Cybersecurity Framework Previews Contracting Changes

The 41-page “Framework for Improving Critical Infrastructure Cybersecurity,” developed by the National Institute of Standards and Technology, lays out best practices and assessment tools aimed at helping banks, utilities and other critical infrastructure operators protect their systems against cyberattacks. The framework is part of an executive order issued by President Barack Obama in February 2013, and while the other parts of that executive order deal more directly with federal contractors, contractors are sure to pay close attention to the voluntary guidelines, which are set to shape debate over future cybersecurity regulations.

“In the face of the government’s present inability or unwillingness to directly regulate critical infrastructure and beyond, I would think that anyone in the contracting space should be paying attention to the framework and seeing how they stack up to its expectations,” said Megan Brown, a partner at Wiley Rein LLP. “The contracting community has often been at the forefront of new government efforts, because it is easier to tack on additional responsibilities to contracts than to regulate private industry directly.”

Contractors have been subject to a host of cybersecurity regulations in recent months, many stemming from the same executive order that created the new voluntary cybersecurity framework. Late in 2013, the U.S. Department of Defense published a rule requiring its contractors to safeguard unclassified technical data and report breaches that affected that data, as well as a rule allowing the DOD to disqualify contractors for sensitive information technology procurements because of perceived cybersecurity risks in those companies’ supply chains.

The General Services Administration and DOD also recently published a report on reforms that could improve cybersecurity in federal acquisitions, and the DOD has run a voluntary threat sharing program with members of its defense industrial base. The government is also expected to amend the Federal Acquisition Regulation in 2014 with a rule requiring all contractors to implement basic information safeguarding policies.

Because of those and other regulations, and the fact that the stakes are so high for contractors handling sensitive DOD information, most defense contractors will be ahead of the curve if they want to adopt the voluntary approach laid out in the framework, according to Charles Blanchard, a partner at Arnold & Porter LLP who previously served as general counsel for both the Air Force and the Army.

But because the framework could provide the basis for legislation that includes cybersecurity incentives prized by the private sector — including grants, subsidized cybersecurity insurance and protection from liability for compliant companies — defense companies will be watching the framework’s evolution closely, he said. And nondefense contractors could look to the framework to see the kinds of best practices they can use to prepare for the upcoming FAR rule.

“For defense contractors that have government technical information that they need to safeguard, the DOD regulation is probably a more important document. This framework, if the incentives come in, could be an extra benefit. It could reward them for complying with the DOD regulations,” Blanchard said. “Most contractors, however are not DOD contractors. For those contractors, this framework could be a hint as to what they can expect when the FAR rule comes out.”

While the framework has been generally well-received by industry stakeholders, some were disappointed by its silence on the issue of incentives, like a safe harbor for companies who follow the NIST guidelines and best practices but still find themselves the victim of a data breach. That kind of safe harbor would have to come through federal legislation, because different states have pursued their own approaches to data breach reporting and liability, and a federal statute is needed to replace that patchwork of state laws, Blanchard said.

Contractors and other companies at risk for cyberattacks can still use their compliance with the NIST guidelines when defending themselves against litigation related to a data breach, although it’s no sure bet, according to Elizabeth Ferrell of McKenna Long & Aldridge LLP.

“I think it would be much more comforting for companies with critical infrastructure, contractors and other companies implementing cybersecurity recommendations if they were able to get some kind of liability limitation in return,” Ferrell said. “They want to make it official instead of rolling the dice on whether a judge or jury would accept these steps as the standard of care and say, ‘You’ve done all you needed to do.'”

While states have created a patchwork of liability laws, federal agencies have also been forced to go it alone, each attempting to manage cyberrisks through their contracts or regulatory power, Ferrell said.

“Agencies are free to tailor their own contract clauses and they are doing so,” Ferrell said. “We are now engaged in a patchwork of cybersecurity initiatives because every part of the federal government recognizes that it is critical to protect our cyberresources, and that the next big attack against the United States could be in the cyberworld.”

The NIST framework, along with its more detailed guidelines on specific issues like password security and physical access controls, could help standardize that patchwork if agencies or Congress use them as a starting point in new regulations and legislation, Ferrell said.

“Even though this framework is only for critical infrastructure, and it is voluntary, there is the sense that this will become the first building block in future regulations,” Ferrell said. “There’s a notion that this framework may be made mandatory for critical infrastructure and other regulated companies, like contractors.”

Replacing the current patchwork of cybersecurity standards with a more centralized guidance could make it easier for contractors to track their responsibilities, leading to lower compliance costs and improved security for agencies and contractors, according to Evan Wolff, a partner at Crowell & Moring LLP.

The stakes are high for contractors that are asked to revamp their cybersecurity practices, especially if the government demands a certification that the contractors comply with security standards in the framework or in other regulations. If there’s a breach or attack, and the contractor is found to have overstated its security, that could lead to risks ranging from contract penalties and poor performance reviews to debarment or False Claims Act liability.

“You could start to see the government expecting more assurances from its contracting partners, and if your abilities are not up to their expectations, you could be at a disadvantage in contracting,” Brown said.

Contractors will also face more government scrutiny than most industries, because the government can use its contracting authority to affect a broader section of the overall economy by forcing contractors to police their supply chain for risks and flow down cybersecurity responsibilities to their subcontractors. The government has already taken that approach in other areas, including in recent rules requiring contractors to police their supply chains for signs of human trafficking or counterfeit electronic parts.

“The government could really attempt to expand its reach if it tries to grab the contracting community and reach one or two circles beyond the prime contractors,” Brown said.

Published on Law360

Obama Uses Contracting Changes To Flex Policy Muscle

By Dietrich Knauth

Law360, New York (January 29, 2014, 9:59 PM EST) — Whether supporting green energy or fighting human trafficking, President Barack Obama has leveraged his authority over federal contracting to push policy goals without the support of Congress, and his newly proposed minimum wage for contractor employees signals a continued willingness to use contracting to push through incremental policy victories.

A key piece of Obama’s State of the Union address on Tuesday centered on his plans to require contractors to pay a minimum wage of $10.10 an hour to employees, part of an overall push for a nationwide minimum wage. While that proposal matched the speech’s theme of promoting executive action when Congress fails to act, it also highlighted the administration’s frequent use of contracting to pursue its policy goals.

“Using executive orders is not new, and contractor employment practices have been an active area for executive branch regulation since the 1960s,” said Charles Tiefer, a law professor at the University of Baltimore and a former member of the congressional Commission on Wartime Contracting. “President Obama, though, is using his power over contracting in a greater variety of ways than did his predecessors. This signals mounting frustration on many, many fronts with congressional inaction.”

Contractors’ employment practices, in particular, have been a sort of proxy war for disagreements between the White House and Republicans in Congress about issues like income inequality, and the minimum wage plan comes just weeks after the president signed a piece of legislation that reined in the amount the government will pay toward the salaries of contractor executives.

Obama has used executive power to change a number of contractor employment practices, requiring them to make more of an effort to retain workers when a federal service contract changes hands, requiring companies to police their suppliers for signs of human trafficking, and introducing new affirmative action rules that require contractors to hire more veterans and people with disabilities — regulations that have drawn protests from many in the contractor community.

Although executive orders cannot match the impact of comprehensive legislation, presidents have often used such orders to build on Congress’ work or prod it to action, Tiefer said.

“Congress can go much further by legislation than the president can by executive fiat, but often it breaks the ice for presidents to go first,” Tiefer said. “The equal employment opportunity program, by executive order, laid the groundwork for later legislation that strengthened the key anti-discrimination statutes.”

Obama’s executive order on human trafficking, for example, was quickly bolstered by legislation that was passed as part of the 2013 National Defense Authorization Act. Sen. Tom Harkin, D-Iowa, said he hopes something similar happens with the minimum wage, asking his colleagues to follow the president’s example and pass his proposal to raise the nationwide minimum wage to $10.10 an hour.

“As I’m sure the president would agree, this is only a first step,” Harkin said in a statement after the speech. “Low-wage workers perform some of the most difficult and important jobs in our society. They should not have to live in poverty, regardless of whether they are employed by a federal contractor or elsewhere in the private sector.”

From a policy perspective, the minimum wage is a curious place to go after contractors, according to Kara Sacilotto, a partner at Wiley Rein LLP. Contractors are already subject to minimum wages set by the U.S. Department of Labor through the Service Contracts Act and the Davis-Bacon Act, among other laws, she said.

“It’s not necessarily fair to single out federal contractors,” Sacilotto said. “They’ve already got some protections. To me this is perhaps a way of moving the needle on the minimum wage. One could argue that it puts a spotlight on an issue and provides greater attention.”

The president’s order will protect some workers not covered by existing laws, although it is unclear how many, according to Jonathan Entin, a law professor at Case Western Reserve University.

“How much of an impact President Obama’s proposal to raise the minimum wage for federal contractors to $10.10 per hour will have could depend on how many minimum-wage workers are employed by federal contractors,” Entin said. “I don’t know the answer to that. But presumably the number is not zero, so the order could make some difference directly and might also exert some pressure on state governments to raise their minimum wages.”

Tiefer estimated that existing minimum wage programs like Davis-Bacon cover less than 50 percent of the contracting workforce, and the practical impact of the executive order will depend in large part on how far it extends into “gray areas” like commercial item procurement and federal subcontracts.

But according to Stan Soloway, president of the Professional Services Council, the Service Contracts Act generally requires higher wages than the proposed $10.10 an hour, and the executive order could create unnecessary ill will toward contractors.

“We are deeply concerned with any implication that federal contractors are paying substandard wages,” he said. “The requirements of the federal prevailing wage laws and the government’s central role in determining the definition of a fair and reasonable wage are clear and long-standing. Moreover, there is natural concern that, amid a national debate over the minimum wage, government contractors are being uniquely singled out.”

Although Obama has been quick to target contractor employment practices in executive orders, he’s sometimes deferred to lawmakers. In 2012, he declined to issue an executive order that would prevent a contractor from discriminating on the basis of sexual orientation because he said it would distract from more comprehensive legislation in Congress.

The president has also used executive orders to change contracting policies in fields far from employment, acting to fill legislation gaps by boosting contractors’ cybersecurity responsibilities, or pursuing an agenda opposed by congressional Republicans by supporting green energy policies through Defense and Energy department contracts.

The military’s green energy initiatives have been a particular point of contention among many Republican lawmakers, who say that the military cannot afford expensive investments in new energy while it cuts costs and downsizes after two wars.

According to Sacilotto, the president’s focus on contracting is part of the higher public profile that contract spending has taken on after the wars in Iraq and Afghanistan, which helped make government contracts into front-page news and a more obvious political battleground.

