This is part of an ongoing series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2024.  It also describes key actions taken during April 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, national security, and secure software.

Continue Reading April 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

Recently, the Department of Labor (“DOL”) Office of Federal Contract Compliance Programs (“OFCCP”) unveiled new guidance regarding the use of automated systems and artificial intelligence (collectively referred to as “AI”) in the workplace.  This guidance was issued as a part of a series of actions that the Biden administration has taken to address AI in various contexts and industries. 

The OFCCP guidance follows President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which directed the Secretary of Labor to “publish guidance for Federal contractors regarding nondiscrimination in hiring involving AI and other technology-based hiring systems.”  Specifically, the guidance addresses how federal prime contractors and subcontractors should approach employment nondiscrimination risks and best practices when using AI in the context of the laws that OFCCP enforces.

Continue Reading Office of Federal Contract Compliance Programs Releases New Guidance on the Use of Artificial Intelligence in Federal Contracting Employment Processes

On May 16, 2024, the Internal Revenue Service (“IRS”) and Department of Treasury (“Treasury”) published Notice 2024-41 (the “2024 Guidance”), which provides new guidance for securing the domestic content bonus credit established by the Inflation Reduction Act (“IRA”).  As described in more detail below, the 2024 Guidance builds on the existing framework contained in Notice 2023-38 (the “2023 Guidance”), which was released last May.  Most notably, the 2024 Guidance expands the range of applicable projects subject to the safe harbor in the 2023 Guidance and adds a “New Elective Safe Harbor” to determine cost percentages for the domestic content calculation in solar, onshore wind, and battery storage projects.

Continue Reading Treasury and IRS Release New Guidance on Inflation Reduction Act Domestic Content Bonus Credit

Today, the Federal Acquisition Regulatory Council (“FAR Council”) released an Advance Notice of Proposed Rulemaking (the “ANPRM”) describing the agencies’ plan to implement Section 5949 of the National Defense Authorization Act (“NDAA”) for FY 23 (Pub. L. 117-263).

Section 5949 prohibits the Federal Government from procuring certain semiconductor parts, products, or services traceable to named Chinese companies and potentially other foreign countries of concern.  To that end, the ANPRM invites public comment on the proposed contents of an implementing FAR clause, to take effect December 23, 2027.

As discussed below, the FAR Council proposed applying the regulations broadly to all solicitations and contracts, including commercial item and commercially available off-the-shelf (“COTS”) contracts, subject only to a limited waiver.  Although not set out in the statute, the clause would require contractors to conduct a “reasonable inquiry” into their supply chain to detect potential violations.  It would also require both disclosure and the taking of corrective action in the event that nonconforming products or services are discovered. 

More details are below, and our previous coverage of Section 5949 is available here.

Continue Reading Chips on the Table: FAR Council Releases Advance Notice of Proposed Rulemaking to Implement Prohibition on Purchase and Use of Certain Semiconductors

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by various government agencies to implement the Cyber EO from June 2021through February 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during March 2024.  It also describes key actions taken during March 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. 

Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

With the 2024 election rapidly approaching, the Biden Administration must race to finalize proposed agency actions as early as mid-May to avoid facing possible nullification if the Republican Party controls both chambers of Congress and the White House next year. 

The Congressional Review Act (CRA) allows Congress to overturn rules issued by the Executive Branch by enacting a joint resolution of disapproval that cancels the rule and prohibits the agency from issuing a rule that is “substantially the same.”  One of the CRA’s most unique features—a 60-day “lookback period”—allows the next Congress 60 days to review rules issued near the end of the last Congress.  This means that the Administration must finalize and publish certain rules long before Election Day to avoid being eligible for CRA review in the new year.

Overview of the CRA

The CRA requires federal agencies to submit all final rules to Congress before the rule may take effect.  It provides the House with 60 legislative days and the Senate with 60 session days to introduce a joint resolution of disapproval to overturn the rule.  This 60-day period counts every calendar day, including weekends and holidays, but excludes days that either chamber is out of session for more than three days pursuant to an adjournment resolution.  In the Senate, a joint resolution of disapproval receives only limited debate and may not be filibustered.  Moreover, if it has been more than 20 calendar days since Congress received a final rule and a joint resolution has not been reported out of the appropriate committee, a group of 30 Senators can file a petition to force a floor vote on the petition.   

If a CRA resolution receives a simple majority in both chambers and is signed by the President, or if Congress overrides a presidential veto, the rule cannot go into effect and is treated “as though such rule had never taken effect.”[1]  The agency is also barred from reissuing a rule that is “substantially the same,” unless authorized by future law.[2]    

Election Year Threat: CRA Lookback Period

These procedures pose special challenges for federal agencies in an election year.  If a rule is submitted to Congress within 60 days before adjournment, the CRA’s lookback provision allows the 60-day timeline to introduce a CRA resolution to start over in the next session of Congress.

This procedure ultimately requires the current administration to assess the threat of a CRA resolution against certain rules and determine whether to issue the rule safely before the deadline or risk a potential CRA challenge. 

