This blog continues Covington’s review of important deadlines and milestones in implementing the Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028, or the “Cyber EO”) issued by President Biden on May 12, 2021.  Previous blogs have discussed developments under the Cyber EO in June 2021 and July 2021.  This blog focuses on developments affecting the EO that occurred during August 2021.

The Cyber EO requires federal agencies to meet several important deadlines in August 2021.  These deadlines are in the areas of enhancing critical software supply chain security, improving the federal government’s investigative and remediation capabilities, and modernizing federal agency approaches to cybersecurity.  In addition, the National Institute of Standards and Technology (“NIST”) took several significant actions related to supply chain security in August 2021, not all of which were driven by deadlines in the Cyber EO.  This blog examines the actions taken by federal agencies to meet the EO’s August deadlines as well as the NIST actions referred to above.



The FAR explains that the Government must accept or reject work as “promptly as practicable after delivery.”  FAR 52.246-2(j).  But what if the contractor knows its work is not compliant, but has asked the agency for a deviation from the contract’s terms?  A recent decision from the ASBCA provides guidance on this tough but not uncommon issue.


Government contractors should take note of the Fifth Circuit’s June 30, 2021 decision in Taylor Energy Co. v. Luttrell, which reaffirmed that contractors can enjoy a broad immunity from third-party liabilities—known as “derivative sovereign immunity,” or “Yearsley immunity.” Yearsley immunity emanates from Yearsley v. W.A. Ross Const. Co., an 80-year-old Supreme Court decision, which established that a contractor is immune when (i) it performed acts pursuant to a valid authorization of Congress and (ii) the contractor did not exceed the scope of that authority.

In Taylor Energy, the court dismissed claims arising out of an oil spill containment project in the Gulf of Mexico. The basic claim in the suit was that the contractor failed to effectively remediate and contain the oil. The Fifth Circuit found that the government: (i) provided direction to the contractor through the statement of work, in the form of “goals” and specific contract deliverables and deadlines; and (ii) periodically met with the contractor and reviewed and approved the work during performance. Based on these core facts, the court held the contractor was immune. The court held that it was irrelevant that the statement of work was “barebones,” and that the contractor—rather than the government—designed certain elements of the remediation effort. Following the Fourth Circuit’s 2018 decision in Cunningham v. GDIT, the Taylor Energy decision is another appellate court victory for contractors in the wake of the Supreme Court reaffirming Yearsley’s core principles in Campbell-Ewald Co. v. Gomez.



On April 27, 2021, President Biden signed an Executive Order entitled “Increasing the Minimum Wage for Federal Contractors” that will raise the hourly minimum wage for federal contractors to $15.00 effective January 30, 2022.  This Executive Order builds on Executive Order 13658 (“Establishing a Minimum Wage for Contractors”), issued by President Obama in 2014, which first implemented an hourly minimum wage of $10.10 for covered federal contractors.[i]


On February 24, 2021, President Biden signed an Executive Order entitled “Executive Order on America’s Supply Chains” (the “Order”). Among other things, the Order is an initial step toward accomplishing the Biden Administration’s goal of building more resilient American supply chains that avoid shortages of critical products, facilitate investments to maintain America’s competitive edge, and

If your company delivers technical data to the Department of Defense, you should take a close look at the Federal Circuit’s decision issued yesterday in The Boeing Co. v. Secretary of the Air Force.

The Court acknowledged that contractors may retain ownership and other interests in unlimited rights data, and it held that they may take steps to put third parties on notice of those rights.  In particular, the Court held that, in addition to the standard legends required by the Defense Federal Acquisition Regulation Supplement (“DFARS”), contractors may also include a legend notifying third parties of the contractor’s retained rights.



As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that addresses DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award.  The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2]  We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.


On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.  The rule becomes effective November 30, 2020.  We have written previously on NIST 800-171 and the CMMC here and here respectively.

DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.



On August 13, 2020, the Office of Management and Budget (OMB) released new revisions to its Guidance for Grants and Agreements set forth under 2 CFR (commonly referred to as the Uniform Guidance).  The Uniform Guidance governs the terms of federal funding issued by agencies, including grants, cooperative agreements, federal loans, and non-cash assistance awards. 

The National Institute of Standards and Technology released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020.  This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must comply with in order to transmit, process, and store Controlled Unclassified Information (“CUI”).

Like the draft of NIST SP 800-171B released last year that it replaces, the publication recognizes that the basic and derived security controls in NIST SP 800-171 are “not designed to address APTs [Advanced Persistent Threats].”  As the publication notes,  “the APT may find ways to breach and/or compromise boundary defenses and deploy malicious code within a defender’s system.”  Thus, the additional safeguards in NIST SP 800-172 are meant to “outmaneuver, confuse, deceive, mislead, and impede the adversary—that is, take away the adversary’s tactical advantage and protect and preserve the organization’s critical programs and high value assets.”

Comments on the draft are due on August 21, 2020.

