Information Technology Contracting

The Government Accountability Office (“GAO”) released a decision on Friday finding that the Department of Homeland Security (“DHS”) followed the wrong order of succession after Secretary Kirstjen Nielsen resigned in April 2019.  As a result, the Acting Secretaries who have served since then were invalidly selected.  In particular, GAO has questioned the appointments of Acting Secretary Chad Wolf, former Acting Secretary Kevin McAleenan, and Deputy Secretary Kenneth Cuccinelli.

GAO’s decision tees up a thorny question for DHS contractors:  If these officials were invalidly selected, what does it mean for the agency’s policies and procurement decisions made during their tenure?Continue Reading [Updated] If the Acting DHS Secretary Was Unlawfully Selected, What Does that Mean for DHS Procurements?

(This article was originally published in Law360 and has been modified for this blog.)

Companies in a range of industries that contract with the U.S. Government—including aerospace, defense, healthcare, technology, and energy—are actively working to assess whether or not their information technology systems comply with significant new restrictions that will take effect on August 13, 2020.  These new restrictions prohibit the use of certain Chinese telecommunications equipment and services, and a failure to comply can have dramatic consequences for these companies.  The new restrictions also will have an immediate impact on mergers and acquisitions involving a company that does—or hopes to do—business with the Federal government.  In this article, we highlight some key considerations for M&A practitioners relating to these restrictions.

Background

On July 14, 2020, the U.S. Government’s Federal Acquisition Regulatory Council (“FAR Council”) published an interim rule to implement Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“FY19 NDAA”).[1]  When the new rule takes effect on August 13, it will prohibit the Department of Defense and all other executive branch agencies from contracting—or extending or renewing a contract—with an “entity” that “uses” “covered telecommunications equipment or services as a substantial or essential part of any system.”  The restrictions cover broad categories of equipment and services produced and provided by certain Chinese companies—namely Huawei, ZTE, Hytera, Hangzhou Hikvision, Dahua, and their affiliates.[2]

The new rule will be applicable to all contracts with the U.S. Government, including those for commercial item services and commercially available-off-the-shelf products.[3]  Companies with a single one of these contracts will soon have an ongoing obligation to report any new discovery of its internal “use” of certain covered telecommunications equipment and services to the Government within one business day with a report of how the use will be mitigated ten business days later.[4]  Further, although companies can seek to obtain a waiver on a contract-by-contract basis from agencies, these waivers must be granted by the head of the agency, and may only extend until August 13, 2022 at the latest.[5]

The new rule is the second part of a two-stage implementation of Section 889’s restrictions on covered telecommunications equipment and services in Government contracting.  It builds on an earlier rule that implemented Section 889(a)(1)(A) of the FY19 NDAA on August 13, 2019 by prohibiting an executive branch agency from acquiring certain covered telecommunications equipment or services that is a substantial or essential part of any system.[6]

The new rule is expansive in scope, and its effects will be felt far beyond the traditional defense industrial base.  Thus, mergers and acquisitions practitioners are well advised to become familiar with the rule and consider how it might impact any future transaction where an acquisition target does at least some business with the Government or has aspirations to do so in the future.Continue Reading M&A and Section 889: Due Diligence and Integration Considerations

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.
Continue Reading Contractor Supply Chain Readiness – An Update on Expected Regulatory Changes

On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT related products or services to the Government, or that sell ICT related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Issues New Interim Report

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.  Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.  And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.  Other requiring activities are reportedly requiring similar enhanced protections and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171.  Since then, DoD has issued two additional guidance memoranda; one that includes contractual language for implementing the November 6th guidance and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.Continue Reading DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors

On the eve of the recent government shutdown over border security, Congress and the President were in agreement on a different issue of national security:  mitigating supply chain risk.  On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (P.L. 115-390).  The Act includes a trio of bills that were designed to strengthen the cyber defenses of the Department of Homeland Security (“DHS”) and mitigate supply chain risks in the procurement of information technology.  The last of these three bills, the Federal Acquisition Supply Chain Security Act, should be of particular interest to contractors that procure information technology-related items related to the performance of a U.S. government contract.  Among other things, the bill establishes a Federal Acquisition Security Council, which is charged with several functions, including assessing supply chain risk.  The bill also gives the Secretary of DHS, the Secretary of the Department of Defense (“DoD”) and the Director of National Intelligence authority to issue exclusion and removal orders as to sources and/or covered articles based on the Council’s recommendation.  Finally, the bill allows federal agencies to exclude sources and/or covered articles deemed to pose a supply chain risk from certain procurements.
Continue Reading Jumping to Exclusions: New Law Provides Government-Wide Exclusion Authorities to Address Supply Chain Risks

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  A draft of this guidance was made available for public comment in April 2018.  As noted in our original post on the draft guidance, DoD’s proposed approach raised significant questions as to what role offerors’ implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post award audits.  In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments it received from the public into the final guidance.  As discussed below, although the DoD has addressed some of the issues raised by the April draft, the final guidance adds some additional concerns and ambiguities.
Continue Reading DoD Issues Final Guidance for Assessing Contractor Compliance with NIST SP 800-171

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018. The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.
Continue Reading NIST to Host CUI Information Security Workshop

Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.
Continue Reading NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance