With the 2024 election rapidly approaching, the Biden Administration must race to finalize proposed agency actions as early as mid-May to avoid facing possible nullification if the Republican Party controls both chambers of Congress and the White House next year. 

The Congressional Review Act (CRA) allows Congress to overturn rules issued by the Executive Branch by enacting a joint resolution of disapproval that cancels the rule and prohibits the agency from issuing a rule that is “substantially the same.”  One of the CRA’s most distinctive features—a 60-day “lookback period”—allows the next Congress 60 days to review rules issued near the end of the last Congress.  This means that the Administration must finalize and publish certain rules long before Election Day to avoid being eligible for CRA review in the new year.

Overview of the CRA

The CRA requires federal agencies to submit all final rules to Congress before the rule may take effect.  It provides the House with 60 legislative days and the Senate with 60 session days to introduce a joint resolution of disapproval to overturn the rule.  This 60-day period counts every calendar day, including weekends and holidays, but excludes days that either chamber is out of session for more than three days pursuant to an adjournment resolution.  In the Senate, a joint resolution of disapproval receives only limited debate and may not be filibustered.  Moreover, if it has been more than 20 calendar days since Congress received a final rule and a joint resolution has not been reported out of the appropriate committee, a group of 30 Senators can file a petition to force a floor vote on the petition.   

If a CRA resolution receives a simple majority in both chambers and is signed by the President, or if Congress overrides a presidential veto, the rule cannot go into effect and is treated “as though such rule had never taken effect.”[1]  The agency is also barred from reissuing a rule that is “substantially the same,” unless authorized by future law.[2]    

Election Year Threat: CRA Lookback Period

These procedures pose special challenges for federal agencies in an election year.  If a rule is submitted to Congress within 60 days before adjournment, the CRA’s lookback provision allows the 60-day timeline to introduce a CRA resolution to start over in the next session of Congress.

This procedure ultimately requires the current administration to assess the threat of a CRA resolution against certain rules and determine whether to issue the rule safely before the deadline or risk a potential CRA challenge. 

Mid-May Deadline Estimated for Biden Agency Actions

Calculating the CRA deadline is exceedingly difficult for federal agencies because it is a moving target.  The House and Senate may each cancel or add days to their legislative calendar right up until adjournment, making it impossible to calculate the deadline with precision.  Moreover, the lookback period starts on the date that is 60 days before adjournment, regardless of which chamber reaches that threshold first.  In other words, if the date that is 60 House legislative days before adjournment falls on a date that is 65 Senate session days prior to adjournment, that date starts the lookback window, even though the Senate is not within 60 session days of adjournment. 

While only the House and Senate parliamentarians can determine the lookback window with authority, based on the currently-released House and Senate calendars, agency rules submitted to Congress before May 22, 2024 will not be subject to CRA review by the new 119th Congress in 2025.  However, since this deadline is based on the House calendar, it would be pushed later if the House were to add legislative days to the calendar to complete legislative work.

Administration Preparations

Agency leaders are working to finalize rules in time to meet this deadline.  At a recent conference held by the American Law Institute’s Continuing Legal Education, Vicki Arroyo, the Environmental Protection Agency’s (EPA) Associate Administrator for Policy, explained that the deadline is “something that [the EPA is] very focused on.”[3]  Although the deadline is uncertain, she noted that to be cautious, agencies may submit rules as “early as the end of April or May.”[4]

Federal agencies have already begun or plan to submit rules to Congress before the late May deadline, including:  

  • An EPA rule that sets new standards to reduce air pollutant emissions from cars and a rule that requires fossil fuel plants to rely on new technologies to reduce pollution levels.
  • A Department of Labor rule that modifies Wage and Hour regulations to clarify the criteria for classifying workers as independent contractors as opposed to employees and a rule that narrows the standards for classifying employees as exempt from the Fair Labor Standards Act’s minimum pay and overtime requirements.
  • A Department of Justice rule that takes additional steps to implement the Bipartisan Safer Communities Act, which makes various changes to federal firearm laws, including expanding background check requirements and broadening the scope of existing restrictions.
  • The Energy Department’s regulations setting consumer water heater energy efficiency standards to lower utility costs for American families and increase energy savings.
  • An Office of Personnel Management rule that would implement stronger guardrails for career employees, allowing them to keep civil service protections unless they voluntarily accept a political appointee position and adding requirements when reclassifying career positions as political appointments.
  • A Bureau of Land Management rule setting management standards that put conservation on par with resource extraction to protect public lands and restore degraded habitats. 
  • A Department of Health and Human Services rule that establishes comprehensive minimum staffing standards for nursing homes.
  • A Department of Housing and Urban Development rule proposing a framework to ensure that federal funding is used in a systematic way to affirmatively support the goals of the Fair Housing Act.