“Ten years ago, it would have to be a big-time scandal to be in the news, but now you read about government contracts all the time,” Sacilotto said. “If there’s one area where Congress and the president seem to be able to legislate, it’s in regulating government contracts.”

Government Contracts Regulation And Legislation To Watch in 2014

By Dietrich Knauth

Law360, New York (January 1, 2014, 10:08 AM EST) — The two-year budget deal signed at the end of 2013 offers at least a pause in the budgetary brinksmanship that led to the haphazard budget cuts of sequestration and a 16-day government shutdown, but Congress will  force contractors in 2014 to think on their feet as lawmakers seek to address embarrassing procurement missteps, such as the early failures of HealthCare.gov, and leverage the power of the purse to pursue social and political goals.

Here are the areas to watch for additional legislation and regulation in 2014:

Information technology procurement reform

The botched rollout of HealthCare.gov ramped up scrutiny of the federal information technology acquisition process, prompting calls for change in 2014 amid a growing consensus that the way the government buys technology is too slow, too burdened by inefficiencies and too prone to high-profile failures.

The legislation with the most momentum behind it, Darrell Issa’s, R-Calif., Federal Information Technology Acquisition Reform Act, suffered a setback when it was removed from the National Defense Authorization Act, the must-pass legislation that authorizes defense spending, in December. FITARA was included in the version of the NDAA that passed the House in June, and offered as an amendment to the Senate NDAA, but it was removed in a last-minute rewrite of the law aimed at quickly passing the bill after the Senate ran short on time for amendments and debate.

Still, FITARA, or legislation like it, remains on Congress’s agenda in 2014, and it could mitigate some of the persistent problems with IT purchases by giving more budget authority and responsibility to agency chief information officers, creating a streamlined approval process for new information technology contracts, and redirecting money from existing contract management funds to fund IT training for the government’s acquisition personnel.

Contractors generally see empowering CIOs as a good step toward fixing some of the dysfunction that plagues IT procurement, according to Alan Pemberton, co-chair of the government contracts group at Covington & Burling LLP. Contractors would rather directly “talk to the people who actually know the technical aspects of the system and can make sure that the right types of systems are being bought,” rather than have the CIO sidelined by budget and acquisition people who are less familiar with the technology requirements in a procurement

Though FITARA’s reforms would help, anyone who suggests that they’d solve the problems behind the troubled rollout of online health insurance exchanges is kidding themselves, according to Alan Chvotkin, general counsel for the Professional Services Council.

“It’s not a perfect bill. It has elements that are helpful, such as clarifying the role of CIOs, that are long overdue, and if the Congress passes it, it will contribute to some of the issues,” Chvotkin said. “It is not a solution for HealthCare.gov, and if it’s being talked about as ensuring that another HealthCare.gov will never happen, I think that oversells what FITARA is capable of doing.”

Suspension and debarment

Suspension and debarment is an increasingly popular topic in Congress, and that won’t change in 2014, as lawmakers seek to prevent taxpayer dollars from flowing to companies with questionable ethics or track records.

Congress has proposed a more comprehensive overhaul of the government’s approach to suspension and debarment through the Stop Unworthy Spending Act, or SUSPEND Act. That bill would create a new governmentwide suspension and debarment board, and allow some civilian agencies and the U.S. Department of Defense to opt out of the planned consolidation if they can demonstrate that they already have strong suspension and debarment offices.

The waiver option could help civilian agencies with relatively sophisticated suspension and debarment programs, such as the U.S. Environmental Protection Agency, maintain control of their programs, and would treat the DOD and military services just like any other executive branch agency. That change has alleviated some criticism of the bill and turned some early skeptics into cautious supporters.

Congress has ramped up its scrutiny of contractor suspension and debarment in recent years, after reports by the U.S. Government Accountability Office and the Commission on Wartime Contracting highlighted weaknesses in the suspension and debarment offices of civilian agencies. The SUSPEND Act was proposed after oversight hearings embarrassed some agencies that rarely suspended or debarred any contractors.

Beyond the obvious impact of  taking suspension and debarment authority away from some agencies, passing the SUSPEND Act would likely lead to more of a litigation-style approach to suspension and debarment, according to Frederic Levy of McKenna Long & Aldridge LLP.

“The rules for responsibility will stay the same,” Levy said. “The process by which it is determined is going to be much more formal, much more rigorous, and with public decisions you’re going to see more and more of a litigation bar arising around suspension and debarment.”

Though the SUSPEND Act is the most dramatic change that’s on the table, it is likely that Congress will also pursue piecemeal additions to the range of offenses that result in automatic debarment, according to David Robbins, a former Air Force debarring attorney who now heads the government contracts practice at Shulman Rogers Gandal Pordy & Ecker PA.

The rise in automatic debarments puts government agencies and their contractors in a tight spot, Robbins said, because the automatic exclusions are a slippery slope, and lingering debarments with no agency discretion would “absolutely ruin everyone’s ability to get anything done.

“The solution to every problem cannot be to eliminate companies from competition,” Robbins said. “There has to be something short of the ‘death penalty’ of suspension and debarment.”

Supply chain management

Rules proposed in 2013 have required contractors to make significantly greater efforts to police their supply chain and their subcontractors for counterfeit electronic parts and evidence of human trafficking. Those rules could be finalized in 2014, and attorneys expect the focus on supply chain scrutiny will spread to other areas, opening up new risks and potential liabilities.

