Contractors often assume that government auditors have special authority to interpret the Cost Accounting Standards.  That assumption is easy to understand — auditors frequently take the position that there is just one “right” way for a company to do its contract cost accounting, based on how other companies do things.  But contractors should know that CAS is flexible and generally gives them options about how to comply, based on the circumstances of their business.  In short, a contractor’s business judgment matters, and contractors can use it to push back on auditors who take an overly rigid view of CAS.

Continue reading: So the Auditor Says You Violated CAS?  Remember, Your Business Judgment Matters When Determining Compliance

The United States National Cybersecurity Strategy, released on March 2, 2023, is poised to place significant responsibility for cybersecurity on federal contractors, technology companies, and critical infrastructure owners and operators.  The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of these types of entities.  For example, the Strategy proposes that legislation be developed to establish liability for software vendors that fail to take reasonable precautions to secure their software.  The Strategy also outlines the need to use minimum cybersecurity requirements, as opposed to voluntary measures, in critical sectors to enhance national security and public safety.  A new post on Covington’s Inside Privacy blog discusses the main pillars and objectives of the new National Cybersecurity Strategy. 

In August 2020, the Office of Management and Budget (“OMB”) amended its Guidance for Grants and Agreements set forth under 2 CFR (commonly referred to as the “Uniform Guidance”).  The Covington team wrote about that amendment, and in particular, the implementation of Section 889 requirements, here.  Now, almost three years later, OMB is requesting feedback in anticipation of further amending the Uniform Guidance. 

Continue reading: Opportunity to Comment on OMB Efforts to Amend Compliance Requirements for Grant Agreements

This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022.  This blog describes key actions taken to implement the Cyber EO during January 2023.

Continue reading: January 2023 Developments Under President Biden’s Cybersecurity Executive Order

On February 7, 2023, the House Committee on Armed Services (the “Committee”) held a hearing entitled “The Pressing Threat of the Chinese Communist Party to U.S. National Defense.”  This hearing was the Committee’s first in the 118th Congress, and it focused on U.S. strategic competition with the Chinese Communist Party (“CCP”) of the People’s Republic of China (“PRC”).  This overview is the first in a series of legislative updates we will provide on congressional oversight activities related to China throughout the Congress, including specific activities focused on trade controls, supply chain dependencies, and PRC-sourced telecommunications infrastructure in U.S. networks.

Continue reading: Key Takeaways from the House Armed Services Committee Hearing on the Chinese Communist Party Threat to U.S. National Defense

This is the twentieth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through November 2022.  This blog describes key actions taken to implement the Cyber EO during December 2022.

Continue reading: December 2022 Developments Under President Biden’s Cybersecurity Executive Order

GAO recently released new procedures for filing and handling bid protests involving classified material.  The procedures emphasize that classified material cannot be filed on GAO’s Electronic Protest Docketing System (EPDS) under any circumstances.  Instead:

Continue reading: GAO Releases New Procedures for Classified Bid Protests

On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework” and requesting public feedback and comments on the proposed revisions by March 3, 2023.  Originally released in 2014 and previously updated in 2018, the NIST CSF is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.”  Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.  As the name suggests, the Concept Paper outlines potential significant updates to the Framework, and NIST previews that some of the proposed changes are “larger structural changes that may impact compatibility” with the current version of the Framework.  For example, NIST proposes expanding the Framework’s five functions (Identify, Protect, Detect, Respond, and Recover) to add a new function on cybersecurity governance (“Govern”). 

A new post on Covington’s Inside Privacy blog discusses the potential significant updates to the NIST Cybersecurity Framework.

The Department of Defense is seeking early input on implementation of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) in the Federal Acquisition Regulation and Defense Federal Acquisition Regulation.  Although this early engagement process will not replace the formal rulemaking process, it presents a significant opportunity for government contractors, technology providers, industry associations, and other interested parties to provide their perspectives on acquisition-related provisions of this year’s NDAA.  Providing early input can ensure that industry’s perspective is heard.  Indeed, providing input at this stage may impact the future rulemaking process by guiding areas of focus and influencing ways the rule makers ask for input during the rulemaking process.

Continue reading: DoD Seeks Early Input Regarding FY2023 NDAA Implementation in Acquisition Regulations

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) into law.  As described in Covington’s Client Alert, FY23 NDAA: Provisions of Interest for Almost All Government Contractors, the FY23 NDAA contains provisions of interest for almost all U.S. Government contractors.  One provision likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government is the FedRAMP Authorization Act (the “Act”), which codifies the Federal Risk and Authorization Management Program (“FedRAMP”).

Of note, the Act creates a “presumption of adequacy” under which cloud providers with an authorization from one agency can use that authorization with other agencies.  This is an expansion compared to the current process, which allows authorizations by the FedRAMP Joint Authorization Board, but not authorizations from individual agencies, to serve as the basis for an agency’s own authorization process.  The Act also creates the Federal Secure Cloud Advisory Committee, composed of 15 members from the public and private sectors, to provide recommendations regarding FedRAMP and the acquisition of cloud services more generally.

Continue reading: FY2023 NDAA Makes Notable Changes to FedRAMP Program