Sujai C, Author at Nichols Liu

New Law Requires FAR Changes on Organizational Conflicts of Interest (OCI)

Sujai C on December 28, 2022

By Alan Chvotkin on December 28, 2022.

One of the last legislative actions taken at the close of the 117^th Congress was passage by the House of Representatives of the “Preventing Organizational Conflicts of Interest in Federal Acquisition Act” on December 14, 2022. The president signed that bill into law on December 27, 2022. Enactment marks the end of a journey that began in the United States Senate with the introduction of this legislation (S. 3905) in March by two Democratic and two Republican Senators who are members of the Homeland Security and Government Affairs Committee, and unanimous passage of an amended version of the bill by the United States Senate on August first.

Similar legislation was introduced in the House in April by Oversight and Reform Committee chair Maloney, following her release of an interim majority staff report that looked at issues related to potential conflicts of interest by McKinsey & Company concerning their work at the Food and Drug Administration while also working with certain opioid manufacturers. The House approved the Senate-passed bill on a largely party-line vote of 219-205.

I previously posted two blog posts on June 6, 2022 [Click Here] and on August 25, 2022 [Click Here] that traced the congressional actions relating to this bill and related legislation, as well as highlighting recent Government Accountability Office (GAO) bid protest decisions challenging awards based on allegations of improper conflicts of interest.

Under this new law, within 18 months after enactment, the Federal Acquisition Regulatory Council is directed to amend the Federal Acquisition Regulation (FAR) to:

Provide and update definitions on specific types of organizational conflicts, including the three types of conflicts that have long been recognized by GAO bid protest decisions: (a) unequal access to information; (b) impaired objectivity; and (c) biased ground rules.
Include examples of potential conflicts of interest based on contractors’ relationships with public, private, domestic and foreign entities.
Provide solicitation provisions and contract clauses directing contractors to disclose potential organizations conflicts. The current FAR does not have a standard OCI solicitation or contract clause, although a few agencies, such as DoD, FDA and Department of Education, have agency supplemental acquisition regulations that impose varying degrees of disclosure responsibilities on bidders and contract awardees.
Require agencies to establish and update their internal procedures to implement these changes.
Allow contracting officers to consider professional standards to prevent organizational conflicts of interest affecting bidders and awarded contractors.

I don’t expect a proposed FAR rule to be issued until late summer or early fall 2023. I’ll use future editions of this column to keep you up to date. In the interim, federal contractors would be well advised to look at their company policies regarding all forms of personal and organizational conflicts of interest, and review actions they can take to minimize and mitigate any that arise.

With the close of the 117^th Congress, a House bill (HR 8325) introduced by Oversight and Reform Committee chair Maloney relating to personal conflicts of interest failed to get traction. Like the OCI bill that was enacted into law, this proposed legislation directs the Federal Acquisition Regulatory Council to (1) expand the scope of rules to prevent personal conflicts of interest beyond the limited types of functions or services that are currently addressed in a specified part of the Federal Acquisition Regulation (FAR), and (2) revise the FAR to address the functions and services that give rise to heightened concerns for personal conflicts of interest. In addition, the bill prohibits contractors, contractor employees, and subcontractors and their employees from providing services supporting the regulatory, policymaking, or adjudicative functions of an agency while at the same time that contractor, employees, or subcontractor provides services to an entity regulated by, or having non-routine business before, the agency, except where there is a compelling reason, as documented in writing.

While the Committee favorably ordered the bill reported on July 20, 2022, it was never formally filed by the Committee and thus never considered by the House and will have to be reintroduced in the new Congress. There was no companion bill introduced in the Senate. But Mrs. Maloney was not reelected and she had no cosponsors of her bill as introduced, so a new sponsor of the bill will have to be found for the new Congress. I’ll be reporting on developments on this issue, too.

Nichols Liu has extensive expertise in this area and can help you attain your compliance goals through an assessment of your company’s organizational and personal conflicts of interest policies and related matters. Please contact the author of this article or the Nichols Liu attorneys with whom you regularly work.

How effective are bid protests at obtaining relief? Greater than 50%, according to GAO.

Sujai C on November 10, 2022

By Robert Nichols, Michael Bhargava, and Madison Plummer

The U.S. Government Accountability Office (“GAO”) released its bid protest statistics for FY2022 in its Annual Report to Congress on November 1, 2022. As discussed in our briefing paper, Should We Protest?, data-driven analyses of bid protests do not tell the full story, but they do provide insight into interesting trends that illustrate the efficacy of the procurement process at large. We digested the stats from the last few years and noticed several notable trends.

GAO reported a continuing increase in the “effectiveness rate” of protests—that is, where protestors identified errors that warranted “corrective action.” For pre-award protests, corrective action may mean reshaping the solicitation to level the playing field. For post-award protests, corrective action may mean that the agency must reevaluate offers or allow further proposal revisions.

The effectiveness rate 20 years ago hovered around 33 percent and remained in the low- to mid-40 percent range for the last 15 years. For the past three years, however, it has averaged 50 percent, and the rate was 51 percent last year. In other words, at least half of the protests filed resulted in reshaping the solicitation or obtaining “another bite at the apple” in a competition.