“I think there’s going to be much more focus on sources and how prime contractors supervise and monitor subcontractors in their supply chain,” said Peter Eyre, an attorney with Crowell & Moring LLP. “This is an area that is changing quite rapidly.”

Visibility into a company’s supply chain will cost money, requiring negotiations with subcontractors, pushback and new agreements.

“There’s also a question of who’s going to bear those costs,” Eyre said. “There are dollars associated with closer scrutiny of the supply chain.”

The government advanced significant rules on counterfeit electronic parts and human trafficking in 2013, taking the same approach to pursue very different goals. In the counterfeit parts rule, the DOD will evaluate contractors’ efforts to scour its supply lines for counterfeit electronics — which pose greater risk of failure and sabotage — as part of its review of contractor purchasing systems. In the human trafficking rule, proposed in September, the government will require contractors to police subcontractors and recruiters for telltale signs of worker exploitation, such as confiscating passports and charging recruitment fees.

An interim rule issued on Nov. 18 expands the same kind of oversight responsibilities to information technology components sold for use in national security systems. That rule is especially noteworthy for contractors, because it gives the DOD the ability to exclude IT contractors from a contract competition if the DOD determines that a contractor or subcontractor presents a supply chain risk, without requiring a full explanation, according to Susan Cassidy of Covington & Burling LLP.

“You can be excluded from a procurement, and there’s a provision that DOD can limit disclosure of why, so you may not even know why,” Cassidy said. “Just from a practical standpoint, this could put contractors in a terrific bind.

Cybersecurity

Protecting the government’s data will remain a focus for federal agencies and their contractors in 2014, and experts expect more regulation in support of that goal.

“The government is broadening the definition of protected data,” Eyre said. “It’s no longer just classified information, it’s not just technical data under ITAR, it’s more generally protecting contractor networks that contain government data.”

Late in 2013, the government finalized a rule requiring contractors to take additional steps to safeguard unclassified technical data, paring down a cybersecurity rule that was criticized as being too broad when proposed in 2011. Though the 2011 proposed rule would have required enhanced cybersecurity for a broader range of unclassified information provided by or developed for the DOD, the final rule is limited to unclassified technical documents related to DOD-funded research and development — including computer software and documents such as engineering drawings, technical manuals, blueprints, data sets, studies and analyses — and to other technical information that could be used to produce, repair or modify any military or space equipment.

The new rule requires contractors to take enhanced cybersecurity measures to protect DOD technical data. The cybersecurity measures are drawn from commonly used practices codified by the National Institute of Standards and Technology, including access control, awareness and training, contingency planning and maintenance.

Some concerns remain for contractors, including the lack of a safe harbor for contractors who report breaches despite complying with the NIST standards, and some ambiguity in the definition of a cyberevent that must be reported, according to Elizabeth Ferrell of McKenna Long & Aldridge LLP.

“Even though they’ve really narrowed this down, there are certain things that are still troubling from a contractor’s perspective,” Ferrell said.

The DOD said in the final rule that reported cyberincidents will not, by themselves, be considered evidence that a contractor had inadequate security, but flatly denied any safe harbor requests in the comments to the proposed rule, saying “the government does not intend to provide any safe harbor statements.”

Though the DOD has said that the cyberincident reports will not be disclosed as a result of Freedom of Information Act requests, contractors are wary about ways the reports could be used against them, such as impacting their performance reviews or disqualifying them from contract competitions under the supply chain rule, Cassidy said.

“There’s a requirement to report, but it’s unclear what DOD’s going to do with that information,” Cassidy said.

Published by Law360

DOD Dials Back Contractor Rule For Protecting Data

By Dietrich Knauth

Law360, New York (November 18, 2013, 8:35 PM EST) — The U.S. Department of Defense issued on Monday a final rule on contractors’ responsibilities for safeguarding unclassified technical data, paring down a cybersecurity rule that was criticized as being too broad when proposed in 2011.

The new rule requires contractors to take enhanced cybersecurity measures to protect DOD technical data. The cybersecurity measures are drawn from commonly used practices codified by the National Institute of Standards and Technology, including access control, awareness and training, contingency planning, and maintenance.

While the 2011 proposed rule would have required enhanced cybersecurity for a broader range of unclassified information provided by or developed for the DOD, the final rule is limited to unclassified technical documents related to DOD-funded research and development — including computer software and documents like engineering drawings, technical manuals, blueprints, data sets, studies and analyses — and to other technical information that could be used to produce, repair or modify any military or space equipment.

“After comments were received on the proposed rule it was decided that the scope of the rule would be modified to reduce the categories of information covered,” the DOD said. “This final rule addresses safeguarding requirements that cover only unclassified controlled technical information and reporting the compromise of unclassified controlled technical information.”

The change should be a welcome one for contractors, according to Elizabeth Ferrell, a partner in McKenna Long & Aldridge LLP’s government contracts practice.

“What we have now is just one small sliver of what was proposed in 2011,” Ferrell said. “It’s not a perfect rule, but it’s not as controversial as it was before.”

Some concerns remain for contractors, including the lack of a safe harbor for contractors who report breaches despite complying with the NIST standards, and some ambiguity in the definition of a cyberevent that must be reported, Ferrell said.

“Even though they’ve really narrowed this down, there are certain things that are still troubling from a contractor’s perspective,” Ferrell said.

The DOD said in the final rule that reported cyberincidents will not, by themselves, be considered evidence that a contractor had inadequate security, but flatly denied any safe harbor requests in the comments to the proposed rule, saying “the government does not intend to provide any safe harbor statements.”

