In Amec Foster Wheeler Environment & Infrastructure, Inc. v. Department of the Interior, CBCA 5168 et al. (Feb. 27, 2019), the Civilian Board of Contract Appeals (“CBCA” or “Board”) recently reiterated that a contractor need not assert every conceivable legal theory of relief as soon as it encounters an unforeseen condition on a construction project. Rather, a contractor may later be able to timely assert additional claims under distinct theories based on operative facts learned during discovery. Apropos of the recently celebrated St. Patrick’s Day, this case indicates that discovery may be the rainbow that leads a contractor to a bigger pot of gold, i.e., operative facts that permit assertion of more valuable claims based on alternative legal theories.
On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.
- NIST is directed to complete, by September 30, 2019, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities for IoT devices. Under the bill, those NIST efforts are to address at least: (i) secure development, (ii) identity management, (iii) patching, and (iv) configuration management for IoT devices.
- NIST is directed to develop, by March 31, 2020, recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the Federal Government.” These recommendations are expected to include “minimum information security requirements” that address the cybersecurity risks of IoT devices owned or controlled by the federal government. Once these recommendations are issued, OMB will have 180 days to issue guidance to each agency, consistent with NIST’s recommendations.
Additionally, the bill would require NIST to do the following within 180 days of its enactment:
- Publish a draft report addressing considerations for managing cybersecurity risks associated with the “increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks, and systems and Operational Technology devices, networks and systems.”
- Consult with cybersecurity researchers and private-industry experts to publish guidance relating to the reporting and resolution of security vulnerabilities discovered in federal government IoT devices.
- OMB will then have 180 days to issue guidelines for each government agency, based on NIST’s recommendations. Those guidelines are required to be consistent with the information security requirements that are imposed on federal information systems in Title 44. OMB’s guidelines are also required to prohibit acquisition or use of IoT devices from a contractor or vendor that fails to comply with NIST’s security vulnerability guidance.
- Once OMB issues its guidance to agencies, these requirements will need to be included in a revision to the Federal Acquisition Regulation (FAR), which governs all federal procurement of goods and services using appropriated funds. No specific date for when these regulations should be promulgated is included in the current draft of the bill.
Notably, the Act also recognizes the debate about what constitutes an “IoT device.” It would apply to a “covered device,” which is defined as a “physical object” that: (1) is capable of connecting to and is in regular connection with the internet, (2) has computer processing capabilities that can collect, send, or receive data; and (3) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems. At the same time, it directs OMB to establish a process for interested parties to petition for a decision that a device is not covered by this definition, potentially providing clarity for makers of devices about whether they are covered by the measure.
This bill follows two failed bills from the last congressional term: the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018. The 2017 and 2018 Acts both focused on “provid[ing] minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.” The prior bills contained only limited guidance to NIST and instead focused on OMB. For example, the 2017 bill required OMB to provide guidelines on specific, enumerated contractual terms in vendor contracts for IoT devices. The 2018 bill directed OMB to consider “voluntary consensus standards” in its promulgation of guidelines on contractual terms.
The current bill also follows increasing efforts by NIST to focus on IoT cybersecurity. Its efforts include development of a “baseline” set of cybersecurity capabilities for IoT devices. NIST announced earlier this month that it is seeking feedback on its proposal, especially insights into identifying those cybersecurity capabilities that could be achieved across the widest set of IoT devices.
On February 25, 2019, the Office of Inspector General (“OIG”) for the Department of Defense (“DoD”) issued an audit report analyzing the prices of spare aviation parts purchased by the Defense Logistics Agency (“DLA”) and the Army from TransDigm Group, Inc. (“TransDigm”). The audit was conducted in response to letters from certain Members of Congress, who had inquired whether the spare parts were sold at fair and reasonable prices and in compliance with the Truthful Cost or Pricing Data Act (“Act”). The OIG’s audit confirmed that both TransDigm and the responsible DoD contracting officers fully complied with the Act and related regulations governing the price negotiations, but the OIG nonetheless concluded that the contractor earned excess profit on the majority of parts sold. In a highly unusual move, the OIG recommended that DoD request a “voluntary refund” from TransDigm of its allegedly “excessive” profits, and the OIG also recommended a number of changes to statutory, regulatory, and administrative policies governing the provision of cost or pricing data.
The Section 809 Panel recently concluded its monumental analysis of defense acquisition law and regulations and released its third volume of recommended changes. As we have written previously, the Panel’s work stands out from previous acquisition reform efforts with the appendices of detailed legislative and regulatory changes that accompany the commissioners’ analysis and recommendations.
