Information Technology

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT-related products or services to the Government, or that sell ICT-related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.

On December 30th, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012.  As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171.  This current revision appears responsive to significant concerns raised by Industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.

The Second Interim Rule imposes the following changes:

On March 16, U.S. Customs and Border Protection (“CBP”) issued a final country of origin determination that will be of interest to the consumer electronics device industry generally.  CBP ruled that under four different scenarios involving the manufacture and assembly of laptops abroad, downloading an operating system was not enough to change the computers’ country of origin for purposes of U.S. Government procurement.

CBP found each of the four scenarios presented in the ruling request failed to satisfy the “substantial transformation” test under the Trade Agreements Act, and squarely rejected the argument that downloading firmware, including a basic input/output system (“BIOS”), transforms “discrete and inoperable components into a finished product with a different name, character and use.”

A major piece of IT acquisition reform legislation called the Federal Information Technology Acquisition Reform Act (“FITARA”), on which we have previously reported, was included in the version of the National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) passed by the House on December 4, 2014, along with other significant IT reform provisions related to open systems requirements for the Department of Defense (“DoD”).

The FITARA portion of the bill includes provisions that would require the federal government to:

  • empower Chief Information Officers (“CIOs”) and prevent the CIO from delegating the duty of reviewing IT contracts before the agency enters into the contract;
  • provide a publicly available list for each major information technology investment, both new and existing, that lists information specified in forthcoming investment evaluation guidance;
  • engage in a detailed review of high-risk information technology investments to identify problems;
  • inventory all information technology;
  • implement a federal data center consolidation initiative, which will include publicized goals regarding cost savings and optimization improvements to be achieved as a result of the initiative, and must be performed consistent with federal guidelines on cloud computing and cybersecurity such as FedRAMP and NIST guidelines;
  • expand the use of specialized IT acquisition experts;
  • develop a federal strategic sourcing initiative to be developed by GSA, which will allow for the use of governmentwide user license agreements.

Additional provisions require the use of open and modular strategies by the DoD, including the following requirements

On August 29, the U.S. Court of Appeals for the D.C. Circuit upheld the dismissal of a qui tam suit under the False Claims Act (“FCA”) alleging that government contractor Govplace made false statements and false claims by selling to the Government, via its GSA schedule contract, computer and other products not originating in designated countries under the Trade Agreements Act (“TAA”). The decision shows that a contractor may defend against an FCA action by showing that it reasonably relied on a supplier’s certification as to TAA compliance.

The D.C. Circuit Decision: Govplace has been providing information technology (“IT”) integration and product solutions to the Government via a GSA schedule contract since 1999. Products on GSA schedule contracts must comply with the TAA requirement that “only U.S.-made or designated country end products [can] be offered and sold” under such contracts. Govplace acquires many of the products listed in its schedule contract from a distributor, Ingram Micro, which expressly certifies that its products are TAA compliant.

In the Govplace case, the relator alleged that certain products that Govplace acquired from Ingram Micro were manufactured in China, a non-designated country, and that Govplace acted with reckless disregard in relying on Ingram Micro’s certifications.



Rep. Anna G. Eshoo (D-Calif.) recently introduced the Reforming Federal Procurement of Information Technology (“RFP-IT”) Act. This Act is similar in many ways to earlier drafts of the FITARA bill on which we have previously reported, with a few notable differences. Among other things, the RFP-IT Act would:

  • significantly increase the Simplified Acquisition

When it became law on July 7, 2014, the 2014 Intelligence Authorization Act (“IAA”) gave the Director of National Intelligence (“DNI”) 90 calendar days to issue new regulations addressing the requirement that “cleared intelligence contractors” report any “successful penetration” of their networks and information systems.  With the DNI on the clock, what can these contractors expect?

For one thing, following a penetration of a covered network or information system, the DNI regulations will require that a cleared intelligence contractor report the following information to a designated element of the Intelligence Community (“IC”):