While some commenters emphasized the costs of complying with additional cybersecurity steps, the DOD said that the NIST controls “represent mainstream industry practices” and that the DOD is willing to accept reasonable additional costs in exchange for better protection of its unclassified technical information.

In light of the new rule, contractors and subcontractors should quickly determine what data needs to be protected and asses their own compliance with the rule’s NIST standards, Ferrell said.

If contractors do not comply with the NIST standards, they should take steps to become compliant, or prepare to explain why the standards do not apply or why other protections provide adequate security, as allowed by the rule, according to Ferrell.

Published by Law360

3 Key Contractor Suspension Cases To Watch

By Dietrich Knauth

Law360, New York (November 6, 2013, 9:22 PM EST) — Agency decisions to suspend a company from federal contracting are rarely litigated in court, but three cases from 2013 have the chance to shape policy in areas like the treatment of contractor affiliates, the timing of a suspension and the due process rights of suspended contractors.

Suspension and debarment — suspension’s longer-term counterpart — are intended to protect the government from dealing with risky or unscrupulous businesses. But attorneys say that some recent government decisions have blurred the line between protection and punishment and raised questions about how far the government can legally go in cutting ties with disfavored companies.

“I know all the players on the government side personally, and I know their intentions are good,” David Robbins said, who heads the government contracts group at Shulman Rogers Gandal Pordy & Ecker PA and was a top U.S. Air Force suspension and debarment attorney until Nov. 1. “The challenge, however, is knowing where the edges are in what is appropriate. At least in some cases, judicial guidance could help the system.”

Here are three cases that could impact contractors in future suspension and debarment disputes:

BP Exploration & Production Co. Inc. et al. v. McCarthy et al., U.S. District Court for the Southern District of Texas.

BP PLC, along with a host of its affiliates, was suspended from government contracts in November 2012, after pleading guilty to felony misconduct and reaching a $4.5 billion settlement related to the Deepwater Horizon oil spill. BP sued the U.S. Environmental Protection Agency over the suspension in August, arguing that the EPA’s action ignored “the overwhelming evidence and record of BP’s present responsibility as a government contractor” and that the timing of the suspension was both arbitrary and punitive.

The decision to suspend BP more than two years after the spill shows some of the difficulties the government faces when balancing the need to protect itself from unethical contractors, with the need to give accused companies time to explain and address deficiencies.

Suspension is intended to protect the government from unscrupulous contractors, not to punish companies — so the timing of BP’s suspension seemed strange to some, even within the government’s suspension and debarment community, according to Robbins.

“Frankly, its probably very good for the community to have this discussion about when should these actions be kicked off, to ensure that they’re not used to punish,” Robbins said. “The EPA case, I understand there’s some tension about the timing of this, and I think it’s healthy to have the courts take a look at this.”

Agility Defense & Government Services Inc. et al. v. U.S. Department of Defense et al., U.S. Court of Appeals for the 11th Circuit.

The 11th Circuit is poised to rule on ambiguous regulations for suspending contractors that are affiliated with indicted companies, in a case that challenges the government’s effort to keep a suspension alive beyond an 18-month limit written into the Federal Acquisition Regulation.

An Alabama federal judge had lifted the suspensions of two U.S.-based affiliates of Kuwait-based Agility Public Warehousing Co. KSC, which is accused of providing false invoices defrauding the U.S. military on food supply contracts worth $8.5 billion. The U.S. could suspend the companies from receiving contracts as a protective measure, the judge found, but couldn’t keep them suspended for nearly three years without attempting to prove any wrongdoing beyond their affiliation with Agility.

The appeal could clear up an ambiguity in the FAR’s language on suspending affiliates of a company suspected of wrongdoing. The FAR rule clearly allows agencies to suspend affiliates of a suspect contractor for up to 18 months before legal proceedings are initiated, but it is less clear about whether affiliates can remain suspended once legal proceedings have been brought only against the parent company.

“The DLA case is a fascinating question about how long you can continue to have a suspension in effect,” Robbins said. “There’s some room for clarification in the regulatory language.”

In its appeal, the government argues that it needs to maintain the suspensions to prevent prime contractors from shifting business to their affiliates to avoid the consequences of suspension from government contracting. Contracting experts are divided on the lower court ruling, with some supporting the government’s position and others saying it raises serious questions about contractors’ due process rights.

The attorney overseeing Agility’s defenses, Richard Marmaro of Skadden Arps Slate Meagher & Flom LLP, said that Agility’s 128 affiliates have been suspended for too long — even longer than the three-year debarment period typical for companies that have been convicted of wrongdoing.

The affiliates in this case, and other affiliates that aren’t actively litigating their suspensions, have never even been accused of complicity with their parent company’s alleged misconduct, Marmaro said. The DLA and outside critics who say Agility could shift business to its affiliates to get around its suspension have no evidence to back up their allegations, he added.

“The affiliates are not alleged to have done anything wrong. Nor is there any allegations that the affiliates were involved in any way in the charges in the indictment against [Agility],” Marmaro said.

The 11th Circuit has a chance to set an important precedent that will protect innocent affiliates of indicted companies from being suspended for more than 18 months without any evidence being presented against them, Marmaro said.

“The purpose of the 18-month period is to give the government time to determine whether a contractor is responsible,” Marmaro said. “If, during that time period, the government’s investigation shows that the affiliate is complicit with the parent’s alleged misconduct, then the government must initiate legal proceedings against the affiliate in order to maintain the suspension.”

