The Debt Ceiling: Three Immediate Actions for Government Contractors

By Alan Chvotkin

In a periodic political standoff, the House of Representatives, the Senate and the President are in a debate about how to handle the rapidly approaching date when the U.S. Government will no longer have the ability to pay all of the debts previously incurred by the United States; it thus risks default on some or all of those prior debts because it could only make payments from cash it has on hand on any specific day. For federal contractors, this is a significant business risk with only limited actions that can be taken to reduce exposure.

The Federal Government has already hit the statutory $31.4 trillion debt ceiling. As a result, in January 2023, Treasury Secretary Yellen announced that Treasury started taking “extraordinary measures” to extend the time before the U.S. Government runs out of cash to make the payments as they become due. While this so-called “X” date was not expected to be reached before summer, updated February projections from the non-partisan Congressional Budget Office showed that the deficit gap – the difference between annual revenue and annual spending – increased significantly over the prior fiscal year, thus adding to the overall federal debt levels and likely shortening the time for reaching the “X” date.

For federal contractors, the debt ceiling presents a different set of challenges, and even fewer options, than a lapse in appropriations and any resulting government shutdown. Significantly, even with hitting the debt ceiling, the Federal Government remains open, will continue in operations, and can make new contract awards. Federal employees are not furloughed and contractor employees are not denied entry to government installations nor access to critical federal employees.

However, if the U.S. Government runs out of borrowing authority, government contractors risk not getting paid for work already performed. And one of the key tenets of federal contracting – that the U.S. Government always makes timely payment to contractors for work properly performed – is destroyed. As contractors know, federal bids are prohibited from including any contingencies for delayed payments and the cost principles prohibit charging the U.S. Government interest on borrowing to cover contracting work. In exchange, the federal “Prompt Payment Act” provides that the Federal Government will automatically pay interest on valid invoices that are not paid according to the terms of the contract and the government’s cash management practices. But recovering interest on amounts due for work already performed is a small consolation for not being paid the base amount.

What three actions should contractors take now?

First, check the status of all of your open accounts receivable from federal work. Stay on top of the contracting officers to be sure they acknowledge acceptance of the work. Stay on top of the payment offices to be sure they are processing your invoices. With the overwhelming number of payment invoices submitted and processed electronically, usually with no issues involved, you still want to be sure you are in the queue to be paid on time.

Second, be sure you are ready to immediately invoice for new work completed as soon as your contract allows. Don’t give the U.S. Government any greater grace period on payments due to you than they already get.

If you have non-segregable work that may not be able to be invoiced for some future period of time (typically after the completion of all work), check with your contracting officer to see if you can arrange for a partial earlier payment for work already completed. While this is not a common action for the government, program and contracting officers with long-term successful projects may be willing to take this action to ensure your continued cash flow.

Finally, now is a good time to have a discussion with your preferred financial institution. They are probably already aware of your invoicing and payment receipt record, and aware of your firm’s cash flow needs. Validating or increasing a stand-by line of credit, should it be needed, will minimize your short-term business risk if the political debate fails to achieve an acceptable and timely solution.

Nichols Liu attorneys have extensive experience in working with contractors on the policy and financial implications of payments, including under debt ceiling circumstances. Contact the author or any of the attorneys at Nichols Liu with whom you regularly work.

DoD Issues Long-Awaited Small Business Strategy 2023

By Alan Chvotkin and Sam Van Kopp

On January 26, 2023, the Department of Defense (DoD) published its long-awaited, 25-page, first strategy under Secretary Austin and new director of the Office of Small Business Programs, Farooq Mitha. The overall objective of the strategy is to enable the Department to “expand and strengthen its relationship with small business and better leverage their capabilities to help solve the Department’s and our nation’s most complex challenges.”[1] While DoD has again been the Executive Branch leader in dollars awarded to small businesses, there are mounting challenges in sustaining that momentum and achieving the strategy’s objectives.

The DoD 2023 strategy is built on three main objectives, all focused primarily on internal departmental functions:

  1. Implement a unified management approach for small business programs and activities;
  2. Ensure DoD’s activities align with national security priorities; and
  3. Strengthen the Department’s engagement and support of small business.

Each objective has three specific implementing objectives and a set of action plans to pursue those objectives. However, there is no timetable for initiating, let alone completing, any of these actions.

Furthermore, the Secretary’s message embedded in the strategy, and the details in the plan, are subject to significant headwinds. As the strategy acknowledges, the number of small businesses participating in the defense industrial base has declined by over 40 percent in the past decade for reasons that are not completely understood.[2] Yet the dollars awarded to small businesses are increasing. As such, fewer small businesses are winning an increasing share of the Department’s small business awards.

