This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by

Continue Reading October 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On October 15, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published software bill of materials (“SBOM”) guidance through the third edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (dated September 3, 2024) (the “Guidance”).  The Guidance provides “a minimum expectation for creating

Continue Reading CISA Releases Guidance on Minimum Expectations for Software Bill of Materials

This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023.  The first blog summarized the AI EO’s key provisions and related OMB guidance, and subsequent blogs described the actions taken by various government agencies to implement the AI EO from November 2023 through September 2024.  This blog describes key actions taken to implement the AI EO during October 2024.  We will discuss developments during October 2024 to implement President Biden’s 2021 Executive Order on Cybersecurity in a separate post.

Continue Reading October 2024 Developments Under President Biden’s AI Executive Order

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

SBA’s “Rule of Two” often requires federal agencies to set aside an acquisition for small businesses whenever there is a reasonable expectation that offers will be obtained from at least two small businesses that are competitive in terms of fair market prices, quality, and delivery.

On Friday, SBA issued a Proposed Rule that would extend the reach of the Rule of Two by applying it to orders issued under many multiple-award contracts.  As such, under SBA’s proposal, agencies would be required to set aside an order under a multiple-award contract when there is a reasonable expectation of obtaining competitive offers from two or more small business contract holders, unless an exception – including an exception for Federal Supply Schedule (FSS) contracts – applies.

SBA believes that this rule, if adopted, would: (1) align multiple-award contract purchases with the Small Business Act’s requirement that a fair proportion of the total purchases and contracts for goods and services be awarded to small businesses; (2) resolve confusion created by contradictory interpretations of the Rule of Two; and (3) increase contracting opportunities for small businesses, particularly small disadvantaged businesses (SDBs).  

More details are below.

Continue Reading It Takes Two: SBA Proposes Applying “Rule of Two” to Multiple-Award Contracts

The Office of Strategic Capital (“OSC”) within the Department of Defense (“DOD”) has launched a Credit Program, under which it will provide debt financing in critical technology areas that drive national and economic security.  As an initial step, OSC is soliciting applications for equipment loans, which may be submitted between

Continue Reading DOD Office of Strategic Capital Begins Its Direct Lending Efforts to Secure U.S. Industrial Base

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through August 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during September 2024.  We discuss developments during September 2024 to implement President Biden’s Executive Order on Artificial Intelligence in a separate post.

Continue Reading September 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

The Small Business Administration (“SBA”) recently issued a proposed rule that would significantly change the rules concerning small business recertification in M&A transactions and other events (the “Proposed Rule”).  SBA has framed the Proposed Rule as a consolidation of what is currently a scattered set of regulations, but the rule goes further than consolidating and clarifying existing law.  It would expand recertification requirements in several key ways, including eliminating exemptions that currently allow contractors to continue to utilize set-aside multiple award vehicles after a so-called “disqualifying recertification” (i.e., a recertification as other than small or other than disadvantaged).

SBA invited public comment on the Proposed Rule.  The deadline for submitting comments passed last week.  We have spent some time reviewing the comments submitted thus far, which provide insight into the issues that affect both small business contractors and the industry writ large.  As discussed below, many of the comments describe the potential chilling effects of the Proposed Rule, which could deprive contractors of key income streams just as they graduate from small business status and discourage investors and other contractors from acquiring small businesses that hold multiple award contracts. 

The sections below describe the Proposed Rule in greater detail and provide an overview of the comments to the Proposed Rule.

Continue Reading Public Comments to Proposed Rule Underscore the Need for Additional Clarity on SBA Recertification Requirements

In the wake of the U.S. Supreme Court’s decision in Students for Fair Admissions, Inc. v. President & Fellows of Harvard College, there has been an increase in legal challenges to race and gender-based programs and initiatives in multiple contexts, including within government contracting.  While the holding of Students for Fair Admissions did not address public contracting or disturb existing case law that considers the validity of similar government contracts programs, the decision has informed and reshaped the landscape for strict scrutiny challenges to these programs, and there has been a significant uptick in challenges to diversity-focused government procurement regulations.

Last month, in Mid-America Milling Company, LLC, et al., v. U.S. Department of Transportation, the U.S. District Court for the Eastern District of Kentucky temporarily enjoined the Department of Transportation (“DOT”) from mandating the use of race- and gender-based presumptions for DOT contracts impacted by Disadvantaged Business Enterprise (“DBE”) goals.  The court found, among other things, that while DOT’s DBE program intends to combat historical discrimination and its lingering effects on the ability of disadvantaged businesses to equally compete for government contracts, the plaintiff was likely to prevail on the merits of its argument that the program’s “race and gender classifications” violate the Equal Protection clause.

Although the preliminary injunction currently remains geographically constrained to Kentucky and Indiana, the case is an important development for government contractors that are impacted by DBE-related contracts.  We summarize the key takeaways from the court’s holding, as well as its implications for government contractors, below.

Continue Reading Federal Court Enjoins DOT Disadvantaged Business Enterprise Program On Equal Protection Grounds

On October 11, 2024, the U.S. Department of Defense (“DoD”) released an unpublished version of the Cybersecurity Maturity Model Certification (“CMMC”) Program Rule.  The final rule will be published in the Federal Register on October 15, 2024 and will become effective sixty days after publication.  This rule formally establishes the CMMC Program for DoD and is one of two complementary sets of regulations that govern operation of the Program.

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Final Rule Announced