The DLA has lifted the suspensions of two affiliates, but those companies were forced to essentially sever all ties to the company, Marmaro said. And another affiliate, Gulf Catering Company for General Trade and Contracting WLL, has launched a separate lawsuit in Georgia federal court to challenge its suspension.

MG Altus Apache Co. v. U.S., U.S. Court of Federal Claims.

A case decided in May could impact contractors that believe suspensions or debarments violate their rights to due process.

In MG Altus Apache Co. v. U.S., the U.S. Court of Federal Claims rejected a contractor’s challenge to a secret vendor vetting blacklist that effectively debarred a trucking contractor in Afghanistan without its knowledge. The contractor, unaware it had been placed on a vendor vetting blacklist, wasted time and money submitting contract bids that had no chance of success, and eventually sued, arguing that the U.S. Army had violated its due process rights by secretly debarring it.

Agencies are not generally allowed to use de facto debarments, like the secret vendor blacklist, to get around the rules regarding notice and due process, according to Todd Canni, an attorney at McKenna Long & Aldridge LLP and a former Air Force suspension and debarment attorney.

The court found the Army had used a de facto debarment against MG Altus Apache but had been justified in doing so because of national security concerns. According to Canni, this finding risks encouraging other contracting personnel to use similar “blacklists,” rather than formally referring matters to their agency suspension and debarment official.

Steven Shaw, a senior of counsel at Covington & Burling LLP and a former debarment official for the Air Force, says secret blacklists not only are unfair to contractors, but also raise the risk that the government will continue to do business with unethical companies. A formal debarment or suspension excludes the company from contracting with any federal agency, but secret lists create a risk that the company will continue to get contracts if the blacklisting agency doesn’t share its information within the government.

“This concept of secret lists is something that always bothered me at the Air Force,” Shaw said. “If you keep it quiet, you are protecting one agency on one program, and meanwhile you’re allowing the entire federal government to be at risk of contracting with this particular company. It’s a huge disservice to the government and the taxpayers.”

The Army said it couldn’t tell MG Altus Apache about the blacklisting because its evidence was classified, but that doesn’t mean the debarment decision must be classified too, Shaw says.

“The evidence itself can be classified, but you can design the administrative record in such as way as to support a suspension or debarment on a classified program. … It’s cumbersome, but you can do it,” he said.

4 Tips For Navigating Bid Protests Outside The US

By Dietrich Knauth

Law360, New York (September 27, 2013, 7:32 PM EDT) — As U.S. defense companies ramp up their search for opportunities abroad, getting familiar other nations’ evolving bid protest practices can be a helpful step in ensuring they are treated fairly in competitions, experts say.

The U.S. procurement system is unique in its long history of allowing prospective contractors to challenge government contract decisions, and despite domestic criticism of the delays and litigiousness that sometimes result, other nations continue to look to the U.S. as they establish or amend their own versions of bid protests.

Protest systems are increasingly seen as essential to a good public procurement framework, and are encouraged by the United Nations Commission on International Trade Law, the World Trade Organization and the U.S., which insists that partners in free trade agreements, including the North Atlantic Free Trade Agreement, have some kind of bid protest system.

“Bid protests are a standard part of procurement reform all around the world now,” said Daniel Gordon, associate dean for government procurement law at George Washington University. “A bid protest mechanism is typically an unusually efficient way of attaining both transparency and accountability in government contracting.”

Advocates of the U.S. system say allowing private companies to enforce procurement rules increases transparency, reduces corruption and encourages competition, allowing governments to get better value for their purchases. But to take advantage of bid protests in other nations, U.S. companies will have to keep in mind that the rules and culture surrounding bid protests can vary significantly.

Here are four tips for U.S. defense companies looking to take advantage of bid protests abroad:

Recruit Local Counsel

As they adjust to decreased U.S. military spending, American defense companies will have to do business in nations where bid protests are not as ingrained in the procurement process.

Although many countries seem to model their protest systems on the U.S., the rules won’t be the same everywhere. In the U.K., for example, protests are handled in court. In Germany, procurement protests go to specialized administrative bodies.

“Every country is different, and even within the E.U., the 28 member countries have different laws, including different protest laws,” Gordon said. “They have 28 different ways of solving problems.”

Contractors should partner with local counsel to help them navigate the different rules, according to Allen Green, a partner at McKenna Long & Aldridge LLP.

“As you move outside the U.S., E.U. and Canada, you’re really entering into public procurements that are much less transparent. They’re going to have, to varying degrees, some form of protest procedures, but the likelihood of success is something that companies are going to have to think about and work through with knowledgeable local counsel,” Green said.

Adjust Your Expectations

The U.S. bid protest system is stronger in many ways than other nations’, and U.S. companies will have to adjust their expectations when getting involved in protests abroad.

The U.S. allows protests to negate or overturn contract decisions, even after the signing of a contract, and offers an automatic stay that halts work on procurements that are protested at the U.S. Government Accountability Office, which handles most U.S. bid protests and is generally seen as a fast and cheap option for protesters.

American contractors can also protest in the U.S. Court of Federal Claims, which offers legally binding rulings through more extensive litigation and can serve as a backup if a GAO protest fails. Such a system is rarely present in other nations.

In growing markets like China, India, Korea, the United Arab Emirates and Saudi Arabia, U.S. companies will have to temper expectations that bid protests will be as effective as they are in the U.S., Green said.