Why the decline in small business participation?  In part, regulation.  At Nichols Liu, we have helped small business contractors navigate overlapping layers of regulatory compliance imposed by the Small Business Administration (SBA), the Federal Acquisition Regulatory Council through the Federal Acquisition Regulation (FAR), and DoD through the Defense Federal Acquisition Regulation Supplement (DFARS).  In addition, such rules are always in flux.  As the Secretary acknowledged, “regulations and business practices can be difficult to understand or otherwise create barriers or increase the cost of doing business with DoD.”[3]

In our experience, the Federal government’s complicated regulatory environment not only deters small business contractors in general, it specifically disincentivizes cutting-edge work. About 49 percent of DoD’s contract awards in Fiscal Year 2021 were for products, 42 percent were for services, and only 9 percent for research and development. A large segment of the 49 percent that was awarded for “products” supports the Department’s major weapons systems and related activities, with the top 5 major primes winning an increasing share of the Department’s total contract dollars awarded. Though Secretary Austin’s report lauds small business achievements in research and development, the cost of compliance limits the pool of qualified offerors and puts those who do perform at risk. The more innovative the contractor, the greater their need for legal counsel.

We will be carefully watching the Department’s implementation actions for this strategy. In addition, we have extensive experience in the small business policies, regulations, and the competitive landscape to help companies of all sizes engage with the Department on this strategy, navigate the Department’s competitive landscape, and stay in compliance with the ever-more complex acquisition regulations and requirements.

For more information, please contact the authors of this article or the Nichols Liu attorneys with whom you regularly work.

 

[1] DoD Small Business Strategy, available at https://media.defense.gov/2023/Jan/26/2003150429/-1/-1/0/SMALL-BUSINESS-STRATEGY.PDF, at 5.

[2] DoD Small Business Strategy, at 5 and Figure 1.

[3] DoD Small Business Strategy, at 5.

Nichols Liu Hires Laura Kennedy, a Former Chief Ethics and Compliance Officer at Honeywell, SAIC and Emergent BioSolutions, to Co-Chair Global Compliance and Risk Practice

Washington DC (January 25, 2023) – Nichols Liu has hired Laura Kennedy to co-chair its Global Compliance and Risk practice. Laura joins the firm as a partner.

Laura spent the past 21 years as a corporate executive for leading government contractors—specifically, as the Chief Ethics and Compliance Officer at Honeywell, SAIC, and Emergent BioSolutions.  In those roles, Laura was responsible for corporate ethics, compliance, and risk management programs.

Laura is a thought leader in ethics and compliance.  She was a two-term Chair of the Defense Industry Initiative on Business Ethics and Conduct (DII) – a non-profit organization comprised of ethics and compliance professionals from 80 government contractors in the aerospace and defense industry.  As Chair, Laura led DII’s efforts to develop a compliance toolkit for its members.

Prior to moving in-house, Laura spent 21 years in private practice at global law firms Seyfarth Shaw, Holland & Knight, and Jenner & Block.

“Laura’s skills and experience will add a new dimension to our already strong bench and further solidify Nichols Liu as a full-service government contracts firm.  Her experience in enterprise risk management will enhance the firm’s capabilities and dovetail well with the firm’s other areas of expertise,” says Robert Nichols, Chair of the firm.

Laura will co-chair the firm’s Global Risk and Compliance practice with Lynne Halbrooks.  Lynne previously served as the Acting Inspector General at the U.S. Department of Defense Inspector General and as Chief Compliance Officer and Deputy General Counsel at Acuity International.

Together, Laura and Lynne will bring an insider’s perspective to serving government contractors, including expertise in legal regulatory compliance, enterprise risk management, investigations, mandatory disclosures, ethics, and Board of Director training and reporting.

“Laura’s unique combination of experience from private practice and corporate leadership positions offers our clients deep insights into how government contractors operate and the best practices for compliance and risk management,” says Halbrooks.

“I chose Nichols Liu for my return to private practice for its culture, flexibility, and close group of top-flight government contracts practitioners.  The people here really enjoy working together,” says Laura.

New Law Requires FAR Changes on Organizational Conflicts of Interest (OCI)

By Alan Chvotkin on December 28, 2022.

One of the last legislative actions taken at the close of the 117th Congress was passage by the House of Representatives of the “Preventing Organizational Conflicts of Interest in Federal Acquisition Act” on December 14, 2022. The president signed that bill into law on December 27, 2022. Enactment marks the end of a journey that began in the United States Senate with the introduction of this legislation (S. 3905) in March by two Democratic and two Republican Senators who are members of the Homeland Security and Government Affairs Committee, and unanimous passage of an amended version of the bill by the United States Senate on August first.