Given the scope of the Panel’s work, few believe that Congress or the Department of Defense (“DoD”) will — or even could — simply adopt the recommendations in full. Legislative bandwidth for additional acquisition reform is finite, and some of the Panel’s recommendations will prompt robust debate. In this post, we analyze some of the recommendations that government contractors should follow most closely. We highlight key issues and address the political dynamics involved in enacting them.
On February 12, 2019, the Department of Defense released a summary and supplementary fact sheet of its artificial intelligence strategy (“AI Strategy”). The AI Strategy has been a couple of years in the making as the Trump administration has scrutinized the relative investments and advancements in artificial intelligence by the United States, its allies and partners, and potential strategic competitors such as China and Russia. The animating concern was articulated in the Trump administration’s National Defense Strategy (“NDS”): strategic competitors such as China and Russia have made investments in technological modernization, including artificial intelligence, and in conventional military capability that are eroding the U.S. military advantage and changing how we think about conventional deterrence. As the NDS states, “[t]he reemergence of long-term strategic competition, rapid dispersion of technologies” such as “advanced computing, ‘big data’ analytics, artificial intelligence” and others will be necessary to “ensure we will be able to fight and win the wars of the future.”
Last week, President Trump issued a new executive order, entitled “Strengthening Buy-American Preferences for Infrastructure Projects.” This order serves as an extension of the President’s earlier April 2017 “Buy American and Hire American” executive order, which we have previously analyzed in this space. The April 2017 order stated that “it shall be the policy of the executive branch to buy American and hire American,” and, among other things, directed agencies to “scrupulously monitor, enforce, and comply with” domestic preference laws (referred to by the executive order as “Buy American Laws”) and to minimize use of waivers that would permit the purchase of foreign end products.
The President’s new order continues to emphasize the importance of “the use of goods, products, and materials produced in the United States,” but is specifically directed towards infrastructure projects that are recipients of federal financial assistance awards. As we have reported previously, federally-financed infrastructure has also been a stated area of focus for the Trump administration, although the Administration’s “Legislative Outline for Rebuilding Infrastructure in America” released last year curiously lacked any domestic preference requirements.
The new executive order makes up for this previous omission and then some: it has the potential to affect a vast number of programs and projects, and may in fact impose domestic sourcing requirements in areas—such as internet infrastructure—that are not typically targets for domestic preferences.
The motivating force behind the False Claims Act, 31 U.S.C. §§ 3729-3733 (“FCA”) is its provision for qui tam enforcement, which authorizes private parties (aka relators) to initiate FCA cases on behalf of the United States. Id. § 3730(b)(1). Immediately after the re-invigoration of the FCA in 1986, scholars and litigants questioned the constitutional validity of statutory authorization for relators to sue on behalf of the U.S. government. After 15 years of litigation, this debate withered, but it has recently been re-invigorated.
This post summarizes four principal challenges to the constitutionality of qui tam enforcement, and then discusses two recent events in which these challenges have reappeared: the confirmation hearings for Attorney General nominee William Barr and a cert petition that asks the Supreme Court to rule on qui tam constitutionality.
Organizational conflicts of interest (OCIs) are perpetually thorny issues in federal procurement that contracting officers are required to identify and evaluate “as early in the acquisition process as possible.” Although the Government Accountability Office (GAO) has identified several OCI categories, two recent decisions highlight so-called impaired objectivity OCIs, which arise when a contractor’s ability to provide objective advice or recommendations to the government will be undermined by competing interests. The two decisions serve as an important reminder of what does — and does not — qualify as meaningful consideration by the contracting officer in such situations, and how prospective contractors can assist in identifying and mitigating such OCIs.
Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive covered defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts. Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements. This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI, and enhanced security controls for certain high-risk contractor networks. And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community, such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems. Other requiring activities are reportedly imposing similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.
As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171. Since then, DoD has issued two additional guidance memoranda: one that includes contractual language for implementing the November 6th guidance, and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.
The U.S. Government shutdown is now the longest in U.S. history and is starting to have serious implications for Government contractors. One of many key concerns arises when contractors approach their contract funding ceiling — can they continue to work, and what happens if there is a cost overrun?
The answers are often complicated for both contractors and agency officials, and depend on the terms of the contract and the statutory basis for the program. Contractors facing this situation should keep seven points in mind.