Keen observers of federal suspension and debarment practice have noticed a recent change at the Department of Labor (DOL): After years of inactivity, DOL’s discretionary suspension and debarment program suddenly came to life in 2017 and has been issuing suspensions and debarments at a steady clip ever since. [1] Now, according to a recent announcement, DOL is poised to turn up its suspension and debarment activity yet another notch. Starting this month and continuing through April 2020, DOL will be instituting a pilot program aimed at promoting and expediting its suspension and debarment activity, with the stated goal of “reduc[ing] the processing time on discretionary suspension and debarment actions from months to days.” Continue Reading
The Topsy-Turvy World of State and Local Bid Protests
Many contractors are familiar with the well-established processes of federal bid protests. Less known is the dizzying variety of procedures applicable to state and local bid protests. Each jurisdiction has its own rules — in terms of timing, protestable issues, standard of review, document production, and more. A fundamental tenet in one jurisdiction may be completely inapplicable in another.
What does that mean for a contractor looking to grow its state and local business? Be prepared: Become familiar with the rules and practices for bid protests in the relevant jurisdiction prior to the award decision. When the award decision is made, you’ll be in a better position to assess whether to protest and, if so, when and how to do it.
Here are a few issues that are often helpful to consider while preparing for a potential state or local protest:
Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base
On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).
To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President For National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.
In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member, Senator Joe Manchin (D-WV), acknowledged industry concerns about the DOD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.
Senator Rounds stated that he “expects [DOD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DOD takes seriously the concerns of the DIB.” He further noted that DOD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain. Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information. Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DOD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”
Summarized below are key points discussed during the hearing:
- Clear, Scalable, and Consistent Cybersecurity Policy: Witnesses representing the DIB agreed that the future of the defense industry is dependent on robust cybersecurity and, to that end, expressed the need for DOD to clarify critical aspects of existing policy. For instance, the identification and definition of Controlled Unclassified Information and its subset, Covered Defense Information (“CDI”) was highlighted as an area of concern. DIB witnesses testified that the current definition of CDI in the DFARS Cyber Rule has become very broad. They suggested that DOD collaborate with the DIB to identify critical information so contractors are not protecting mundane data, but focusing on securing truly sensitive information. John Luddy noted that “with limited resources, if [contractors] try to protect everything that is currently considered CDI, we may under-protect the really important things.”
- Unified DOD Approach: All of the witnesses emphasized the need for DOD to take a unified approach to cybersecurity that helps to minimize the burden on industry. The industry witnesses were clear that, together with large prime contractors, DOD can help support the middle and lower-tier suppliers to be cyber secure, but clear guidance and programs must first be in place. Currently, DOD has taken an “ad hoc, service-by-service” approach as it works towards developing actionable regulations that has resulted in segmented and overlapping contractor infrastructure, and increased costs. The DIB witnesses commended recent memoranda issued by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, that clarified requirements for contracts overseen by the Defense Contract Management Agency, but they also noted that the memoranda “raised issues that need to be collaboratively assessed.” The witnesses made plain the need for more opportunities to contribute to future standards and guidance by DOD.
- Measuring and Certifying Cybersecurity Compliance: The DIB witnesses highlighted the numerous NIST SP 800-171 controls and the need to develop an approach using “real, objective metrics” that helps industry measure their cybersecurity performance against those controls. Defense contractors have been frustrated with the lack of clear metrics for compliance, which has resulted in the perception of DOD’s uneven enforcement of standards. The witnesses urged DOD to adopt a standard interpretation of NIST SP 800-171 as a useful baseline and starting point. They would prefer that DOD “set the bar high and set it once to hold all [companies] accountable, not only to spare companies from the cost, but also the need to adjudicate between different and potentially conflicting direction.”
- Information Sharing: The witnesses also drew attention to the need for greater information sharing. One idea raised by the DIB witnesses included the formation of a centralized DOD threat sharing initiative that distributes relevant and timely data to the DIB to bolster cybersecurity efforts. The representatives acknowledged the tension between information sharing that is aimed at identifying and addressing threats and information that is competitive or business sensitive. But, there was a consensus that progress on information sharing has been made within the DIB and that further improvements would be welcome.
Throughout the hearing, members of the Subcommittee and representatives from the DIB seemed to agree that greater collaboration with DOD on contractor cybersecurity issues and supply chain issues would be necessary to address systemic concerns. While there was a broad focus on DFARS requirements and NIST SP 800-171, a number of related issues were raised with the goal of helping businesses prioritize investments and meet DOD’s cybersecurity standards. As the cybersecurity efforts by DOD and the DIB continue, there was consensus during the hearing for a considered approach to partitioning cybersecurity responsibility among DOD, prime contractors, and their subcontractors so that no single entity shoulders the entire burden.
Keeping Up With DoD Cybersecurity Compliance Demands
(This article was originally published in Law360 and has been modified for this blog.)