Similar legislation was introduced in the House in April by Oversight and Reform Committee chair Maloney, following her release of an interim majority staff report that looked at issues related to potential conflicts of interest by McKinsey & Company concerning their work at the Food and Drug Administration while also working with certain opioid manufacturers. The House approved the Senate-passed bill on a largely party-line vote of 219-205.

I previously posted two blog posts on June 6, 2022 and on August 25, 2022 that traced the congressional actions relating to this bill and related legislation, as well as highlighting recent Government Accountability Office (GAO) bid protest decisions challenging awards based on allegations of improper conflicts of interest.

Under this new law, within 18 months after enactment, the Federal Acquisition Regulatory Council is directed to amend the Federal Acquisition Regulation (FAR) to:

  1. Provide and update definitions on specific types of organizational conflicts, including the three types of conflicts that have long been recognized by GAO bid protest decisions: (a) unequal access to information; (b) impaired objectivity; and (c) biased ground rules.
  2. Include examples of potential conflicts of interest based on contractors’ relationships with public, private, domestic and foreign entities.
  3. Provide solicitation provisions and contract clauses directing contractors to disclose potential organizational conflicts. The current FAR does not have a standard OCI solicitation or contract clause, although a few agencies, such as DoD, FDA and Department of Education, have agency supplemental acquisition regulations that impose varying degrees of disclosure responsibilities on bidders and contract awardees.
  4. Require agencies to establish and update their internal procedures to implement these changes.
  5. Allow contracting officers to consider professional standards to prevent organizational conflicts of interest affecting bidders and awarded contractors.

I don’t expect a proposed FAR rule to be issued until late summer or early fall 2023. I’ll use future editions of this column to keep you up to date. In the interim, federal contractors would be well advised to look at their company policies regarding all forms of personal and organizational conflicts of interest, and review actions they can take to minimize and mitigate any that arise.

With the close of the 117th Congress, a House bill (HR 8325) introduced by Oversight and Reform Committee chair Maloney relating to personal conflicts of interest failed to get traction. Like the OCI bill that was enacted into law, this proposed legislation directs the Federal Acquisition Regulatory Council to (1) expand the scope of rules to prevent personal conflicts of interest beyond the limited types of functions or services that are currently addressed in a specified part of the Federal Acquisition Regulation (FAR), and (2) revise the FAR to address the functions and services that give rise to heightened concerns for personal conflicts of interest. In addition, the bill prohibits contractors, contractor employees, and subcontractors and their employees from providing services supporting the regulatory, policymaking, or adjudicative functions of an agency while at the same time that contractor, employees, or subcontractor provides services to an entity regulated by, or having non-routine business before, the agency, except where there is a compelling reason, as documented in writing.

While the Committee favorably ordered the bill reported on July 20, 2022, it was never formally filed by the Committee and thus never considered by the House and will have to be reintroduced in the new Congress. There was no companion bill introduced in the Senate. But Mrs. Maloney was not reelected and she had no cosponsors of her bill as introduced, so a new sponsor of the bill will have to be found for the new Congress. I’ll be reporting on developments on this issue, too.

Nichols Liu has extensive expertise in this area and can help you attain your compliance goals through an assessment of your company’s organizational and personal conflicts of interest policies and related matters. Please contact the author of this article or the Nichols Liu attorneys with whom you regularly work.

How effective are bid protests at obtaining relief? Greater than 50%, according to GAO.

By Robert Nichols, Michael Bhargava, and Madison Plummer

The U.S. Government Accountability Office (“GAO”) released its bid protest statistics for FY2022 in its Annual Report to Congress on November 1, 2022.  As discussed in our briefing paper, Should We Protest?, data-driven analyses of bid protests do not tell the full story, but they do provide insight into interesting trends that illustrate the efficacy of the procurement process at large.  We digested the stats from the last few years and noticed several notable trends.

GAO reported a continuing increase in the “effectiveness rate” of protests—that is, where protestors identified errors that warranted “corrective action.”  For pre-award protests, corrective action may mean reshaping the solicitation to level the playing field.  For post-award protests, corrective action may mean that the agency must reevaluate offers or allow further proposal revisions.

The effectiveness rate 20 years ago hovered around 33 percent and remained in the low- to mid-40 percent range for the last 15 years.  For the past three years, however, it has averaged 50 percent, and the rate was 51 percent last year.  In other words, at least half of the protests filed resulted in reshaping the solicitation or obtaining “another bite at the apple” in a competition.

This increased effectiveness rate is not because GAO has sustained more protests.  Quite the opposite.  GAO’s protest sustain rate fell to 13 percent last year, down from 23 percent in FY2016.  Rather, agencies are taking more voluntary corrective action when they see merit to a protest.

