This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the secondthirdfourthfifthsixthseventheighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.

This blog summarizes key actions taken to implement the Cyber EO during February 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order

Addressing climate change has been a priority for President Biden since his first day in office.  On December 8, 2021, President Biden continued that focus by issuing Executive Order (EO) 14057, Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability, which includes a number of requirements directed at introducing sustainability to federal acquisitions.

This most recent EO announces an administration policy to achieve net-zero emissions from federal procurement by 2050 and comes on the heels of the public comment period extension to January 13, 2022 in response to EO 14030, Climate-Related Financial Risk.  Although the administration will likely be rolling out additional sustainability requirements in the coming months, contractors currently have an opportunity to help shape an initial requirement that may end up effectively establishing an environmental, social, and governance or “ESG” reporting requirement.
Continue Reading Contractors Have an Opportunity to Help Shape ESG Requirements

On May 12, 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity (the “EO”).  The EO sets out a list of deliverables due from a number of governmental entities in June 2021 and successive months.  Our overall summary of the EO and its deliverables can be found here, and our discussion of the EO deliverables that were due in June 2021 can be found here.  This blog addresses the EO deliverables in July 2021.
Continue Reading July 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

Last month, the Biden administration released its report on the results of its 100-day review of U.S. supply chains for critical products:  “Building Resilient Supply Chains, Revitalizing American Manufacturing, and Fostering Broad-Based Growth” (the “Report”).  Alongside the Report’s slate of policy recommendations, the Biden administration also announced immediate actions to strengthen supply chains and stimulate domestic competitiveness.

The Report is the result of President Biden’s February 24 “Executive Order on America’s Supply Chains” (the “Order”), which directed federal departments and agencies to conduct a review of supply chain risks in four critical product areas,[1] including pharmaceuticals and active pharmaceutical ingredients (“APIs”).  The Report and its recommendations further the Biden administration’s broader goal of rebuilding the U.S. industrial base, reducing reliance on foreign competitors, and bolstering national and economic security.

The U.S. Department of Health and Human Services (“HHS”) led the review of the supply chain for pharmaceuticals and APIs, which focused primarily on drugs, in particular small-molecule drugs and therapeutic biological products.  The Report makes a number of recommendations discussed herein that have the potential to impact pharmaceutical companies’ business plans and generate significant opportunities, though many such recommendations are long-term and will require dedicated funding so the actual impact of the Report’s suggestions remains to be seen.
Continue Reading Biden Administration 100-Day Supply Chain Assessment: Insights for Pharmaceutical Manufacturers

On May 12, 2021 the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (EO).  Among other things, the EO sets out a list of deliverables from a variety of government entities.  A number of these deliverables were due in June, including a definition of “critical software,” the minimum requirements for a software bill of materials, and certain internal actions imposed on various federal agencies.
Continue Reading June 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

The American Rescue Plan, signed into law last month, includes $1.9 trillion in economic stimulus, healthcare, and related funding.  And just last week the Biden administration released an infrastructure proposal, the American Jobs Plan, that includes $2.3 trillion in transportation, connectivity, power, and other critical infrastructure investments.

Contractors are right to view these plans as massive opportunities — but should be cognizant of the regulatory strings that often attach to government spending.  In general, these can include Federal Acquisition Regulation (FAR) and agency-specific FAR supplements for federal procurements, as well as the nonprocurement uniform requirements (2 C.F.R. Part 200) and related agency-specific regulations that attach to Federal grant funds even when disbursed by state or local entities.

Now, some Congressional members are seeking to add new restrictions that would significantly overhaul the existing domestic preference regime for Federal procurements — mere weeks after the promulgation of new Buy American regulations and the release of a new Executive Order to further tighten the application of these rules.

Continue Reading U.S. Senators Propose Trade-Pact Waivers Amidst Focus on Domestic Preference Laws

On February 24, 2021, President Biden signed an Executive Order entitled “Executive Order on America’s Supply Chains” (the “Order”). Among other things, the Order is an initial step toward accomplishing the Biden Administration’s goal of building more resilient American supply chains that avoid shortages of critical products, facilitate investments to maintain America’s competitive edge, and

As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that address DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award.  The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2]  We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.

Continue Reading How is DoD Planning to Use the Supplier Performance Risk System (SPRS)?

On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.  The rule becomes effective November 30, 2020.  We have written previously on NIST 800-171 and the CMMC here and here respectively.

DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.

Continue Reading Department of Defense’s Interim Rule Imposes New Assessment Requirements But is Short on Detail on Implementation of CMMC

On August 13, 2020, the Office of Management and Budget (OMB) released new revisions to its Guidance for Grants and Agreements set forth under 2 CFR (commonly referred to as the Uniform Guidance).  The Uniform Guidance governs the terms of federal funding issued by agencies, including grants, cooperative agreements, federal loans, and non-cash assistance awards.