On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.[1] One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”[2]
This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001. Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.
CBCA Recognizes that Discovery May Uncover New Claims
In Amec Foster Wheeler Environment & Infrastructure, Inc. v. Department of the Interior, CBCA 5168 et al. (Feb. 27, 2019), the Civilian Board of Contract Appeals (“CBCA” or “Board”) recently reiterated that a contractor need not assert every conceivable legal theory of relief as soon as it encounters an unforeseen condition on a construction project. Rather, a contractor may later be able timely to assert additional claims under distinct theories based on operative facts learned during discovery. Apropos of recently celebrated St. Patrick’s Day, this case indicates that discovery may be the rainbow that leads a contractor to a bigger pot of gold, i.e., operative facts that permit assertion of more valuable claims based on alternative legal theories.
Senate Reintroduces IoT Cybersecurity Improvement Act
On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.
When Compliance Is Not Enough: OIG Seeks Voluntary Refund Despite Contractor’s Adherence to “TINA” Requirements
On February 25, 2019, the Office of Inspector General (“OIG”) for the Department of Defense (“DoD”) issued an audit report analyzing the prices of spare aviation parts purchased by the Defense Logistics Agency (“DLA”) and the Army from TransDigm Group, Inc. (“TransDigm”). The audit was conducted in response to letters from certain Members of Congress, who had inquired whether the spare parts were sold at fair and reasonable prices and in compliance with the Truthful Cost or Pricing Data Act (“Act”).[1] The OIG’s audit confirmed that both TransDigm and the responsible DoD contracting officers fully complied with the Act and related regulations governing the price negotiations, but the OIG nonetheless concluded that the contractor earned excess profit on the majority of parts sold. In a highly unusual move, the OIG recommended that DoD request a “voluntary refund” from TransDigm of its allegedly “excessive” profits, and the OIG also recommended a number of changes to statutory, regulatory, and administrative policies governing the provision of cost or pricing data. Continue Reading
After the Final Report: Expectations Following the Section 809 Panel’s Third Volume of Acquisition Policy Reforms
The Section 809 Panel recently concluded its monumental analysis of defense acquisition law and regulations and released its third volume of recommended changes. As we have written previously, the Panel’s work stands out from previous acquisition reform efforts with the appendices of detailed legislative and regulatory changes that accompany the commissioners’ analysis and recommendations.
Given the scope of the Panel’s work, few believe that Congress or the Department of Defense (“DoD”) will — or even could — simply adopt the recommendations in full. Legislative bandwidth for additional acquisition reform is finite, and some of the Panel’s recommendations will prompt robust debate. In this post, we analyze some of the recommendations that government contractors should follow most closely. We highlight key issues and address the political dynamics involved in enacting them. Continue Reading
Defense Department Releases Artificial Intelligence Strategy
On February 12, 2019 the Department of Defense released a summary and supplementary fact sheet of its artificial intelligence strategy (“AI Strategy”). The AI Strategy has been a couple of years in the making as the Trump administration has scrutinized the relative investments and advancements in artificial intelligence by the United States, its allies and partners, and potential strategic competitors such as China and Russia. The animating concern was articulated in the Trump administration’s National Defense Strategy (“NDS”): strategic competitors such as China and Russia has made investments in technological modernization, including artificial intelligence, and conventional military capability that is eroding U.S. military advantage and changing how we think about conventional deterrence. As the NDS states, “[t]he reemergence of long-term strategic competition, rapid dispersion of technologies” such as “advanced computing, “big data” analytics, artificial intelligence” and others will be necessary to “ensure we will be able to fight and win the wars of the future.” Continue Reading
Trump’s New Executive Order Requires Additional Buy American Preferences For Infrastructure Projects
Last week, President Trump issued a new executive order, entitled “Strengthening Buy-American Preferences for Infrastructure Projects.” This order serves as an extension of the President’s earlier April 2017 “Buy American and Hire American” executive order, which we have previously analyzed in this space. The April 2017 order stated that “it shall be the policy of the executive branch to buy American and hire American,” and, among other things, directed agencies to “scrupulously, monitor, enforce, and comply with” domestic preference laws (referred to by the executive order as “Buy American Laws”) and to minimize use of waivers that would permit the purchase of foreign end products.
The President’s new order continues to emphasize the importance of “the use of goods, products, and materials produced in the United States,” but is specifically directed towards infrastructure projects that are recipients of federal financial assistance awards. As we have reported previously, federally-financed infrastructure has also been a stated area of focus for the Trump administration, although the Administration’s “Legislative Outline for Rebuilding Infrastructure in America” released last year curiously lacked any domestic preference requirements.
The new executive order makes up for this previous omission and then some: it has the potential to affect a vast number of programs and projects, and may in fact impose domestic sourcing requirements in areas—such as internet infrastructure—that are not typically targets for domestic preferences.