Of course, these statistics go only to GAO bid protests.  A protester with a clear winning argument may save money and ruffle fewer feathers at the agency by filing an agency-level protest under FAR 33.103.  Or a protester with a strong argument and an intransigent agency may find greater success at the Court of Federal Claims, which often can be more scrutinizing and less deferential to agencies than GAO.  See Nichols Liu Wins Back-to-Back COFC Protests, Which Includes “Reversing” a GAO Decision, Feb. 8, 2022.  In our experience, a well-founded protest in any forum can achieve voluntary corrective action 80 percent of the time or more.

The increased use of agency and court protests may be part of the reason that the number of GAO protests has dropped in recent years.  Protestors filed only 1,658 cases at GAO last year (1,595 protests, 43 cost claims, and 20 requests for reconsideration).  This total number is down 13 percent since last year and down 41 percent from a high of 2,789 cases filed in FY2016.  Indeed, offerors have not filed so few cases since 2008.

Nichols Liu has litigated hundreds of bid protests at GAO, the Court of Federal Claims, and at the agency level.  Should you have questions about the protest process or need assistance filing a protest, please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.

Hacks, Attacks, And Compliance Tracks: The Importance Of Safeguarding Government And Client Data

By Michael Bhargava and Madison Plummer

The public disclosure of cyberattacks on Latin American governments further highlights the need for all government contractors to keep constant vigilance over and ensure the protection of sensitive data.

In September, an international group of “hacktivists” called Guacamaya provided journalists access to 10 terabytes of data hacked from the militaries of Colombia, Peru, Chile, Mexico, and El Salvador, as well as the national police of El Salvador. The Mexican government confirmed last week that data had been stolen from its Defense Ministry, including sensitive information on military operations, surveillance of political and social movements, ties to narco-traffickers, and even the president’s health. The Chilean government also confirmed that a leak of 400,000 emails—including top-secret documents—was genuine, and it announced the resignation of the head of its Joint Chiefs of Staff in response.

Guacamaya reportedly used ProxyShell, exploiting Microsoft vulnerabilities that allowed hackers to take control of Exchange email servers to gain access to these networks. Although patches for these vulnerabilities were released more than a year ago, the timing of the hacks suggests that the vulnerabilities were never patched. According to a recent study, 42% of companies that experienced a data breach in 2020 failed to patch a known vulnerability.

These cyberattacks illustrate the importance of safeguarding valuable government data.

Federal contractors store, handle, and access government and proprietary data in support of critical U.S. Government missions and programs. With such a target-rich environment, hackers frequently focus on federal contractors for socio-political reasons (e.g., the Guacamaya Hack), economic gain (e.g., the Maui Ransomware), or espionage. Indeed, government contractors are under constant threat from sophisticated ransomware attacks, leaked credentials, and theft of data from advanced persistent threat activities.

Federal contractors must maintain a comprehensive cybersecurity plan to protect their own data and that of government clients, or risk facing both cyberattacks and legal liability.  Government contractors and entities interested in entering the federal marketplace should, at a minimum, implement a system security plan in addition to complying with individual contract requirements to ensure adequate protection.

  • System Security Plan: At a minimum, contractors should have a comprehensive cybersecurity plan that contains (1) cybersecurity policies, procedures, and plans; (2) the design and implementation of security controls as defined in National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and NIST Special Publication 800-171; and (3) supporting sub-projects that complete the cybersecurity requirements for the company.
    1. Cybersecurity policies, procedures, and plans should outline the internal governance regime for your company’s cybersecurity plan. This includes how the cybersecurity plan will be designed and implemented, what controls and functions will be contained in the plan, which risk mitigation procedures will be followed, how to report breaches and compliance issues internally, and who within the company will be responsible for monitoring and updating the plan.
    2. NIST SP 800-171 provides recommended requirements for protecting the confidentiality of “controlled unclassified information” within supply chains tied to government contracts. Specifically, this publication includes 110 controls that should be mapped across the organization’s relevant policies, standards, or other documents when applicable. Should contractors want to go above and beyond the minimum requirements established by NIST SP 800-171, NIST SP 800-53 provides a full collection of security and privacy controls for all U.S. federal information systems. Furthermore, defense contractors should be preparing for the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) 2.0 certification rule that is to take effect in Spring 2023.
    3. Supporting sub-projects include the tools and plans to support the implementation and validation of both the cybersecurity policies, procedures, and plans and the NIST/CMMC requirements.
  • Contract Compliance. In addition to a System Security Plan, contractors should review each government contract for specific cybersecurity requirements that may exceed the baseline requirements. The Defense Department, for example, has instructed contracting officers to use contractual remedies to ensure that contractors have “adequate” cybersecurity capabilities. Defense contracts will likely include DFARS 252.204-7012 (and CMMC 2.0), which requires contractors to implement NIST SP 800-171 for covered defense information and requires contractors to report cyber incidents that affect such information. Failure to adhere to such specific contract requirements may result in default termination, poor past performance ratings, or monetary claims by the Government. In certain circumstances, failure to comply with these mandatory cybersecurity requirements may lead to False Claims Act liability, as described in the Department of Justice’s Civil Cyber-Fraud Initiative, and, potentially, suspension or debarment.

Due to the high risk of cyberthreats, contractors should pay close attention to their cybersecurity systems and whether such systems are compliant with the NIST standards and specific requirements in their government contracts. Nichols Liu has extensive expertise in these areas and can help you attain your compliance goals through assessment of your cyber systems, upgrading of those systems to meet standards, and assistance with continuing contract compliance. Please contact the authors of this article or the Nichols Liu attorneys with whom you regularly work.

Former DoD IG and In-House Chief Compliance Officer Lynne Halbrooks joins Nichols Liu

Washington DC (September 12, 2022) – Lynne Halbrooks, a former Chief Compliance Officer and Acting Inspector General, has joined Nichols Liu as a Partner.

Ms. Halbrooks joins Nichols Liu from Acuity International where she was the Chief Compliance Officer and Deputy General Counsel.  Prior to that, she served in numerous senior legal and leadership roles within the government, including at the U.S. Department of Defense where she served as the Acting Inspector General and as the Principal Deputy Inspector General, the U.S. Senate Sergeant at Arms, the Special Inspector General for Iraq Reconstruction, and the U.S. Department of Justice, where she served as both an Assistant U.S. Attorney and in the Executive Office for U.S. Attorneys.  She was also previously a partner at Holland & Knight.

“We are delighted that Lynne has chosen Nichols Liu for her return to private practice.  Her stellar reputation and unique experience align perfectly with our mission to provide clients a one-stop shop with the best legal experts to help them navigate the complex issues that arise in government contracting,” said Robert Nichols, founding partner of the firm.

“As a former federal prosecutor and Acting Inspector General, Lynne has insights that will greatly enhance our already strong enforcement practice,” said Andy Liu, managing partner of the firm.  “She has a proven ability to help clients manage risk and solve problems.”

Ms. Halbrooks’ practice will include advising companies on all aspects of government compliance and representing them in internal and government investigations and audits, including whistleblower reprisal investigations, and suspension and debarment proceedings. She has experience advising companies and individuals on matters involving the False Claims Act, conflicts of interest, counterfeit parts, labor charging disputes, bribery and kickbacks, the Foreign Corrupt Practices Act, responses to subpoenas, and mandatory disclosures.

“I am thrilled to join the stellar professionals at this elite firm as it continues to grow and serve the government contractor community,” said Ms. Halbrooks.

Family Ties Create Contract Conflicts of Interest in Federal Acquisition. And More.

By Alan Chvotkin on August 25, 2022.

It is often said that you can’t pick your family. But sometimes, family relationships can affect whether a federal agency can pick a company in a competition because of a conflict of interest. Two recent Government Accountability Office (GAO) protest decisions looked at whether there were “hard facts” – not just innuendo and suspicion – necessary for GAO to determine whether a family relationship created a conflict of interest sufficient to sustain a protest of the agency’s award decision. Plus, here’s an update on pending legislation relating to the broader issue of acquisition conflicts of interest.

On July 6, 2022, GAO issued its opinion in KOAM Engineering Systems.[1] KOAM protested an award to McKean Defense Group for a Navy support services contract. One of the protest grounds was that McKean gained an unfair competitive advantage based on an apparent conflict of interest where one of the awardee’s key persons was married to an agency contracting officer’s representative (COR) on the protestor’s incumbent contract. KOAM asserted that, given their marriage, that both worked in close proximity at home, and that they shared a financial interest, there is an “irrefutable presumption of impropriety that cannot be overcome by the Navy’s after-the-fact investigation.” However, the Navy contended that its investigation found no evidence that the COR participated in the procurement or that the COR disclosed competitively useful information. GAO concluded that the unique facts here do not establish any impropriety requiring the exclusion of the awardee or reflect that the alleged conflict prejudiced the protestor.

On July 25, 2022, GAO issued its opinion in Deloitte Consulting/ManTech Advanced Systems.[2] The Defense Health Agency hired a consultant to help the agency with its acquisition planning. The consultant had a brother who worked for a company on the awardee’s team. The DHA contracting officer twice investigated the allegations and, after the second investigation, concluded that the award was not affected by the two brothers’ relationship. GAO concluded that the record before it did not support the allegations that a non-governmental advisor improperly influenced the procurement in favor of the awardee. In addition, GAO concluded that the protestors did not present the “hard facts” necessary to refute the agency’s conclusion.

Companies that become aware of a family relationship are well advised to take immediate action to separate the company employee from future action pending an internal review. It is often advisable to notify the government contracting officer as early in the procurement cycle as possible to allow the government to undertake its own review. You can be sure that competitors are going to know of, or discover, the relationship and potentially challenge any award decision as being tainted by that family relationship.

But potential post-award protestors need to be wary, as well. As these two, and other, GAO decisions affirm, protestors must provide “hard facts” to show that the family relationship created a conflict. Even then, however, a thorough analysis by the agency of the totality of the circumstances may still be enough to sustain the agency’s award decision even if a protest is filed.

Legislative Update

In my June 2022 column titled “Stretching the Limits of FAR OCI Rules”, I wrote about proposed legislation introduced in both the House and Senate that would require the FAR Council to clarify the rules regarding organizational and personal conflicts of interest. Subsequently, on August 1, 2022, the United States Senate passed a modified version of the “Preventing Organizational Conflicts of Interest in Federal Acquisition Act.”[3] Under that Senate-passed bill, among other things, the FAR Council must revise the FAR to provide and update:

  • definitions related to specific types of organizational conflicts of interest;
  • definitions, guidance, and illustrative examples related to relationships of contractors with public, private, domestic, and foreign entities that may cause contract support to be subject to potential organizational conflicts; and
  • illustrative examples of situations related to the potential organizational conflicts identified.

The House Oversight and Reform Committee approved two similar conflict-of-interest reform bills on July 20, 2022 with substitute amendments.

Under H.R. 7602, also titled “Preventing Organizational Conflicts of Interest in Federal Acquisition Act”,[4] the bill directs the Federal Acquisition Regulatory Council to (1) identify contracting methods, types, and services that raise heightened concerns for potential organizational conflicts of interest beyond those currently addressed in the FAR; and (2) revise the FAR to address organizational conflicts of interest and require executive agencies to take certain actions.

Under H.R. 8325, titled “Preventing Personal Conflicts of Interest in Federal Acquisition Act”,[5] the FAR Council is directed to expand the scope of rules relating to personal conflicts of interest, including providing improved definitions and examples, and requiring the OFPP Administrator to issue policy to prevent personal conflicts of interest in certain types of federal functions.

Finally, in my June 2022 column, I mistakenly noted that the FAR Council acted in March 2022 to close out one of the oldest unresolved open FAR cases – also dealing with conflicts of interest. In fact, the FAR Council withdrew the proposed rule without further action on March 19, 2021. I regret the error.

I doubt we have seen or heard the last of these GAO bid protests on family conflicts of interest or reached the end of the legislation on organizational or personal conflicts of interest. I’ll use future editions of this column to keep you up to date.

***originally published by Executive Mosaic on 8/25/2022***

[1] KOAM Engineering Systems, Inc., B-420157.2 (July 6, 2022), available at https://www.gao.gov/assets/730/721692.pdf.

[2] Deloitte Consulting LLP; ManTech Advanced Systems International, B-420137.7 through B-420137.11, (July 25, 2022) available at https://www.gao.gov/assets/730/722022.pdf.

[3] S. 3905, Preventing Organizational Conflicts of Interest in Federal Acquisition Act (Aug 1, 2022), available at https://www.congress.gov/117/bills/s3905/BILLS-117s3905es.pdf

[4] HR 7602, Preventing Organizational Conflict of Interest in Federal Acquisition Act (introduced April 27, 2022), available at https://www.congress.gov/117/bills/hr7602/BILLS-117hr7602ih.pdf. The text of the substitute amendment adopted by the Committee is available at https://docs.house.gov/meetings/GO/GO00/20220714/115007/BILLS-117-HR7602-M000087-Amdt-1.pdf.

[5] HR 8325, Preventing Personal Conflicts of Interest in Federal Acquisition Act (introduced July 11, 2022), available at https://www.congress.gov/117/bills/hr8325/BILLS-117hr8325ih.pdf. The text of the substitute amendment adopted by the Committee is available at https://docs.house.gov/meetings/GO/GO00/20220714/115007/BILLS-117-HR8325-M000087-Amdt-1.pdf.

Years in the Making: Aerojet Rocketdyne Settles for $9 Million Amidst Allegations of Cybersecurity Violations

By Andy Liu, Robert Nichols, Haaleh Katouzian, Madison Plummer, and Samantha Hoover

Years after relator Brian Markus brought a qui tam action against Aerojet Rocketdyne Holdings, Inc. (“Aerojet Rocketdyne”), the United States Department of Justice (“DOJ”) announced that the government contractor would pay $9 million to the Government to resolve False Claims Act (“FCA”) allegations.[1]  As we wrote about in 2019, Markus alleged that Aerojet Rocketdyne had fraudulently induced the government to award Aerojet Rocketdyne contracts by misrepresenting its compliance with cybersecurity requirements.[2]  Though the government declined intervention, the case ultimately went to trial and settled on the second day of the proceeding.  Markus will receive over $2.6 million of the settlement amount, which will likely inspire similar qui tam actions.

The ever-changing landscape of cybersecurity regulations, compliance, and enforcement can be difficult to track and navigate.[3]  DOJ commenced its Civil Cyber-Fraud Initiative in October 2021.[4]  DOJ’s announcement of the Aerojet Rocketdyne settlement put the Initiative into context:

The Department’s Civil Cyber-Fraud Initiative . . . aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.[5]

Earlier this year, DOJ announced what it claimed was its first FCA settlement under the Civil Cyber-Fraud Initiative against a different contractor.[6]  The Settlement Agreement does not mention cybersecurity; instead, DOJ alleged that the contractor failed to disclose that it had not complied with the terms of the contract relating to the storage of medical records when it left scanned copies of some records on an internal network drive that could have been accessed by non-clinical staff.  DOJ’s touting of this settlement as a part of its current initiative to hold companies accountable for putting U.S. information systems at risk shows how aggressive it will be in categorizing allegations as “cyber fraud.”

The Civil Cyber-Fraud Initiative came in the wake of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which stressed the federal government’s role in identifying, deterring, protecting against, detecting, and responding to sophisticated malicious cyber campaigns.[7]  Notably, that Executive Order also directed the Office of Management and Budget (“OMB”) to review the Federal Acquisition Regulation (“FAR”) and provide recommendations for updates to contract requirements and clauses.  Several agencies have also initiated notice and comment rulemaking procedures describing their intent to amend agency FAR supplements to enhance cybersecurity obligations.[8]

Just as we predicted FCA cases against Federal contractors for non-compliance, we also anticipate that there will be one or more suspensions and debarments for contractors who are not presently responsible regarding cyber compliance.  As such, it’s important for contractors to understand the regulatory obligations and to pursue a holistic approach that includes technical, governance, and legal risk management aspects.

Nichols Liu has teamed with a leading cyber compliance firm to develop a templated approach to cyber compliance.  We also have extensive experience advising clients on FCA matters, having served as lead counsel for hundreds of FCA cases.

[1] https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

[2] https://nicholsliu.com/cybersecurity-as-an-insecurity-in-the-fca-space/

[3] https://nicholsliu.com/dojs-new-cyber-fraud-initiative-looming-wave-of-fca-liability/

[4] https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

[5] https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

[6] https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical

[7] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[8] https://www.federalregister.gov/documents/2021/09/10/2021-18866/general-services-acquisition-regulation-gsar-gsar-case-2016-g511-contract-requirements-for-gsa;

https://www.federalregister.gov/documents/2021/11/17/2021-24880/cybersecurity-maturity-model-certification-cmmc-20-updates-and-way-forward.

Cyber Risks: DoD To Strictly Enforce Cybersecurity Regulations

By Robert Nichols, Alan Chvotkin, Michael Bhargava, and Madison Plummer

On June 16, 2022, the Department of Defense (“DoD”) published a memorandum that emphasized the potential consequences when contractors fail to comply with cybersecurity regulations.[i]  Although the memorandum addresses DoD contracting personnel, it sends a direct message to all defense contractors: become compliant or risk breaching your contracts.  Non-defense contractors are also well-advised to heed this warning.

What does compliance entail?  Contractors must understand and follow a litany of cybersecurity regulations and certifications, including:

  • cybersecurity of covered defense information and cyber incident reporting (DFARS 252.204-7012);
  • supply chain monitoring of covered defense telecommunications equipment or services (DFARS Sections 252.204-7016–18);
  • National Institute of Standards and Technology (NIST) Special Publication 800-171 certification (DFARS 252.204-7019–20); and soon
  • Cybersecurity Maturity Model Certification (CMMC) certification (DFARS 252.204-7021).

The DoD memorandum, from Principal Director of Defense Pricing and Contracting John M. Tenaglia, focuses first on the requirements of DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”  In effect since December 31, 2017, this clause requires contractors to provide adequate security on all unclassified contractor information systems that are owned or operated by or for a contractor and that process, store, or transmit covered defense information.[ii]  Adequate security is explained in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations;” it requires contractors to be fully compliant with 110 controls in the Standard and to have a plan of action and milestones for each control not yet implemented.  In addition, the -7012 Clause mandates reporting cybersecurity incidents within 72 hours of discovery, compliance with cloud computing services security, and a flow-down requirement to subcontractors.

DFARS 252.204-7020, “NIST SP 800-171 DOD Assessment Requirements,” applies to contractor information systems covered under DFARS 252.204-7012.  It allows the Government access to contractor facilities, systems, and personnel to conduct assessments of a contractor’s compliance with the NIST standards.[iii]  Contractors must upload a “Basic Assessment” of their summary level scores into the DoD-unique Supplier Performance Risk System (SPRS).  DoD will then conduct its own direct assessment and post the “High” and/or “Medium Assessment” summary level scores to SPRS for each system security plan assessed.

Importantly, the DFARS regulatory framework, as a whole, sets NIST SP 800 as the floor—not the ceiling.  Within the next year, contractors will be required to certify compliance with the DoD-unique CMMC 2.0.[iv]  DoD has made clear that the NIST SP 800-171 Assessment and CMMC assessments will not duplicate efforts, except in rare circumstances.  Thus, defense contractors need, at a minimum, a plan of action to implement both the NIST system security plan and the upcoming CMMC 2.0—or risk contract termination or award ineligibility.

For now, under the -7012 Clause, contractors self-certify their implementation of NIST SP 800-171.  But the 2022 DFARS Clause 252.204-7020 enables the Government to audit a contractor’s implementation of NIST SP 800-171 to validate the results of the contractor’s self-assessment.

The recent DoD memorandum not only stresses the importance of these clauses, but also cites the contractual remedies available to DoD contracting officers to ensure compliance with these cybersecurity requirements:

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.  Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

The memorandum reminds Contracting Officers to verify, prior to award, that a contractor has a summary level score of the current NIST SP 800 DoD Assessment posted in SPRS for each new contract, option exercise, extension or modification, or order, regardless of whether the new award includes DFARS 252.204-7020.  In addition, Contracting Officers are reminded of their ability to negotiate bilateral modifications to include DFARS 252.204-7020 in current contracts.

Non-DoD Government contractors should also begin implementation of these cybersecurity requirements, in light of President Biden’s May 2021 Executive Order “Improving the Nation’s Cyber Security,” which stressed the federal government’s role in responding to malicious cyber campaigns.[v]  As evidence, last fall, several civilian agencies initiated their own notice and comment rulemaking procedures to amend their FAR supplements to enhance cybersecurity preparedness to include, inter alia, compliance with the several NIST publications.[vi]  We expect that civilian agency Contracting Officers will be reminded that they have the same contractual remedies at their disposal as DoD Contracting Officers for contractors that fail to comply with requisite cybersecurity regulations.

For assistance on navigating these current and planned regulations applicable to either DoD or the civilian agencies, and/or developing your cybersecurity compliance plan, please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.

[i] Memorandum from John M. Tenaglia, Principal Director of Defense Pricing and Contracting, “Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments,” June 16, 2022, available at https://www.acq.osd.mil/dpap/policy/policyvault/USA000807-22-DPC.pdf

[ii] DFARS 252.204-7012; Memorandum from Shay D. Assad, Director of Defense Pricing/Defense Procurement and Acquisition Policy, “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Sept. 21, 2017, available at https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

[iii] DFARS 252.204-7020.

[iv] Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041), 86 Fed. Reg. 61,505 (Nov. 30, 2020), https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf

[v] Exec. Order No. 14028, “Improving the Nation’s Cyber Security” (May 12, 2021), available at  https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[vi] See, e.g., General Services Acquisition Regulation (GSAR); GSAR Case 2016-G511, Contract Requirements for GSA Information Systems, 86 Fed. Reg. 50,689 (Sept. 10, 2021), available at https://www.federalregister.gov/documents/2021/09/10/2021-18866/general-services-acquisition-regulation-gsar-gsar-case-2016-g511-contract-requirements-for-gsa; see, e.g., Semiannual Regulatory Agenda, “Federal Acquisition Regulation (FAR); FAR Case 2021–017, Cyber Threat and Incident Reporting and Information Sharing,” 87 Fed. Reg. 5,317 (Jan. 31, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-01-31/pdf/2021-27966.pdf (“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to increase the sharing of information about cyber threats and incident information between the Government and certain providers, pursuant to OMB recommendations, in accordance with section 2(b)–(c), and Department of Homeland Security recommendations, in accordance with section 8(b), of Executive Order 14028, Improving the Nation’s Cybersecurity.”).