White House Doubles Down on Private Sector Outreach for Cybersecurity Push
Government Contracts Legal Round-Up is a podcast focusing on important developments facing government contractors and grant recipients. Hosts David Robbins and Marc Van Allen discuss key developments in this ever-changing field in an easy-to-absorb style. Often joined by colleagues and guests, programs focus on the most relevant executive orders, regulations, proposed and final rules that affect the FAR and relevant agency FAR supplements, decisions from GAO, the boards and courts.
By: David Bitkower, David B. Robbins, Shoba Pillay, Aaron R. Cooper, and Tali R. Leinwand
The White House sent an open letter last week to “corporate executives and business leaders” urging their companies to take “immediate steps” toward better protecting themselves against ransomware attacks. Although the White House cannot generally dictate the actions that private companies take, the Biden administration has emphasized that “
usiness leaders have a responsibility to strengthen their cyber defenses to protect the American public and . . . economy.” To that end, the letter referenced the five “best practices” set forth in the recently issued Executive Order on Cybersecurity, including (1) multifactor authentication; (2) endpoint detection; (3) endpoint response; (4) encryption; and (5) a skilled and empowered security team. The letter also outlined five basic but impactful security practices that the White House recommended companies implement:
- Back-up Data. Back-up data, system images, and configurations, regularly test them, and keep the backups offline. If network data is encrypted with ransomware, the organization may still be able to restore its systems.
- Update Systems. Promptly update and patch systems, including applications and firmware.
- Test Plans. Test incident response plans to help identify gaps and understand how long business operations can be sustained without access to certain systems.
- Conduct Independent Checks. Check the security team’s work and ability to defend against a sophisticated attack, thereby increasing the likelihood that back doors or other loopholes can be addressed.
- Segment networks. Separate corporate business functions from manufacturing and production operations, and limit internet access to operational networks.
The letter, which was authored by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, was sent in light of a reported uptick in attacks involving ransomware (software that seizes control of a computer until the victim pays a fee), most recently an attack that reportedly closed off beef and pork production from one of the country’s leading food suppliers.
The letter also reflects the Biden administration’s growing emphasis on the need to improve the government’s cybersecurity defenses, both within and across various agencies. Yesterday, in a press conference regarding the ransomware attack on Colonial Pipeline, Deputy Attorney General Lisa Monaco emphasized that companies should take preemptive action against ransomware attacks, urging them to “pay attention now” and “invest resources now” because “[f]ailure to do so could be the difference between being secure now – or a victim later.” The press conference came just a few days after Deputy Attorney General Monaco issued an internal memorandum directing US prosecutors to report all ransomware investigations that they may be working on, stressing the need for better coordination within the Department. Two weeks ago, the Department of Homeland Security’s Transportation Security Administration announced a security directive requiring pipelines to report confirmed and potential cyber incidents and review current cybersecurity practices. And last month, the White House issued the Executive Order imposing a variety of requirements on federal agencies and government contractors that are aimed at improving the government’s cybersecurity defenses.
As companies seek to evaluate cybersecurity and expand their protections, it is important to consider the following legal issues alongside business and technical concerns:
- Importance of a Multi-Functional Team. Cybersecurity and information protection are broad efforts encompassing many different skills within a company. Legal counsel should be included in the team to advise about the application of relevant laws, regulations, and policies, and to prepare for potential litigation and enforcement actions.
- Importance of Legal Privilege. Companies should consider how to maximize the application of legal privilege to internal factfinding efforts that are designed to address potential legal exposure from cybersecurity and data protection rules.
Outside counsel can help bolster in-house teams and provide broad industry perspective on common issues in these reviews. Jenner & Block lawyers stand ready to assist.
 Letter from Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger to Corporate Executives and Business Leaders (June 3, 2021).
 Press Briefing by Press Secretary Jen Psaki (June 3, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/06/03/press-briefing-by-press-secretary-jen-psaki-june-3-2021/; see also Tucker Higgins, CEOs Need to Prepare Now for Exponential Increase in Ransomware Attacks, Top DOJ Official Says, CNBC (June 4, 2021), https://www.cnbc.com/2021/06/04/ceos-need-to-prepare-for-increase-in-ransomware-attacks-doj-official.html.
 Letter from Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger to Corporate Executives and Business Leaders (June 3, 2021).
 David E. Sanger and Nicole Perlroth, White House Warns Companies to Act Now on Ransomware Defenses, N.Y. Times (June 3, 2021), https://www.nytimes.com/2021/06/03/us/politics/ransomware-cybersecurity-infrastructure.html.
 Office of Public Affairs, Department of Justice, DAG Monaco Delivers Remarks at Press Conference on Darkside Attack on Colonial Pipeline (June 7, 2021).
 Deputy Attorney General Lisa Monaco, Memorandum for all Federal Prosecutors on Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion (June 3, 2021).
 Press Release, DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators, Department of Homeland Security (May 27, 2021).
Biden Administration Expands Cybersecurity Requirements for Government Contractors that Are Likely to Have a Broad Impact on the Private Sector
By: David Bitkower, David B. Robbins, Shoba Pillay, Aaron R. Cooper, and Tali R. Leinwand
An Executive Order released by the Biden administration last month (the Cybersecurity EO) seeks to bolster the federal government’s cybersecurity defenses and resilience by imposing a variety of requirements on federal agencies and government contractors that are likely to have spillover effects in the private sector. While many federal agencies and contractors already abide by existing agency-specific cybersecurity measures, the Cybersecurity EO establishes additional criteria to ensure that all information systems used or operated by federal agencies “meet or exceed” the cybersecurity requirements set forth in the Cybersecurity EO. In particular, the Cybersecurity EO will directly affect companies that provide information technology (IT) and operational technology (OT) services, cloud computing software, and other technology to the federal government. In turn, the private sector, even when not servicing the federal government, is expected to see a renewed emphasis on security requirements and assessment standards.
President Biden signed the highly anticipated Cybersecurity EO just a few months after the discovery of major cybersecurity incidents that targeted the United States, including Solar Winds (the reported Russian cyber espionage operation that affected nine federal agencies and about 100 American companies), a reported Chinese cyber hacking campaign that compromised tens of thousands of small and midsize firms that used Exchange email servers, and, most recently, the largest known cyberattack on the US energy sector, which led to the shutdown of the Colonial Pipeline. Referencing these events, the Cybersecurity EO and corresponding White House fact sheet (1) make clear that the directives are aimed at improving the government’s “insufficient cybersecurity defenses,” (2) cast remediation of these incidents as a “top priority and essential to national and economic security,” and (3) order several dozen actions be taken beginning as soon as this summer.
We highlight here the key initiatives and imminent deadlines that the EO sets out:
- Remove barriers to threat information-sharing between the government and private sector. Contractual barriers that prevent IT and OT service providers from sharing threat information will be removed, and such providers will be required to share certain breach information with the government. This structure is intended to facilitate a more robust information-sharing regime. Traditionally, only defense contractors have been subject to federal requirements regarding breach reporting, and while the Federal Acquisition Regulation (FAR) imposes basic safeguarding requirements, it stops short of requiring breach notification. The Cybersecurity EO now extends the reporting requirement to all providers of IT and OT services to the federal government. Contractors will also be required to collect and share information related to cyber threats, incidents, and risks with the Cybersecurity and Information Security Agency (CISA), the Federal Bureau of Investigation, and other agencies. While changes to government contracts will take time to implement, deadlines have been imposed on federal agencies to hasten these initiatives, beginning as soon as this month:
- June 2021: The Secretary of Homeland Security, in consultation with other agency heads, is directed to recommend to the FAR Council the nature and type of information pertaining to cyber incidents that require reporting.
- July 2021: The Director of the Office of Management and Budget (OMB), in consultation with other agency heads, is directed to review and recommend updates to contractual requirements and language for IT and OT service providers to report cyber incidents.
- September 2021: The Secretary of Homeland Security and the Director of OMB are directed to take “appropriate steps” to ensure service providers are sharing data with certain agencies. This requirement is broad; it implicates information that “may be necessary for the Federal government to respond to cyber threats, incidents, and risks,” and that information must be shared “to the greatest extent possible.” It remains to be seen whether these open-ended directives are ultimately cabined by their implementing regulations.
