Another Executive Order on Buying American, and This One Has Teeth

(This article was originally published in Law360 and has been modified for this blog.)

On July 15, 2019, President Trump issued an Executive Order on Maximizing Use of American-Made Goods, Products, and Materials.  The EO directs the FAR Council to “consider” amending the Federal Acquisition Regulation’s provisions governing the implementation of the Buy American Act.  This EO is the Trump administration’s latest – and most concrete – step toward enhancing domestic sourcing preferences and restricting foreign sources of supply for federal customers.  And if implemented, the change promises to have dramatic implications for government contractors and their supply chains.

Back to Basics: Government’s Subjective Views About Contractor’s Performance Do Not Justify Termination for Default

The U.S. Court of Federal Claims recently overturned an agency’s decision to terminate a government contractor for default – finding that the government allowed a series of contract disputes, poor practices, conflicting personalities, and a lack of effective communication to cloud its termination analysis.  The case serves as an important reminder that, when reviewing a termination for default, the Court gives little credence to the government’s “subjective beliefs” regarding the contractor’s ability to perform.  Rather, the Court conducts an objective inquiry and scrutinizes the events, actions, and communications that led to the agency’s termination decision.

House and Senate Will Debate Bid Protest Policy

The House of Representatives passed its version of the FY2020 National Defense Authorization Act (“NDAA”) last week.  The headline story was the remarkably close, party-line vote: in contrast to past years, the bill received no Republican votes, and eight Democratic Members voted against it.

Those partisan dynamics obscured the inclusion of two important amendments – one Republican and one Democratic – regarding bid protest policy that the House quietly adopted in its bill.  The provisions are not yet law, since the House and Senate must still resolve differences in their respective NDAAs through the conference process.  In this post, we summarize these provisions and encourage government contractors to watch them closely in the coming months.

New York City, Vermont, and Other State and Local Governments Evaluating AI Trustworthiness

Earlier this year, the White House issued an Executive Order on AI mandating that the National Institute of Standards and Technology develop a guide to federal engagement on AI technical standards.  While the federal government’s actions have understandably garnered significant attention, state and local governments are also undertaking preliminary efforts to engage on the technical standards for AI procured and utilized by their agencies.  Lee Tiedrich and Nooree Lee discuss those regulatory efforts on Inside Tech Media.

DoD Announces the Cybersecurity Maturity Model Certification (CMMC) Initiative

The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain.

The Office of the Under Secretary of Defense for Acquisition and Sustainment has created a website that provides additional background on the proposed CMMC, including a list of FAQs and details about a CMMC Listening Tour that is intended to solicit feedback from key DIB stakeholders.  DoD is planning to release Version 1.0 of the CMMC framework in January 2020 and expects to incorporate CMMC requirements in Requests for Proposals (“RFPs”) beginning in June 2020.

The concept of a CMMC framework arose in response to a series of high profile breaches of DoD information.  This caused DoD to reevaluate its reliance on the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 as sufficient to thwart the increasing and evolving threat, especially from nation-state actors.  Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, is among those leading this effort and addressed DoD’s plans for the CMMC at the May 23, 2019 Georgetown Cybersecurity Law Institute.

Key takeaways from the CMMC website include:

  • The initial implementation of the CMMC is for DoD only.  However, the use of CUI terminology rather than covered defense information (“CDI”), which is used in DFARS 252.204-7012, indicates a potentially broader role for this model beyond DoD.
  • All companies conducting business with the DoD, including subcontractors, must be certified.
  • The CMMC is expected to combine relevant portions of various cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032, into one unified standard for cybersecurity.  Unlike NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls, the CMMC will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes.”
  • The CMMC is expected to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.”  For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats.  Notably, DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a “go/no go” evaluative determination.  This assessment of appropriate maturity levels on a procurement basis is akin to the Cyber Security Model that the United Kingdom’s Ministry of Defence (“MoD”) currently employs for all MoD contracts.
  • In general, contractors will be required to be certified by a third-party auditor.  The FAQs on the website note that certain “higher level assessments” may be conducted by government assessors, including requiring activity personnel, the Defense Contract Management Agency (“DCMA”), and the Defense Counterintelligence and Security Agency (“DCSA”).  The website does not, however, explain what qualifies as a higher level assessment.
  • How long a certification will remain in effect is still under consideration.  Additionally, certification levels of contractors will be made public, though details of specific findings will not be publicly accessible.
  • A compromise of a contractor’s systems will not result in automatic loss of certification.  However, depending on the circumstances of the compromise, it appears that DoD intends to authorize program managers to require recertification if they believe it necessary.  It is unclear whether this obligation will be imposed via contract or regulation and what standard will be used to determine that a recertification is necessary.
  • The cost of certification will be considered an allowable, reimbursable cost.  The FAQs state that the costs “will not be prohibitive.”

Impact on Contractors

It is too early to assess the potential impact of the CMMC on contractors.  Although details relating to the scope, breadth, and implementation of the CMMC are limited, the framework reflects DoD’s first meaningful attempt to impose a broader assessment regime.  It is unclear whether implementation of the CMMC will eliminate the need for DCMA to conduct audits to measure compliance with NIST SP 800-171.

DIB stakeholders will have a number of opportunities to provide feedback.  The CMMC Listening Tour is expected to include five outreach events throughout July and August 2019, with more expected before the framework is released in January 2020.

Federal Circuit Further Clarifies Maropakis and CDA Interest Rule in Significant “Contractor-on-the-Battlefield” Decision

Earlier this week, the Federal Circuit unanimously affirmed a 2017 ruling by the Armed Services Board of Contract Appeals (“ASBCA”) that held the United States Government breached its contractual obligation to provide physical security to KBR and its subcontractors during the height of the Iraq War.  The decision awards KBR $44 million, plus interest, in private security costs that the Government unilaterally recovered under the LOGCAP III contract.

The Court’s decision is significant in two respects.  First, it confirms that the affirmative defense of prior material breach is not a Contract Disputes Act (CDA) “claim” that must be presented to a contracting officer under M. Maropakis Carpentry, Inc. v. United States, 609 F.3d 1323, 1331 (Fed. Cir. 2010).  Second, the decision makes clear that a contractor is entitled to CDA interest on its claim to recover amounts taken or held by the Government to enforce a government claim.  We discuss each of these important rulings below.

PAHPAI Reauthorizes Key Biodefense Initiatives and Provides Opportunities for Industry Partners

Late last month, the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019 (PAHPAI) was signed into law.[1] The Act is a much anticipated reauthorization of the Pandemic and All-Hazards Preparedness Act, originally passed in 2006.[2] The legislation is a key development in strengthening the country’s ability to respond to bio-threats, disasters, and other national emergencies by defining federal program initiatives and funding states and private researchers. PAHPAI-authorized grants allow for the research and development of biodefense measures and the stockpiling of preparedness supplies.

Supreme Court Shakes Up FOIA Exemption for Confidential Information

On Monday, the Supreme Court significantly altered how government agencies will treat confidential commercial information protected from disclosure by Exemption 4 of the Freedom of Information Act (“FOIA”) — an issue that recurs repeatedly with respect to information submitted by contractors to government agencies.  Food Marketing Institute v. Argus Leader Media, No. 18-481 (U.S. June 24, 2019). The Court overturned 45 years of lower-court precedent requiring that the submitter show both that the information was not publicly disclosed, and that its release would cause substantial competitive harm.  The Court’s decision seemingly expands the scope of Exemption 4 by removing the “substantial competitive harm” requirement. However, the effect of this apparent expansion is unclear, because the Court suggested but did not resolve whether Exemption 4 also requires a new element: a showing that the submitter’s information was provided under an assurance by the government that it would keep the information confidential.

Notwithstanding the question left open by the Court, Food Marketing points the way to several steps that contractors can take to protect their commercial and financial information from release under the new interpretation of Exemption 4.

NIST Announces and Seeks Public Comment on 800-171 Update and Related Documents

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) announced the long-awaited update to Special Publication (“SP”) 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which includes three separate but related documents.

Supreme Court Extends Statute of Limitations for Relators in FCA Cases, in Limited Circumstances

As previously discussed on this blog, the Supreme Court announced last year that it would resolve a circuit split over when a relator needed to file a qui tam action under the False Claims Act (“FCA”).  Earlier this month, the Court decided in Cochise Consultancy Inc. v. United States ex rel. Hunt, that relators can — in limited circumstances — take advantage of the FCA’s 3-year “alternative” statute of limitations, which means they may file their complaints up to four years after the default 6-year period has expired.

Now that the dust has settled, it is worth stepping back to take stock of the ruling’s practical effect.  We believe that Cochise will have limited impact on most qui tam actions, although it leaves some important questions open.  For FCA aficionados, the ruling by Justice Thomas also foreshadows a plain-reading, textual approach to future questions that may arise.
