Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.
Continue Reading NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance

Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity.  On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research.  On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.
Continue Reading DHS Cybersecurity Legislation Advances Through Capitol Hill

On February 22, 2018, the General Services Administration (GSA) issued a Final Rule to address common commercial supplier agreement terms that it contends are inconsistent with federal law. The purpose of this rule is to streamline negotiations over commercial supplier agreements (“CSAs”), end-user license agreements (“EULAs”), Terms of Sale (“TOSs”) or similar sets of standard terms and conditions. Significantly, the rule reverses several controversial provisions from the Proposed Rule and an earlier class deviation by reverting the order of precedence and eliminating the burdensome requirement of providing the full text of all provisions. Less controversial, but nonetheless important, the Final Rule also formalizes GSA’s longstanding position that certain terms and conditions are unenforceable under federal law.
Continue Reading GSA Issues Final Rule Governing Negotiations of Common Commercial Terms

A few years ago, we reported on regulations governing federal contractors’ nondiscrimination obligations with respect to LGBT employees.  The Trump Administration has taken steps to roll back many Obama-era efforts, although the Executive Order and rules establishing LGBT-related protections for employees of federal contractors remain in force, at least for now.  The Second Circuit recently decided a high-profile case that affirmed the legal basis for those obligations and extended them beyond the federal contractor community.  In doing so, the Second Circuit rejected the Trump Justice Department’s position with respect to LGBT nondiscrimination.

The case, which has generated significant press coverage, deserves close attention from all employers, including contractors, as LGBT nondiscrimination rules continue to develop in courts, executive agencies, and legislatures.  In this post, we examine the considerations for government contractors and outline some best practices for companies that work with the federal government. 
Continue Reading In Sexual Orientation Nondiscrimination Claims, “EEO Is the Law,” and Not Just for Government Contractors

Few issues have bedeviled the GSA Schedules program as much as the provision of incidental supplies and services under Schedule orders.  For years, it has been unclear how such supplies and services are to be purchased and priced, since they are not themselves on Schedule.

But now, with GSA’s new Order-Level Materials (“OLM”) rule, GSA has resolved this issue by expressly permitting the government to easily and quickly obtain incidental supplies and services through the Schedules program.
Continue Reading At Long Last – GSA Issues Final Rule on Purchasing “Order-Level Materials” on Schedule Orders

Inflection Point for IoT

In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Services Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and benefits. However, the increased ubiquity of IoT comes with heightened risks to security, privacy and physical safety, and without a standardized set of cybersecurity requirements, many IoT devices and systems are vulnerable to attack. Earlier this month, the National Institute of Standards and Technology (NIST) (through the Interagency International Cybersecurity Standardization Working Group (IICS WG)) released a draft report to help both federal agencies and private companies plan and develop cybersecurity standards in their use and production of IoT components, products, systems and services. The draft report stresses the importance of coordination across the private and public sectors in developing standards to bolster the security and resilience of IoT, provides a snapshot of current international cybersecurity standards, and offers recommendations for gap-filling.
Continue Reading Latest NIST Draft Report a Call to Action for Federal Agencies and Private Companies

Last week, President Donald Trump released his long-awaited infrastructure plan, entitled a “Legislative Outline for Rebuilding Infrastructure in America.” Clocking in at 53 pages, this plan is designed to “stimulate at least $1.5 trillion in new investment over the next 10 years” through $200 billion of federal funding. The infrastructure plan is intended to provide a “roadmap for the Congress to draft and pass the most comprehensive infrastructure bill in our Nation’s history.” Our high-level key takeaways from that plan are discussed below.
Continue Reading Key Takeaways from Trump’s Infrastructure Plan—Private Financing And A Capital Budget, But No “Buy American” Requirements?

On February 7, the Department of Defense (DoD) awarded REAN Cloud a contract valued at up to $950 million to work with defense agencies to migrate existing applications to commercial cloud solutions. The award is of significant relevance to efforts currently underway in connection with the upcoming DoD Joint Enterprise Defense Infrastructure—or “JEDI”—procurement. However, the award is also important in a broader context in that it was issued as a follow-on production contract to an “other transaction” (OT) prototype agreement awarded on an expedited basis by DoD’s Defense Innovation Unit Experimental organization (DIUx). The award, therefore, reflects DoD’s increased comfort with issuing high-value production contracts following preliminary work with DIUx under OT prototype agreements.
Continue Reading DIUx and DoD Other Transaction Prototype Agreements: The Fast Track to DoD Funding

On January 31, 2018, the Department of Defense (“DoD” or the “Department”) published a final rule regarding commercial item purchasing requirements.  Among other key amendments, the final rule modifies the Defense Federal Acquisition Regulation Supplement (“DFARS”) by:  (i) formalizing a presumption of commerciality for items that DoD previously treated as commercial; (ii) providing commercial item treatment to goods and services offered by nontraditional defense contractors; and (iii) prioritizing the types of information that the contracting officer (“CO”) can consider when determining price reasonableness in the absence of adequate competition.

The final rule adopts much of DoD’s August 2016 proposed rule, which itself was a revised version of a retracted August 2015 proposed version.  We discussed the August 2016 proposed rule on this subject (and linked to an article regarding the August 2015 version) in a prior post.  Despite receiving repeated input from industry and Congress, DoD’s final rule still provides little concrete guidance, and although these changes were made with the stated purpose of promoting consistency across purchasing components, it appears likely that inconsistencies will persist.  In particular, the final rule continues to leave the door open for individual contracting officers to make potentially burdensome requests for information to support the proposed pricing of commercial items.
Continue Reading Third Time Around: Inconsistencies Persist with Final DFARS Commercial Items Rule

On February 1, the Office of Federal Contract Compliance Programs (OFCCP) issued 1,000 corporate scheduling announcement letters (CSALs) to federal contractors, a move that suggests a renewed emphasis on the agency’s enforcement of anti-discrimination and affirmative action employment laws. CSALs are informal notices that precede the official initiation of an OFCCP compliance evaluation, but the issuance of these letters serves as both a sign of OFCCP’s enforcement posture under the Trump administration and a call to action for the contractor establishments that receive these notifications.
Continue Reading Incoming! Issuance of 1,000 Notifications Portends Ramp-Up of OFCCP Enforcement Activity