This increased effectiveness rate is not because GAO has sustained more protests. Quite the opposite. GAO’s protest sustain rate fell to 13 percent last year, down from 23 percent in FY2016. Rather, agencies are taking more voluntary corrective action when they see merit to a protest.

Of course, these statistics go only to GAO bid protests. A protester with a clear winning argument may save money and ruffle fewer feathers at the agency by filing an agency-level protest under FAR 33.103. Or a protester with a strong argument and an intransigent agency may find greater success at the Court of Federal Claims, which often can be more scrutinizing and less deferential to agencies than GAO. See Nichols Liu Wins Back-to-Back COFC Protests, Which Includes “Reversing” a GAO Decision, Feb. 8, 2022. In our experience, a well-founded protest in any forum can achieve voluntary corrective action 80 percent of the time or more.

The increased use of agency and court protests may be part of the reason that the number of GAO protests has dropped in recent years. Protestors filed only 1,658 cases at GAO last year (1,595 protests, 43 cost claims, and 20 requests for reconsideration). This total number is down 13 percent since last year and down 41 percent from a high of 2,789 cases filed in FY2016. Indeed, offerors have not filed so few cases since 2008.

Nichols Liu has litigated hundreds of bid protests at GAO, the Court of Federal Claims, and at the agency level. Should you have questions about the protest process or need assistance filing a protest, please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.

Hacks, Attacks, And Compliance Tracks: The Importance Of Safeguarding Government And Client Data

Sujai C on October 7, 2022

By Michael Bhargava and Madison Plummer

The public disclosure of cyberattacks on Latin American governments further highlights the need for all government contractors to keep constant vigilance over and ensure the protection of sensitive data.

In September, an international group of “hacktivists” called Guacamaya provided journalists access to 10 terabytes of data hacked from the militaries of Colombia, Peru, Chile, Mexico, and El Salvador, as well as the national police of El Salvador. The Mexican government confirmed last week that data had been stolen from its Defense Ministry, including sensitive information on military operations, surveillance of political and social movements, ties to narco-traffickers, and even the president’s health. The Chilean government also confirmed that a leak of 400,000 emails—including top-secret documents—was genuine, and it announced the resignation of the head of its Joint Chiefs of Staff in response.

Guacamaya reportedly used ProxyShell, exploiting Microsoft vulnerabilities that allowed hackers to take control of Exchange email servers to gain access to these networks. Although patches for these vulnerabilities were released more than a year ago, the timing of the hacks suggests that the vulnerabilities were never patched. According to a recent study, 42% of companies that experienced a data breach in 2020 failed to patch a known vulnerability.

These cyberattacks illustrate the importance of safeguarding valuable government data.

Federal contractors store, handle, and access government and proprietary data in support of critical U.S. Government missions and programs. With such a target-rich environment, hackers frequently focus on federal contractors for socio-political reasons (e.g., the Guacamaya Hack), economic gain (e.g., the Maui Ransomware), or espionage. Indeed, government contractors are under constant threat from sophisticated ransomware attacks, leaked credentials, and theft of data from advanced persistent threat activities.

Federal contractors must maintain a comprehensive cybersecurity plan to protect their own data and that of government clients, or risk facing both cyberattacks and legal liability. Government contractors and entities interested in entering the federal marketplace should, at a minimum, implement a system security plan in addition to complying with individual contract requirements to ensure adequate protection.

System Security Plan: At a minimum, contractors should have a comprehensive cybersecurity plan that contains (1) cybersecurity polices, procedures, and plans; (2) the design and implementation of security controls as defined in National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and NIST Special Publication 800-171; and (3) supporting sub-projects that complete the cybersecurity requirements for the company.
1. Cybersecurity policies, procedures, and plans should outline the internal governance regime for your company’s cybersecurity plan. This includes how the cybersecurity plan will be designed and implemented, what controls and functions will be contained in the plan, which risk mitigation procedures will be followed, how to report breaches and compliance issues internally, and who within the company will be responsible for monitoring and updating the plan.
2. NIST SP 800-171 provides recommended requirements for protecting the confidentiality of “controlled unclassified information” within supply chains tied to government contracts. Specifically, this publication includes 110 controls that should be mapped across the organization’s relevant policies, standards, or other documents when applicable. Should contractors want to go above and beyond the minimum requirements established by NIST SP 800-171, NIST SP 800-53 provides a full collection of security and privacy controls for all S. federal information systems. Furthermore, defense contractors should be preparing for the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) 2.0 certification rule that is to take effect in Spring 2023.
3. Supporting sub-projects include the tools and plans to support the implementation and validation of both the cybersecurity policies, procedures, and plans and the NIST/CMMC requirements.

Contract Compliance. In addition to a System Security Plan, contractors should review each government contract for specific cybersecurity requirements that may exceed the baseline requirements. The Defense Department, for example, has instructed contracting officers to use contractual remedies to ensure that contractors have “adequate” cybersecurity capabilities. Defense contracts will likely include DFARS 252.204-7012 (and CMMC 2,0), which requires contractors to implement NIST SP 800-171 for covered defense information and requires contractors to report cyber incidents that affect such information. Failure to adhere to such specific contract requirements may result in default termination, poor past performance ratings, or monetary claims by the Government. In certain circumstances, failure to comply with these mandatory cybersecurity requirements may lead to False Claims Act liability, as described in the Department of Justice’s Civil Cyber-Fraud Initiative, and, potentially, suspension or debarment.

Due to the high risk of cyberthreats, contractors should pay close attention to their cybersecurity systems and whether such systems are compliant with the NIST standards and specific requirements in their government contracts. Nichols Liu has extensive expertise in these areas and can help you attain your compliance goals through assessment of your cyber systems, upgrading of those systems to meet standards, and assistance with continuing contract compliance. Please contact the authors of this article or the Nichols Liu attorneys with whom you regularly work.

Photo: Artem Oleshko | Shutterstock

Former DoD IG and In-House Chief Compliance Officer Lynne Halbrooks joins Nichols Liu

Sujai C on September 13, 2022

Washington DC (September 12, 2022) – Lynne Halbrooks, a former Chief Compliance Officer and Acting Inspector General, has joined Nichols Liu as a Partner.

Ms. Halbrooks joins Nichols Liu from Acuity International where she was the Chief Compliance Officer and Deputy General Counsel. Prior to that, she served in numerous senior legal and leadership roles within the government, including at the U.S. Department of Defense where she served as the Acting Inspector General and as the Principal Deputy Inspector General, the U.S. Senate Sergeant at Arms, the Special Inspector General for Iraq Reconstruction, and the U.S. Department of Justice, where she served as both an Assistant U.S. Attorney and in the Executive Office for U.S. Attorneys. She was also previously a partner at Holland & Knight.

“We are delighted that Lynne has chosen Nichols Liu for her return to private practice. Her stellar reputation and unique experience align perfectly with our mission to provide clients a one-stop shop with the best legal experts to help them navigate the complex issues that arise in government contracting,” said Robert Nichols, founding partner of the firm.

“As a former federal prosecutor and Acting Inspector General, Lynne has insights that will greatly enhance our already strong enforcement practice,” said Andy Liu, managing partner of the firm. “She has a proven ability to help clients manage risk and solve problems.”

Ms. Halbrooks’ practice will include advising companies on all aspects of government compliance and representing them in internal and government investigations and audits, including whistleblower reprisal investigations, and suspension and debarment proceedings. She has experience advising companies and individuals on matters involving the False Claims Act, conflicts of interest, counterfeit parts, labor charging disputes, bribery and kickbacks, the Foreign Corrupt Practices Act, responses to subpoenas, and mandatory disclosures.

“I am thrilled to join the stellar professionals at this elite firm as it continues to grow and serve the government contractor community,” said Ms. Halbrooks.

Family Ties Create Contract Conflicts of Interest in Federal Acquisition. And More.

Sujai C on August 25, 2022

By Alan Chvotkin on August 25, 2022.

It is often said that you can’t pick your family. But sometimes, family relationships can affect whether a federal agency can pick a company in a competition because of a conflict of interest. Two recent Government Accountability Office (GAO) protest decisions looked at whether there were “hard facts” – not just innuendo and suspicion – necessary for GAO for determine whether a family relationship created a conflict of interest sufficient to sustain a protest of the agency’s award decision. Plus, here’s an update on pending legislation relating to the broader issue of acquisition conflicts of interest.

On July 6, 2022, GAO issued its opinion in KOAM Engineering Systems.[1] KOAM protested an award to McKean Defense Group for a Navy support services contract. One of the protest grounds was that McKean gained an unfair competitive advantage based on an apparent conflict of interest where one of the awardee’s key persons was married to an agency contracting officer’s representative (COR) on the protestor’s incumbent contract. KOAM asserted that, given their marriage, that both worked in close proximity at home, and that they shared a financial interest, there is an “irrefutable presumption of impropriety than cannot be overcome by the Navy’s after-the-fact investigation.” However, the Navy contended that its investigation found no evidence that the COR participated in the procurement or that the COR disclosed competitively useful information. GAO concluded that the unique facts here do not establish any impropriety requiring the exclusion of the awardee or reflect that the alleged conflict prejudiced the protestor.

On July 25, 2022, GAO issued its opinion in Deloitte Consulting/ManTech Advanced Systems.[2] The Defense Health Agency hired a consultant to help the agency with its acquisition planning. The consultant had a brother who worked for a company on the awardee’s team. The DHA contracting officer twice investigated the allegations and, after the second investigation, concluded that the award was not affected by the two brothers’ relationship. GAO concluded that the record before it did not support the allegations that a non-governmental advisor improperly influenced the procurement in favor of the awardee. In addition, GAO concluded that the protestors did not present the “hard facts” necessary to refute the agency’s conclusion.

Companies that become aware of a family relationship are well advised to take immediate action to separate the company employee from future action pending an internal review. It is often advisable to notify the government contracting officer as early in the procurement cycle as possible to allow the government to undertake its own review. You can be sure that competitors are going to know of, or discover, the relationship and potentially challenge any award decision as being tainted by that family relationship.

But potential post-award protestors need to be wary, as well. As these two, and other, GAO decisions affirm, protestors must provide “hard facts” to show that the family relationship created a conflict. Even then, however, a thorough analysis by the agency of the totality of the circumstances may still be enough to sustain the agency’s award decision even if a protest is filed.

Legislative Update

In my June 2022 column titled “Stretching the Limits of FAR OCI Rules”, I wrote about proposed legislation introduced in both the House and Senate that would require the FAR Council to clarify the rules regarding organizational and personal conflicts of interest. Subsequently, on August 1, 2022, the United States Senate passed a modified version of the “Preventing Organizational Conflicts of Interest in Federal Acquisition Act.”[3] Under that Senate-passed bill, among other things, the FAR Council must revise the FAR to provide and update:

definitions related to specific types of organizational conflicts of interest;
definitions, guidance, and illustrative examples related to relationships of contractors with public, private, domestic, and foreign entities that may cause contract support to be subject to potential organizational conflicts; and
illustrative examples of situations related to the potential organizational conflicts identified.

The House Oversight and Reform Committee approved two similar conflict-of-interest reform bills on July 20, 2022 with substitute amendments.

Under H.R. 7602, also titled “Preventing Organizational Conflicts of Interest in Federal Acquisition Act”,[4] the bill directs the Federal Acquisition Regulatory Council to (1) identify contracting methods, types, and services that raise heightened concerns for potential organizational conflicts of interest beyond those currently addressed in the FAR; and (2) revise the FAR to address organizational conflicts of interest and require executive agencies to take certain actions.

Under H.R. 8325, titled “Preventing Personal Conflicts of Interest in Federal Acquisition Act”,[5] the FAR Council is directed to expand the scope of rules relating to personal conflict of interest, including providing improved definitions and examples, and requiring the OFPP Administrator to issue policy to prevent personal conflicts of interest in certain type of federal functions.

Finally, in my June 2022 column, I mistakenly noted that the FAR Council acted in March 2022 to close out one of the oldest unresolved open FAR cases – also dealing with conflicts of interest. In fact, the FAR Council withdrew the proposed rule without further action on March 19, 2021. I regret the error.

I doubt we have seen or heard the last of these GAO bid protests on family conflicts of interest or reached the end of the legislation on organizational or personal conflicts of interest. I’ll use future editions of this column to keep you up to date.

***originally published by Executive Mosaic on 8/25/2022***

[1] KOAM Engineering Systems, Inc., B-420157.2 (July 6, 2022), available at https://www.gao.gov/assets/730/721692.pdf.

[2] Deloitte Consulting LLP; ManTech Advanced Systems International, B-420137.7 through B-420137.11, (July 25, 2022) available at https://www.gao.gov/assets/730/722022.pdf.

[3] S. 3905, Preventing Organizational Conflicts of Interest in Federal Acquisition Act (Aug 1, 2022), available at https://www.congress.gov/117/bills/s3905/BILLS-117s3905es.pdf

[4] HR 7602, Preventing Organizational Conflict of Interest in Federal Acquisition Act (introduced April 27, 2022), available at https://www.congress.gov/117/bills/hr7602/BILLS-117hr7602ih.pdf. The text of the substitute amendment adopted by the Committee is available at https://docs.house.gov/meetings/GO/GO00/20220714/115007/BILLS-117-HR7602-M000087-Amdt-1.pdf.

[5] HR 8325, Preventing Personal Conflicts of Interest in Federal Acquisition Act (introduced July 11, 2022 available at https://www.congress.gov/117/bills/hr8325/BILLS-117hr8325ih.pdf. The text of the substitute amendment adopted by the Committee is available at https://docs.house.gov/meetings/GO/GO00/20220714/115007/BILLS-117-HR8325-M000087-Amdt-1.pdf.

Years in the Making: Aerojet Rocketdyne Settles for $9 Million Amidst Allegations of Cybersecurity Violations

Sujai C on August 1, 2022

By Andy Liu, Robert Nichols, Haaleh Katouzian, Madison Plummer, and Samantha Hoover

Years after relator Brian Markus brought a qui tam action against Aerojet Rocketdyne Holdings, Inc. (“Aerojet Rocketdyne”), the United States Department of Justice (“DOJ”) announced that the government contractor would pay $9 million to the Government to resolve False Claims Act (“FCA”) allegations.[1] As we wrote about in 2019, Markus alleged that Aerojet Rocketdyne had fraudulently induced the government to award Aerojet Rocketdyne contracts by misrepresenting its compliance with cybersecurity requirements.[2] Though the government declined intervention, the case ultimately went to trial and settled on the second day of the proceeding. Markus will receive over $2.6 million of the settlement amount, which will likely inspire similar qui tam actions.

The ever-changing landscape of cybersecurity regulations, compliance, and enforcement can be difficult to track and navigate.[3] DOJ commenced its Civil Cyber-Fraud Initiative in October 2021.[4] DOJ’s announcement of the Aerojet Rocketdyne settlement put the Initiative into context:

The Department’s Civil Cyber-Fraud Initiative . . . aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.[5]

Earlier this year, DOJ announced what it claimed was its first FCA settlement under the Civil Cyber-Fraud initiative against a different contractor.[6] The Settlement Agreement does not mention cybersecurity and, instead, the DOJ alleged that the contractor failed to disclose that it had not complied with the terms of the contract relating to the storage of medical records when it left scanned copies of some records on an internal network drive that could have been accessed by non-clinical staff. DOJ’s touting of this settlement as a part of its current initiative to hold companies accountable for putting U.S. information systems at risk shows how aggressive they will be to categorize allegations as “cyber fraud.”

The Civil Cyber-Fraud Initiative came in the wake of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which stressed the federal government’s role in identifying, deterring, protecting against, detecting, and responding to sophisticated malicious cyber campaigns.[7] Notably, that Executive Order also directed the Office of Management and Budget (“OMB”) to review the Federal Acquisition Regulation (“FAR”) and provide recommendations for updates to contract requirements and clauses. Several agencies have also initiated notice & comment rulemaking procedures describe their intent to amend agency FAR supplements to enhance cybersecurity obligations.[8]

Just as we predicted FCA cases against Federal contractors for non-compliance, we also anticipate that there will be one or more suspensions and debarments for contractors who are not presently responsible regarding cyber compliance. As such, it’s important for contractors to understand the regulatory obligations and to pursue a holistic approach that includes technical, governance, and legal risk management aspects.

Nichols Liu has teamed with a leading cyber compliance firm to develop a templated approach to cyber compliance. We also have extensive experience advising clients on FCA matters, having served as lead counsel for hundreds of FCA cases.

[1] https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

[2] https://nicholsliu.com/cybersecurity-as-an-insecurity-in-the-fca-space/

[3] https://nicholsliu.com/dojs-new-cyber-fraud-initiative-looming-wave-of-fca-liability/

[4] https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

[5] https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

[6] https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical

[7] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[8] https://www.federalregister.gov/documents/2021/09/10/2021-18866/general-services-acquisition-regulation-gsar-gsar-case-2016-g511-contract-requirements-for-gsa;

https://www.federalregister.gov/documents/2021/11/17/2021-24880/cybersecurity-maturity-model-certification-cmmc-20-updates-and-way-forward.

Cyber Risks: DoD To Strictly Enforce Cybersecurity Regulations

Sujai C on July 21, 2022

By Robert Nichols, Alan Chvotkin, Michael Bhargava, and Madison Plummer

On June 16, 2022, the Department of Defense (“DoD”) published a memorandum that emphasized the potential consequences when contractors fail to comply with cybersecurity regulations.[i] Although the memorandum addresses DoD contracting personnel, it sends a direct message to all defense contractors: become compliant or risk breaching your contracts. Non-defense contractors are also well-advised to heed this warning.

What does compliance entail? Contractors must understand and follow a litany of cybersecurity regulations and certifications, including:

cybersecurity of covered defense information and cyber incident reporting (DFARS 252.204-7012);
supply chain monitoring of covered defense telecommunications equipment or services (DFARS Sections 252.204-7016–18);
National Institute of Standards and Technology (NIST) Special Publication 800-171 certification (DFARS 252.204-7019–20); and soon
Cybersecurity Maturity Model Certification (CMMC) certification (DFARS 252.204-7021).

The DoD memorandum—from Principal Director of Defense Pricing and Contracting John M. Tenagalia—focuses first on the requirements of DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” In effect since December 31, 2017, this clause requires contractors to provide adequate security on all unclassed contractor information systems owned or operated by/for a contractor and that processes, stores, or transmits covered defense information.[ii] Adequate security is explained in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations;” it requires contractors to be fully compliant with 110 controls in the Standard and a plan of action and milestones for each control not yet implemented. In addition, the -7012 Clause mandates reporting cybersecurity incidents within 72 hours of discovery, compliance with cloud computing services security, and a flow-down requirement to subcontractors.

DFARS 252.204-7020, “NIST SP 800-171 DOD Assessment Requirements,” applies to contractor information systems covered under DFARS 252.204-7012. It allows the Government access to contractor facilities, systems, and personnel to conduct assessments of a contractor’s compliance with the NIST standards.[iii] Contractors must upload a “Basic Assessment” of their summary level scores into the DoD-unique Supplier Performance Risk System (SPRS). DoD will then conduct its own direct assessment and post the “High” and/or “Medium Assessment” summary level scores to SPRS for each system security plan assessed.

Importantly, the DFARS regulatory framework, as a whole, sets NIST SP 800 as the floor—not the ceiling. Within the next year, contractors will be required to certify compliance with the DoD-unique CMMC 2.0.[iv] DoD has made clear that the NIST SP 800-171 Assessment and CMMC assessments will not duplicate efforts, except in rare circumstances. Thus, defense contractors need, at a minimum, a plan of action to implement both the NIST system security plan and the upcoming CMMC 2.0—or risk contract termination or award ineligibility.

For now, under the -7012 Clause, contractors self-certify their implementation of NIST SP 800-171. But the 2022 DFARS Clause 252.204-7020 Clause enables the Government to audit a contractor’s implementation of the NIST SP 800-171 to validate the results of the contractor’s self-assessment.

The recent DoD memorandum not only stresses the importance of these clauses, but also cites the contractual remedies available to DoD contracting officers to ensure compliance with these cybersecurity requirements:

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

The memorandum reminds Contracting Officers to verify, prior to award, that a contractor has a summary level score of the current NIST SP 800 DoD Assessment posted in SPRS for each new contract, option exercise, extension or modification, or order, regardless of whether the new award includes DFARS 242.204-7020. In addition, Contracting Officers are reminded of their ability to negotiate bilateral modifications to include the DFARS 242.204-7020 in current contracts.

Non-DoD Government contractors should also begin implementation of these cybersecurity requirements, in light of President Biden’s May 2021 Executive Order “Improving the Nation’s Cyber Security,” which stressed the federal government’s role in responding to malicious cyber campaigns.[v] As evidence, last fall, several civilian agencies initiated their own notice and comment rulemaking procedures to amend their FAR supplements to enhance cybersecurity preparedness to include, inter alia, compliance with the several NIST publications.[vi] We expect that civilian agency Contracting Officers will be reminded that they have the same contractual remedies at their disposal as DoD Contracting Officers for contractors that fail to comply with requisite cybersecurity regulations.

For assistance on navigating these current and planned regulations applicable to either DoD or the civilian agencies, and/or developing your cybersecurity compliance plan, please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.

[i] Memorandum from John M. Tenaglia, Principal Director of Defense Pricing and Contracting, “Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments,” June 16, 2022, available at https://www.acq.osd.mil/dpap/policy/policyvault/USA000807-22-DPC.pdf

[ii] DFARS 252.204-7012; Memorandum from Shay D. Assad, Director of Defense Pricing/Defense Procurement and Acquisition Policy, “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Sept. 21, 2017, available at https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

[iii] DFARS 252.204-7020.

[iv] Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041)86 Fed. Reg. 61,505 (Nov. 30, 2020) https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf

[v] Exec. Order No. 14028, “Improving the Nation’s Cyber Security” (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[vi] See, e.g., General Services Acquisition Regulation (GSAR); GSAR Case 2016-G511, Contract Requirements for GSA Information Systems, 86 Fed. Reg. 50,689 (Sept. 10, 2021), available at https://www.federalregister.gov/documents/2021/09/10/2021-18866/general-services-acquisition-regulation-gsar-gsar-case-2016-g511-contract-requirements-for-gsa; see, e.g., Semiannual Regulatory Agenda, “Federal Acquisition Regulation (FAR); FAR Case 2021–017, Cyber Threat and Incident Reporting and Information Sharing,” 87 Fed. Reg. 5,317 (Jan. 31, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-01-31/pdf/2021-27966.pdf (“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to increase the sharing of information about cyber threats and incident information between the Government and certain providers, pursuant to OMB recommendations, in accordance with section 2(b)–(c), and Department of Homeland Security recommendations, in accordance with section 8(b), of Executive Order 14028, Improving the Nation’s Cybersecurity.”).

Chief Compliance Officers Over a Barrel: Sign and Certify, or No Deal?

Sujai C on July 5, 2022

By Andy Liu, and Haaleh Katouzian on July 5, 2022.

During a speech last month, Lauren Kootman, the Assistant Chief of the Corporate Enforcement, Compliance, and Policy Unit of the Fraud Section of the Department of Justice (“DOJ”), signaled a daunting change for chief compliance officers (“CCOs”).

It was reported that Kootman touted a “likely” new requirement that would be incorporated into every corporate fraud settlement. This requirement would require CCOs to certify that the company’s compliance program was “reasonably designed” to prevent violations in the future. Kootman reportedly took the position that this would “empower” CCOs—giving them involvement in transactions and decision-making.

Though claiming that the new requirement would not “put a target on the back of a chief compliance officer,” in essence DOJ indicated that without certification from the CCO there would be no deal with the Government. DOJ has already included such a certification in last month’s $1.1 billion settlement with Glencore to resolve bribery and market manipulation charges.

Putting aside the vagaries of what constitutes a reasonably designed program and whether DOJ implicitly blessed the program as part of the agreement to settle a case, such a requirement could also put CCOs (and the company) in DOJ’s crosshairs in the event of a post-settlement violation. It also remains to be seen whether such a requirement would be imposed only in settlements involving DOJ’s Criminal Division or whether they will also be required in False Claims Act settlements.

Stretching the Limits of FAR OCI Rules

Sujai C on June 9, 2022

By Alan Chvotkin on June 6, 2022.

The Federal Acquisition Regulation (FAR) has included coverage on organizational conflicts of interest (OCI) since its inception. Today, an OCI is defined in FAR 2.101 by three prongs: a situation where (1) “because of other activities or relationships with other persons, a person is unable or potentially unable to render impartial assistance or advice to the Government,” or (2) “the person’s objectivity in performing the contract work is or might be otherwise impaired,” or (3) “a person has an unfair competitive advantage.” The first prong of this definition requires that the agency define the nature of the activities or relationship that will impinge on the performance required by the instant (or group of) contract(s). It is only this first prong of the definition that is the subject of this commentary.

