Information Technology Contracting

On March 20, 2025, President Trump issued executive order (“EO”) Eliminating Waste and Saving Taxpayer Dollars by Consolidating Procurement, which will have significant effects on federal government contracting.  The EO is intended to consolidate “domestic Federal procurement” within the General Services Administration (“GSA”) to “eliminate waste and duplication.”

The EO has two primary objectives:

  1. It grants GSA an increased role in the U.S. Government’s acquisition of “common goods and services”.
  2. It designates the GSA Administrator as “the executive agent for all Government-wide acquisition contracts for information technology” pursuant to 40 U.S.C. § 11302(e).[1]

We have summarized key provisions and potential effects of the EO further below.Continue Reading Executive Order Issued To Expand GSA’s Role in Acquisition of “Common Goods and Services” and Information Technology

The FY 2025 National Defense Authorization Act (“NDAA”) sustains Congress’s continued focus on countering China’s expanding influence and enhancing U.S. resilience in an era of great power competition.  This year’s legislation reflects the practice of carrying the State Department and Intelligence Authorization Acts within the NDAA—marking the third consecutive year that these critical measures have been advanced in tandem.  The Foreign Relations and Intelligence Committees in both chambers of Congress have increasingly adopted the Armed Services Committees’ playbook, embedding China-focused legislation modeled on past defense measures in their respective authorizations.  This blog examines key provisions designed to address what Congress views as strategic challenges posed by China while closing loopholes that could confer military, economic, or technological advantages to Beijing.  We divide these provisions into the following five categories:  (1) provisions that address potential security risks linked to Chinese-origin technology; (2) provisions that limit the transfer of U.S. technology or data to China; (3) so-called “time to choose” provisions that curtail Department of Defense (“DoD”) engagement with third parties that engage with China; (4) provisions that tackle a range of broader geopolitical concerns; and (5) studies and reports to identify emerging issues and concerns.
Continue Reading FY2025 NDAA: Congressional Efforts to Bolster U.S. Resilience Against Chinese Tech and Influence

The Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide on August 2, 2024 titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” (the “Software Acquisition Guide”).  This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks.  This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (the “Secure By Demand Guide”).  Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Biden Administration’s May 2021 Cybersecurity Executive Order (“EO”) and the Office of Management and Budget (“OMB”) memoranda implementing that Order. 

The specific impact that the guides will have on federal procurements and software developers in the federal supply chain is not yet clear.  With this said, all software producers in the federal supply chain are currently required to fully comply with new secure software development minimum requirements promulgated by the Office of Management and Budget by September 8 of this year, as detailed in our prior post here.  The Software Acquisition Guide in particular builds on those requirements and thus could be adopted by agencies that opt to impose additional obligations on contractors beyond those minimum requirements.Continue Reading New Guides Released Relating to Secure Software Development Requirements

This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2024.  This blog describes key actions taken to implement the Cyber EO during July 2024.  It also describes key actions taken during July 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and software supply chain security.Continue Reading July 2024 Developments Under President Biden’s Cybersecurity Executive Order and AI Executive Order

Today, the Federal Acquisition Regulatory Council (“FAR Council”) released an Advance Notice of Proposed Rulemaking (the “ANPRM”) describing the agencies’ plan to implement Section 5949 of the National Defense Authorization Act (“NDAA”) for FY 23 (Pub. L. 117-263).

Section 5949 prohibits the Federal Government from procuring certain semiconductor parts, products, or services traceable to named Chinese companies and potentially other foreign countries of concern.  To that end, the ANPRM invites public comment on the proposed contents of an implementing FAR clause, to take effect December 23, 2027.

As discussed below, the FAR Council proposed applying the regulations broadly to all solicitations and contracts, including commercial item and commercially available off-the-shelf (“COTS”) contracts, subject only to a limited waiver.  Although not set out in the statute, the clause would require contractors to conduct a “reasonable inquiry” into their supply chain to detect potential violations.  It would also require both disclosure and the taking of corrective action in the event that nonconforming products or services are discovered. 

More details are below, and our previous coverage of Section 5949 is available here.Continue Reading Chips on the Table: FAR Council Releases Advance Notice of Proposed Rulemaking to Implement Prohibition on Purchase and Use of Certain Semiconductors

This is the thirtieth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading October 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through August 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during September 2023. Continue Reading September 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On October 5, 2023, the Federal Acquisition Regulatory Council (FAR Council) issued an interim Federal Acquisition Regulation rule (FAR rule) that implements the Federal Acquisition Supply Chain Security Act (FASCSA).  This FAR rule implements the requirements of the Federal Acquisition Supply Chain Security Act of 2018 and the Federal Acquisition Security Council (FASC) final rule for complying with exclusion or removal orders. The FAR rule represents yet another step by the Government to mitigate the security risks that the Government perceives with the use of information technology that may be produced or provided by countries considered to be foreign adversaries.  Like similar supply chain prohibitions, the rule requires contractors to conduct diligence to ensure that articles and sources covered by a FASCA exclusion or removal order are not provided to the Government, to make an affirmative representation to the Government that such articles and sources will not be provided, and to promptly report if any are identified.  The FAR rule will become effective on December 4, 2023, and will apply to new contracts and contracts subject to extension or renewal.  The rule instructs that existing IDIQ contracts should be modified by the Government within six months of December 4, 2023 to apply the requirements to future orders.

Additional information about the rule and its relationship to existing FASCSA regulations is outlined below.Continue Reading FAR Council Issues Interim Rule Outlining Procedures Relating to Excluded Covered Articles and Sources

This is the twenty-seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through June 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during July 2023. Continue Reading July 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken

Continue Reading June 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy