On August 25, 2016, DoD, GSA, and NASA issued a final rule amending the FAR to implement President Obama’s Executive Order on “Fair Pay and Safe Workplaces” (“E.O.”). The Department of Labor (“DOL”) also issued final guidance to assist in the implementation of the E.O. The new FAR rule follows a proposed FAR rule that generated substantial comments. The final rule and guidance represent significant new obligations and risks for contractors and subcontractors, who should start preparing now to address them. This post focuses on the final FAR rule because it imposes specific requirements on contractors and subcontractors. Notably, this post provides only a high-level summary because the new rule, related commentary published in the Federal Register, and DOL’s guidance are lengthy and sometimes complex documents. Mayer Brown also published a Legal Update that discusses these developments in greater detail. Continue Reading Substantial New Rules Implementing “Fair Pay and Safe Workplaces” Executive Order Create Risks for Contractors and Subcontractors
Back in August 2015, DoD issued an interim rule, which was effective immediately (and was previously discussed on this blog), imposing substantial new requirements on government contractors with respect to reporting information system network penetrations—and providing new cloud computing requirements. Six weeks later, DoD issued a class deviation giving contractors more time to comply with one of the technical requirements being applied by the new DFARS clauses included with the new rule. Last week, DoD again revised the rule to give contractors more time to comply with many of the new technical standards. Specifically, the revised DFARS provision makes clear that contractors have until December 31, 2017 to comply with the technical standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171.
NIST 800-171 describes a series of procedures for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These NIST requirements cover a wide array of security issues applicable to contractors’ information systems and are intended to ensure the security of government information that is provided to contractors so that the companies can provide goods and services to DoD.
Initially, DoD made the NIST 800-171 requirements immediately applicable to the large number of businesses that either have a “covered contractor information system” or have “covered defense information transiting their information systems” as part of their contract performance. DoD’s class deviation in October relaxed the standard slightly by amending the DFARS clauses to allow contractors up to nine months (from the date of a new contract award) to comply with section 3.5.3 of NIST 800-171. That section mandates “multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” (Multifactor authentication requires two or more types of information, e.g., a password and a cryptographic device such as a token, to gain access to the government information.)
Many contractors were unhappy with the unrealistic implementation schedule imposed by the initial (and revised) DFARS provision, and they made their concerns clear to DoD in comments and during a December 14 meeting conducted by the Department to obtain additional feedback. Contractors expressed the need for additional time to analyze the scope of changes that were necessary for their systems—and to implement those changes.
To its credit, DoD modified the DFARS clauses to “provide offerors [contractors] additional time to implement the security requirements specified by NIST 800-171.” Each contractor will now be required to agree, by submitting an offer for a DoD procurement in which DoD information will be provided to contractors, that all of the contractor’s systems will be compliant with NIST 800-171 “not later than December 31, 2017.” Notably, the same requirements must be flowed down in all “subcontracts, or similar contractual instruments, for services that include support for” the goods or services being provided under a contract to which the DFARS clauses apply.
Although the additional time to achieve compliance with NIST 800-171’s requirements is helpful, the new DFARS clauses also impose an additional requirement that must be understood by contractors. “The second interim rule requires contractors, within 30 days of contract award, to notify the DoD Chief Information Officer of any NIST SP 800-171 security requirements that are not implemented at the time of contract award.” Accordingly, contractors will need to track where they are on the path to compliance with 800-171’s requirements so that accurate reports identifying gaps can be provided to the DoD each time contract performance begins under a new award.
A few days ago, on August 26, DoD issued new interim rules amending the Defense Federal Acquisition Regulations (DFARS) with respect to “network penetration reporting and contracting for cloud services.” The new rules, which are now effective, revise several broadly applicable definitions applicable to numerous parts of the DFARS, expand the incident reporting requirements applicable to contractors, and impose security requirements applicable to cloud computing. DoD contractors need to understand these important new rules, which are summarized here, so that they can perform necessary compliance planning and make any necessary disclosures. Continue Reading New Interim Cyber Rules Expand Obligations of DoD Contractors
Last week, several press outlets, a well-regarded legal blog (albeit one that does not generally focus on Government contracts law/policy), and at least one politician criticized the IRS for the award of a relatively small IT services contract to a company called CGI Federal. CGI was the contractor at the center of the problematic rollout of the healthcare.gov website. Although there were clearly substantial problems with the website development and rollout, some of the criticism of CGI—and the implicit calls for substantial punishment of that contractor—demonstrate a lack of fair consideration of publicly available reports about the sources of the problems with the website and misunderstandings of aspects of procurement law and policy. Continue Reading Questionable Criticism of a Government Contractor—and Unfounded Calls for Severe Punishment
This week, the Supreme Court denied the qui tam plaintiff’s petition for certiorari in United States ex rel. Rostholder v. Omnicare, Inc., a False Claims Act (FCA) case from the Fourth Circuit. In Omnicare, the relator alleged that the defendants violated the FCA because certain of their practices violated Food and Drug Administration (FDA) safety regulations and Medicare and Medicaid beneficiaries subsequently presented claims for reimbursement for their products. The district court dismissed the relator’s complaint for failure to state a claim upon which relief can be granted, and the Fourth Circuit affirmed. The Supreme Court’s denial of a writ of certiorari sends a signal that there are limits on FCA claims rooted in regulatory violations. Namely, an FCA claim cannot be based on a violation of a regulation that is wholly unrelated to any condition or requirement for payment. Continue Reading Supreme Court Denies Cert in Highly Watched FCA Case—Regulatory Violation Must Be Related to Claim for Payment