Regulatory & Statutory Developments

Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band

Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.

Continue Reading DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions

On August 1, 2024, the US Department of Justice (DOJ) Criminal Division introduced its Corporate Whistleblower Awards Pilot Program (Program), which, like a modern-day Western posse, aims to bring justice to the wild frontier of corporate America. The DOJ is enticing anyone willing to saddle up and provide information on corporate outlaws—i.e., those involved in corruption, financial crimes, foreign corruption, bribery, and/or healthcare fraud. In sum, the Program closes the gaps left by existing whistleblower programs and bolsters the DOJ’s efforts to combat corporate crime. For those who decide to ride with it, the DOJ is promising substantial financial rewards—up to 30 percent of the loot recovered from those outlaws—to insiders, whistleblowers, and relators who come forward with information leading to significant criminal or civil forfeiture actions. As the Program unfolds over its three-year pilot period, it will—or should—be closely watched by False Claims Act defense counsel, plaintiff’s counsel, corporate leaders, and potential whistleblowers alike. If successful, it could permanently expand whistleblower incentives and further embolden an already aggressive DOJ (as if more encouragement were needed), signaling a new frontier in corporate governance and accountability in the United States.

Continue Reading A New Frontier in Corporate Accountability: The DOJ’s Corporate Whistleblower Awards Pilot Program

On April 29, 2024, the Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) released guidance to federal contractors regarding the use of artificial intelligence (AI) in their employment practices. See https://www.dol.gov/agencies/ofccp/ai/ai-eeo-guide. The guidance reminds federal contractors of their existing legal obligations, the potentially harmful effects of AI on employment decisions if used improperly, and best practices. Arriving early, the guidance puts contractors on notice of their responsibilities when using AI in their employment decisions.

Continue Reading Department of Labor Issues New Guidance on the Use of Artificial Intelligence and Employment Decision-Making

After a series of preliminary, narrowly decided, and conflicting court decisions concerning requests for preliminary injunctions (see August 20, 2024 Alert), a federal district court in Texas has now entirely set aside the Federal Trade Commission (FTC) rule that would have invalidated tens of millions of non-compete agreements in the United States (see judge’s 

On August 7, 2024, the Federal Communications Commission (FCC) adopted a new Notice of Proposed Rule Making (NPRM) proposing regulations that prohibit the use of AI in automated dialing or artificial or pre-recorded voice calls absent the prior written consent of the call recipient, unless otherwise exempted by the FCC. The action was taken under

The third revision of NIST Special Publication 800-171 brings substantial changes across several key areas: the structure of control families has been expanded to better address new threats, individual security controls have been updated to enhance overall system security, and the criteria for tailoring these controls to specific organizational needs have been clarified, all in

In Percipient.ai v. United States, the US Court of Appeals for the Federal Circuit may have triggered a legal “Big Bang” moment in government procurement law. The case centered on whether the Federal Acquisition Streamlining Act’s (FASA) “task order bar” could suppress claims alleging violations of 10 U.S.C. § 3453, which mandates a preference for commercial products. The Panel’s interpretation of the Tucker Act’s definition of “interested party” expanded the universe of standing, allowing prospective subcontractors to exert gravitational influence in legal challenges regardless of their role as indirect offerors. At the risk of offending real physicists, from a legal perspective, the Percipient.ai v. United States decision looks to expand a universe of legal scrutiny. Like the cosmic forces that shape galaxies, the Percipient.ai decision may shape the parameters of government contracting jurisdiction and procedural fairness in the procurement process.

Continue Reading Big Bang?: The Federal Circuit, Percipient.ai, and Expanding Jurisdiction

DOD released a final rule which updates the DFARS to address requirements outlined in Executive Order 14005, “Ensuring the Future is Made in All of America by All of America’s Workers.” Marcos Gonzalez explains the changes and what contractors should be aware of while making adjustments to their supply chains in order to continue supplying

On May 16, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P to “modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions.” Affected financial institutions have 18-24 months (depending on their size) to comply, and should begin preparing now.

Continue Reading SEC Adopts Rule Amendments to Regulation S-P to Safeguard Customer Information and Enhance Cybersecurity Procedures at Financial Institutions

Cyber incidents involving critical infrastructure pose a serious risk to the US. In March 2024, the Environmental Protection Agency and the National Security Advisor warned state governors about potential attacks on drinking water and wastewater facilities by specific Iran- and China-aligned hackers. The following month (on April 4, 2024), in an attempt to prepare for such attacks and otherwise improve the federal government’s ability to collect and analyze data related to cyber incidents on critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule to implement cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacted in an omnibus appropriation, CIRCIA directed CISA to issue rulemaking requiring the reporting of cyber incidents or the payment of ransoms in response to cyberattacks affecting critical infrastructure.  

Continue Reading CISA’s CIRCIA Proposed Rule: Another Player Enters the Reporting Regime