Some rules will not be finalized by the deadline, which could signal that agency leaders view these rules as less vulnerable to the CRA, either because they enjoy bipartisan support or because they are not politically polarizing.  For example, the EPA plans to finalize a rule in October that would mandate actions to reduce lead exposure, including replacing lead pipes within the next ten years. 

In addition, several rules were recently submitted to the Office of Information and Regulatory Affairs (OIRA), which generally has 90 days to review a rule before it is sent to Congress.  It is possible that OIRA’s 90-day review period will push these rules past the May deadline for submission to Congress.  Examples of these rules include:

  • A Department of Education rule that establishes a negotiated rulemaking committee to prepare regulations for the Federal Student Aid programs related to the modification, waiver, release, or compromise of student loans under the Higher Education Act of 1965.
  • A Social Security Administration rule that expands the definition of a public assistance household to reduce administrative burdens for low-income households participating in public assistance programs.
  • A Department of Agriculture rule that sets standards for labeling meat and poultry products produced using animal cell culture technology—a process that involves taking a small number of cells from living animals and growing them in a controlled environment to generate food.

The fate of these rules will depend on how soon the Administration can finish these rulemakings and submit them to Congress.  Otherwise, the outcome of the 2024 election will determine whether these rules ever take effect.


[1] 5 U.S.C. § 801(f).

[2] Id. § 801(b).

[3] Kevin Bogardus, Murky Deadline Looms for Biden’s Regs, E&E News by Politico (Mar. 21, 2024), https://www.eenews.net/articles/murky-deadline-looms-for-bidens-regs/.

[4] Kevin Bogardus, Murky Deadline Looms for Biden’s Regs, E&E News by Politico (Mar. 21, 2024), https://www.eenews.net/articles/murky-deadline-looms-for-bidens-regs/.

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.


The Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) has now opened its Contractor Portal for the 2024 Affirmative Action Program (“AAP”) certification period with a deadline of July 1, 2024.


On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA.  While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements.  Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert.  This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements.  The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. 


On March 12, 2024, the Department of Defense (DoD) published a final rule, revising the eligibility criteria for the voluntary DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities Program.  The intent of the rule is to permit all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to participate in the program.  Previously, only cleared contractors were permitted to participate in the sharing of this information.  The final rule also amends identity proofing requirements by eliminating the need to obtain a medium security certificate to participate in either the voluntary or mandatory reporting regimes.  The rule will take effect on April 11, 2024, and DoD anticipates a significant increase in contractor participation.

Additional information about the rule is outlined below.


On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the much-anticipated final version of its common Secure Software Development Attestation Form.  Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons.  First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers.  Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.


On March 7, 2024, the Department of Transportation’s (“DOT”) Federal Highway Administration (“FHWA”) announced a proposed rule to rescind a longstanding general waiver of Buy America requirements for manufactured products (the “Manufactured Products Waiver”).  If finalized, this would be a major change for the agency, reversing a policy that has been in place for more than 40 years.

FHWA has imposed Buy America requirements for domestic iron and steel on its projects since 1978 (see 23 U.S.C. § 313; 23 CFR § 635.410), but in 1983, the agency determined that it was in the public interest to waive the requirement as to manufactured products based on the agency’s belief that manufactured products were not used in federal highway projects in sufficient quantities to have an effect on the overall cost of a project and therefore did not require Buy America protections.  That general waiver has been in place ever since.

This change in policy comes in the wake of the 2021 Infrastructure Investment and Jobs Act’s Build America, Buy America (“BABA”) provisions, which expanded Buy America coverage broadly in federal financial assistance programs for infrastructure.  BABA requires that all steel, iron, construction materials, and manufactured products used in such projects be “produced in the United States.”  BABA also discourages the use of general applicability waivers like FHWA’s Manufactured Products Waiver and required review of existing waivers.