- Modernize and implement stronger cybersecurity standards in federal government.Over the next several months, the government must develop “security best practices,” such as the use of zero-trust architecture, cloud service solutions, and multi-factor authentication and encryption. The government must also modernize the FedRAMP program—the federal government’s main security authorization program for cloud security—to include training for agencies and improved communication with cloud service providers.
- Improve software supply chain security.Over the next year, the Department of Commerce’s National Institute of Standards and Technology (NIST) is directed to develop guidance to “enhance[e] software supply chain security criteria,” with an emphasis on “critical software,” that will include standards, procedures, or criteria regarding data encryption, multi-factor authentication, and other measures. Eventually, and critically, only software that abides by these new rules will be eligible for federal procurement; non-compliant software will be removed from federal contracts and purchase agreements, and legacy software will need to be redesigned as necessary to comply with these new requirements. Further, the Secretary of Commerce, acting through the Director of NIST, is also directed to develop criteria for product labels to explain for consumers the cybersecurity capacities of commercial (including Internet-of-Things) devices and software, including the “levels of testing and assessment” that a product may have undergone. From the perspective of companies concerned about potential Federal Trade Commission enforcement, the labelling regime will be especially important to bear in mind so as to ensure that device or software development processes meet or exceed the stated criteria, and accurately reflect existing practice.
- Establish a cyber safety review board.An incident review board will convene when there are “significant” cybersecurity incidents. The board reflects a public-private partnership centered on digital defense and identifying lessons learned. It will be co-led by the Secretary of Homeland Security and others, including representatives from private sector entities, who will be selected based on the particular incident being investigated.
- Create a standard playbook for responding to cyber incidents.By September 2021, the Department of Homeland Security (DHS), OMB, and other federal agencies will be required to develop a “playbook”—e., a standard set of operating procedures—to be used in planning and conducting cybersecurity vulnerability and incident response activity with respect to Federal Civilian Executive Branch (FCEB) Information Systems. The playbook must (1) incorporate all appropriate NIST standards, (2) be used by FCEB agencies, and (3) articulate progress and completion through all phases of incident response.
- Improve detection of cybersecurity incidents on federal government networks.In order to detect incidents early, agencies must deploy Endpoint Detection and Response initiatives to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. These requirements will be based on requirements issued by OMB in consultation with DHS.
- Improve investigative and remediation capabilities.Over the next three months, the Secretary of Homeland Security, in consultation with other federal agencies, is directed to develop standardized requirements for maintaining information event logs for federal agencies. The requirements will include the types of logs to be maintained, the time periods to retain the logs, and guidance for protecting those logs.
As written, the Cybersecurity EO is designed to have a meaningful impact not only on the federal government but also on its contractors and, ultimately, the private sector. Yet for all of the Cybersecurity EO’s ambitious directives and timelines, execution of these directives will take time, and the Cybersecurity EO’s ultimate effect will be heavily informed by implementing regulations that have not yet been announced. It remains to be seen how soon the new initiatives envisioned by the Cybersecurity EO will actually take effect, but IT and OT providers most likely to be directly impacted are on notice that change is on the horizon, and that the security community as a whole is contemplating new benchmarks for what cybersecurity looks like.
Of course, the Cybersecurity EO only offers one vector of the federal government’s cybersecurity response, and therefore is equally notable for what it does not, and cannot, address. For example, in the wake of the hack of Solar Winds and the ransomware attack on Colonial Pipeline, it is natural to ask what the Biden Administration’s response will be to continued Russian and Chinese state-sponsored cyber intrusions and, relatedly, foreign safe-harbors provided to criminal groups. The Cybersecurity EO does not say. Separately, will Congress go beyond the Cybersecurity EO to impose broad-sweeping and mandatory breach disclosure requirements, as some have alluded to? From that perspective, the Cybersecurity EO may signal just the beginning of a broader effort within the federal government that is likely to continue in the coming months.
 White House, Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
 Cybersecurity EO § 1.
 Ellen Nakashima, Biden Signs Executive Order Designed to Strengthen Federal Digital Defenses, Washington Post (May 12, 2021), https://www.washingtonpost.com/national-security/biden-executive-order-cybersecurity/2021/05/12/9269e932-acd5-11eb-acd3-24b44a57093a_story.html.
 Cybersecurity EO § 1; White House, Fact Sheet: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks (May 12, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/.
 Cybersecurity EO § 2.
 Cybersecurity EO § 2.
 DFARS 252.204.7012.
 FAR 52.204-21.
 Cybersecurity EO §§ 2(a), 2(e).
 Cybersecurity EO § 2(g)(i).
 Cybersecurity EO § 2(b).
 Cybersecurity EO § 2(e).
 Cybersecurity EO § 2(e) (emphasis added).
 Cybersecurity EO § 3.
 Cybersecurity EO § 3(d).
 Cybersecurity EO § 3(f).
 Cybersecurity EO § 4.
 Cybersecurity EO §§ 4(c)-(e). Under the EO, “critical software” is “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources),” and which will be subject to additional security guidance. Id. §§ 4(a), (g)-(j).
 Cybersecurity EO §§ 4(p)-(q).
 Cybersecurity EO §§ 4(s)-(t).
 Cybersecurity EO § 5.
 Cybersecurity EO § 5(c).
 Cybersecurity EO § 5(e).
 Cybersecurity EO § 6.
 Cybersecurity EO § 6(b).
 Cybersecurity EO § 6(b).
 Cybersecurity EO § 7.
 Cybersecurity EO § 7(b).
 Cybersecurity EO §§ 7(c)-(d).
 Cybersecurity EO § 8.
 Cybersecurity EO §§ 8(b)-(c).
 Cybersecurity EO § 8(b).
 See Mae Anderson & Frank Bajak, Cyberattack on U.S. Pipeline is Linked to Criminal Gang, Associated Press (May 9, 2021), https://apnews.com/article/europe-hacking-government-and-politics-technology-business-333e47df702f755f8922274389b7e920.
 See Eric Geller & Martin Matishak, A Federal Government Left ‘Completely Blind’ on Cyberattacks Looks to Force Reporting, Politico (May 15, 2021), https://www.politico.com/news/2021/05/15/congress-colonial-pipeline-disclosure-488406.
Government Contracts Legal Round-Up | 2021 Issue 9
Welcome to Jenner & Block’s Government Contracts Legal Round‑Up, a biweekly update on important government contracts developments. This update offers brief summaries of key developments for government contracts legal, compliance, contracting, and business executives. Please contact any of the professionals at the bottom of the update for further information on any of these topics.
1. Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021)
- Described as “the first of many ambitious steps the Administration is taking to modernize national cyber defenses,” this significant order emphasizes that federal action alone is not enough and the private sector (especially critical infrastructure) should augment and align cybersecurity investments to minimize future incidents.
- The scope of order includes systems that process data (information technology) and those that run machinery (operational technology).
- Contractors should expect a number of proposed regulatory changes by the fall of 2021 that will:
- Remove barriers to threat information sharing between the government and the private sector;
- Modernize and strengthen cybersecurity standards in the federal government, including by adopting security best practices and advancing toward a zero trust architecture;
- Establish a Cybersecurity Safety Review Board and create a standard playbook for responding to cyber incidents;
- Improve detection of cyber incidents on federal government networks by establishing endpoint detection and response deployment; and
- Improve investigation and remediation capabilities.
1. Withdrawal of Independent Contract Status Under the Fair Labor Standards Act (FLSA), Final Rule, Wage and Hour Division, Department of Labor (May 6, 2021)
- The Department of Labor has withdrawn the Independent Contractor Rule finalized under the prior administration on January 7, 2021, which would have provided a new interpretation of employee or independent contractor status under the Fair Labor Standards Act.
- After delaying the effective date of the final rule and seeking additional comments, the Department of Labor has concluded that the Independent Contractor Rule is not fully aligned with the FLSA’s text or purpose, or with prior case law applying the multifactor economic realities test.
2. Placing Rated Orders Under the Defense Priorities and Allocations System for Novel Coronavirus Disease 2019 (COVID-19), General Services Administration (May 7, 2021)
- This policy provides guidance for placing DPAS rated orders to purchase cleaning supplies, IT equipment for telework, and IT equipment for healthcare.
- The delegation of authority to place DO rated orders in support of GSA’s COVID-19 response and recovery activities extends through March 31, 2022, or until the Presidential Emergency Declaration is rescinded.
1. M R Pittman Group, LLC, B-419569 (May 5, 2021)
- GAO dismissed a protest as untimely where the protester waited until after its bid was rejected to challenge a patent ambiguity in the solicitation.
- The Army Corps of Engineers issued an invitation for bids (IFB) that included standard FAR clauses indicating the procurement was being set aside for small businesses, but the IFB did not include other regulatory requirements for set asides, such as the NAICS code or size standard.
- The Army rejected the protester’s low bid because the company was other than small, and the company protested.
The protest decision is a stark reminder that a company that competes under an ambiguous solicitation cannot wait until after the company is not selected for award to challenge the ambiguous solicitation terms. As GAO has explained, a patent solicitation ambiguity exists where the solicitation contains an obvious, gross, or glaring error, and an offeror has an affirmative obligation to seek clarification of a patent ambiguity prior to the due date for bids. When a patent ambiguity exists but is not challenged prior to the bid submission deadline, GAO will not consider subsequent untimely arguments asserting the protester’s own interpretation of the ambiguous provision.
2. Tridentis, LLC, B-418690.4 (Jan. 5, 2021) (publicly released May 11)
- GAO found unobjectionable the Department of the Navy’s decision to reject a proposal as technically unacceptable where the protester failed to establish that it possessed a facility security clearance on the due date for receipt of proposals, as required by the solicitation.
- The Navy initially evaluated the facility identified in the protester’s proposal as meeting the solicitation requirements, but following corrective action related to other allegations, the agency re-reviewed these aspects and found that the facility identified was not cleared to safeguard secret information after all.
- GAO agreed with the Navy that an offeror’s showing that it met the facility clearance requirement at the time of proposal submission was a material term of the solicitation, and one of technical acceptability, not responsibility.
- GAO then found that the agency’s conclusion that Tridentis failed to clearly demonstrate that it met the facility clearance requirement at the time of proposal submission was reasonable. While its proposal contained the address of its teaming partner’s Virginia Beach facility—which did possess the required facility clearance—the proposal did not explain that the facility belonged to another firm, or that Tridentis would be relying on that firm’s facility to meet the clearance requirement.
This decision serves as a warning that offerors must clearly explain how they intend to meet mandatory solicitation requirements, as the failure to do so may result in disqualification from competition. It is also important to remember that agencies are free to newly disqualify an offeror when reevaluating proposals following corrective action reevaluation, and GAO will not disturb the revised result if otherwise reasonable.
3. Verizon Business Network Services, Inc., B-419271.5, B-419271.6, B-419271.8 (Apr. 26, 2021) (publicly released May 11)
- GAO dismissed a protest ground where the protester knew, or should have known, the basis of protest back when filed its pre-corrective action protest.
- The Department of Homeland Security awarded AT&T a task order off the Enterprise Infrastructure Solutions (EIS) GWAC. In its first protest, Verizon argued that AT&T was ineligible for award because of the company’s alleged failure to have all required services on its EIS contract. The agency took corrective action.
- After the order was re-awarded to AT&T, Verizon protested again, this time arguing that AT&T was ineligible because of alleged lack of SD-WAN service on its EITS contract, which had not been mentioned in the initial protest. Verizon used the same information database (the EIS Public Pricer tool) as evidence.
- GAO concluded that this argument was untimely because the information underpinning the current protest ground was available to the protester as part of its earlier protest. Likewise, the fact that the information regarding AT&T’s alleged lack of SD-WAN services came from a different webpage (within the same EIS Public Pricer tool) did not negate the fact that the information was just as available to Verizon before as it was when it filed the instant protest.
When filing a protest, it is imperative to raise all arguments known at the time—including those based upon publicly available information. GAO will readily dismiss protest grounds that were known before the filing of either a supplemental protest or a protest following corrective action.
1. Pacific Coast Community Services, Inc. v. U.S., No. 1:19-cv-01187 (April 30, 2021)
- Pacific Coast received a firm-fixed-price contract for administrative services with the Federal Protective Services. The contract included a provision stating that invoices must reflect the services provided each month and identified a monthly contractual hour amount of 1,888.
- FPS began making unilateral deductions from invoices because it did not believe Pacific Coast personnel had worked the stated number of hours. Pacific Coast sued for underpayment, alleging breach of contract.
- Pacific Coast alleged that the firm-fixed-price nature of the contract did not require adjustment for actual hours worked. Specifically, it alleged that such an interpretation would convert the contract to a firm-fixed-price, level-of-effort contract under FAR 16.207-1.
- The Federal Circuit agreed with the lower court that “because productive hours were a specific deliverable,” the government was entitled to deduct payment for hours not actually provided.
Fixed-price contracts with a labor hour component frequently give rise to disputes: the contractor may be able to fully perform the support function with fewer hours and the fixed-price nature of the contract might lead it to believe it is entitled to benefit from its efficiency. But, even where the government has no complaints about the services provided, it may attempt to claw back money based on failure to fully provide the stated hours. This decision extends that problem from FFP-LOE contracts to other labor-hour based fixed-price contracts.
2. Appeal of Glen/Mar Construction, Inc., CBCA No. 6904 (Apr. 2, 2021)
- Glen/Mar received a contract with the Department of Veterans Affairs to remedy seismic deficiencies in buildings at a VA clinic in Oregon. During performance, a dispute arose regarding who was responsible for relocating an internet fiber service line.
- Eventually the VA accepted responsibility and entered into negotiations regarding contract adjustment for this work. During the negotiations, the parties discussed both increased costs and schedule adjustment, but the VA asked Glen/Mar to remove the schedule portion from its request for equitable adjustment.
- The parties executed a contract modification that include zero days of schedule adjustment and contained a broad release.
- Glen/Mar asserted that the parties agreed to resolve the schedule adjustment issues separately and it submitted a claim for costs related to the delay. The VA asserted that the broad release in the contract modification prevented any further recovery.
- The Civilian Board of Contract Appeals concluded that the release language was clear in resolving all issues related to the dispute and denied Glen/Mar’s attempt to introduce extrinsic evidence regarding agreement to resolve schedule issues separately.
This case is a reminder of the importance of reserving rights to additional adjustment in any release that the contractor believes does not fully resolve the contractor’s claim. There are a variety of reasons the government may seek to have the contractor remove a portion of its claim during negotiations, but unless those removed elements are reserved in the resulting modification, they could be waived.
Government Contracts Legal Round-Up | 2021 Issue 6
Welcome to Jenner & Block’s Government Contracts Legal Round‑Up, a biweekly update on important government contracts developments. This update will offer brief summaries of key developments for government contracts legal, compliance, contracting, and business executives.
1. Class Deviation 2021-O0003: DFARS 252.239-7098 Prohibition on Contracting to Maintain or Establish a Computer Network Unless Such Network is Designed to Block Access to Certain Websites – Representation (Apr. 2, 2021)
- This Class Deviation sets out a new representation for contracts to maintain or establish a computer network that are funded under the Consolidated Appropriations Act, 2021 (Pub. L. 116-260) (the Act), or extensions to the Act.
- For covered solicitations, by submission of an offer, the offeror represents “that it is not providing as part of its offer a proposal to maintain or establish a computer network unless such network is designed to block access to pornography websites.”
- Contracting officers will include the provision at 252.239-7098, in all solicitations, including solicitations for the acquisition of commercial items under FAR part 12.
- Funding under the Act may be still used by law enforcement to carry out activities related to criminal investigations, national defense, and intelligence.
Contractors anticipating submitting proposals that include maintaining or establishing a computer network will want to ensure compliance with this new “porn blocking” representation and evaluate any needed changes to supply chain representations.
2. Implementation of the Government Furnished Property Module (Mar. 24, 2021)
- As of January 2021, and in accordance with DFARS subpart 245.102(5), contractors are required to report the loss of Government property in the GFP Module in lieu of the Defense Contract Management Agency (DCMA) Property Loss eTool.
- Training resources on how to use the GFP Module are available at the DoD Procurement Toolbox and live webinars are posted here.
Contractors should note increased oversight of Government property. DoD describes its GFP Module as “an important step” in addressing “DoD’s material weakness in better accounting for Government Property” in contractors’ possession. The tool supports DoD’s strategic plan for defense-wide procurement financial and audit improvements. Documentation and data for completed loss cases in the GFP Module will be saved, allowing greater insight into loss patterns.