FAR coverage

Several pages of coverage in FAR Subpart 9.5 outline the general rules and procedures for agencies to identify, evaluate and resolve an OCI. However, while FAR 9.5 addresses creating solicitation provisions and contract clauses to highlight and address potential issues appropriate to the nature of the actual or perceived OCI, the FAR has never, appropriately in my view, had a standard (FAR Part 52) solicitation provision or contract clause because the nature of the OCI is dependent on the facts and circumstances of each agency procurement. When a buying agency is concerned about a potential conflict of interest, it is required to tailor a specific solicitation and contract clause appropriate to the work at hand.

Thus, FAR 9.507-1 (relating to solicitation provisions) and FAR 9.507-2 (relating to contract clauses) put the responsibility on the buying agency to identify what work called for under the current solicitation (and resulting contract) would give rise to a current or future (but never a past) conflict of interest. It is only after the agency has made that identification can the solicitation then require a bidding contractor to identify whether their “other activities or relationships” preclude the bidder from rendering impartial assistance or advice and, if desired by the agency, to propose a mitigation/avoidance plan for such potential conflict of interest. If the contractor does have an OCI that cannot be mitigated or avoided, the government may choose to waive the identified conflict.

FAR 9.508 provides eight non-exclusive examples of situations in which questions concerning OCI may arise “to help the contracting officer apply the general rules to individual contract situations.” There is an extensive litany of Government Accountability Office (GAO) decisions interpreting and applying the FAR OCI provisions. Many of the early GAO decisions addressed the contours of the three prongs in the definition. More recently, many of these GAO OCI cases properly focused on the buying agency’s behavior. If the agency had a concern about a potential OCI, did the agency follow the dictate of FAR 9-507-1 and “invite offerors’ attention to this concern?” Did the agency state the nature of the potential conflict as seen by the contracting officer? Did the agency state the nature of the proposed restraint on future contractor activities? If presented with a mitigation plan from an offeror, did the agency evaluate that plan? If the agency evaluated the plan, and the offeror was the successful offeror, did the agency incorporate the mitigation plan into the resultant contract and monitor compliance with it?

There have been very few regulatory initiatives to further address these matters in the FAR. The most significant was a FAR proposed rule, published on April 26, 2011 (eleven years ago!); in it, DoD, GSA, and NASA proposed to amend the FAR to revise regulatory coverage on organizational conflicts of interest (OCI) and provide additional coverage regarding contractor access to nonpublic information. But on March 19, 2022, the FAR Council withdrew the proposed rule without further action.[1]

Pending Legislation

The application of the OCI rules is also highlighted in pending legislation. On March 23, 2022, four United States Senators – two Democrats and two Republicans – introduced S. 3905, the “Preventing Organizational Conflicts of Interest in Federal Acquisition Act.”[2] The legislation was introduced “to help identify and mitigate potential conflicts of interest between taxpayer-funded projects and government contractors’ other business opportunities,” the sponsors said in a March 28, 2022 press release.[3] One of the concerns behind the legislation was the “danger that conflicts of interest can pose in government contracting, such as when the consulting firm McKinsey worked for opioid manufacturers at the same time it was working for the FDA (Food and Drug Administration) on opioid-related projects,” according to Senator Charles Grassley (R-IA), a cosponsor of the bill. On May 27, 2022, an identical bill was introduced in the U.S. House of Representatives by Congresswoman Carolyn Maloney (D-NY), chair of the House Oversight Committee;[4] there has been no further action on this House legislation.

The Senate bill was amended and approved by the Senate Homeland Security and Governmental Affairs at its business meeting on May 25, 2022;[5] the amended version is an improvement over the introduced version although it is still vague on the outcomes to be achieved. It is awaiting future action by the United States Senate and additional amendments to the committee-reported are likely to be offered; one such amendment may be offered by Senator Hassan (D-NH) relating to company compliance actions and penalties for non-compliance, as she previewed during the committee markup.

In addition, on April 13, 2022, the House Oversight Committee released a 52-page interim majority staff report titled “The Firm and the FDA: McKinsey & Company’s Conflicts of Interest at the Heart of the Opioid Epidemic.”[6] The report asserts that “McKinsey had significant and long-running conflicts of interest due to its overlapping and conflicting work for FDA and opioid manufacturers,”[7] and that McKinsey’s conduct raises significant questions about the lack of regulation over consulting companies that advise both the federal government and private sector clients.”[8] The report addresses the FAR provisions on OCI, and acknowledges that the FDA included a generic OCI clause in many of the McKinsey contracts,[9] but faulted McKinsey for failing to make disclosures to the FDA regarding these “conflicting activities.”

So What?

Appropriately, the FAR has placed the initial responsibility on the buying activity and its purchasing contracting officer to identify what areas of contractor activity would give rise to the agency’s concern about an organizational conflict of interest. Once the contractor responds to that concern, it is incumbent on the agency to evaluate the risk and offered mitigation factors before making a source selection decision. Suggestions that agencies skip that first step – or shift the responsibility to future offerors or to current contractors to speculate on whether its actions do, or should, raise a concern with an agency – create untenable positions for both agencies and contractors.

Improvements can certainly be made in the current FAR coverage. For example, the acquisition community would benefit from updated FAR OCI examples based on what the government now buys (e.g. solutions, not simply products or services) and how the government now buys (e.g. through multiple-award IDIQ contracts). But before launching into unchartered territory, it is worth Congress and the FAR principals, including the Office of Federal Procurement Policy, engage contracting agencies, contractor representatives, and the legal community in a robust discussion of the FAR’s current and future OCI policy and practice.

***** an “excerpt” was published by Executive Mosaic*****

________________________________________

[1]Federal Acquisition Regulation Case 2011-001, “Withdrawal of Organizational Conflicts of Interest,” March 19, 2022, available at https://www.govinfo.gov/content/pkg/FR-2021-03-19/pdf/2021-05658.pdf (concluding that “given the amount of time that has passed since publication of the proposed rule, and potential changed circumstances, a decision has been made not to proceed with finalization of the FAR rule”).

[2] S. 3905, introduced March 23, 2022, available at https://www.congress.gov/117/bills/s3905/BILLS-117s3905is.pdf.

[3] See press release from the Senate Homeland Security and Governmental Affairs Committee, March 28, 2022, available at https://www.hsgac.senate.gov/media/majority-media/peters-grassley-hassan-and-ernst-introduce-bipartisan-legislation-to-prevent-conflicts-of-interest-in-federal-contracting.

[4] HR 7602, introduced April 27, 2022, available at https://www.congress.gov/117/bills/hr7602/BILLS-117hr7602ih.pdf.

[5] See press release from the Senate Homeland Security and Governmental Affairs Committee, May 25, 2022, available at https://www.hsgac.senate.gov/media/majority-media/peters-grassley-hassan-and-ernst-bipartisan-legislation-to-prevent-conflicts-of-interest-in-federal-contracting-advances-in-senate.

[6] See Majority Interim Staff Report by House Committee on Oversight and Reform (“Majority Interim Staff Report”), available at https://oversight.house.gov/sites/democrats.oversight.house.gov/files/2022-04-13.McKinsey%20Opioid%20Conflicts%20Majority%20Staff%20Report%20FINAL.pdf.

[7] Majority Interim Staff Report at 52

[8] Majority Interim Staff Report at 53

[9] Majority Interim Staff Report at 34-36

As Desperation Sets In, Biden Invokes Defense Production Act to Address Baby Formula Crisis

Sujai C on June 1, 2022

By Andrew Victor, Haaleh Katouzian, Madison Plummer

On May 18, 2022, President Biden invoked the Defense Production Act of 1950 (the DPA) to alleviate the baby formula shortage.

Biden’s Memorandum, addressed to the Secretary of Health and Human Services (HHS), stated that the “disruption threatens the continued functioning of the national infant formula supply chain, undermining critical infrastructure that is essential to the national defense, including to national public health or safety.” Thus, to ensure a continued supply of formula, the HHS Secretary, in consultation with other cabinet and agency heads, may prioritize and allocate “all ingredients necessary to manufacture infant formula, including controlling the distribution of such materials . . . in the civilian market[.]”

The DPA, as amended, gives the President broad authority to influence domestic industries in the interest of national security. Importantly, the President can mandate that persons and corporations (1) accept prioritized contracts; and (2) follow the President’s allocation of materials, services, and facilities. 50 U.S.C. § 4511(a); Defense Production Act of 1950, Section 101(a) (emphasis added). Stated differently, the President can invoke the DPA to “prioritize government contracts for goods and services over competing customers, and offer incentives within the domestic market to enhance the production and supply of critical materials and technologies when necessary for national defense.”[i]

Most recently, the President invoked the DPA to address medical supply chain issues related to COVID-19. Agencies used DPA authorities to 1) prioritize contracts for critical materials, such as COVID-19 vaccines, 2) fund projects for the expansion of domestic supply production, and 3) promote public-private partnerships.[ii] In response, private companies found DPA awards provided “timely access to raw materials and supplies and helped them expand production faster than they could have on their own.”

With the DPA being utilized for more than the traditional defense context, government contractors should become familiar with this law as its use expands to different industries. When working with federal agency partners, contractors should understand policies and procedures related to the DPA. Additionally, contractors should consider how they can compete for DPA awards as these contracts offer not only monetary allocations, but also business development and growth opportunities.

If you have any questions or need any additional information, please do not hesitate to contact the authors.

Authors: Andrew Victor, Haaleh Katouzian, Madison Plummer

_______________________

Reference

[i] Heidi M. Peters & Michael H. Cecire, Cong. Research Serv., R43767, The Defense Production Act of 1950: History, Authorities, and Considerations for Congress 1 (2022), https://sgp.fas.org/crs/natsec/R43767.pdf.

[ii] U.S. Gov’t Accountability Off., GAO-22-105380, COVID-19: Agencies Are Taking Steps to Improve Future Use of Defense Production Act Authorities (2021), https://www.gao.gov/assets/gao-22-105380.pdf.