A New Path to TAA Compliance: U.S.-Made End Products in Acetris

On Monday, the U.S. Court of Appeals for the Federal Circuit issued an opinion in Acetris Health, LLC v. United States, No. 2018-2399 (Fed. Cir. Feb. 10, 2020) (“Acetris”), that would permit pharmaceutical manufacturers to source a drug’s active pharmaceutical ingredient (“API”) from India, China and other non “designated countries” and yet still offer the end product for sale to the U.S. Government.  Under the Trade Agreements Act (“TAA”), if a drug’s API was sourced from outside of the United States or a designated country, at least some Government agencies previously had taken the position that the U.S. Government could not purchase it.  In Acetris, the Federal Circuit explained that the TAA inquiry should turn not on where the API (or some other component) is sourced, but instead on where the pill (or other end product) is manufactured.  Consistent with this approach, the court held that a pill manufactured in the United States was compliant with the TAA and implementing regulations even though the pill’s API was sourced from India.

Although the full implications of the Acetris decision are not yet clear, there is no doubt that the ruling alters the TAA compliance landscape and offers broader lessons outside of the pharmaceutical manufacturing context.  Consequently, the decision warrants close attention by contractors seeking to maximize supply chain efficiency. Continue Reading

A Closer Look at Version 1.0 of DoD’s Cybersecurity Maturity Model Certification

On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations.  (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)

As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification.  DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.

Continue Reading

U.S. Government Seeks Industry Solutions in Novel Coronavirus Response

As of February 10, 2020, the World Health Organization (WHO) reported that 40,554 cases of the Novel Coronavirus (2019-nCoV) have been confirmed globally, with twelve cases confirmed in the United States.  The WHO has been issuing situation reports on a daily basis since January 21, and each report in February alone has identified more than 2,000 to 3,000 new cases each day.

Due to the lack of approved therapeutics, vaccines, and diagnostics for this threat, developing new products and testing products already approved for other uses is a high priority for the U.S. interagency response effort—the Medical Countermeasure (MCM) Task Force.  The Biomedical Advanced Research and Development Authority (BARDA), under the Office of the Assistant Secretary for Preparedness and Response (ASPR) in the U.S. Department of Health and Human Services (HHS), is leading this Task Force in partnership with U.S. Department of Defense, Food and Drug Administration, Centers for Disease Control and Prevention, and National Institutes of Health.

BARDA is currently looking at the effectiveness of existing countermeasures for similar viruses, as well as potential new responsive technologies, including vaccines, diagnostics, therapeutics, and medical supplies.  BARDA is serving as the sole point of entry for product and technology submissions to ensure there is an expedited process for receipt and review of proposed solutions for 2019-nCoV.  In this capacity, BARDA has released two opportunities to submit potential solutions for the 2019-nCoV response discussed below: (1) the EZ-BAA for 2019-nCoV diagnostics and (2) market research packages for any and all potential products and supplies.  Covington encourages those with technology that could be potentially useful to respond.

Continue Reading

DoD Announces the Release of CMMC Version 1.0

On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft versions of the CMMC in earlier blog posts.

At the press conference, Under Secretary Lord and her staff emphasized the concerns that the DoD has with regard to sensitive, unclassified government data that resides in the networks of its supply chain, discussed the timeline for rolling out the CMMC, confirmed that DoD will be promulgating a new DFARS regulation to implement aspects of the CMMC, and acknowledged that DoD is continuing to work through the accreditation process.

First, Secretary Lord emphasized the significant national security threat that contractors and their subcontractors face from sophisticated cyber adversaries.  She noted that cyber attacks are low cost to conduct, but that in the past year alone, cyber attacks resulted in approximately $600 billion dollars of global GDP lost through cyber theft.  She also emphasized that DoD has expended considerable efforts communicating with and receiving input from industry and sees this as a key partnership between DoD and the defense industry to protect sensitive government information.

Second, DoD representatives explained that DoD is taking a “crawl, walk, run” approach with implementation of the CMMC.  Although the rollout will begin this year, DoD’s goal is to have the requirement fully implemented by Fiscal Year 2026.  This year, DoD intends to select third party accreditation vendors, to be called “C3PAOs.”  Although no significant details as to content were shared, DoD also plans to publish a new DFARS regulation in late spring or in early summer.  Finally, DoD plans to add CMMC requirements to ten procurements at the end of this year with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD’s expectation is that each individual procurement will affect a relatively large number of contractors once subcontract awards at various levels of the supply chain are taken into account.  These procurements are expected to include a mix of CMMC Levels.

Third, DoD provided some insight into the Accreditation Body, which it stood up in early January 2020.  The Accreditation Body is charged with overseeing training, quality, and administration of the C3PAOs and will consist of 13 members from the defense industrial base, cybersecurity community, and academic community who self-nominate to join.  The names of the members of the Accreditation Body were not provided at the press conference, but DoD shared that the Body has elected a Chairman and that it has a Board of Directors.  DoD is currently drafting a memorandum of understanding (“MOU”) with the Accreditation Body that will outline the roles, rules, and responsibilities of the parties.  Given the sensitive information that the Accreditation Body and the auditors will have access to, the MOU is expected to address potential conflicts of interest.

Finally, DoD clarified some operational questions.  DoD confirmed that it will not seek to modify current contracts to apply the CMMC retroactively (although it is unclear whether the CMMC could be applied to an existing contract when DoD exercises an option).  DoD also stated that subcontractors will only need to be certified to the appropriate level based on the data that they receive or develop and the work they will perform on a contract.  Thus, depending on the type of work being flowed down, it is possible that a Level 3 procurement could have Level 1 subcontractors.  CMMC accreditation will be effective for three years, but DoD did not provide further guidance on the costs of obtaining the certification or specifics on how the audit process will work.

Shortly following the press conference, DoD published Version 1.0 of the CMMC, found here.  Although the press conference clarified some outstanding questions, others still remain.  We are analyzing the requirements imposed by Version 1.0 of the CMMC and will publish our analysis in an upcoming post.

Trump Administration Renews Focus on Anti-Human Trafficking Efforts

The Trump Administration has declared this month National Slavery and Human Trafficking Prevention Month, calling on industry associations, law enforcement, private businesses, and others to work toward ending modern slavery and human trafficking. This proclamation follows the Administration’s efforts to combat human trafficking, which we have previously discussed here, and comes on the heels of an OMB memorandum released last fall aimed at “enhanc[ing] the effectiveness of anti-trafficking requirements in Federal acquisition while helping contractors manage and reduce the burden associated with meeting these responsibilities.”

Continue Reading

Momentum In Drug Pricing Reform: House Passes New Legislation on the Heels of Presidential Candidates’ Drug Pricing Proposals

Late last week, House Democrats passed Speaker Nancy Pelosi’s Elijah E. Cummings Lower Drug Costs Now Act. This bill would, among other things, permit the Department of Health and Human Services (“HHS”) to negotiate lower prices for 250 of the costliest drugs on behalf of Medicare beneficiaries and other consumers. Although this particular legislation appears to have little chance of passing the Senate and appears to lack support from President Trump, it comes on the heels of several other efforts aimed at reducing prescription drug prices. For instance, the Trump administration has released its drug pricing blueprint to use similar price control mechanisms to lower Medicare drug prices.  Additionally, just last month, Senator Cory Booker, along with Senators Bernie Sanders and Kamala Harris, introduced the Prescription Drug Affordability and Access Act (“Act” or “Prescription Act”) to regulate the cost of prescription drugs and threaten the abolishment of patent protections for non-compliant drug manufacturers. The current version of the proposal raises significant questions.

The Prescription Act proposes to create two new bodies: (1) the Bureau of Prescription Drug Affordability and Access (“Bureau”) within HHS to determine list prices for new and existing drugs; and (2) a Consumer Advisory Council (“Council”) comprised of patients, patient organizations, and medicine and health care finance experts to oversee the Bureau. Before a new drug can go to market, the Act obligates drug makers to provide the Bureau with sensitive information regarding the cost of research and development, the cost of the drug and comparable medications in other countries, and the federal investments of the drug’s discovery and production, among other things, in order for the Bureau to determine an “appropriate” price. For drugs already on the market, the Bureau would review the drug manufacturer’s cost profile and set an appropriate price based on the lesser of the Bureau-determined price or the median list price of eleven listed drug reference countries including Japan, Germany, the United Kingdom, France, Italy, Canada, Australia, Spain, the Netherlands, Switzerland, and Sweden. If drug makers charge an “inappropriate” price for a drug – i.e., a price above the amount determined by the Bureau, they must remit a rebate based on the surplus revenue earned to patients affected by the higher price. Further, if a drug maker fails to comply with the Bureau’s list price or remit excessive revenue earned within 30 days of receiving a notice that its price is “inappropriate,” HHS may void any patent related to the medication or clinical trial data or end other government-granted exclusivity. In the event HHS invalidates the patent, the Act contemplates that third parties should provide “reasonable compensation” to the patent holders, but the Act does not discuss how reasonable compensation would be determined.