3. Securing the Information and Communications Technology and Services Supply Chain: Licensing Procedures (Mar. 29, 2021)
- On January 19, 2021, the Department of Commerce (the Department) published an interim final rulemaking, ‘‘Securing the Information and Communications Technology and Services Supply Chain,’’ which became effective on March 22, 2021.
- This rule allows the Secretary of Commerce, in accordance with Executive Order 13873, to prohibit certain information and communications technology and services transactions (ICTS Transactions) to address national security threats.
- ICTS Transactions include provision of services. The term includes all transactions that occurred on or after January 19, 2021, by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. Providing services, such as software updates, to US persons may provide a foreign adversary an opportunity to engage in activities that may threaten US national security.
- In its January 19 notice, the Department stated it would implement a licensing process by May 19th for entities seeking pre-approval before engaging in or continuing to engage in ICTS Transactions.
- Because additional public input is needed and the Department no longer expects to meet its May 19 deadline, the Department seeks public input through April 28, 2021, on such a licensing or other preclearance process.
In this Advanced Notice of Proposed Rulemaking, the Department of Commerce seeks public input by April 28, 2021 on all aspects of a future ICTS licensing process, including potential models for creating a process that would provide entities seeking to engage in an ICTS Transaction greater certainty that the transaction will not be prohibited.
1. TekSynap Corp., B-419464; B-419464.2 (Mar. 19, 2021)
- GAO sustained a protest challenging the National Geospatial-Intelligence Agency’s (NGA) evaluation of proposals and decision not to hold discussions.
- Specifically, GAO found the agency unreasonably assigned only a “slight weakness” to the awardee despite one of its key personnel failing to meet a mandatory qualification. In a cascading effect, this meant the management plan subfactor rating of “outstanding” was unreasonable, and the overall “outstanding” rating for the technical/management factor was unreasonable.
- GAO also held that the assignment of a “moderate strength” rather than a “significant strength” to the protester’s proposal was unreasonable when the evaluators positively described numerous merits of the proposal in detail and used language associated with a significant strength.
- Based upon these errors, GAO concluded that NGA’s decision not to enter into discussions with TekSynap—because the agency had determined the awardee’s proposal was technically superior—was necessarily unreasonable.
2. IAP World Services, Inc., B-418566.2 et al., Aug. 20, 2020 (published Mar. 24, 2021)
- GAO denied a protest alleging that awardee Vectrus-J&J Facilities Support, LLC (VJFS) materially misrepresented its management structure by failing to disclose an imminent sale. One of VJFS’s joint venture members (J&J Maintenance) was subject to a stock purchase several weeks after it was awarded the contract.
- As a general matter, an offeror’s material misrepresentation in its proposal can invalidate an agency’s evaluation, and serve as a basis to cancel any contract award.
- Here, GAO agreed with the contracting agency (the Navy) that even if there had been a misrepresentation, it did not invalidate the agency’s evaluation. While the Navy cited VJFS’s experience and past performance in its best value determination, the stock purchase did not impact VJFS’s stated experience or past performance as J&J’s operations, management team, and resources remained the same.
- Notably, GAO also explained that even assuming that VJFS had a duty to notify the agency about the potential future stock transaction and failed to do so, the protester was not prejudiced by any failure to notify.
Where an offeror’s proposal represents that it will perform a contract in a manner materially different from the offeror’s actual intent, an award based on such proposal cannot stand, since both the offeror’s representations, and the agency’s reliance on such, have an adverse impact on the integrity of the procurement process. But GAO will not sustain a protest alleging a misrepresentation unless the protester can demonstrate competitive prejudice from the awardee’s failure to notify the contracting agency of any changes to its proposal.
1. Appeal of L3 Technologies, Inc., ASBCA Nos. 61811, 61813, 61814 (Mar. 1, 2021)
- L3 appealed multiple contracting officer’s final decisions (COFDs) disallowing costs, including for “other direct costs” and overhead expenses.
- The COFDs were based on DCAA incurred cost audits for 2011-2014, which employed cost sampling and then extrapolated the questioned cost amounts across the entirety of the sample pool.
- During discovery, the contracting officer withdrew the COFDs, stating that the government would no longer challenge the costs. The government moved to dismiss the appeals.
- L3 sought to continue the appeals over the government motion to dismiss, desiring a decision on the merits. L3 argued that the government had engaged in a pattern of asserting and then withdrawing such incurred cost disallowance claims.
- The board dismissed the claims, holding that they were moot and not subject to any exception to the mootness doctrine.
- Judge Clarke dissented, noting that “The majority decision subjects L3 (and other contractors) to the unfortunate chain of events discussed below until DCAA and DCMA resolve whatever their differences are.”
The painful pattern seen here is familiar to many government contractors: delayed DCAA audits result in rushed COFDs to avoid the statute of limitations. Contractors must then defend against a government claim, often seeking millions of dollars in previously paid amounts. Unfortunately, this decision gives contractor’s little hope of relief and highlights the need to pay close attention to all DCAA audits and disallowances.
2. Appeal of SRA International, Inc., CBCA Nos. 6563, 6564 (Mar. 19, 2021)
- SRA appealed COFDs disallowing $29 million in costs on two State Department contracts following DCAA incurred costs audits.
- After a structured negotiation process, SRA secured a complete withdrawal of the COFDs and dismissal of the government claims with prejudice.
Continuing the theme of government cost disallowance claims, this case demonstrates the benefit of engaging experienced outside counsel to assist in dealing with DCAA audits, disallowances, and any resulting COFDs or government claims.
Government Contracts Legal Round-Up | 2021 Issue 5
Welcome to Jenner & Block’s Government Contracts Legal Round‑Up, a biweekly update on important government contracts developments. This update summarizes key developments for government contracts legal, compliance, contracting, and business executives.
1. Withdrawal of Several FAR Cases on March 19, 2021
The change in administration has resulted in the review and withdrawal of several rules pending for years. Because of the passage of time, the FAR Council favors further consideration under new FAR cases, if at all. One FAR case (2018-002) was withdrawn as it was tied to a now-revoked executive action. The rules withdrawn include:
- FAR Case 2011-001: Withdrawal of Organizational Conflicts of Interest
- FAR Case 2012-015: Withdrawal of Small Business Set Asides for Research and Development Contracts
- FAR Case 2013-022: Withdrawal of Extension of Limitations on Contractor Employee Personal Conflicts of Interest
- FAR Case 2018-002: Withdrawal of Protecting Life in Global Health Assistance
2. Request for Comments on Semiconductor Manufacturing by US Department of Commerce
- In response to President Biden’s Executive order on “America’s Supply Chains,” the Secretary of Commerce must submit a report within 100 days that: (1) identifies risks in the semiconductor manufacturing and advanced packaging supply chains; and (2) proposes policy recommendations to address these risks.
- The FY 21 NDAA also includes a provision to incentivize the production of semiconductors for the US, and mandates several actions to secure the semiconductor-related supply chain.
- This notice requests comments by April 5, 2021 to assist the Commerce Department in preparing its report to the White House.Publish
3. Department of Labor Plans to Rescind Two Rules Related to Independent Contractors and Joint Employers Finding They “Weaken” Protections to Workers Under the Fair Labor Standards Act
- The first Notice of Proposed Rulemaking proposes the withdrawal of the Independent Contractor Final Rule issued on Jan. 7, 2021. This rule adopted a new “economic reality” test that narrowed or minimized other factors considered by courts traditionally, making it less likely a worker will be found an employee subject to FLSA protections. Independent contractors have no FLSA protections, but employees are eligible for the federal minimum wage and overtime.
- The second Notice of Proposed Rulemaking seeks to rescind a current regulation on joint employer relationships under the Fair Labor Standards Act, effective March 16, 2020. On September 8, 2020, the US District Court for the Southern District of New York vacated portions of the Joint Employer Rule, stating that the rule was contrary to the FLSA and was “arbitrary and capricious” due to its failure to explain a shift from prior guidance or to consider the effect of the rule on workers.
- The Department of Labor invites comments on both proposed rules by April 12, 2021.
1. People, Technology and Processes, LLC, B-419385, B-419835.2 (Feb. 2, 2021) (published Mar. 15)
- GAO found unobjectionable the General Services Administration’s (GSA) rejection of a late-submitted proposal.
- The request for proposals (RFP) required that offers be submitted by October 13, 2020, via the agency’s online proposal submission portal, “GSA ASSIST.” The RFP warned that proposals received after the closing data and time would not be considered.
- The protester had trouble with the online portal—it uploaded materials but was unable to click submit—so it emailed the proposal to the contracting officer instead.
- Even though the protester had uploaded proposal materials prior to the deadline, GAO noted that the protester maintained the ability to revise its proposal by uploading new, modified attachments until the moment it pressed the “submit” button. Thus, GAO found that the uploaded materials were never under the government’s control.
- GAO also found that the use of email to submit the proposal was not authorized by the RFP.
Late is late. It is an offeror’s responsibility to deliver its proposal to the government office designated in the solicitation by the time specified, and an agency is not required to consider a proposal where there is no evidence that the proposal was actually received.
2. HVF West, LLC v. United States, CAFC No. 2020-1414, 2020-1583 (Feb. 19, 2021)
- The Court of Appeals for the Federal Circuit reversed a Court of Federal Claims decision, finding that the successful protester actually lacked standing to bring its COFC protest.
- HVF protested the Defense Logistics Agency’s (DLA) award of a “sales contract” for the purchase and destruction of surplus Government military equipment. Given that DLA technically was selling the property to the contractor, DLA awarded the contract to the highest bidder, Lamb Depollution, Inc. HVF was fourth in line for the contract.
- First at the agency-level, then at GAO, and eventually at COFC, HVF raised numerous “detailed allegations” to challenge the award to Lamb, and HVF also questioned the experience of the two intervening bidders. COFC sustained the protest, finding that HVF showed that DLA erred in finding Lamb satisfied all non-price criteria in the solicitation.
- On appeal, the Federal Circuit found that HVF’s challenges to the intervening offerors were “based upon conjecture,” which was insufficient for HVF to establish that it had a substantial chance of winning the award such that it qualified as an interested party. More specifically, HVF alleged only that the intervening bidders “failed to meet the standards for a successful pre-award survey,” a conclusory statement deemed insufficient to question the eligibility of the intervening bidders.
To have standing to bring a bid protest, a losing bidder must be an interested party; that is, an actual or prospective bidder whose direct economic interest would be affected by the award of the contract or by failure to award the contract. The Federal Circuit clarified that “even when an agency assesses price-ranked bidders together for technical compliance to select the bid most advantageous to the Government, . . . the least favored price-ranked bidder has standing only upon mounting a credible challenge to the technical acceptability of the better price-ranked bidders in line and in front of the protesting party.”
3. Peraton, Inc., B-416916.11 (Feb. 8, 2021) (published Mar. 16)
- Following a series of protests and corrective action over two years, GAO dismissed as untimely the protester’s new allegation that the RFP no longer reflected the agency’s requirements.
- Under GAO’s timeliness rules, protests challenging the terms of a solicitation must be filed prior to the proposal due date unless no due date has been established, in which case the protester is required to raise any issues within ten days of when it knew or should have known about the defects in the solicitation. An agency’s alleged failure to amend a solicitation based on changed requirements is a challenge to the terms of the solicitation.
- Here, on October 30, the agency set a deadline for proposal submission. While Peraton protested prior to the due date, the company knew about the issues it raised between April 27 and October 30, when no closing time had been established for this procurement. GAO thus concluded Peraton’s protest was untimely.
- In a rare admonishment, GAO also noted that this procurement had been subject to six protests by Peraton, the incumbent contractor that had continued performance throughout, and “permitting a protester to, in effect, hold solicitation challenges in reserve until it becomes clear that they are unlikely to prevail in a competition is antithetical to the idea that allegations of solicitation improprieties should be resolved as early as possible in the procurement process.”
When challenging the terms of a solicitation—including an agency’s failure to amend a solicitation based on changed requirements—the key question for timeliness is whether the date for proposal submissions (or resubmissions) has been set. In situations where no due date has been established, the protest must be filed within ten days of when the basis for protest was known. Failure to protest on time will result in a dismissal.
4. Mission 1st Group, Inc., B-419522 (Mar. 15, 2021)
- GAO denied a protest challenging the company’s elimination from the competition based on a “go/no-go” evaluation factor for ISO 9001:2015 certification.
- Offerors were required to show that they possessed a current/valid certificate, and also that they had possessed one during the period two years prior to the deadline for submitting proposals (October 5, 2020). The protester provided a current certificate, issued on December 27, 2019, but did not submit its prior certification. Based on missing the RFP requirement, the agency said “no-go.”
- GAO found this result unobjectionable, because there was nothing ambiguous about the terms of the RFP, and had the agency requested the company submit additional documentation, that would have amounted to discussions.
A good reminder that contractors must pay close attention to RFP documentation requirements, particularly on “go/no-go” factors, as failure to provide the necessary information will likely result in elimination from the competition.
1. Creative Mgmt. Servs., LLC v. United States, US Court of Appeals for the Federal Circuit, Case No. 2020-1449 (Feb. 26, 2021)
- Creative held a GSA contract to host the annual GovEnergy conference. Under the contract, it was to maintain a separate bank account with all proceeds from the conference and from which it could receive payment. When GSA cancelled the conference in 2012, GSA requested by letter that Creative return the entire amount in this account. Creative responded that it was entitled to keep any remaining funds and submitted a termination for convenience settlement. Eventually the government issued a final decision with a settlement amount and sought return of any difference remaining in the account.
- Creative failed to appeal this Contracting Officer’s Final Decision (COFD) within 12 months, and the Court of Federal Claims found its appeal time barred by the Contract Disputes Act.
- On appeal, Creative argued that the COFD was not proper as it did not state a sum certain.
- The Federal Circuit upheld COFC’s dismissal, holding that a COFD need only be based on a claim stating a sum certain. Even then, the “sum certain” only needs to be “readily ascertainable to the party against whom the claim was made.” The court held that the government’s prior demand letters for the balance of the account constituted a sum certain despite containing different amounts and the word “approximately.” The court held the amount was readily ascertainable to Creative by simply checking the balance in the account.
This case is a reminder to pay close attention when dealing with any government demand for payment or any letter that identifies itself as a Contracting Officer’s Final Decision. Time limits under the Contract Disputes Act are a trap for the unwary. Creative gets credit for making creative technical arguments to attempt to avoid them, but it couldn’t get around its failure to timely appeal the COFD.
Investigations and Enforcement
O'Fallon Building Co. Settles Fraud Claims, USAO-SDIL, Department of Justice
R&W Builders, Inc., agreed to pay $400,000 to resolve allegations that it fraudulently obtained construction contracts reserved for 8(a) businesses. R&W had graduated from the 8(a) program, then stood up a new joint venture and, upon award of a new contract, stepped forward and managed the contracts using its own employees to perform nearly all the work in violation of 8(a) rules.
The International Rescue Committee (IRC) Agrees to Pay $6.9 Million To Settle Allegations That It Performed Procurement Fraud by Engaging in Collusive Behavior and Misconduct on Programs Funded by the United States Agency for International Development, USAO-DC, Department of Justice
International Rescue Committee agreed to pay $6.9 million to settle False Claims Act allegations related to USAID funds for humanitarian assistance for displaced persons in Syria. The allegations involved collusion and kickbacks for goods purchased by USAID funds.
Government Contracts Legal Round-Up | 2021 Issue 3
Welcome to Jenner & Block’s Government Contracts Legal Round‑Up, a biweekly update on important government contracts developments. This update will offer brief summaries of key developments for government contracts legal, compliance, contracting, and business executives.
Defense Federal Acquisition Regulation Supplement (DFARS) Rules
1. Class Deviation 2021-O0004 - DFARS 252.225-7987 Requirements for Contractor Personnel Performing in the US Southern Command Area of Responsibility (Feb. 22, 2021)
- The new deviation is to be used in lieu of the clause DFARS 252.225-7040, Contractor Personnel Supporting US Armed Forces Deployed Outside the United States, in solicitations and contracts that require performance in US Southern Command (USSOUTHCOM).
- Designed to implement the President’s March 13, 2020, “Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak,” this new class deviation adds the following requirements for contracts supporting USSOUTHCOM, as follows:
- Recertification of medical fitness for medical suitability screening;
- Requirements for Synchronized Predeployment and Operational Tracker data for contractor personnel support and tracking; and
- Personnel recovery requirements.
Contractors operating in the USSOUTHCOM area of responsibility should note this new class deviation, which rescinds and supersedes class deviation 2014-O0016. It includes new medical and tracking requirements in response to COVID-19 outbreak, in addition to continued operational requirements.
DoD Implements New Contracting Certification Program for DoD Acquisition Professionals
1. Restructuring of the Certification Program for the Contracting Functional Area (Feb. 18, 2021)
- The Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)), has released a plan for a new certification program for its workforce as part of its phased implementation of a Back-to-Basics (BtB) talent management framework.
- A Contracting Certification Taskforce has designed a new Contracting Professional Certification Program for DoD’s Contracting Functional Area.
- Effective October 1, 2021, DoD will be adopting a single level of certification with foundational training and an examination designed to verify competency.
- The certification is based on the American National Standards Institute / National Contract Management Association (ANSI / NCMA ASD 1-2019) accredited Contract Management Standard.
- A “significant undertaking,” the deployment of the new certification program and credentials is designed to enable “an improved talent development approach for a professional, capable, and mission-focused contracting workforce.”
Training DoD’s acquisition workforce has long been a key issue. This new Contracting Competency model is designed to comply with section 861 of the Fiscal Year 2020 National Defense Authorization Act (Public Law 116-92). That provision requires DoD contracting professionals to earn a professional certification based on standards developed by a third-party accredited program.
1. Audit of Contracts for DoD Information Technology Products and Services Procured by DoD Components in Response to the Coronavirus Disease–2019 Pandemic (DODIG-2021-050) (Feb. 12, 2021)
- DoD’s Office of Inspector General concluded that DoD has complied with the CARES Act and other Federal and DoD requirements in procuring approximately $81.5 million in information technology products and services in response to the COVID-19 pandemic at reasonable prices and at a reduced risk of cybersecurity vulnerabilities.
- Contractors should note that DoD will continue to focus on compliance with the CARES Act and cybersecurity to reduce waste, fraud, and abuse, and mitigate cyber vulnerabilities, each of which could potentially jeopardize the DoD’s missions, information, and assets.
2. Audit of Cybersecurity Requirements for Weapon Systems in the Operations and Support Phase of the Department of Defense Acquisition Life Cycle (DODIG-2021-051) (Feb. 10, 2021)
- The objective of this audit was to determine whether DoD Components took action to update cybersecurity requirements for weapon systems in the Operations and Support (O&S) phase of the acquisition life cycle, based on publicly acknowledged or known cybersecurity threats and intelligence-based cybersecurity threats.
- For the five DoD weapon systems assessed, DoD IG concluded that program officials followed the Risk Management Framework requirements and updated cybersecurity requirements to account for additional countermeasures implemented or needed to protect the weapon systems from the identified threats.
- Contractors should be prepared for cybersecurity requirements to evolve during an O&S phase of a program if threats are identified.
1. Coventry Healthcare Workers’ Compensation, Inc., B-417237.5 (Jan. 29, 2021)
- GAO denied a protest asserting that a price-technical tradeoff was flawed because the agency failed to assign a monetary value to savings that purportedly would be realized from the protester’s technical solution.
- GAO rejected the argument because nothing in the solicitation’s evaluation scheme contemplated that the agency would “monetize” any aspect of an offeror’s technical approach.
An agency is not required to take into account monetary savings that could be realized during performance unless the solicitation contemplates an analysis or consideration of the potential cost savings associated with an offeror’s technical approach.
2. FreeAlliance.com, LLC; Radus Software LLC/Radus CTA; Mobomo, LLC, B-419201.3 et al. (Jan. 19, 2021)
- GAO sustained a protest where the evaluation record did not explain why the strengths and weaknesses assigned to each quotation merited a particular adjectival rating. Apart from a recitation of the definition for the adjectival ratings, the record did not explain the agency’s basis for assigning the ratings.
- GAO was unable to conclude that the agency’s evaluation was administered on an even-handed basis because quotations with the same strengths were assigned different ratings without any explanation.
GAO will sustain a protest where the evaluation record is insufficient to conclude that differences in evaluation ratings assigned to quotations stemmed from differences between the quotations.
3. DynCorp International, LLC v. United States, No. 20-cv-1293 C (Feb. 16, 2021)
- COFC dismissed a protest on the basis that it was “connected to the issuance of the task order” and did not fit into the jurisdictional exception for task orders that exceed the scope of the IDIQ contract.
- The protest alleged that an Army task order was improperly awarded to CACI, Inc. because, following CACI’s conversion from Inc. to LLC, CACI, Inc. no longer held a GISS IDIQ contract.
- Because DynCorp could not show that the statement of work described in the task order Performance Work Statement (PWS) was beyond the PWS for CACI’s GISS IDIQ contract, the scope exception did not apply.
- In addition, the Court explained that the protest would have been denied on the merits, because the conversion from CACI, Inc. to CACI, LLC was completed in accordance with the FAR, with full government awareness, and did not affect the Army’s award to CACI in any way.
This decision highlights two important issues for contractors. First, protesting a task order at COFC is only available in the narrowest of circumstances, and GAO is generally a contractor’s only recourse. Second, when a contractor takes any action that affects the company’s corporate identity, it is vital to engage the federal customer and follow appropriate practices to ensure that any awards made are to the correct entity.
1. Appeals of Harry Pepper and Associates, ASBCA Nos. 62038-42
- Harry Pepper and Associates encountered numerous changes while performing a $36.5 million contract to restore and reinforce a rocket booster support tower at NASA’s Stennis Space Center.
- Pepper submitted 12 claims asserting a variety of changes, including to the contract performance method and welding procedures, and alleging defective design by the government.
- In addition, Pepper argued in the alternative that the contract had been constructively changed by pervasive out-of-scope work, increased performance time, different equipment requirements, and increased labor demands.
- The Armed Services Board of Contract Appeals (ASBCA) held there was no cardinal change because, despite a great number of alterations made in the work, the changes were not out of character with the work contemplated in the contract and were foreseeable by the contractor.
As contract changes begin to balloon on a contract, it is tempting to assume the cumulative effect will equal a cardinal change. But this case is a reminder that cardinal change is very difficult to demonstrate through voluminous changes to the work or significant increase in performance time. Courts and Boards are loath to find the government in breach and will seek to redress changes—no matter how voluminous—under the contact’s changes clause. Thus, as changes mount and performance time increases, it is especially important to engage in developing comprehensive requests for equitable adjustment to ensure you can fully capture cost and schedule impact.
2. Appeal of SkyQuest Aviation, LLC, ASBCA No. 62586
- SkyQuest received an Air Force contract to provide test pilots and flight engineers. During performance, the Air Force asserted that the pilots must have specific Air Force certification paperwork. SkyQuest responded to a cure notice disputing that the certification paperwork was required by the contract. The Air Force terminated SkyQuest for default.
- SkyQuest filed a pro se complaint at the ASBCA seeking $429,000 in payment, revocation of the default termination, and adjustment of its CPAR rating.
- SkyQuest did not obtain a contracting officer’s final decision on any of these items prior to its appeal, and the Air Force asserted the Board lacked jurisdiction to hear SkyQuest’s appeal.
- The ASBCA held that, although it did not have CDA jurisdiction over the monetary claim or the CPAR adjustment, the termination for default was a government claim for which a contracting officer’s final decision was not necessary. In addition, because SkyQuest disputed the termination only based on compliance with the contract terms, it was not required to obtain a COFD to proceed.
Challenging government claims, including termination for default or claims for liquidated damages, implicates nuanced procedural questions. The Maropakis case required that affirmative defenses must be the subject of a COFD. SkyQuest Aviation reflects evolution of the Maropakis line of cases in recent years to clarify that submission to the contracting officer is not required where the defense is merely that the government has not met its burden of proof for an element of its claim.
3. Appeals of San Point Services, LLC, ASBCA Nos. 61819, 61820
In another example of government contracting and surety industries colliding, the ASBCA quashed a government subpoena seeking information relating to a payment bond claim filed by a subcontractor. In a rather odd case, NASA sought to defend against an ASBCA claim by arguing that a separate payment bond case, filed by a subcontractor, contained admissions concerning fraud. NASA served a subpoena duces tecum on the surety, which successfully moved to quash based on undue burden. The Navy’s arguments that the contractor had been less than forthcoming were not compelling—in the eyes of the ASBCA—to justify placing the burden of a subpoena on the surety.
There are a number of ongoing lawsuits and/or investigations alleging that sureties owe the government certain duties to prevent fraud (see, e.g., U.S. ex rel. Scollick v. Narula), but here the ASBCA limited the government’s reach into the surety business while upholding the ASBCA’s periodically announced practice of not letting the government’s blanket assertion of fraud divest the Board of jurisdiction over an appeal.
Investigations and Enforcement
There have been a number of cases dealing with recovery of attorney’s fees in False Claims Act cases lately:
- Beware the parallel proceeding. Where civil settlement funds were seized by the government investigating a separate criminal matter, the court denied motions by the plaintiff’s lawyers to release a third of those funds to satisfy the contingent fee earned by those attorneys on the civil case. U.S. ex rel. Glasser v. Boykin Contracting, Inc. (Civil Action No.: 3:14-cv-00224-JMC, D.S.C. Columbia Division)
- And a court refused to permit double dipping by qui tam plaintiffs, shaming a relator for not removing from its fee requests amounts for unsuccessful claims and failing to account for prior recoveries. U.S. and State of New York ex re. Nichols v. Computer Sciences Corp. and City of New York (S.D.N.Y)
And the District Court for the Northern District of Illinois reminding qui tam plaintiffs that fraud must be pled with particularity, dismissing the complaint in U.S. ex rel. Noreen Lanahan v. County of Cook for failure to plead relevant details about alleged false statements and certifications, such as who made them, when they were made, and how much money was involved.
The Eleventh Circuit affirmed a district court’s rejection of a False Claims Act retaliation claim in Hickman v. Spirit of Athens, holding to the standard that an objectively reasonable belief that the individual was attempting to prevent a violation of the False Claims Act was necessary to support a retaliation claim. A sincere belief is not enough—that belief must be objectively reasonable.
Suspension / Debarment Summary
The World Bank released its debarment/sanctions results. The Bank debarred 267 companies and individuals, which was a substantial increase over prior years. The Bank also announced, that beginning in 2021, it would state the reason for debarments / sanctions in the future. By comparison, the US suspension / debarment system is less transparent, and does not release the causes for suspensions and debarments in the annual Interagency Suspension and Debarment Committee Report to Congress (which is a trailing publication, the most current edition published in early 2021 only covered Fiscal Year 2019 activities).
Key Developments in the FY 2021 National Defense Authorization Act
By: Cynthia J. Robertson, David B. Robbins, and Noah B. Bleicher
Jenner & Block’s Government Contracts Practice is pleased to highlight key components of the William M. (Mac) Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 2021 (FY 21). This annual legislation—filled with thousands of provisions—provides a roadmap of acquisition policies that will drive future regulatory changes for government contractors of all types, sizes, and customer bases.
Perennial topics, including cybersecurity, foreign influence, domestic sourcing, data rights, Other Transaction Authority (OTA), commercial item contracting, ethics, and small business participation continue to dominate. Joining these subjects are newer topics, including expediting US Space Force acquisition.
We highlight some of the key developments and offer guidance on what contractors should anticipate in the coming months and years. We will be closely tracking the reports to Congress and anticipated regulatory changes. Should you have questions on these or any other NDAA developments, we welcome your outreach.
Cybersecurity / IT Development
Perhaps more than any other subject area, the NDAA contains a vast number of cybersecurity provisions. The legislation adopts numerous recommendations from the reauthorized Cyberspace Solarium Commission, which described the FY 21 NDAA as “the most comprehensive and forward-looking piece of national cybersecurity legislation in the nation’s history.” Key recommendations include developing cyber leadership roles reporting to the White House and better coordination of cybersecurity between federal, state, the private sector, and international stakeholders. Below we highlight other cyber provisions of interest.
Sec. 835: Balancing Security and Innovation in Software Development and Acquisition
- Addresses concern regarding software developed or produced by adversary nations.
- Directs DoD to create a “software pathway” to allow software to be delivered in a timely and secure manner.
Sec. 837: Safeguarding Defense-Sensitive United States Intellectual Property, Technology, and Other Data and Information
- Requires DoD to establish, enforce, and track actions to protect defense-sensitive US intellectual property, including hardware and software, from acquisition by China.
- Requires DoD to generate a list of critical national security technology and provide for mechanisms to restrict employees or former employees of the defense industrial base from working directly for companies owned or directed by China.
Section 1712: Modification of Requirements Relating to the Strategic Cybersecurity Program and the Evaluation of Cyber Vulnerability of Major Weapons Systems of the Department of Defense (DoD)
- Requires DoD to develop a plan for each major weapon system to undergo an annual cyber-vulnerabilities assessment and to share lessons learned and best practices from the annual assessment of cyber resiliency of nuclear command and control system.
Section 1716: Subpoena Authority
- Authorizes DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to issue administrative subpoenas upon detection of security vulnerabilities and to notify public and private system owners.
Section 1722: Assessing Risk to National Security of Quantum Computing
- Requires DoD to complete an assessment of the current and potential threats and risks posed by quantum computing technologies to critical national security systems, including an assessment of NIST standards.
Section 9005: Government Accountability Office (GAO) Study of Cybersecurity Insurance
- Requires GAO to study methods to improve the market for cybersecurity insurance.
Sec. 819: Modifications to Mitigating Risks Related to Foreign Ownership, Control, or Influence (FOCI) of Department of Defense Contractors and Subcontractors
- Adjusts the analytical framework to mitigate FOCI by adding an additional proactive, government-driven assessment.
- Requires reports and examinations on a “periodic basis” of covered contractors or subcontractors to assess compliance with FOCI reporting and mitigation obligations.
Domestic Sourcing of Strategic and Critical Materials
Sec. 848: Supply of Strategic and Critical Materials for the Department of Defense
- Requires, to maximum extent practicable, acquisition of strategic and critical materials from US sources, then from sources within the national technology and industrial base, then other sources.
Sec. 849: Analyses of Certain Activities for Action to Address Sourcing and Industrial Capacity
- Requires DoD to assess national security industry sectors, including microelectronics and pharmaceutical ingredients, to determine how to increase domestic industrial capacity.
- Contractors can expect DoD to explore ways to entice critical technology industries to move production to the United States, with recommendations likely in future NDAAs.
Sec. 851: Report on Strategic and Critical Materials
- Directs DoD to issue a report on supply chain vulnerabilities related to the acquisition of rare earth minerals and metals.
Sec. 852: Report on Aluminum Refining, Processing, and Manufacturing
- Rejects a proposal for required domestic sourcing of aluminum.
- Requires DoD to report to Congress on how to increase incentives for domestic aluminum production.
Sec. 804: Implementation of Modular Open Systems Approaches
- Increases emphasis on modular open systems for weapons systems, including for cybersecurity systems, to more easily enable competition for upgrades and sustainment.
- Continues DoD’s interest in obtaining data rights that will facilitate the replacement, enhancement, and maintainence of parts over the life cycle of products and systems.
Sec. 807: Space System Acquisition and the Adaptive Acquisition Framework
- Describes, in detail, expedited acquisition processes and responsibilities affecting major defense acquisition programs for the United States Space Force.
- Sets goal of quickly and effectively acquiring end-to-end space warfighting capabilities to address requirements of national defense strategy.
Other Transaction Authority
Sec. 831: Contract Authority for Development and Demonstration of Initial or Additional Prototype Units
- Directs DoD to assess authorities designed to streamline the process for moving prototype technologies into production under the same contract as the technology is matured.
- Requires DoD to issue a report on this topic by March 31, 2021, potentially enabling regulatory action later this year depending upon that report’s findings.
Sec. 833: Listing of Other Transaction Authority Consortia
- Ensures greater scrutiny of OTAs issued by consortia.
- Requires a report to Congress by December 1, 2021 that assesses:
- The number and dollar value of other transaction awards through consortia;
- The benefits and challenges of using consortia;
- A comparison of DoD’s use of consortia compared to other Federal agencies; and
- Any other matters the Comptroller General determines to be appropriate.
Contractor Business Systems
Sec. 806: Definition of Material Weakness for Contractor Business Systems
- Revises and defines terminology for the evaluation of contractor business systems to better align with generally accepted auditing standards.
- “Significant deficiencies” will be deemed “material weaknesses,” and defined as one or more deficiencies that causes a reasonable possibility of material misstatement.
- “Reasonable possibility” will mean “probable” or “more than remote but less than likely.”
Sec. 816: Documentation Pertaining to Commercial Item Determinations
- Ensures better documentation of prior commercial item determinations, which may be relied upon for future contracts.
- Allows the contracting officer to request assistance in commercial determinations, including from DoD’s Commercial Items Group within DCMA, and requires the contracting officer to document determinations.
Sec. 883: Prohibition on Awarding of Contracts to Contractors that Require Nondisclosure Agreements Relating to Waste, Fraud, or Abuse
- Requires representations that nondisclosure agreements relating to fraud, waste, and abuse are not used.
- Similar to FAR 52.203-19, prohibits award of contracts to contractors that require such agreements.
Sec. 885: Disclosure of Beneficial Owners in Database for Federal Agency Contract and Grant Officers
- Requires disclosure of beneficial ownership of contractors and grant recipients.
Sec. 815: Prompt Payment of Contractors
- Strengthens DoD’s goal to pay small business contractors within 15 days of receipt of an invoice.
- Intends to improve small businesses' ability to continue to do business in the federal marketplace, especially during economic downturns.
Sec. 862: Transfer of Verification of Small Business Concerns Owned and Controlled by Veterans or Service-Disabled Veterans to the Small Business Administration (SBA)
- Transfers the function of certifying Service Disabled Veteran Owned Small Businesses (SDVOSBs) and Veteran Owned Small Businesses (VOSBs) from the Department of Veterans Affairs to the SBA.
- Phases out self-certification of SDVOSBs.
- Seeks to harmonize within 2 years the SDVOSB and VOSB contracting programs with other small business contracting programs administered by SBA.
Section 863: Employment Size Standard Requirements for Small Business Concerns
- Extends from 12 months to 24 months the time period to which an agency must refer when categorizing a manufacturer as a small business based on its average employment.
Section 868: Past Performance Ratings of Certain Small Business Concerns
- Requires contracting officers to consider a small business concern’s past performance in a joint venture or as a first-tier subcontractor when evaluating the small business concern’s offer for a prime contract.
- Once implemented, a prime contractor will be required to provide a small business first tier subcontractor a “record of past performance” upon request by the small business.
Section 869: Extension of Participation in 8(a) Program
- Allows small businesses participating in the section 8(a) business development program (on or before September 9, 2020) to extend their participation in the 8(a) program for an additional year.
Section 886: Repeal of Pilot Program on Payment of Costs for Denied Government Accountability Office Bid Protests
- Repeals the pilot program established in the FY 2018 NDAA that explored the effectiveness of requiring contractors with revenues in excess of $250 million to reimburse DoD for costs incurred in defending against bid protests denied by GAO.
Contract Types / Other Matters
Sec. 888: Revision to Requirement to Use Firm Fixed-Price Contracts for Foreign Military Sales (FMS)
- Repeals default requirement for firm fixed-price contracts for FMS sales established by FY 2017 NDAA.
Sec. 890: Identification of Certain Contracts Relating to Construction or Maintenance of a Border Wall
- Requires disclosure of any contracts (including task orders) more than $7 million relating to construction or maintenance of the US / Mexico border wall.
Section 891: Waivers of Certain Conditions for Progress Payments Under Certain Contracts During the COVID-19 National Emergency
Government Data Rights: Defense Contractors May Use Custom Markings to Signal Rights against Third Parties
- To support increased cash flow, DoD may temporarily increase the progress payment rate for undefinitized contract actions during the COVID-19 national emergency.
- Institutes conditions to the waiver pertaining to companies’ receipt of progress payments under contracts.
- Directs a report by September 30, 2021 on how increasing rate of progress payments from 80 percent to 95 percent has benefitted subcontractors and suppliers.
By: Steven R. Englund and Grant B. Schweikert
In the final days of 2020, the US Court of Appeals for the Federal Circuit decided a case providing defense contractors a tool to enhance protection of their technical data (such as specifications and drawings) and computer software when delivering them to the government by including markings asserting rights against third parties not acting under the government’s authority.
Sophisticated government contractors regularly look for strategies to protect the “secret sauce” of their technologies from disclosure to and use by competitors. The standard “data rights” clauses included in most government contracts provide various options for doing so, but those clauses also provide that the government will receive “unlimited rights” to certain types of technical data and computer software. However, even when the government receives unlimited rights (a very broad license), the contractor generally retains ownership of the underlying intellectual property rights and potentially the ability to enforce those rights against third parties who are not acting under color of the government’s license.
The issue before the Federal Circuit in Boeing Co. v. Secretary of the Air Force stemmed from Boeing’s use on technical data delivered to the government of a restrictive legend not authorized by the Defense FAR Supplement (DFARS) to restrict third party use of technical data in which the government had unlimited rights. Boeing Co. v. Secretary of the Air Force, No. 2019-2147 (Fed. Cir. Dec. 21, 2020). The court held that use of such a legend is consistent with the standard DFARS data rights clause, so long as the legend does not restrict the rights of the government.
As background, DFARS 227.7103 and DFARS 227.7203 establish five types of government licenses for noncommercial technical data and computer software: (1) unlimited rights; (2) government purpose rights; (3) limited rights (for technical data); (4) restricted rights (for computer software); and (5) specifically negotiated license rights. The parallel clauses at DFARS 252.227-7013 and DFARS 252.227-7014 are generally incorporated into defense contracts to address the contractor’s and the government’s respective rights in noncommercial technical data and computer software. Paragraph (f) of these clauses contains specific instructions for contractors to mark qualifying technical data and computer software to provide the government less than unlimited rights. Those instructions include specific markings corresponding to each of the license types other than unlimited rights. Other provisions address removal and correction of nonconforming markings.
When Boeing was required to deliver technical data to the government with unlimited rights, it had a longstanding practice of marking that data with what it called a “Non-U.S. Government Notice” claiming the data as proprietary and advising that non-governmental entities may use and disclose the data only as authorized by Boeing or the government. Eventually, a contracting officer rejected technical data marked with that legend, finding it nonconforming because it is not one of the legends specifically authorized by DFARS 252.227-7013.
Boeing’s argument on appeal to the Armed Services Board of Contract Appeals, and later to the Federal Circuit, was based on the specific language of DFARS 252.227-7013(f), which states that the authorized legends are to be used when a contractor wishes to assert “restrictions on the Government’s rights to use, modify, reproduce, release, perform, display, or disclose technical data” (emphasis added). Specifically, Boeing argued that because its legend did not restrict the Government’s rights, but rather the rights of third parties, DFARS 252.227-7013(f) did not provide a basis for the government to object to its marking.
While the Board upheld the contracting officer’s decision, the Federal Circuit agreed with Boeing, finding that “the plain language of Subsection 7013(f) demonstrates that it applies only in situations when a contractor seeks to assert restrictions on the government’s rights.” The court noted that this conclusion had “the added benefit” of allowing Boeing “to notify the public of its ownership” of the relevant technical data. Although the Court agreed with Boeing’s legal argument concerning the interpretation of DFARS 252.227-7013(f), it declined to opine on whether the specific text of Boeing’s legend actually did restrict the Government’s rights. That question, the Court decided, was a question of fact that must be determined by the Board on remand.
While the court’s decision concerned interpretation of the technical data provisions in DFARS 252.227-7013(f), it would seem to apply with equal force to the parallel provisions for computer software in DFARS 252.227-7014(f).
In view of the decision, it makes sense for defense contractors to consider using a restrictive legend to notify third parties of their claims to ownership when delivering technical data or computer software to the government with unlimited rights. While such a legend may not create any substantive rights against third parties, it would at least serve as a reminder to competitors that certain uses of the data may implicate enforceable intellectual property rights and have an in terrorem effect.
Jenner & Block lawyers stand ready to assist contractors in protecting their intellectual property rights while complying with this complex regulatory regime.