On October 3, 2023, the Federal Acquisition Regulation (FAR) Council released two new proposed cybersecurity rules. The first of the two, covered in a separate blog, is titled “Cyber Threat and Incident Reporting and Information Sharing,” and adds new requirements to the cybersecurity incident reporting obligations of federal contractors. The second rule, titled “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” covers cybersecurity contractual requirements for unclassified Federal information systems.

Both rules arise from Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). We have covered developments under this Executive Order as part of a series of monthly posts. The first blog summarized the Cyber EO’s key provisions and timelines, and subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through November 2023. This blog describes key requirements imposed by the proposed “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” rule (the “Proposed Standardizing Rule”)

Proposed Cybersecurity Requirements for Unclassified Federal Information Systems

As directed by the Cyber EO, the Proposed Standardizing Rule would establish cybersecurity policies, procedures, and requirements for contractors that develop, implement, operate, or maintain Federal Information Systems (“FIS”). Under the rule, a FIS is defined as “an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.”

Continue Reading Proposed FAR Rule: “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems”

Since its creation in 2006, the Biomedical Advanced Research and Development Authority has funded the development of medical countermeasures for pandemic influenza, anthrax, smallpox, Ebola virus disease, Zika virus, and, of course, COVID-19.  In just the last year, BARDA has made more than 35 new awards to partners, assisted its partners in achieving 20 FDA approvals of their products, and launched Project NextGen, a $5 billion program it leads alongside the National Institute of Allergy and Infectious Diseases to accelerate the development of COVID-19 vaccines and treatments through public-private collaborations.  

On November 30, BARDA announced its latest plans for Project NextGen, releasing new solicitations for project proposals for the development of next generation COVID-19 vaccines, therapeutics, and enabling technologies.

The three new solicitations – detailed below – were announced through the Rapid Response Partnership Vehicle (RRPV), a consortium that supports BARDA in its objective to develop medical technology to address future pandemic or other biological threats.  All offerors must be members of the RRPV consortium at the time they submit their proposals.  Proposals are due in early January 2024.

Additionally, BARDA also announced a new Area of Interest (AOI) through its Division of Research, Innovation, and Ventures (DRIVe) Agnostic Diagnostics program.  The new AOI focuses on bringing metagenomic next-generation sequencing to routine clinical labs and point-of-care settings through innovation in sequencing hardware, sample preparation, or bioinformatics.

1. Enabling Technology – Decentralized Trial – Home Focus (proposals due January 10, 2024)

BARDA requests project proposals to conduct a study designed to assess potential correlates of protection using immunogenicity data correlated to symptomatic COVID-19 following vaccination with an FDA licensed/authorized COVID-19 vaccine. 

To be eligible, awardees must have a successful history of conducting clinical trials for medical countermeasures.  BARDA expects the period of performance to begin in February 2024.

2. NextGen Vaccinations: Phase 2B Clinical Trial Execution (proposals due January 10, 2024)

BARDA is seeking to partner with developers and other organizations to advance the clinical development of next-generation COVID-19 vaccines into a Phase 2b clinical trial.  BARDA will support development by providing planning and regulatory support as needed.

In order to be eligible, awardees must have (1) a successful history of developing, cGMP manufacturing, release testing, and conducting clinical trials for vaccines and (2) an active or complete Phase 1 clinical trial Next-Generation COVID-19 Vaccine, with unblinded safety and immunogenicity data to support a Phase 2b trial.  BARDA expects the period of performance to begin in the second quarter of fiscal year 2024.

3. COVID-19 Monoclonal Antibody Therapeutics for PrEP (proposals due January 19, 2024)

Finally, BARDA seeks partnerships with developers and other organizations to advance the clinical development of next-generation therapeutics for COVID-19.  Awardees would be responsible for developing of COVID-19 monoclonal antibody therapeutics (single or combination products), with a primary indication of PrEP.

To be eligible, awardees must have a demonstrated successful history of developing, cGMP manufacturing, release testing, and conducting clinical trials for therapeutics and/or vaccines.  BARDA expects performance to begin on the date of contract award.

This is the thirty first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during November 2023.  It also describes key actions taken during November 2023 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.

Continue Reading November 2023 Developments Under President Biden’s Cybersecurity andArtificial Intelligence Executive Orders and National Cybersecurity Strategy

Through the Infrastructure Investment and Jobs Act (“IIJA”) and the Inflation Reduction Act, the Department of Energy (“DOE”) has awarded billions of dollars to a series of new infrastructure and clean energy programs.  The scope and size of these programs have, in turn, attracted scrutiny from the DOE’s Office of Inspector General (“OIG”), as evidenced most recently by an OIG Special Report (“Report”) detailing what the OIG characterized as “Management Challenges” at DOE.  The Report is notable for several reasons, but most striking is its sharp criticism of DOE’s apparent reluctance to fully accede to the OIG’s request for vast quantities of agency and contractor data in connection with preventative fraud detection efforts.  This blog will cover the key findings of this Report and the most important takeaways for current and prospective DOE implementing partners.

Continue Reading Department of Energy Office of Inspector General Management Challenges Report: Key Findings and Insights

The requirement to pay “prevailing wages” to covered workers is a perennial aspect of many types of government contracting, including construction contracts subject to the Davis-Bacon Act (“DBA”) and certain related laws (collectively referred to as the Davis-Bacon and Related Acts or “DBRA”).  In recent years, Congress has also expanded the reach of prevailing wage requirements to new industries: clean energy projects seeking to take advantage of federal tax credits under the Inflation Reduction Act are required to ensure that prevailing wages are paid or may be forced to forfeit valuable credits.  Semiconductor manufacturers — as well as manufacturers of materials and equipment used to make semiconductors — that seek to take advantage of the incentives established by the CHIPS Act are likewise required to follow the prevailing wage requirements of the DBA. 

