Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0.  Mr. KcKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous” especially on small and medium sized contractors.  He described CMMC 2.0 — and its use of three levels rather than five levels in CMMC 1.0 — as being based on more of a risk based approach than the original CMMC because it is primarily focused on the type of data being protected.


Continue Reading CMMC Accreditation Body Hosts Town Hall Regarding CMMC 2.0

UPDATE: DoD withdraws the unpublished Advanced Notice of Proposed Rulemaking

On November 5, 2021, an Editorial Note was added to the Federal Register stating “An agency letter requesting withdrawal of this document was received after placement on public inspection. The document will remain on public inspection through close of business November 4, 2021. A copy of the agency’s withdrawal letter is available for inspection at the Office of the Federal Register.”   The reason for the Department of Defense withdrawal of the unpublished Advanced Notice of Proposed Rulemaking was not provided.
Continue Reading DoD Outlines Significant Changes to CMMC with Version 2.0

This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software similar to various industries adopting the NIST Cybersecurity Framework as a security controls baseline.


Continue Reading October 2021 Developments Under President Biden’s Cybersecurity Executive Order

In a December 2020 speech, Deputy Assistant Attorney General Michael Granston warned that cybersecurity fraud could see enhanced enforcement under the False Claims Act (“FCA”).  On October 6, 2021, Deputy Attorney General Lisa Monaco announced that the Department of Justice (“DOJ”) would be following through on that warning with the launch of the DOJ’s Civil Cyber-Fraud Initiative.  The key component of the initiative is the use of the FCA against Government contractors and subcontractors that fail to comply with cybersecurity requirements, including information security standards and cyber incident reporting obligations, imposed by contract, statute, or regulation.

Under the FCA, the Government can recover treble damages and penalties from federal contractors and subcontractors that knowingly submit false claims for payment.  Notably, the FCA incentivizes private citizens (relators), including contractor employees, to file qui tam suits on behalf of the Government by guaranteeing them between 15 and 30 percent of the recovery.  DOJ stated that it intended to work with federal agencies, subject matter experts, and law enforcement partners on the Civil Cyber-Fraud Initiative.  Recently, Assistant Attorney General Brian Boynton confirmed that this initiative was also intended to incentivize relators and the aggressive relators’ bar to focus their attention on potential cybersecurity noncompliance as the basis for qui tam actions.


Continue Reading DOJ Announces New Civil Cyber-Fraud Initiative

This is the fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity”, issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, and fourth blogs described the actions taken by various federal government agencies to implement the EO during June, July, and August 2021, respectively.  This blog summarizes  key actions taken to implement the Cyber EO during September 2021.

I.   Actions Taken During September 2021 to Modernize Federal Government Cybersecurity

The Office of Management and Budget (OMB) publically released a draft zero trust architecture strategy for federal agencies on September 9, 2021.  On that same day, the Cybersecurity and Infrastructure Agency (CISA) issued two draft documents designed to further OMB’s zero trust strategy: the Zero Trust Maturity Model and the Cloud Security Technical Reference Architecture.  Each of these documents was required by Section 3 of the Cyber EO to modernize and standardize federal government agency approaches to cybersecurity.


Continue Reading September 2021 Developments Under President Biden’s Cybersecurity Executive Order

Many of our clients have been calling to ask whether failure to comply with the Administration’s Executive Order imposing vaccine mandates on federal contractors could lead to False Claims Act liability, and what steps they can take to minimize the risk of liability.  Much remains unknown, especially what specific obligations will be included in the FAR clause to be released on October 8.  However, we have highlighted a few key considerations that should be front of mind for all contractors and subcontractors.

Continue Reading COVID-19 Vaccine Mandate for Federal Contractors Could Pose False Claims Act Risk

This blog continues Covington’s review of important deadlines and milestones in implementing the Executive Order on Improving the Nations’ Cybersecurity (E.O. 14028, or the “Cyber EO”) issued by President Biden on May 12, 2021.  Previous blogs have discussed developments under the Cyber EO in June 2021 and July 2021.  This blog focuses on developments affecting the EO that occurred during August 2021.

The Cyber EO requires federal agencies to meet several important deadlines in August 2021.  These deadlines are in the areas of enhancing critical software supply chain security, improving the federal government’s investigative and remediation capabilities, and modernizing federal agency approaches to cybersecurity.  In addition, the National Institute of Standards and Technology (“NIST”) took several significant actions related to supply chain security in August 2021, not all of which were driven by deadlines in the Cyber EO.  This blog examines the actions taken by federal agencies to meet the EO’s August deadlines as well as the NIST actions referred to above.


Continue Reading August 2021 Developments Under President Biden’s Cybersecurity Executive Order

On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity (the “EO”).  The EO sets out a list of deliverables due from a number of governmental entities in June 2021 and successive months.  Our overall summary of the EO and its deliverables can be found here, and our discussion of the EO deliverables that were due in June 2021 can be found here.  This blog addresses the EO deliverables in July 2021.
Continue Reading July 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

On May 12, 2021 the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (EO).  Among other things, the EO sets out a list of deliverables from a variety of government entities.  A number of these deliverables were due in June, including a definition of “critical software,” the minimum requirements for a software bill of materials, and certain internal actions imposed on various federal agencies.
Continue Reading June 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

On June 11, 2021, the White House released new guidance on its plans to limit waivers of domestic sourcing laws, bolstering its January 2021 Executive Order on “Ensuring the Future is Made in All of America by All of America’s Workers.”  The guidance, entitled “Increasing Opportunities for Domestic Sourcing and Reducing the Need for Waivers from Made in America Laws,” provides insight on how the Biden Administration intends to enforce domestic sourcing laws such as the Buy American Act (“BAA”) over the coming years.

We have previously written about the January 2021 Executive Order here.  Among other things the Executive Order established a federal Made in America Office (“MIAO”) to review agency decisions to waive laws such as the BAA from procurements, grants, and other government contracting activities.  It also directed the Office of Management and Budget to establish reporting and oversight procedures to promote enforcement of the Made in America Laws.  The guidance fulfills that requirement.

Among other things, the guidance:

  • Requires each agency to designate a Senior Accountable Official, an official responsible for coordinating with the Made in America Director to implement the waiver review process,
  • Establishes the procedures for review of waiver requests by the Made in America Office (“MIAO”),
  • Implements the Executive Order’s requirement that acquiring activities prepare agency reports on compliance with Made in America Laws, and
  • Explains the process to develop the public database of all proposed waivers by early fiscal year 2022.

Importantly, the guidance creates an “initial phase” of implementation for the Executive Order, indicating that future phases will follow.  In this “initial phase,” the Biden Administration will focus on (1) Jones Act waivers and (2) non-availability procurement waivers pursuant to the BAA proposed by the 24 agencies subject to the Chief Financial Officers (“CFO”) Act.  During the first quarter of fiscal year 2022, the MIAO will phase in reviews of waivers proposed by non-CFO Act agencies and other types of waiver requests.

In a blog post announcing the guidance, the new Director of the Made in America Office, Celeste Drake, stated that the guidance is intended “to improve practices and processes to ensure that Made in America laws are not a mere compliance exercise,” as well as “reinforc[e] the actions announced in the 100-Day Supply Chain Review.”


Continue Reading White House Issues Guidance on Limiting Waivers of Domestic Sourcing Laws – What Contractors Need to Know