“If all goes south and you’ve been badly treated, there’s going to be a much narrower spectrum and much less done than  there is the U.S.,” Green said.

In places with less transparent governments, protests could be a dicey proposition even when procedures are in place. University of Maryland law professor Daniel Mitterhoff recently studied a Chinese bid protest that was ignored by the Chinese government for nearly seven years because it fell into a legal grey area between two of China’s multiple bid protest systems.

“In some countries it doesn’t look like there’s a lot of progress toward a meaningful, effective protest system even when they exist on paper,” Gordon said.

Monitor Developing Bid Protest Regimes

Companies should keep an eye on markets that are developing or have recently developed bid protest regimes. Bid protests are growing at an uneven pace across the globe, according to Gordon, who has witnessed the rise of bid protests firsthand.

As the former head of the bid protest division at the GAO, he was consulted by foreign governments interested in setting up their own protest mechanisms, including Norway, Turkey and Tanzania, all of which have protest systems now. He has continued that outreach as an academic, recently working with officials from Vietnam, Morocco, Algeria, Libya and Tunisia — and says international interest in bid protests remains strong.

“Besides an interest in improving legal systems abroad, American companies want to export, and you want to have a solid procurement system overseas to ensure that American companies are treated fairly,” Gordon said of the Commerce Department’s interest in promoting bid protests overseas. “You don’t want to have corruption and you don’t want to have favoritism.”

Ralph White, who currently heads the GAO’s bid protest team, said foreign visitors continue to ask GAO about its protest policies. Not only does the U.S. have the longest tradition of hearing bid protests — a system that began informally in the 1920s and was codified by regulations in the 1970s and the Competition in Contracting Act in 1986 — the U.S. also spends far more on contracts than any other nation, making it a natural source of best practices for protests, White said.

“We end up with visitors from all over the world coming to Washington from other governments. Invariably, they want to talk about bid protests and they are fascinated and amazed that the U.S. government will put itself through this process,” White said. “The idea that you could challenge who it is the Defense Department is giving contracts for missile defense, they’re just amazed by it.”

For governments challenged by corruption and bribery, bid protests are seen as a crime-fighting tool, in a way that they aren’t in the U.S., which will help spur more countries to adopt them, Gordon said.

“Why exactly does having a police car on the side on the side of the road prevent people from driving 80 miles per hour? At least on the margins it causes people to be somewhat more careful,” Gordon said. “Crime hates sunshine, and [protests] provide sunshine to the contracting process. It provides vitamin T, it provides transparency.”

Prepare for Backlash and Reforms

While governments value the transparency and accountability that protests bring, they also struggle with the delays and litigiousness that are part of the package. The U.S. has seen frequent calls for reform, including ideas like charging a fee for “frivolous” protests, raising the dollar-value threshold for which contracts can be protested, and a U.S. Department of Defense proposal that would force contractors to choose between the GAO and the Court of Federal Claims, rather than allowing them to retain the court as a backup plan.

As protests rise across the globe, other governments will face similar pushback, Gordon said. Ten years ago, while Gordon was at GAO, the government of Norway invited him to give advice on setting up a protest forum. It was successful, but after the forum was in place, Gordon said he began to hear familiar complaints out of Norway’s government.

“Within the first two or three years of setting up the bid protest forum there was criticism that there were too many bid protests being filed, and I had to chuckle to myself, because I’d been hearing the same criticism back at home,” Gordon said. “Government officials will always tell you that there are too many protests.”

 

Published by Law360

 

SBA Rule Will Boost Prosecution of Small-Biz Contract Fraud

A Small Business Administration rule finalized Friday says that fraudulently obtained small business contracts provide no value to the federal government, a change that will increase the number of enforcement actions by clearing the government to seek repayment for the entire contract.

The rule implements part of the Small Business Jobs Act of 2010, which says that when a company wins a contract by willfully misrepresenting its small business status, the government’s presumed loss is the value of the contract.

While the law already provided for criminal and civil penalties, including False Claims Act liability, the government had a hard time winning these cases because rulings like the one in Ab-Tech Construction v. United States had made it difficult to establish damages. In that 1994 case, the Court of Federal Claims limited the government’s recoverable damages because the contractor had provided the agreed-on services.

But the SBA regulation, which takes effect Aug. 27, will allow prosecutors and private relators to pursue fraud much more easily, under the assumption that contracts obtained through misrepresentation have no value to the government. This puts the entire value of the contract at stake.

“I expect to see a substantial uptick in prosecutions,” said Richard Oliver, a partner with McKenna Long & Aldridge LLP. “There have been very few prosecutions for false size certifications over the last 20 years. The only prosecutions we’ve seen have been extremely blatant situations.”

Read the full article on Law360: https://bit.ly/2Kwp4hO

US Fails To Shield Contractors From $920M In Afghan Taxes

By Dietrich Knauth

Law360, New York (May 14, 2013, 9:09 PM EDT) — The U.S.’ failure to enforce nontaxation agreements has allowed Afghanistan to collect more than $920 million in improper taxes from U.S. contractors, according to a new report that experts say highlights the persistent challenge of coordinating federal agencies to ensure war spending isn’t wasted.

