On May 11, 2017, the U.S.-China Economic and Security Review Commission (“Commission”) issued a Request for Proposal “to provide a one-time unclassified report on supply chain vulnerabilities from China in U.S. federal information technology (IT) procurement.”

Congress established the Commission in 2000 to monitor and report to Congress on the national security implications of China’s economic relationship with the United States.  See the Commission website here.  The Commission is composed of 12 members serving two-year terms, three of whom are selected by each of the Majority and Minority Leaders of the Senate and the Speaker and the Minority Leader of the House.

The report being sought via the RFP will serve as a “reference guide for policymakers on how the U.S. government manages risks associated with Chinese-made products and services and the participation of Chinese companies in its information technology (IT) supply chains.”  It is envisioned that the report would be briefed to the Commission and interested members of Congress, among others.  The winning contractor must produce a report that addresses at least the following:

  • Summary of the laws, regulations, and other requirements since the passage of the Federal Information Technology Acquisition Reform Act in 2015.  See our discussion of final OMB guidance on implementing FITARA here.  Among the requirements is a comparison of the risk management process for non-national security and national-security-related IT procurements.
  • Evaluation of how Chinese firms and Chinese-made IT products and services enter U.S. government IT supply chains.  In particular, an evaluation of how reliant U.S. government and U.S. government IT contractors are on Chinese firms and Chinese-made IT products and services.
  • Assessment of points of vulnerability in the procurement system, particularly for IT products and services designated as high risk by the U.S. government’s Chief Information Officers (CIO).  Evaluation of whether the CIOs are adequately assessing risk in their ratings of IT products and services.
  • Assessment of why the vulnerability points identified above exist, and an explanation of the factors contributing to the challenge of supply chain insecurity.  Explanation of how vulnerabilities are expected to shift in the next 5–10 years, particularly as Chinese firms move up the value-added chain.
  • Assessment of whether the U.S. government’s management of the risks associated with Chinese firms and Chinese-made products and services to its IT procurement supply chains is sufficient.  Provide a comprehensive description of cases in which the Chinese government, Chinese companies, or Chinese products have been implicated in connection with U.S. supply chain vulnerabilities or exploitation.

This focus on supply chain vulnerabilities is consistent with DoD’s emphasis in the past few years on protecting its supply chain, including rules that address the exclusion of contractors that DoD perceives as presenting a supply chain risk in national security systems, as well as the Department’s rules requiring contractors to provide more oversight of their supply chains to help prevent counterfeit electronic parts.

Proposals are due on June 14 with a report due 90 days from contract execution.

On October 30, 2015, the Department of Defense (“DoD” or the “Department”) issued a Final Rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) and clarifying the scope of the DoD’s ability to evaluate and exclude contractors that represent “supply chain risks” in solicitations and contracts involving the development or delivery of IT products and services related to National Security Systems (“NSS”). The Final Rule clarifies that the DoD’s exclusion authority is limited to procurement of NSS, explains that decisions apply on a procurement-by-procurement basis, and removes the flow-down requirement that was present in the Interim Rule. The Final Rule also encourages contracting officers to consider imposing a Government consent requirement for all subcontracts.  Our in-depth analysis of the Final Rule is available here.

Continue Reading DoD Issues Final Rule Addressing Exclusion of Contractors that Present Supply Chain Risk in National Security System Procurements

Supply chain protection has been a point of increasing emphasis by the Government, and especially the Department of Defense (“DoD”), in recent years. In no area is this more true than ensuring that Government systems and equipment are free from counterfeit electronic parts, which can raise both security and defect concerns.  DoD has accordingly taken several steps, many of which have taken the form of new requirements on contractors, to protect against counterfeit electronic parts.  With these requirements has come added risk to contractors that, even mistakenly, use counterfeit electronic parts in the goods they sell to DoD.  However, an August 30, 2016, final DFARS rule (implemented at DFARS 231.205-71) seeks to mitigate some of this risk by allowing contractors to recover the cost of replacing counterfeit electronic parts, as long as the contractor has taken certain steps to prevent the use of such parts.

Continue Reading DoD Final Rule Addresses Source Requirements and Cost Recovery for Use of Counterfeit Electronic Parts

On March 12, 2024, the Department of Defense (DoD) published a final rule, revising the eligibility criteria for the voluntary DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities Program.  The intent of the rule is to permit all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to participate in the program.  Previously, only cleared contractors were permitted to participate in the sharing of this information.  The final rule also amends identity proofing requirements by eliminating the need to obtain a medium security certificate to participate in either the voluntary or mandatory reporting regimes.  The rule will take effect on April 11, 2024, and DoD anticipates a significant increase in contractor participation.

Additional information about the rule is outlined below.

Continue Reading DoD Expands Contractor Cybersecurity Information Sharing Program

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the much-anticipated final version of its common Secure Software Development Attestation Form.  Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons.  First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers.  Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.