FHWA sought comments on its longstanding manufactured products waiver in March 2023 and received over 9,400 comments from the public.  Commenters included manufacturers, labor organizations, construction contractors, industry associations, State departments of transportation, and even members of Congress.  Based on a consideration of this feedback and in recognition of other domestic content policies, including Executive Order 14005, “Ensuring the Future Is Made in All of America by All of America’s Workers,” FHWA is proposing to discontinue its Manufactured Products Waiver and modify its regulations to include domestic content requirements for manufactured products.


On February 15, 2024, the Department of Defense (“DOD”) issued a final rule that increases the domestic content requirements for defense procurements. 

The new rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement Executive Order 14005 (“EO”).  The EO was intended to strengthen the requirements of the Buy American Act (“BAA”) by, among other things, directing the FAR Council to issue new rules increasing the domestic content threshold for determining whether a product qualifies as a domestic end product. 

Although the FAR Council issued a final rule implementing the EO on March 7, 2022, the BAA requirements for defense procurements remained unchanged.  The new DOD rule aligns the DFARS BAA provisions with the FAR revision implemented in 2022.

The new rule (1) increases the applicable domestic content threshold for domestic end products, and (2) creates a framework for the application of an enhanced price preference for domestic products that are considered critical products or are made up of critical components.

Higher Domestic Content Threshold

Previously, the cost of domestic components had to exceed 55 percent of the cost of all components in order for a product to qualify as a domestic end product.  Under the new rule, the domestic content threshold is 65 percent in calendar years 2024 through 2028.  Beginning in calendar year 2029, the threshold will be 75 percent.  The increased threshold modifies the DFARS definitions for domestic end product, qualifying country end product, and domestic construction material. 

To help contractors transition to the increased domestic content requirements, the new rule includes exceptions for awards made prior to January 1, 2030.  First, there will be a 55 percent fallback threshold for situations where domestic products at a higher threshold are not available or the cost to acquire them would be unreasonable.  Second, an alternate domestic content threshold may be applied at the discretion of an agency senior procurement executive in instances where it is not feasible to meet the increasing threshold, e.g., under an indefinite-delivery, indefinite-quantity contract.  Under the alternate domestic content threshold, the threshold in effect at the time of contract award would apply to the entire period of performance.

Enhanced Price Preferences for Critical Items and Components

Under the new rule, domestic end products containing a critical component or item are eligible for an enhanced price preference.  The rule relies on FAR 25.105 for its definition of “critical item” and “critical component.”  For now, FAR 25.105 itself has only a placeholder for the list of critical items and components.  The list will be populated in a separate rulemaking. 

Under the new framework, contractors must meet additional reporting requirements for certain products.  Defense contractors must identify all domestic end products containing a critical component or item.  They must also identify all foreign end products and indicate whether each foreign end product exceeds 55 percent domestic content.  Commercially available off-the-shelf (“COTS”) items are exempt from the enhanced reporting requirements.

The new rule also maintains certain domestic content provisions that are unique to defense procurements.  For example, the rule defines domestic content to include components that are mined, produced, or manufactured not only in the U.S., but also in qualifying countries — countries with reciprocal defense procurement memoranda of understanding or international agreements with the U.S. in which both countries agree to remove certain barriers to the purchase of supplies.

Defense contractors should be prepared to comply with the now-effective increased domestic content threshold and make plans for how they will eventually meet the 75 percent threshold before it is implemented in 2029.  Further, contractors should continue to monitor additional developments in this area, as policymakers on both sides of the aisle are increasingly focused on expanding domestic content requirements and incentivizing enforcement.

This is the thirty-third in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through December 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during January 2024.  It also describes key actions taken during January 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.

Anticipated Q1 2024 Actions Implementing the AI EO

Several agencies are expected to satisfy milestones related to the AI EO’s key requirements in the coming months.  For example, the Secretary of Commerce is expected to issue proposed rules requiring companies that develop certain large and sophisticated AI models to make periodic disclosures to the government.  A new post on the Covington Inside Global Tech blog provides substantive background and a sense of timing for that action and numerous others.  For more on the Executive Order, see our summary of its key provisions. 

This is the thirty-second in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during December 2023.  It also describes key actions taken during December 2023 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