It was in this context that the Department of Labor (“DOL”) introduced a 222-page final rule, “Updating the Davis-Bacon and Related Acts Regulations,” that substantially rewrote the implementing regulations under the DBRA.  Among other things, the final rule alters how DOL calculates the prevailing wage rates for each locality, and expands the definition of the “site of work” and categories of workers subject to the DBA.  Moreover, the final rule imposes the DBA by operation of law on federal construction contracts that would otherwise be covered, but that nevertheless do not include the requisite FAR clauses and wage determinations used to inform contractors of the DBA’s requirements.  The potential impact of these changes has not gone unnoticed:  last month, two trade associations — the Associated Builders and Contractors of Southeast Texas, Inc. (“ABCSETX”) and the Associated General Contractors of America (“AGC”) — filed separate suits challenging multiple aspects of the final rule, including the changes to prevailing wage calculation methodology and the revised definition of the site of work.  We expand on the final rule’s changes — and on the pending legal challenges — below. 

Continue Reading Whose Site Is It Anyway: Trade Groups Challenge DOL’s Prevailing Wage Calculation and Expanded Definition of the Site of Work Under the Davis-Bacon Act

This is the thirtieth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through September 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during October 2023. 

Biden Administration Announces Artificial Intelligence (“AI”) Executive Order

On October 30, 2023, the Biden Administration issued its new Executive Order on Artificial Intelligence, setting out a comprehensive strategy to support the development of safe and secure AI.  According to the Administration’s Fact Sheet, the Executive Order establishes new AI safety and security standards, protects privacy, advances equity and civil rights, protects workers, consumers, and patients, promotes innovation and competition, and advances American leadership.  For example, as relevant to government contractors and critical infrastructure, the AI Executive Order:

·        Sharing Results – Will “require that companies developing any foundation model that poses a serious risk to national security, national economic security, or national public health and safety must notify the federal government when training the model, and must share the results of all red-team safety tests[,]” in accordance with the Defense Production Act.

·        AI Standards – Directs the U.S. National Institute of Standards and Technology (“NIST”) to “set the rigorous standards for extensive red-team testing to ensure safety before public release[,]” which will be applied to critical infrastructure sectors by the U.S. Department of Homeland Security (“DHS”). 

The AI Executive Order follows the administration’s earlier Blueprint for an AI Bill of Rights, which was published in September 2022, as well as other developments in the administration’s cybersecurity efforts more broadly, such as the Cyber EO and U.S. National Cybersecurity Strategy.  A more detailed discussion of the AI Executive Order is available in our prior post.

The U.S. Office of Management and Budget (“OMB”) Releases Implementation Guidance Following President Biden’s AI Executive Order

On November 1, 2023, OMB released draft guidance on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence.  (While we know that November 1st is not part of October, we decided to include this update as part of this post to accompany the reporting on the AI Executive Order.)  The draft guidance would implement many of the provisions of the AI Executive Order.  For example, the draft guidance would direct federal agencies to: ·         “Designate Chief AI Officers, who would have the responsibility to advise agency leadership on AI[;]”

·        “Remove unnecessary barriers to the responsible use of AI, including those related to insufficient information technology infrastructure[;]” and

·         “Provide recommendations for managing risk in federal procurement of AI[,]” among other actions.

OMB is accepting public comments on the draft guidance until December 5, 2023. 

Federal Acquisition Regulation (“FAR”) Council Releases New Proposed Cybersecurity Rules

On October 3, 2023, the FAR Council released two new proposed cybersecurity rules on (1) Cyber Threat and Incident Reporting and Information Sharing and (2) Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.  Both of these proposed rules arise under the Cyber EO.

The proposed cyber threat and incident reporting rule implements recommendations made by OMB and CISA concerning the cybersecurity incident reporting obligations of federal contractors.  Specifically, the cyber threat and incident reporting rule amends provisions of several existing FAR Subparts and introduces new FAR clauses for contracting officers to incorporate into future solicitations and contract actions.  The proposed rule also adds new FAR definitions and expands others.  For example, the proposed rule broadly expands the definition of “Information and Communications Technology (ICT)” by specifying that operational technology, such as industrial control systems, building management systems and physical access control mechanisms, are covered by the rule.  A more detailed discussion of the Cyber Threat and Incident Reporting and Information Sharing proposed rule is available here.  The second proposed rule, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, will be the subject of a forthcoming post. 

 

Echoing the Obama Administration’s Better Buying Initiative, the Biden Administration announced the Better Contracting Initiative (“BCI”), a four-pronged initiative designed to ensure the Federal Government gets better, and more consistent, terms and prices when purchasing commercial goods and services, while enhancing support for small and disadvantaged businesses.  The Initiative’s four prongs include:

Continue Reading More Bang for the Government’s Buck: The Biden Administration Announces the Better Contracting Initiative

The Armed Services Board of Contract Appeals has issued its annual report for FY 2023, shedding light on how often contractor appeals reach a successful result, and what agencies are most frequently involved in contract litigation.

Continue Reading ASBCA Issues Annual Report, Providing Data on How Often Contractors Prevail

This is the twenty-ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through August 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during September 2023. 

Continue Reading September 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

On Thursday, GAO released its Bid Protest Annual Report to Congress for Fiscal Year 2023, which provides bid protest statistics and other interesting information regarding GAO’s protest system.

Continue Reading GAO’s Annual Bid Protest Report:  Protest Filings and Sustain Rate Soar