Supply Chain

On May 12, 2021 the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (EO).  Among other things, the EO sets out a list of deliverables from a variety of government entities.  A number of these deliverables were due in June, including a definition of “critical software,” the minimum requirements for a software bill of materials, and certain internal actions imposed on various federal agencies.
Continue Reading June 2021 Developments Under the Executive Order on Improving the Nation’s Cybersecurity

The American Rescue Plan, signed into law last month, includes $1.9 trillion in economic stimulus, healthcare, and related funding.  And just last week the Biden administration released an infrastructure proposal, the American Jobs Plan, that includes $2.3 trillion in transportation, connectivity, power, and other critical infrastructure investments.

Contractors are right to view these plans as massive opportunities — but should be cognizant of the regulatory strings that often attach to government spending.  In general, these can include Federal Acquisition Regulation (FAR) and agency-specific FAR supplements for federal procurements, as well as the nonprocurement uniform requirements (2 C.F.R. Part 200) and related agency-specific regulations that attach to Federal grant funds even when disbursed by state or local entities.

Now, some Congressional members are seeking to add new restrictions that would significantly overhaul the existing domestic preference regime for Federal procurements — mere weeks after the promulgation of new Buy American regulations and the release of a new Executive Order to further tighten the application of these rules.Continue Reading U.S. Senators Propose Trade-Pact Waivers Amidst Focus on Domestic Preference Laws

On February 24, 2021, President Biden signed an Executive Order entitled “Executive Order on America’s Supply Chains” (the “Order”). Among other things, the Order is an initial step toward accomplishing the Biden Administration’s goal of building more resilient American supply chains that avoid shortages of critical products, facilitate investments to maintain America’s competitive edge, and

As described in an earlier blog post, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that address DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).[1]  Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for award.  The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).[2]  We evaluate below how DoD may use the NIST 800-171 assessment scores in SPRS, as well as how updates to SPRS more generally are likely to impact contractors.
Continue Reading How is DoD Planning to Use the Supplier Performance Risk System (SPRS)?

On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework.  The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.  The rule becomes effective November 30, 2020.  We have written previously on NIST 800-171 and the CMMC here and here respectively.

DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.Continue Reading Department of Defense’s Interim Rule Imposes New Assessment Requirements But is Short on Detail on Implementation of CMMC

On August 13, 2020, the Office of Management and Budget (OMB) released new revisions to its Guidance for Grants and Agreements set forth under 2 CFR (commonly referred to as the Uniform Guidance).  The Uniform Guidance governs the terms of federal funding issued by agencies, including grants, cooperative agreements, federal loans, and non-cash assistance awards. 

Last week, President Trump issued an executive order aimed at encouraging the expansion American manufacturing of essential medical products — Executive Order on Ensuring Essential Medicines, Medical Countermeasures, and Critical Inputs Are Made in the United States (August 6, 2020) (the “Order”).  The Order sets forth an ambitious plan requiring extensive agency action on a tight timeline that suggests a significant impact.  Closer examination of the Order raises significant questions about the practicalities of implementation and the realistic impact of the Order once the substantial stated exceptions are taken into account.

The List

The heart of the Order is a list of Essential Medicines, Medical Countermeasures (“MCMs”), and Critical Inputs to which the Order’s requirements apply — but the key components of this list do not yet exist.  Instead, the Order directs the Food and Drug Administration (“FDA”) to produce the list within 90 days and to include on the list Essential Medicines, MCMs, and Critical Inputs “that are medically necessary to have available at all times in an amount adequate to serve patient needs and in the appropriate dosage forms.”

The Order provides the following definitions that give some insight into what may be on the FDA’s eventual list:
Continue Reading Trump Administration Increases Uncertainty for Pharmaceutical Manufacturing

(This article was originally published in Law360 and has been modified for this blog.)

Companies in a range of industries that contract with the U.S. Government—including aerospace, defense, healthcare, technology, and energy—are actively working to assess whether or not their information technology systems comply with significant new restrictions that will take effect on August 13, 2020.  These new restrictions prohibit the use of certain Chinese telecommunications equipment and services, and a failure to comply can have dramatic consequences for these companies.  The new restrictions also will have an immediate impact on mergers and acquisitions involving a company that does—or hopes to do—business with the Federal government.  In this article, we highlight some key considerations for M&A practitioners relating to these restrictions.

Background

On July 14, 2020, the U.S. Government’s Federal Acquisition Regulatory Council (“FAR Council”) published an interim rule to implement Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“FY19 NDAA”).[1]  When the new rule takes effect on August 13, it will prohibit the Department of Defense and all other executive branch agencies from contracting—or extending or renewing a contract—with an “entity” that “uses” “covered telecommunications equipment or services as a substantial or essential part of any system.”  The restrictions cover broad categories of equipment and services produced and provided by certain Chinese companies—namely Huawei, ZTE, Hytera, Hangzhou Hikvision, Dahua, and their affiliates.[2]

The new rule will be applicable to all contracts with the U.S. Government, including those for commercial item services and commercially available-off-the-shelf products.[3]  Companies with a single one of these contracts will soon have an ongoing obligation to report any new discovery of its internal “use” of certain covered telecommunications equipment and services to the Government within one business day with a report of how the use will be mitigated ten business days later.[4]  Further, although companies can seek to obtain a waiver on a contract-by-contract basis from agencies, these waivers must be granted by the head of the agency, and may only extend until August 13, 2022 at the latest.[5]

The new rule is the second part of a two-stage implementation of Section 889’s restrictions on covered telecommunications equipment and services in Government contracting.  It builds on an earlier rule that implemented Section 889(a)(1)(A) of the FY19 NDAA on August 13, 2019 by prohibiting an executive branch agency from acquiring certain covered telecommunications equipment or services that is a substantial or essential part of any system.[6]

The new rule is expansive in scope, and its effects will be felt far beyond the traditional defense industrial base.  Thus, mergers and acquisitions practitioners are well advised to become familiar with the rule and consider how it might impact any future transaction where an acquisition target does at least some business with the Government or has aspirations to do so in the future.Continue Reading M&A and Section 889: Due Diligence and Integration Considerations

On July 10, 2020, the interim rule implementing Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. No. 115-232) was released by the U.S. Government’s Federal Acquisition Regulatory Council. Section 889 prohibits the U.S. Government from buying (as of August 2019)—or contracting with an entity that uses

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.
Continue Reading Contractor Supply Chain Readiness – An Update on Expected Regulatory Changes