In addition to the uncertainty regarding the calculation of “reasonable compensation,” the Act (like other similar proposals) does not appear to ensure that a drug product’s price reflects its true value. For instance, although the Bureau may take into account the cost of research and development for the particular drug at issue, there is no guarantee that the Bureau will account for (1) the often significant investment made in unsuccessful attempts to bring other drugs to market, or (2) the savings that a drug might bring to the healthcare market by preventing future illness or avoiding more costly treatment options. Also, the Act’s incorporation of reference pricing does not account for the nuances in healthcare systems in the reference countries, including the availability of alternative treatment methods in those countries.

Providing HHS the authority to invalidate patents and government licenses based on drug maker’s failure to abide by a drug price set on what appears to be an incomplete list of relevant factors promises to create further uncertainty for companies investing in drug product development. Companies would be well advised to continue monitoring progress on the Prescription Act, as well as drug pricing reforms more generally, as we head into an election year where government action on drug pricing appears to remain a central issue.


DoD Releases Version 0.7 of Its Cybersecurity Maturity Model Certification

On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October.  (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog posts.)

DoD describes the CMMC as “a DoD certification process that measures a DIB sector company’s ability to protect FCI [Federal Contract Information] and CUI [Controlled Unclassified Information].”  DoD has stated publicly that it intends to begin incorporating certification requirements into solicitations starting in Fall 2020, with compliance audits beginning in late 2020 or early 2021.  Depending the sensitivity of the information that contractors will receive in the course of performing work for DoD, they will be expected to demonstrate compliance through third party audits with the requirements set forth under one of five certification levels.  This applies even where contractors will not be handling FCI or CUI in the course of performing their contracts.[1]

The two most significant updates to the model in this version of the draft are (i) the addition of “Practices” for obtaining Level 4 and 5 certifications, and (ii) an expansion of “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1.  These changes and others are discussed in more detail below.  Given the expected release in late January 2020, it is likely that the requirements in this draft will closely resemble those that will be set forth in Version 1.0 of the CMMC framework, which is anticipated to serve as the basis for the first contractor audits.

Continue Reading

Commerce Department Proposes Rule Impacting Information and Communications Technology Supply Chains

On November 27, 2019, the Department of Commerce issued a proposed rule to implement the May 15, 2019 Executive Order entitled “Securing the Information and Communications Technology and Services Supply Chain.”  Once finalized and effective, the regulations will govern the process and procedures that the Secretary of Commerce will use to determine whether certain transactions involving information and communications technology or services (“ICTS”) should be prohibited or otherwise restricted.  As currently drafted, the proposed rule goes further than many other legal authorities, in that it allows the government to prohibit or otherwise restrict a broad range of wholly commercial transactions that the Secretary determines present national security risks.

Details on key aspects of the proposed rule are in a Client Alert that we published on November 27, available here.  The public comment period remains open until December 27.  Given the breadth of the proposed rule and the significant number of open questions, thoughtful comments will be critically important in scoping a final rule. Continue Reading

New FAR Rule Expands Counterfeit Reporting Obligations

Last week, the FAR Council issued a Final Rule, setting forth new FAR provisions that require the reporting of certain counterfeit and suspect counterfeit parts and certain major or critical nonconformances to the Government – Industry Data Exchange Program (“GIDEP”).[1]  This Final Rule comes more than five years after the rule was first proposed in the Federal Register in June 2014.  The FAR Council describes the Final Rule as “significantly de-scoped” from the version proposed in 2014, but it nonetheless constitutes a significant expansion of the existing counterfeit part reporting obligations, which to date have applied only to electronic parts under DOD contracts.

Continue Reading

OFCCP Proposes Rule Removing TRICARE Health Care Providers from Its Regulatory Authority

On November 6, 2019, the Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) issued a Notice of Proposed Rulemaking (“NPRM”) aimed at resolving what OFCCP describes as a “decade of confusion.”[1] At issue is a long-standing question concerning the scope of OFCCP’s enforcement authority over health care providers participating in TRICARE, a federal health care program covering millions of military personnel, veterans, and their families. In particular, the NPRM requests comments on proposed regulations that would amend OFCCP’s definition of “subcontractor” and thereby remove TRICARE providers–and potentially other categories of providers–from OFCCP’s regulatory authority entirely. The deadline for filing comments is December 6, 2019.

Continue Reading