Continue Reading OMB Approves Final CISA Secure Software Attestation Common Form, Triggering Clock for Collection

On January 30, 2024, the Federal Acquisition Regulatory Council (“FAR Council”) proposed a new “Pay Equity and Transparency in Federal Contracting” rule for government contractors.  The proposed rule intends to increase race and gender equity for employees of federal prime contractors and subcontractors by prohibiting them from requesting and relying on certain information about job applicants’ compensation history and requiring contractors to disclose compensation rates in job announcements for certain positions.  These requirements would apply to all prime contracts and subcontracts – including for commercial products and services – where the principal place of performance is within the United States, regardless of dollar amount or tier.  The proposed rule is the latest in a number of steps the Biden Administration has taken to address discriminatory pay practices in federal procurement and contracting since announcing an Executive Order on Advancing Economy, Efficiency, and Effectiveness in Federal Contracting by Promoting Pay Equity and Transparency in March 2022.

The proposed rule’s potential impact and implications for contractors — as well as opportunities to submit comments on the issue — are discussed below.

Continue Reading New Proposed Rule on Pay Equity and Transparency in Federal Contracting

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.

The Proposed Rule would effectuate many of the requirements laid out in the Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (“E.O. 13984”).  E.O. 13984, issued three years prior to the Proposed Rule, set in motion requirements for IaaS providers to enact certain customer identity verification procedures and take special measures to prevent their services from being used by foreign actors for malicious cyber-enabled activities.  The AI provisions of the Proposed Rule stem from the more recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“E.O. 14110”), issued on October 30, 2023, which directed the Department to propose regulations for U.S. IaaS providers to (i) submit reports to the Department when a customer transacts with the provider to train an AI model that could be used for malicious cyber-enabled activities and (ii) ensure foreign resellers of IaaS products also conduct identity verification of foreign account holders.

The proposed regulations are further explained and summarized below:

Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

On January 4, 2024, the U.S. Attorney’s Office for the District of New Jersey announced that it has filed criminal wire fraud and false statement charges against the Chief Executive Officer (CEO) of a company that knowingly sold certain surveillance and security cameras to prosecutors’ offices, sheriffs’ offices, and police departments in the state of New Jersey that were prohibited by Section 889.

As described in more detail in a prior client alert, Section 889 contains two prohibitions.

Section 889(a)(1)(A) took effect on August 13, 2019 and provides that “The head of an executive agency may not … procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”  A similar prohibition, Section 889(b)(1), effective on August 13, 2020, is imposed on loan and grant funds, and prohibits agencies from expending any such funds on covered telecommunications equipment or services.  Because state and local governments regularly receive federal loans and grants, they are generally prohibited from using any of those funds to purchase covered telecommunications equipment or services.

Section 889(a)(1)(B) took effect on August 13, 2020 and prohibits the head of an executive agency contracting with (including extending or renewing a contract) any “entity” that “uses” “covered telecommunications equipment or services as a substantial or essential component of any system or as a critical technology of any system.”  In each case, covered telecommunications equipment or services includes all telecommunications equipment or services produced and provided by Huawei Technologies Company or ZTE Corporation, and video surveillance and telecommunications equipment or services produced and provided by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company, or any subsidiaries or affiliates of the five entities.

The Complaint alleges that the CEO (1) knew that state and local customers were subject to Section 889 prohibitions when expending certain funds used to buy cameras manufactured by Hangzhou Hikvision Digital Technology Company, and (2) falsely represented to those customers that the cameras that he was selling were compliant with Section 889 requirements.  The Complaint specifically notes that the CEO helped certain customers to obtain federal funding to purchase products that he was selling, and that approximately $15 million of the $35 million in cameras and equipment purchased by state and local government customers from the CEO’s company was federally funded.

The Complaint further alleges that the CEO’s company sent wire transactions to an unnamed entity that was identified as one of the five entities or their affiliates that are defined within Section 889 as providers of covered telecommunications equipment.  The Complaint also alleges that when purchasing cameras from the prohibited company, the CEO’s company would take steps to conceal the origins of the cameras, including by requesting that the branding of the cameras be removed.  The Complaint also states that the CEO informed state and local customers that his company had previously sold these cameras to federal agencies when it had not.

Ultimately, although the facts described by the Complaint paint a picture of more extreme and willful efforts to skirt Section 889 requirements, the charges reflect that the Government is increasingly focused on supply chain security, and that it is willing to bring criminal action for non-compliance where it feels that prosecution is appropriate.

This is the thirty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during November 2023.  It also describes key actions taken during November 2023 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.

Continue Reading November 2023 Developments Under President Biden’s Cybersecurity and Artificial Intelligence Executive Orders and National Cybersecurity Strategy

Echoing the Obama Administration’s Better Buying Initiative, the Biden Administration announced the Better Contracting Initiative (“BCI”), a four-pronged initiative designed to ensure the Federal Government gets better, and more consistent, terms and prices when purchasing commercial goods and services, while enhancing support for small and disadvantaged businesses.  The Initiative’s four prongs include:

Continue Reading More Bang for the Government’s Buck: The Biden Administration Announces the Better Contracting Initiative