This is the eighth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, and seventh blogs described the actions taken by various government agencies to implement the EO from June through November 2021. This blog summarizes the key actions taken to implement the Cyber EO during December 2021. Although the actions described below implement different sections of the Cyber EO, each of them portends further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to federal government agencies.
On December 30, 2021, the FAR Council issued a final rule to update the trade agreements thresholds implemented under the Trade Agreements Act (“TAA”). The new thresholds take effect January 1, 2022.
The TAA thresholds are adjusted every two years and set the value a contract must meet or exceed in order for the World Trade Organization Government Procurement Agreement (“WTO GPA”) and free trade agreements (“FTAs”) to apply. For supply, service, and construction contracts that meet or exceed the stated thresholds, Buy American Act (“BAA”) requirements are waived in accordance with the TAA, and the Government is required to treat eligible products and services from designated countries on an equal basis as domestic products and services.
The updated thresholds, to be listed in FAR 25.402(b), are provided below.
If a contractor is working on a fixed-price contract, can it charge the government for attorney’s fees to defend a False Claim Act (“FCA”) case related to the contract?
In The Tolliver Group, Inc. v. United States (Fed. Cl. Jan. 22, 2020), the Court of Federal Claims (“COFC”) said the answer was “yes,” if the government was liable for an equitable adjustment under the circumstances. The decision was welcomed by contractors facing meritless FCA suits, which are often costly to defend even when the relator plainly does not have a case.
But the Federal Circuit has thrown cold water on Tolliver — at least for now. In a decision last week, the court of appeals vacated Tolliver on jurisdictional grounds, concluding that the legal theory of the COFC’s decision was never presented to the contracting officer for a final decision under the Contract Disputes Act of 1978 (“CDA”), and that the COFC therefore lacked jurisdiction over the contractor’s claim. The Tolliver Group, Inc. v. United States (Fed. Cir. Dec. 13, 2021).
The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing Tool User Guide.
DoD has stated that CMMC 2.0 will not be a contractual requirement until the Department completes the rulemaking needed to implement the program. Although DoD estimates that rulemaking process at 9 to 24 months, these documents are highly relevant to any contractor selling to DoD. Once CMMC 2.0 is implemented, it will be mandatory wherever sensitive DoD information is provided to a contractor or generated, processed, stored, or transmitted in support of performance of a DoD contract. Moreover, contractors who can implement CMMC practices more quickly will likely have a competitive advantage over contractors who wait to address CMMC until right before the clauses appear in individual procurements. Key aspects of each of these documents are discussed below.
CMMC 2.0 Overview Document
As we discussed in more detail in prior posts, CMMC 2.0 is markedly different than CMMC 1.0 in certain ways. Principal differences include the fact that CMMC 2.0 has only three maturity levels — Foundational (Level 1), Advanced (Level 2), and Expert (Level 3) — relative to CMMC 1.0, which had five levels. Under CMMC 2.0, a Level 1 self-assessment is required where Federal Contract Information (FCI) is involved, a Level 2 self-assessment/attestation or third-party certification is required where Controlled Unclassified Information (CUI) is involved, and a Level 3 certification is required where DoD determines that a contractor must implement additional practices to reduce the risk associated with Advanced Persistent Threats.
The newly released overview document outlines the general requirements that contractors must implement to achieve each CMMC level. As set forth in the document, Level 1 of CMMC 2.0 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21 and Level 2 is equivalent to all of the security requirements in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (Rev. 2). The overview document indicates that Level 3 certification requirements will be a subset of the requirements in NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”, but it does not specify which requirements will apply, and only notes that details for Level 3 certifications will be released at a later date. In each case, the levels build on one another, i.e., a contractor must implement all of the practices at Levels 1 and 2 plus additional Level 3 requirements in order to achieve a Level 3 certification.
As Level 2 tracks the requirements set forth under NIST SP 800-171 Rev. 2, the document references the “[d]evelop[ment] and implement[ation of] plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems,” but provides no further specifics. Nonetheless, DoD has indicated elsewhere, including in a recent Federal Register Notice (previously rescinded but now republished with certain changes), that a Plan of Action and Milestones (POA&M) may be used in certain contexts.
CMMC Self-Assessment Scopes for Levels 1 and 2
The CMMC Self-Assessment Scope for Level 1 and Level 2 is used to define those assets within the contractor’s environment that will be in scope of the assessment and self-attestation/third-party certification. Specifically, this document relates to the description of the environment that will store, process, or transmit FCI (Level 1) or CUI (Level 2), which are considered to be “in-scope assets.”
Each of these documents makes clear that there are no documentation requirements for out-of-scope assets and that such assets should not be part of the assessment. Notably, each document addresses “Specialized Assets,” which include Government Property, Internet of Things or Industrial Internet of Things, Operational Technology, Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the assessment scope under Level 1 and are therefore not assessed against CMMC practices. Specialized Assets are part of the CMMC assessment scope under Level 2, however, and contractors are required to document these assets in the System Security Plan (SSP) and detail how they are managed using the contractor’s risk-based information security policy, procedures, and practices.
CMMC Assessment Guides for Levels 1 and 2
The Level 1 Assessment Guide and Level 2 Assessment Guide are intended to provide certified assessors, contractors, and IT and cybersecurity professionals with guidance to help prepare for a CMMC assessment (including self-assessments). The two guides are similarly organized, and each provides: (1) an overview of the CMMC assessment and certification process, (2) information about assessment criteria and methodology, (3) clarification of the intent and scope of various terms of the CMMC, and (4) assessment requirements and specifics for each CMMC practice. Specific information in the guides includes the type of documentation to be assessed, documentation of assessment findings, and examples of implemented technical practices, among other things. The Level 2 Assessment Guide also indicates that it leverages information included in NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” that NIST published in 2018.
CMMC Artifact Hashing Tool User Guide
This hashing guide serves the very specific purpose of providing an overview of the CMMC Artifact Hashing Tool, which is used to create a unique digital fingerprint (i.e., a SHA-256 hash) for each document, file, or other artifact used as proof of compliance with CMMC. The document explains that assessors do not take copies of evidentiary artifacts with them after an assessment because those artifacts are proprietary to the contractor. Instead, the assessor generates a unique fingerprint of each file using the tool and follows the instructions set forth in the guide, so that the assessor can document the exact artifacts reviewed and the contractor can produce those same artifacts in the future, if needed.
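The fingerprint-then-reproduce workflow described above, as an added example written for this post (it is not the CMMC Artifact Hashing Tool itself, whose manifest format is not given here): a manifest of SHA-256 hashes is recorded at assessment time, and a later verification pass reports any artifact that has been modified or can no longer be produced. The sample artifacts are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read large artifacts in 1 MiB pieces


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed to bound memory use."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each artifact's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Re-hash every artifact named in the manifest and classify the result."""
    root = Path(root)
    report = {"matched": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)       # contractor cannot produce it
        elif sha256_file(p) != expected:
            report["modified"].append(rel)      # content changed since assessment
        else:
            report["matched"].append(rel)       # exact artifact reproduced
    return report


def demo():
    """Constructed scenario: record a manifest, then alter one artifact and delete another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ssp.txt").write_text("System Security Plan v1\n")
        (root / "policy").mkdir()
        (root / "policy" / "access-control.txt").write_text("AC policy\n")
        manifest = build_manifest(root)          # what the assessor records
        (root / "ssp.txt").write_text("System Security Plan v2\n")
        (root / "policy" / "access-control.txt").unlink()
        return manifest, verify_manifest(root, manifest)
```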
On December 8, 2021, President Biden signed Executive Order 14057 (“Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability”), the Administration’s latest – and most significant – effort to promote cleaner and more sustainable federal procurement. At the heart of the new Order is the Administration’s goal to meet a net-zero emissions target across the federal government by 2050. To do so, the Administration promises to “transform federal procurement and operations” and to leverage the government’s portfolio of “300,000 buildings, fleet of 600,000 cars and trucks, and annual purchasing power of $650 billion [in] goods and services” to facilitate increased adoption of green technology. The new Executive Order will require further agency action to pursue and execute on these objectives, but once implemented, it appears poised to usher in a new – and greener – era of federal contracting.
In order to achieve net-zero emissions by 2050, the Executive Order and an accompanying “Federal Sustainability Plan” set four primary goals:
- Power: 100 percent carbon pollution-free electricity on a net annual basis by 2030;
- Vehicles: 100 percent zero-emission vehicle acquisitions by 2035, including 100 percent zero-emission light-duty vehicle acquisitions by 2027;
- Buildings: A net-zero emissions building portfolio by 2045, including a 50 percent emissions reduction by 2032; and
- Materials: Net-zero emissions from federal procurement no later than 2050, including a Buy Clean policy to promote use of construction materials with lower embodied emissions.
This blog post consists of three parts: (1) a summary of each of the four major goals referenced above; (2) a description of the Executive Order’s procedures for implementation, together with the exceptions to its coverage; and (3) concluding thoughts about key takeaways of this Executive Order for the contracting community and potential new entrants into the federal marketplace.
Addressing climate change has been a priority for President Biden since his first day in office. On December 8, 2021, President Biden continued that focus by issuing Executive Order (EO) 14057, Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability, which includes a number of requirements directed at introducing sustainability to federal acquisitions.
This most recent EO announces an administration policy to achieve net-zero emissions from federal procurement by 2050 and comes on the heels of the extension of the public comment period to January 13, 2022 in response to EO 14030, Climate-Related Financial Risk. Although the administration will likely be rolling out additional sustainability requirements in the coming months, contractors currently have an opportunity to help shape an initial requirement that may end up effectively establishing an environmental, social, and governance (“ESG”) reporting requirement.
On December 2, 2021, the Department of Labor’s Office of Federal Contractor Compliance Programs (“OFCCP”) announced the creation of a new Contractor Portal. Starting next year, federal prime contractors and subcontractors will be required to register on the portal and submit a formal certification, on an annual basis, as to whether they have developed and maintained an Affirmative Action Program (“AAP”) in accordance with OFCCP requirements. If selected by OFCCP for a compliance review, contractors will use the same portal to upload their AAPs in addition to any other requested information. The Contractor Portal is expected to open for registrations on February 1, 2022, with the certification features available March 31, 2022. By June 30, 2022, all existing contractors and subcontractors must certify compliance with the AAP requirements.
This is the seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, and sixth blogs described the actions taken by various government agencies to implement the EO during June, July, August, September, and October 2021, respectively. This blog summarizes the key actions taken to implement the Cyber EO during November 2021.
Although most of the developments in November were directed at U.S. Government agencies, the standards being developed for such agencies could be imposed upon their contractors or otherwise be adopted as industry standards for all organizations that develop or acquire software.
Several federal courts have issued preliminary injunctions blocking the Biden Administration from enforcing its federal contractor COVID-19 vaccine mandate. As discussed in our previous posts, President Biden issued Executive Order 14042 mandating that employees of federal contractors and subcontractors be vaccinated against COVID-19 and take various other workplace safety measures. Executive Order 14042 relies on the president’s authority under the U.S. Constitution and the Federal Property and Administrative Services Act (“FPASA”) to effectuate this policy. Prior to issuance of the injunctions, contractors were required to have covered employees fully vaccinated by January 18, 2022.
Last Tuesday, GAO released its Fiscal Year 2021 protest statistics, which as always contains a wealth of interesting information about GAO’s protest system.
- Protest filings dropped by 12% from FY20. After remaining fairly steady in FY19 and FY20, filings dropped in FY21, with the lowest number of cases filed since FY08. It seems likely, however, that at least part of the drop is attributable to the pandemic, which may have slowed the pace of federal procurement in the spring and summer of 2020, leading to a smaller than usual wave of protests in the first quarter of FY21.
- The sustain rate remained steady at 15%. The sustain rate considers only the subset of cases that go all the way to a decision on the merits, and measures the percentage of those decisions that sustained the protest. In FY21, GAO issued 581 merits decisions, and 85 of those were sustains, resulting in a sustain rate of 15% — solidly within GAO’s historical range of sustain rates. The four most prevalent reasons for sustaining protests were (1) unreasonable technical evaluation; (2) flawed discussions; (3) unreasonable cost or price evaluation; and (4) unequal treatment.
But the more indicative statistic for favorable outcomes in a bid protest is the effectiveness rate, and . . .
- The effectiveness rate remained high at 48%. That figure is the second-highest effectiveness rate ever recorded by GAO (the all-time high of 51% occurred last year). The effectiveness rate measures the percentage of all protests filed in which the protestor obtains “some form of relief from the agency . . . either as a result of voluntary agency corrective action or [GAO] sustaining the protest.” So in nearly half of all protests in FY21, the protestors obtained some relief, confirming that protests can be worthwhile for disappointed offerors who have legitimate concerns about a procurement.
- The number of hearings remained steady at 1%. Hearings remain rare, especially as compared to a decade ago when 8-10% of fully-developed cases received a hearing.
GAO’s annual bid protest report is always an exciting event, and this year’s edition shows that GAO’s process has continued to run smoothly throughout an unprecedented time.