Mid-May Deadline Estimated for Biden Agency Actions

Calculating the CRA deadline is exceedingly difficult for federal agencies because it is a moving target.  The House and Senate may each cancel or add days to their legislative calendar right up until adjournment, making it impossible to calculate the deadline with precision.  Moreover, the lookback period starts on the date that is 60 days before adjournment, regardless of which chamber reaches that threshold first.  In other words, if the date that is 60 House legislative days before adjournment falls on a date that is 65 Senate session days prior to adjournment, that date starts the lookback window, even though the Senate is not within 60 session days of adjournment. 

While only the House and Senate parliamentarians can determine the lookback window with authority, based on the currently-released House and Senate calendars, agency rules submitted to Congress before May 22, 2024 will not be subject to CRA review by the new 119th Congress in 2025.  However, since this deadline is based on the House calendar, it would be pushed later if the House were to add legislative days to the calendar to complete legislative work.

Administration Preparations

Agency leaders are working to finalize rules in time to meet this deadline.  At a recent conference held by the American Law Institute’s Continuing Legal Education, Vicki Arroyo, the Environmental Protection Agency’s (EPA) Associate Administrator for Policy, explained that the deadline is “something that [the EPA is] very focused on.”[3]  Although the deadline is uncertain, she noted that to be cautious, agencies may submit rules as “early as the end of April or May.”[4]

Federal agencies have already begun or plan to submit rules to Congress before the late May deadline, including:  

  • An EPA rule that sets new standards to reduce air pollutant emissions from cars and a rule that requires fossil fuel plants to rely on new technologies to reduce pollution levels.
  • A Department of Labor rule that modifies Wage and Hour regulations to clarify the criteria for classifying workers as independent contractors as opposed to employees and a rule that narrows the standards to classify as exempt from the Fair Labor Standards Act’s minimum pay and overtime requirements. 
  • A Department of Justice rule that takes additional steps to implement the Bipartisan Safer Communities Act, which makes various changes to federal firearm laws, including expanding background check requirements and broadening the scope of existing restrictions.
  • The Energy Department’s regulations setting consumer water heater energy efficiency standards to lower utility costs for American families and increase energy savings.
  • An Office of Personnel Management rule that would implement stronger guardrails for career employees, allowing them to keep civil service protections unless they voluntarily accept a political appointee position and adding requirements when reclassifying career positions as political appointments.
  • A Bureau of Land Management rule setting management standards that put conservation on par with resource extraction to protect public lands and restore degraded habitats. 
  • A Department of Health and Human Services rule that establishes comprehensive minimum staffing standards for nursing homes.
  • A Department of Housing and Urban Development rule proposing a framework to ensure that federal funding is used in a systematic way to affirmatively support the goals of the Fair Housing Act.

Some rules will not be finalized by the deadline, which could signal that agency leaders view these rules as less vulnerable to the CRA, either because they enjoy bipartisan support or because they are not politically polarizing.  For example, the EPA plans to finalize a rule in October that would mandate actions to reduce lead exposure, including replacing lead pipes within the next ten years. 

In addition, several rules were recently submitted to the Office of Information and Regulatory Affairs (OIRA), which generally has 90 days to review a rule before it is sent to Congress.  It is possible that OIRA’s 90-day review period will push these rules past the May deadline for submission to Congress.  Examples of these rules include:

  • A Department of Education rule that establishes a negotiated rulemaking committee to prepare regulations for the Federal Student Aid programs related to the modification, waiver, release, or compromise of student loans under the Higher Education Act of 1965.
  • A Social Security Administration rule that expands the definition of a public assistance household to reduce administrative burdens for low-income households participating in public assistance programs.
  • A Department of Agriculture rule that sets standards for labeling meat and poultry products produced using animal cell culture technology—a process that involves taking a small number of cells from living animals and growing them in a controlled environment to generate food.

The fate of these rules will depend on how soon the Administration can finish these rulemakings and submit them to Congress.  Otherwise, the outcome of the 2024 election will determine whether these rules ever take effect.


[1] 5 U.S.C. § 801(f).

[2] Id. § 801(b).

[3] Kevin Bogardus, Murky Deadline Looms for Biden’s Regs, E&E News by Politico (Mar. 21, 2024), https://www.eenews.net/articles/murky-deadline-looms-for-bidens-regs/.

[4] Kevin Bogardus, Murky Deadline looms for Biden’s Regs, E&E News by Politico (Mar. 21, 2024), https://www.eenews.net/articles/murky-deadline-looms-for-bidens-regs/.

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. 

Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

The Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) has now opened its Contractor Portal for the 2024 Affirmative Action Program (“AAP”) certification period with a deadline of July 1, 2024.

Continue Reading OFCCP 2024 Affirmative Action Program Certifications: What You Need to Know

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA.  While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements.  Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert.  This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements.  The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. 

Continue Reading CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting

On March 12, 2024, the Department of Defense (DoD) published a final rule, revising the eligibility criteria for the voluntary DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities Program.  The intent of the rule is to permit all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to participate in the program.  Previously, only cleared contractors were permitted to participate in the sharing of this information.  The final rule also amends identity proofing requirements by eliminating the need to obtain a medium security certificate to participate in either the voluntary or mandatory reporting regimes.  The rule will take effect on April 11, 2024, and DoD anticipates a significant increase in contractor participation.

Additional information about the rule is outlined below.

Continue Reading DoD Expands Contractor Cybersecurity Information Sharing Program