
On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.

The Proposed Rule would effectuate many of the requirements laid out in the Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (“E.O. 13984”).  E.O. 13984, issued three years prior to the Proposed Rule, set in motion requirements for IaaS providers to enact certain customer identity verification procedures and take special measures to prevent their services from being used by foreign actors for malicious cyber-enabled activities.  The AI provisions of the Proposed Rule stem from the more recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“E.O. 14110”), issued on October 30, 2023, which directed the Department to propose regulations for U.S. IaaS providers to (i) submit reports to the Department when a customer transacts with the provider to train an AI model that could be used for malicious cyber-enabled activities and (ii) ensure foreign resellers of IaaS products also conduct identity verification of foreign account holders.

The proposed regulations are further explained and summarized below:
Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

In Honeywell International, Inc., the ASBCA declined to dismiss a roughly $151 million claim by DCMA alleging a violation of CAS 410, holding that the government’s allegations were sufficient to state a claim for improper treatment of G&A expenses.  The Board’s decision provides guidance on how to interpret CAS 410 — a topic that is often addressed by auditors, but has rarely been the subject of written opinions by the courts or boards of contract appeals.
Continue Reading ASBCA: Government Can Pursue $151 Million Claim Under CAS 410

On June 13, 2023, the Department of Defense announced that the Secretary of Defense approved recommendations for strengthening the Foreign Military Sales program and instructed FMS-implementing agencies to move forward with these recommendations.  It remains to be seen how the DoD agencies will implement the recommendations, and there is a possibility that legislative action will impact FMS reform and supplement or supersede these recommendations.

Last year, the Pentagon formed a Tiger Team to evaluate the FMS program and consider potential improvements.  As part of that process, the Tiger Team solicited industry input in the form of a November 2022 report compiled by the Aerospace Industries Association, the Professional Services Council, and NDIA, and a follow-on set of seven industry recommendations released in February of this year.  Last month, the Tiger Team released (and the DoD adopted) its own set of six recommendations which largely mirror the broad goals – if not the specific action items – set forth in the industry recommendations.
Continue Reading The Department of Defense Targets FMS Program Enhancements

The United States National Cybersecurity Strategy, released on March 2, 2023, is poised to place significant responsibility for cybersecurity on federal contractors, technology companies, and critical infrastructure owners and operators.  The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 into law.  The Act contains two significant prohibitions regarding the procurement and use of semiconductor products and services from specific Chinese companies and other foreign countries of concern that will come into effect in December 2027.
Continue Reading NDAA Prohibits Government Purchase and Use of Certain Semiconductors

This is the eleventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second through tenth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through February 2022, respectively.  This blog summarizes key actions taken to implement the Cyber EO during March 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions, potentially in or before June 2022, that are likely to impact government contractors, particularly those who provide software products or services to the Government.
Continue Reading March 2022 Developments Under President Biden’s Cybersecurity Executive Order

This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, eighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.

This blog summarizes key actions taken to implement the Cyber EO during February 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.
Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order

As discussed in our previous post, multiple federal courts have issued preliminary injunctions blocking the Biden Administration’s COVID-19 vaccine mandate for employees of federal contractors.  On January 27, 2022, the United States District Court of Arizona issued a new and additional injunction barring enforcement of the mandate within the State of Arizona.  In so doing, the Arizona court added to the injunctions previously issued by the U.S. District Courts for the Eastern District of Kentucky, Western District of Louisiana, Eastern District of Missouri, Middle District of Florida, and Southern District of Georgia.

The Georgia injunction is the only one of the rulings that applies nationwide.  Like the Arizona injunction, the Missouri, Florida, and Kentucky injunctions are limited to specific states (collectively, Kentucky, Ohio, Tennessee, Missouri, Nebraska, Alaska, Arkansas, Iowa, Montana, North Dakota, South Dakota, Wyoming, and Florida).  The Louisiana injunction is also limited, but its limitations are based on entities rather than geography; it applies to contracts and other agreements between the federal government and the governments of Louisiana, Mississippi, and Indiana.  The Biden Administration has appealed these earlier decisions; we expect that an appeal of the Arizona decision to the Ninth Circuit will likewise be forthcoming.

At the same time, the Biden Administration’s other primary COVID-19 initiative for large employers — the vaccination and testing emergency temporary standard issued by the Occupational Safety and Health Administration (the so-called “OSHA Mandate”) — was stayed by the United States Supreme Court on January 13, 2022.  In the wake of that decision, OSHA announced on January 25, 2022 that it is withdrawing the enforceable emergency temporary standard.

While the Supreme Court’s decision halted immediate application of the OSHA Mandate, the emergency temporary standard qualifies as a proposed rule for purposes of OSHA’s notice-and-comment rulemaking process under 29 U.S.C. § 655, and OSHA has announced that it will continue to consider the emergency temporary standard pursuant to that process.  Accordingly, OSHA could attempt to promulgate a final rule (as opposed to an emergency temporary standard) that addresses vaccines or testing requirements.

The rest of this post consists of (1) an overview of the Arizona decision regarding the federal contractor vaccine mandate; and (2) an update on the status of the other challenges to the federal contractor vaccine mandate, including the Kentucky, Louisiana, Missouri, Florida, and Georgia litigations.
Continue Reading COVID-19 Vaccine Mandate Update: Arizona District Court Issues Additional Injunction; Mandate Remains Enjoined Nationwide; OSHA Mandate Withdrawn

This is the eighth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, and seventh blogs described the actions taken by various government agencies to implement the EO from June through November 2021. This blog summarizes the key actions taken to implement the Cyber EO during December 2021.  Although the actions described below implement different sections of the Cyber EO, each of them portends further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to federal government agencies.
Continue Reading December 2021 Developments Under President Biden’s Cybersecurity Executive Order

The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing