Cyber incidents involving critical infrastructure pose a serious risk to the US. In March 2024, the Environmental Protection Agency and the National Security Advisor warned state governors about potential attacks on drinking water and wastewater facilities by specific Iran- and China-aligned hackers. The following month (on April 4, 2024), in an attempt to prepare for such attacks and otherwise improve the federal government’s ability to collect and analyze data related to cyber incidents on critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule to implement cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacted in an omnibus appropriation, CIRCIA directed CISA to issue rulemaking requiring the reporting of cyber incidents or the payment of ransoms in response to cyberattacks affecting critical infrastructure.  Continue Reading CISA’s CIRCIA Proposed Rule: Another Player Enters the Reporting Regime

Arm me with harmony.” – Treach, Naughty By Nature[1]

On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.Continue Reading NIST SP 800-171 Revision 3 Goes Final: Who’s Down with ODP?

If you happen to be a government contractor and are contemplating additions to your Summer reading list, consider adding the FAR Council’s May 3, 2024 advanced notice of proposed rulemaking (“ANPR”) to the mix. The ANPR, which was issued in furtherance of implementing Section 5949 of the FY 2023 National Defense Authorization Act (“NDAA”), contemplates various forthcoming changes to the FAR, all of which focus on banning agencies from purchasing certain products or services that contain or otherwise utilize semiconductors that are produced, designed, or provided by three Chinese entities and their subsidiaries, affiliates, or successors: Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp. (“YMTC”). In addition, the FAR will likely be amended to prohibit the acquisition of semiconductor products or services from any entity that is owned, controlled by, or otherwise connected to China, North Korea, Iran, Russia and any other “foreign country of concern” – a designation to be determined by the Secretary of Defense or the Secretary of Commerce, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation.Continue Reading Supply Chain Checkup: FAR Council Announces New Rulemaking Focused on Prohibiting Certain Semiconductor Acquisitions

Welcome, dear readers, to the height of protest season! Around the end of the federal fiscal year, the number of contract awards being made increases greatly. Which means so do the number of protests challenging those award decisions. If you are currently asserting or defending a protest (or think you will be before October is over), you are certainly not alone. Unfortunately, if you are somewhat confused about the details, mechanics, timing and procedures relating to protests—well, you also are not alone. This is undoubtedly one of the most complex and confusing areas of government contracting. But fear not! We’re here to help clear up the confusion and get you on the right track, to ensure you obtain those awards improperly awarded to a competitor and maintain those awards that you fairly won. To that end, below is a summary list of the 10 most common bid protestor mistakes, with links to more detailed information about each mistake and how to avoid it!Continue Reading Avoiding Common Bid Protest Mistakes: A Seasonal Guide to Our Top 10 Protest Don’ts!

Parties litigating False Claims Act (FCA) cases have long struggled with a thorny question around the essential element of scienter (the defendant’s intent, or state of mind): What/how much does a contractor need to know when submitting an invoice for payment for the related claim to be considered knowingly false when made? When that question arises in FCA litigation, a court’s determination of that essential element of scienter/knowledge often pivots on what the judge believes matters more:

(A) The defendant’s subjective belief at the time a claim is made; or

(B) An objective textual reading of what a person may have known or believed when a claim is made.Continue Reading The False Claims Act’s Fuzzy Scienter Element Brought into Sharp Focus

On April 27, 2023, the Small Business Administration (SBA) issued a final rule, finalizing a September 9, 2022 proposed rule, and making a myriad of changes to the Small Business Regulations. Those changes are effective at the end of this month, on May 30, 2023. We will be covering a number of those changes in upcoming posts. But for now, we’re focusing on a change that will make some contractors very happy and other contractors very worried: real, negative consequences for small businesses that fail to comply with 13 CFR 125.6, which governs subcontracting limitations for small business set-aside contracts over the simplified acquisition threshold (presently defined in FAR 2.101 as $250,000).Continue Reading Small Business Contractors Rejoice or Repent: Final SBA Rule Adds Teeth to 13 CFR 125.6 Subcontracting Limitations

Scenario 1: A pharmacy chain hires a value consultant to review its Medicare and Medicaid billing practices for ways to optimize the coding of drug reimbursements to maximize profits. Drugs that had historically been charged for government reimbursement at $1/pill as the “usual and customary price” are now getting coded for reimbursement at $3/pill—a 200% markup that represents a pure profit windfall to the pharmacy chain. Is this a violation of the False Claims Act (FCA)?

Scenario 2: A construction company that has years of experience in federal procurement contracting had never charged the government for reimbursement of several cost items, because the company’s previous CFO did not feel such reimbursement would meet the “reasonableness” requirements of FAR Part 31 (e.g., FAR 31.201-2(a)(1) and 31.201-3). But the company’s new CFO, holding a different interpretation of the reasonableness standards and Cost Accounting Standards (CAS), instructs his program leads to start charging those items for reimbursement in all new and existing contracts. Is this a violation of the FCA?Continue Reading Knowing IS the Battle: Supreme Court to Address the FCA’s Scienter Standard

The U.S. Department of Justice (DOJ) Procurement Collusion Strike Force (PCSF, or Strike Force) celebrates its third anniversary this month. Formed in November 2019 as an interagency partnership consisting of DOJ’s antitrust prosecutors, lawyers in 13 U.S. attorneys’ offices, and investigators from the FBI and federal Offices of Inspector General, the Department of Defense, the General Services Administration, and the U.S. Postal Service, the Strike Force leverages joint resources to investigate public procurement crimes, employ complementary enforcement and prosecution strategies, eliminate anticompetitive collusion and fraud, and promote the integrity of government procurement. Employing education and state-level liaising, the Strike Force has been remarkably omnipresent and successful in that short time, despite numerous pandemic-related interruptions/delays in the courts. The pace of the Strike Force’s enforcement activity has quickened dramatically in 2022—and shows no signs of slowing in 2023.
Continue Reading DOJ’s Procurement Collusion Strike Force: Widening Its Stride on Its Third Anniversary

The Federal Acquisition Regulation (FAR) Council has returned from an extended vacation to publish a final rule to align the FAR with similar subcontracting regulations implemented by the Small Business Administration more than a half decade ago. McCarter & English Government Contracts and Global Trade co-leaders Franklin Turner and Alex Major and Senior Associates Cara