The Trump administration’s focus on enhancing “Buy American” requirements in federal procurement took a leap forward on July 15, 2019, with the issuance of an Executive Order (EO) on Maximizing Use of American-Made Goods, Products, and Materials. Unlike the administration’s previous executive orders – Executive Order 13788 of April 18, 2017 (Buy American and Hire American) and Executive Order 13858 of January 31, 2019 (Strengthening Buy American Preferences for Infrastructure Projects), this EO contains instructions to the FAR Council to change regulations that have been in place since the Eisenhower administration, tightening restrictions on acquiring foreign end products. In particular, the EO makes dramatic changes to the domestic origin requirements for iron and steel products.
As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and planned updates to NIST publications, but also weigh those efforts against Defense Contract Management Agency’s (DCMA) auditing efforts, the revised Contractor Purchasing System Review (CPSR) Guidebook, and the new Cybersecurity Maturity Model Certification (CMMC) program. Information on how these efforts align along with practical guidance for weathering these changes can be found at Part 1 accessible here and Part 2 accessible here.
DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provided much-needed guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. The Feature Comment addresses certain changes to the NIST, the auditing effort underway by DCMA, and the Cybersecurity Maturity Model Certification (“CMMC”) program that will likely be implemented by DOD in the coming months.
Part 1 can be accessed here
As we stated last month, further restrictions are afoot on the use of Chinese technology in federal acquisitions. An Interim Rule issued by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) (collectively, the “FAR Council”) implements the first phase of Section 889 of the FY2019 National Defense Authorization Act (NDAA). The Interim Rule, effective August 13, 2019, broadly prohibits federal agencies, federal contractors, and grant or loan recipients from procuring “covered telecommunications equipment or services” produced by Huawei Technologies Company and ZTE Corporation and, with respect to certain public safety or surveillance applications, Hytera Communications Corporation, Dahua Technology Company, and Hangzhou Hikvision Digital Technology Company. In particular, federal suppliers are prohibited from sourcing “substantial or essential component of any system, or as critical technology as part of any system” from the foregoing companies.
Changes to the Federal Acquisition Regulation’s (FAR) small business subcontracting rules have been slow in coming, but the FAR Council is finally catching up with the Small Business Administration (SBA) in making regulatory modifications to implement a few changes intended to help prime contractors reach their small business subcontracting goals as required by Section 1614 of the National Defense Authorization Act of 2014 (2014 NDAA). Specifically, the changes focus on aiding prime contractors possessing an individual subcontracting plan for a contract with a single executive agency. Now, in such instances, the prime contractor will receive credit toward its subcontracting goals for awards made to small business concerns employed at any tier by subcontractors through their respective subcontracting plans. This should be helpful news to prime contractors.
As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.
Every government contractor hesitates and ponders whether information confidential and valuable to its business that is disclosed – either voluntarily or by compulsion – in a submission to a U.S. Government agency will be protected from release to a third party pursuant to that dreaded four-letter acronym: F-O-I-A. In a June 24, 2019, landmark decision, the U.S. Supreme Court, in Food Marketing Institute v. Argus Leader Media, has spoken for the first time on FOIA exemption covering such information – and the news is good for contractors seeking maximum protection of their valuable confidential IP and business information.
Continue Reading Good News for Federal Contractors – FOIA “Exemption 4” Protecting Confidential Information Gets Expansive Definition by U.S. Supreme Court in Food Marketing Institute v. Argus Leader Media
Cough…cough…ahem…cough… Any contractor who has had the misfortune of dealing with the Defense Contract Audit Agency (DCAA) likely knows all too well that the agency is the Will Rogers of costs – it never met a cost it didn’t question. Indeed, DCAA auditors typically question costs with reckless abandon and based often on a patent misreading of applicable regulations. The net effect, of course, is that contractors have to expend significant time and money trying to explain to boards and courts why DCAA’s auditors are…uh…incorrect as a matter of fact and law. A recent Memorandum for Regional Directors (MRD) provides some transparency into why this sort of thing happens with unfortunate regularity. Issued on May 14, 2019, the MRD (No. 19-PAC-002(R)), corrects…er…“revises” internal guidance issued in 2014 and 2015 relating to the identification of expressly unallowable costs. The newly issued memo sets out DCAA’s current stance on identifying expressly unallowable costs under the cost principles codified at Federal Acquisition Regulation (FAR) Part 31 and Defense Federal Acquisition Regulation Supplement (DFARS) Part 231. This MRD – like all MRDs – is intended to be used as a tool by well-meaning (but often overzealous) auditors when reviewing a contractor’s compliance with federal cost principles. Contractors should, thus, pay careful attention to this MRD in order to be prepared for questions that may arise during DCAA-led frolics and detours.
Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.
Continue Reading Never Stop Never Stopping: Defense Department Quietly Unveils Proposed Cybersecurity Maturity Model Certification Standards and Confirms the Allowability of Certain Cybersecurity Costs
Here’s another reminder of limitations that exist when there is a third party claim of infringement against a U.S. Government agency. In such a case, the patent owner must sue in the United States Court of Federal Claims and may recover only “reasonable and entire compensation” for the unauthorized use. See 28 U.S.C. Section 1498(a). No injunctive relief is afforded the plaintiff. Within the context of that proceeding, the Government agency is free to seek a determination that the patent is invalid, and if the claimed invention does not meet one or more of the patentability requirements, the Government agency will have no liability.