OFCCP 2024 Affirmative Action Program Certifications: What You Need to Know
The Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) has now opened its Contractor Portal for the 2024 Affirmative Action Program (“AAP”) certification period with a deadline of July 1, 2024.
CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting
On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website. The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022. CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA. While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements. Under CIRCIA, the final rule must be published by September 2025.
The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert. This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements. The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register.
DoD Expands Contractor Cybersecurity Information Sharing Program
On March 12, 2024, the Department of Defense (DoD) published a final rule, revising the eligibility criteria for the voluntary DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities Program. The intent of the rule is to permit all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to participate in the program. Previously, only cleared contractors were permitted to participate in the sharing of this information. The final rule also amends identity proofing requirements by eliminating the need to obtain a medium security certificate to participate in either the voluntary or mandatory reporting regimes. The rule will take effect on April 11, 2024, and DoD anticipates a significant increase in contractor participation.
Additional information about the rule is outlined below.
OMB Approves Final CISA Secure Software Attestation Common Form, Triggering Clock for Collection
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the much-anticipated final version of its common Secure Software Development Attestation Form. Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons. First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers. Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.
Federal Highway Administration Announces Proposed Rule Ending Longstanding Buy America Waiver for Manufactured Products
On March 7, 2024, the Department of Transportation’s (“DOT”) Federal Highway Administration (“FHWA”) announced a proposed rule to rescind a longstanding general waiver of Buy America requirements for manufactured products (the “Manufactured Products Waiver”). If finalized, this would be a major change for the agency, reversing a policy that has been in place for more than 40 years.
FHWA has imposed Buy America requirements for domestic iron and steel on its projects since 1978 (see 23 U.S.C. § 313; 23 CFR § 635.410), but in 1983, the agency determined that it was in the public interest to waive the requirement as to manufactured products based on the agency’s belief that manufactured products were not used in federal highway projects in sufficient quantities to have an effect on the overall cost of a project and therefore did not require Buy America protections. That general waiver has been in place ever since.
This change in policy comes in the wake of the 2021 Infrastructure Investment and Jobs Act’s Build America, Buy America (“BABA”) provisions, which expanded Buy America coverage broadly in federal financial assistance programs for infrastructure. BABA requires that all steel, iron, construction materials, and manufactured products used in such products be “produced in the United States.” BABA also discourages the use of general applicability waivers like FHWA’s Manufactured Products Waiver and required review of existing waivers.
FHWA sought comments on its longstanding manufactured products waiver in March 2023 and received over 9,400 comments from the public. Commenters included manufacturers, labor organizations, construction contractors, industry associations, State departments of transportation, and even members of Congress. Based on a consideration of this feedback and in recognition of other domestic content policies, including Executive Order 14005, “Ensuring the Future Is Made in All of America by All of America’s Workers,” FHWA is proposing to discontinue its Manufactured Products Waiver and modify its regulations to include domestic content requirements for manufactured products.
DOD Issues Final DFARS Rule Implementing Increased Buy American Restrictions for Defense Procurements
On February 15, 2024, the Department of Defense (“DOD”) issued a final rule that increases the domestic content requirements for defense procurements.
The new rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement Executive Order 14005 (“EO”). The EO was intended to strengthen the requirements of the Buy…
January 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
This is the thirty-third in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken…
December 2023 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order
This is the thirty-second in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during December 2023. It also describes key actions taken during December 2023 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
New Proposed Rule on Pay Equity and Transparency in Federal Contracting
On January 30, 2024, the Federal Acquisition Regulatory Council (“FAR Council”) proposed a new “Pay Equity and Transparency in Federal Contracting” rule for government contractors. The proposed rule intends to increase race and gender equity for employees of federal prime contractors and subcontractors by prohibiting them from requesting and relying on certain information about job applicants’ compensation history and requiring contractors to disclose compensation rates in job announcements for certain positions. These requirements would apply to all prime contracts and subcontracts – including for commercial products and services – where the principal place of performance is within the United States, regardless of dollar amount or tier. The proposed rule is the latest in a number of steps the Biden Administration has taken to address discriminatory pay practices in federal procurement and contracting since announcing an Executive Order on Advancing Economy, Efficiency, and Effectiveness in Federal Contracting by Promoting Pay Equity and Transparency in March 2022.
The proposed rule’s potential impact and implications for contractors — as well as opportunities to submit comments on the issue — are discussed below.
Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers
On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products. The accompanying request for comments has a deadline of April 29, 2024.
The Proposed Rule would effectuate many of the requirements laid out in the Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (“E.O. 13984”). E.O. 13984, issued three years prior to the Proposed Rule, set in motion requirements for IaaS providers to enact certain customer identity verification procedures and take special measures to prevent their services from being used by foreign actors for malicious cyber-enabled activities. The AI provisions of the Proposed Rule stem from the more recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“E.O. 14110”), issued on October 30, 2023, which directed the Department to propose regulations for U.S. IaaS providers to (i) submit reports to the Department when a customer transacts with the provider to train an AI model that could be used for malicious cyber-enabled activities and (ii) ensure foreign resellers of IaaS products also conduct identity verification of foreign account holders.
The proposed regulations are further explained and summarized below: