On Tuesday, November 30, 2021, the U.S. District Court for the Eastern District of Kentucky issued a preliminary injunction blocking the Biden Administration from enforcing its federal contractor COVID-19 vaccine mandate in Kentucky, Ohio, and Tennessee.  As discussed in our previous posts, via Executive Order 14042, President  Biden mandated that employees of federal contractors and subcontractors be vaccinated against COVID-19.  Executive Order 14042 relies on the president’s authority under the U.S. Constitution and the Federal Property and Administrative Services Act (“FPASA”) to effectuate this policy.  Federal contractors are required to have covered employees fully vaccinated by January 18, 2022.  Numerous states have sued to block the mandate but yesterday was the first time a court has upheld such a challenge.

Continue Reading Contractor COVID-19 Vaccine Mandate Blocked in Three States and Numerous Additional Challenges Pending

Last Tuesday, GAO released its Fiscal Year 2021 protest statistics, which as always contains a wealth of interesting information about GAO’s protest system.

  • Protest filings dropped by 12% from FY20.  After remaining fairly steady in FY19 and FY20, filings dropped in FY21, with the lowest number of cases filed since FY08.  It seems likely, however, that at least part of the drop is attributable to the pandemic, which may have slowed the pace of federal procurement in the spring and summer of 2020, leading to a smaller than usual wave of protests in the first quarter of FY21.
  • The sustain rate remained steady at 15%.  The sustain rate considers only the subset of cases that go all the way to a decision on the merits, and measures the percentage of those decisions that sustained the protest.  In FY21, GAO issued 581 merits decisions, and 85 of those were sustains, resulting in a sustain rate of 15% — solidly within GAO’s historical range of sustain rates.  The four most prevalent reasons for sustaining protests were (1) unreasonable technical evaluation; (2) flawed discussions; (3) unreasonable cost or price evaluation; and (4) unequal treatment.

But the more indicative statistic for favorable outcomes in a bid protest is the effectiveness rate, and . . .

  • The effectiveness rate remained high at 48%.  That figure is the second-highest effectiveness rate ever recorded by GAO (the all-time high of 51% occurred last year).  The effectiveness rate measures the percentage of all protests filed in which the protestor obtains “some form of relief from the agency . . . either as a result of voluntary agency corrective action or [GAO] sustaining the protest.”  So in nearly half of all protests in FY21, the protestors obtained some relief, confirming that protests can be worthwhile for disappointed offerors who have legitimate concerns about a procurement.
  • The number of hearings remained steady at 1%.  Hearings remain rare, especially as compared to a decade ago when 8-10% of fully-developed cases received a hearing.

GAO’s annual bid protest report is always an exciting event, and this year’s edition shows that GAO’s process has continued to run smoothly throughout an unprecedented time.

[This article was originally published in Law360.]

Amidst the whirlwind of M&A activity in the government contracts industry, a recent bid protest decision from the Government Accountability Office (GAO) highlights the importance of proper planning to protect prime contract proposals during M&A and other corporate transactions.  Last month, GAO denied a protest from ICI Services Corporation (ICI), which challenged the U.S. Navy’s decision to award a task order to Serco, Inc. (Serco) under the SeaPort Next Generation (SeaPort-NxG) vehicle.  Although ICI raised a “multitude of challenges,” GAO focused on what it considered the gravamen of ICI’s protest — that Serco was ineligible for award because it allegedly was not a complete successor-in-interest to the Naval Systems Business Unit (NSBU) of Alion Science and Technology Corporation (Alion).  Serco had acquired the NSBU from Alion in July 2019, and has been operating the NSBU in the several months since then.

For years, contractors have faced an amalgamation of protest decisions assessing the impact of transactions on proposals for new prime contracts.  The recent ICI decision provides some additional guidance and, more importantly, underscores GAO’s stated intent that its decisions not frustrate pending proposals merely because a corporate transaction has taken place or is expected to take place, but instead ensure that the procuring agency has reasonably considered the impact of the transaction and concluded that the resulting contract will be performed in materially the same way as described in the proposal.  In the absence clear guidance in the Federal Acquisition Regulation (FAR) on the treatment of bids in connection with a corporate transaction, GAO’s decision in ICI offers some clarity for contractors and a framework for agencies when assessing the impact of a transaction.  Although every transaction and proposal is unique, the ICI decision highlights some key considerations for contractors. Continue Reading Buying a Business Without Losing the Pipeline: Further Guidance for Protecting Proposals

On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0.  Mr. KcKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous” especially on small and medium sized contractors.  He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk based approach than the original CMMC because it is primarily focused on the type of data being protected.

Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0

UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.”   The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided. Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0

Earlier today, the FAR Council issued a final rule revising the FAR definition of “commercial item.”  The final rule effectively splits the prior definition of “commercial item” into separate definitions for “commercial product” and “commercial service,” without making substantive changes to the existing definitions.  The final rule also replaces references to “commercial items” throughout the FAR with corresponding references to “commercial products,” “commercial services,” or both, as appropriate.

Continue Reading New Final Rule Replaces “Commercial Item” Definition and Implements Definitions for “Commercial Products” and “Commercial Services”

This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software similar to various industries adopting the NIST Cybersecurity Framework as a security controls baseline.

Continue Reading October 2021 Developments Under President Biden’s Cybersecurity Executive Order

Federal government contractors face many uncertainties as they implement President Biden’s COVID-19 vaccine mandate. This includes the distinct possibility of civil lawsuits arising out of their implementation of the mandate, including potential allegations of invasion of privacy, wrongful termination, lost wages, discrimination, personal injury or other common law claims or statutory violations. At least one such lawsuit already has been filed. In that suit, dozens of aggrieved employees allege that the contractor’s vaccine mandate violates state law, and they seek an injunction and other relief. Other lawsuits are sure to follow.

But there is good news for contractors: Established legal doctrines should provide contractors some degree of protection—and perhaps complete immunity—against such lawsuits. In addition to the statutory protections afforded to contractors under the PREP Act, contractors may be protected from civil liability based on federal-law-based defenses that have been recognized and applied in analogous government contracting settings. In the coming weeks, as contractors navigate the many challenges associated with the vaccine mandate, they should carefully consider the risk of civil litigation, and, in order to minimize potential exposure in such lawsuits, proactively implement practices that maximize the likelihood that these doctrines and defenses will be applicable, as discussed below.

Continue Reading Are Federal Contractors Immunized From Vaccination Litigation? Mitigating The Risk Of Civil Liabilities Arising Out Of The COVID-19 Vaccine Mandate

In a December 2020 speech, Deputy Assistant Attorney General Michael Granston warned that cybersecurity fraud could see enhanced enforcement under the False Claims Act (“FCA”).  On October 6, 2021, Deputy Attorney General Lisa Monaco announced that the Department of Justice (“DOJ”) would be following through on that warning with the launch of the DOJ’s Civil Cyber-Fraud Initiative.  The key component of the initiative is the use of the FCA against Government contractors and subcontractors that fail to comply with cybersecurity requirements, including information security standards and cyber incident reporting obligations, imposed by contract, statute, or regulation.

Under the FCA, the Government can recover treble damages and penalties from federal contractors and subcontractors that knowingly submit false claims for payment.  Notably, the FCA incentivizes private citizens (relators), including contractor employees, to file qui tam suits on behalf of the Government by guaranteeing them between 15 and 30 percent of the recovery.  DOJ stated that it intended to work with federal agencies, subject matter experts, and law enforcement partners on the Civil Cyber-Fraud Initiative.  Recently, Assistant Attorney General Brian Boynton confirmed that this initiative was also intended to incentivize relators and the aggressive relators’ bar to focus their attention on potential cybersecurity noncompliance as the basis for qui tam actions.

Continue Reading DOJ Announces New Civil Cyber-Fraud Initiative

Under the January 2021 “Made in America” Executive Order 14005, President Biden established a new Made in America Office to oversee and administer domestic preference requirements in federal procurements.  Housed within the Office of Management and Budget (“OMB”), the Made in America Office was tasked with, among other things, reviewing and approving agency waivers of any Made in America Laws—including, for example, waivers of the Buy American Act (“BAA”) and Trade Agreements Act (“TAA”), as well as developing a publicly available website to post the descriptions of the proposed waivers and justifications for each.  Last week, the Made in America Office launched its new website, establishing for the first time a centralized, government-wide database of all proposed waivers of Made in America Laws.

Continue Reading The Made in America Office Website Is Live