There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.
In a rule published and effective October 9, 2019, China’s key manufacturers of video surveillance products have been added to the Bureau of Industry and Security (BIS) Entity List by an interagency End-User Review Committee (ERC) comprised of representatives of the Departments of Commerce State, Defense, Energy and, where appropriate, Treasury. The Entity List (15 CFR, Subchapter C, part 744, Supplement No. 4) identifies entities believed to be involved, or to pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape continues to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create—almost overnight—new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.
On August 6, 2014, plaintiff-relator Andrew Scollick filed a complaint in the United States District Court for the District of Columbia against eighteen defendants for multiple violations of the False Claims Act (“FCA”) in connection with an alleged scheme to submit bids and obtain millions of dollars in government construction contracts by fraudulently claiming or obtaining service-disabled veteran-owned small business (“SDVOSB”) status, HUBZone status, or Section 8(a) status, when the bidders did not qualify for the statuses claimed. United States ex. rel. Scollick v. Narula, et al., No. 14-cv-1339 (D.D.C.). Unique in this case were not the claims against the contractors, who were alleged to have falsely certified their status or ownership. Rather, what set this case apart was that Scollick also named as defendants the insurance broker who helped secure the bonding that the contractor defendants needed to bid and obtain the contracts, and the surety that issued bid and performance bonds to the contractor defendants. Scollick alleged that the bonding companies “knew or should have known” that the construction companies were shells acting as fronts for larger, non-veteran-owned entities violating the government’s contracting requirements—and thus the bonding companies should be held equally liable with the contractors for “indirect presentment” and “reverse false claims” under the FCA.
As the frequency and sophistication of existential threats to national security over the past decade have drastically increased, the United States’ reliance on software to identify threats, rapidly share information, and manage its military resources has increased. Accordingly, the federal government’s ability to timely develop, procure, and deploy software to the field has been—and continues to be—a critical component of national security. Notwithstanding the growing importance of software to national security, the Department of Defense (DoD) software-acquisition process mirrors the lengthy, inflexible process typically reserved for the acquisition of major weapon systems. As a result, the DoD’s software development and acquisition cycles are significantly longer for their commercial counterparts, thus affecting the DoD’s ability to deliver timely solutions to users and rapidly respond to urgent threats.
The Trump administration’s focus on enhancing “Buy American” requirements in federal procurement took a leap forward on July 15, 2019, with the issuance of an Executive Order (EO) on Maximizing Use of American-Made Goods, Products, and Materials. Unlike the administration’s previous executive orders – Executive Order 13788 of April 18, 2017 (Buy American and Hire American) and Executive Order 13858 of January 31, 2019 (Strengthening Buy American Preferences for Infrastructure Projects), this EO contains instructions to the FAR Council to change regulations that have been in place since the Eisenhower administration, tightening restrictions on acquiring foreign end products. In particular, the EO makes dramatic changes to the domestic origin requirements for iron and steel products.
As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and planned updates to NIST publications, but also weigh those efforts against Defense Contract Management Agency’s (DCMA) auditing efforts, the revised Contractor Purchasing System Review (CPSR) Guidebook, and the new Cybersecurity Maturity Model Certification (CMMC) program. Information on how these efforts align along with practical guidance for weathering these changes can be found at Part 1 accessible here and Part 2 accessible here.
DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provided much-needed guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. The Feature Comment addresses certain changes to the NIST, the auditing effort underway by DCMA, and the Cybersecurity Maturity Model Certification (“CMMC”) program that will likely be implemented by DOD in the coming months.
Part 1 can be accessed here
As we stated last month, further restrictions are afoot on the use of Chinese technology in federal acquisitions. An Interim Rule issued by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) (collectively, the “FAR Council”) implements the first phase of Section 889 of the FY2019 National Defense Authorization Act (NDAA). The Interim Rule, effective August 13, 2019, broadly prohibits federal agencies, federal contractors, and grant or loan recipients from procuring “covered telecommunications equipment or services” produced by Huawei Technologies Company and ZTE Corporation and, with respect to certain public safety or surveillance applications, Hytera Communications Corporation, Dahua Technology Company, and Hangzhou Hikvision Digital Technology Company. In particular, federal suppliers are prohibited from sourcing “substantial or essential component of any system, or as critical technology as part of any system” from the foregoing companies.
Changes to the Federal Acquisition Regulation’s (FAR) small business subcontracting rules have been slow in coming, but the FAR Council is finally catching up with the Small Business Administration (SBA) in making regulatory modifications to implement a few changes intended to help prime contractors reach their small business subcontracting goals as required by Section 1614 of the National Defense Authorization Act of 2014 (2014 NDAA). Specifically, the changes focus on aiding prime contractors possessing an individual subcontracting plan for a contract with a single executive agency. Now, in such instances, the prime contractor will receive credit toward its subcontracting goals for awards made to small business concerns employed at any tier by subcontractors through their respective subcontracting plans. This should be helpful news to prime contractors.