was instead fired.
This inconsistency sets up a potential dispute over whether, under the Federal Vacancies Reform Act of 1998 (“Vacancies Act”), President Trump had the authority to appoint Robert Wilkie, the Undersecretary of Defense for Personnel & Readiness, to serve as Acting Secretary of the VA.
As a result, contractors doing business with the VA have found themselves confronted with a series of knotty questions about the impact this uncertainty may have on the VA’s procurement priorities and actions.
GSA Unveils Plan for Commercial Online Shopping Portal
Following instructions from Congress to create a new online shopping system leveraging existing commercial practices, the General Services Administration (“GSA”), in coordination with the Office of Management and Budget (“OMB”), has released an implementation plan (“Plan”) to begin e-commerce purchases by 2019. As discussed in a previous blog post, GSA’s Plan is a first step toward implementing Section 846 of the National Defense Authorization Act for FY 2018, which requires GSA to develop “e-commerce portals” – essentially online shopping sites – for commercially available off-the-shelf (“COTS”) item procurements.
Oregon HB 4005: New Reporting Requirements for Drug Manufacturers, Health Insurers
On Tuesday, March 13, 2018, Oregon Governor Kate Brown signed into law House Bill 4005 (HB 4005), which imposes substantial new state reporting requirements on pharmaceutical manufacturers regarding drug pricing, including details on manufacturer-sponsored patient assistance programs. HB 4005 also imposes new reporting requirements on health insurers and establishes a temporary task force charged with developing “a strategy to create transparency for drug prices across the entire supply chain of pharmaceutical products.”[1]