The Special Inspector General for Afghanistan Reconstruction, or SIGAR, reported Tuesday that his office examined $921 million in business taxes and penalties levied against 43 contractors supporting U.S. rebuilding efforts in Afghanistan, in spite of agreements meant to ensure that U.S. contractors aren’t taxed. Those agreements “appear to be failing in their purpose,” in part because the U.S. Department of Defense, Department of State and the U.S. Agency for International Development have failed to make a coordinated effort to push back against improper taxes, often leaving contractors to fend for themselves.

“It’s disturbing that the Afghan government is targeting American contractors with unjust taxes and intimidation,” Special Inspector General John F. Sopko said. “It’s even more disturbing that U.S. agencies are letting it happen — all at the expense of American taxpayers, who have already shouldered a heavy burden on Afghan reconstruction. This needs to end.”

Of the $921 million examined by SIGAR, $93 million falls clearly under a tax category that both the U.S. and the Afghan government agreed should be exempt, and SIGAR believes that many of the remaining taxes are also illegitimate.

Congress took quick notice of SIGAR’s report, and Rep. Peter Welch, D-Vt., on Tuesday reintroduced legislation that would block all U.S. taxpayer assistance to Afghanistan until a new bilateral agreement on taxes is reached.

“It is incomprehensible that the government of Afghanistan, with its abysmal track record of corruption, would actually think it is a good idea to tax assistance provided by the American taxpayer,” Welch said. “We shouldn’t give another dime to the Afghan government until they agree to stop ripping off the American taxpayer.”

Experts say that SIGAR’s report is just further evidence of the difficulties that the U.S. faces in getting USAID, DOD and the State Department on the same page when it comes to wartime contracting issues. The recently closed office of Sopko’s counterpart in Iraq, the Special Inspector General for Iraq Reconstruction, has recommended creating a new federal agency to oversee rebuilding efforts in future contingency operations, but the agencies have resisted those recommendations, and some contractors have also opposed the plan as creating another layer of bureaucracy.

Charles Tiefer, a law professor at the University of Baltimore and a former member of the Commission on Wartime Contracting, said the U.S. agencies need to present a more unified front on wartime contracting, whether or not a new agency is introduced.

“There needs to be some structural change,” Tiefer said. “If the agencies coordinated and presented a strong and unified stance to the Afghan government, they could at least reduce the scale of improper Afghan taxing of American efforts.”

Fragmented planning for rebuilding contracts greatly increases the risk of waste and fraud, and that’s especially true in Afghanistan, where corruption is part of the culture, and where President Hamid Karzai’s government has tried to maximize its share of the U.S. and international cash that supports its institutions, Tiefer said. Afghanistan’s tax collectors don’t respect the tax exemption agreements signed by its diplomats, and the tax issues seem to be an echo of previous efforts to force contractors to hire a new Afghan security force in place of private guards, Tiefer said.

“The strategy here on the Afghan side may appear chaotic but in fact comes from the Karzai administration, which treats American contract funding in several ways as its very own piggy bank,” Tiefer said. “The U.S. taxpayer puts up money to build schools and infrastructure in Afghanistan, and the Afghan government turns around and engages in double dipping, getting both the U.S. funded project and skimming extorted taxes as well.”

Contractors say the report simply adds concrete data to the reality they’ve been facing for some time. The Professional Services Council, a contractor trade group, agreed with SIGAR’s calls for better coordination between agencies and more training on the tax exemption agreements for U.S. contracting officers, to prevent representatives of the Afghan government from exploiting inconsistencies in an effort to “shake down” contractors.

“The report confirms what PSC has long argued in letters, white papers and meetings with government officials: The U.S. government’s lack of a unified position in resolving the Afghan government’s inappropriate taxation of U.S.-funded contracts has hindered contractors’ efforts to support the U.S. government in Afghanistan,” said Alan Chvotkin, general counsel and executive vice president of PSC. “As the IG found, the lack of response increases the costs of U.S. government projects in Afghanistan and diverts U.S. funding from program objectives specifically defined by Congress and the contracting agencies.”

Because of tax disputes, the Afghan Ministry of Finance has restricted contractors’ freedom of movement, hurting the ability of contractors to support U.S. missions, and has even arrested at least one contractor because of unresolved tax issues, SIGAR reported.

Some U.S. agencies’ contracting officers do not appear to understand Afghanistan’s tax laws and have improperly reimbursed contractors for taxes paid to the Afghan government, and contractors have begun billing the U.S. government for the tax costs, or adjusting their bids to account for increased costs due to the Afghan taxes, according to SIGAR. The U.S. agencies have paid improper taxes, through contractor reimbursement, without helping contractors fight the taxes or helping contractors obtain tax-exemption certification ahead of time, the report found.

The contractors caught in the middle may face additional trouble down the road, since billing the government for improper taxes may go against federal regulations, Tiefer said.

“These contractors may be violating the rules on reimbursement when they pass on taxes that they shouldn’t have paid,” Tiefer said. “They’re getting away with it now, and that means that in some ways they’re happier avoiding friction with the Afghan government, at the cost of milking the American taxpayer through reimbursement.”

SIGAR recommends that the secretary of state take the lead in developing a consistent, unified position on what the U.S. government deems appropriate taxation of contractors, and make efforts to recover any improper tax payouts. But while the DOD concurred with SIGAR’s recommendations, State resisted, saying it “did not explicitly agree or disagree,” while arguing that the agencies already have a unified position. State also said it “neither agreed nor disagreed” on recommendations to recover tax payments.

The State Department also questioned SIGAR’s authority to examine issues related to the tax treatment of contracts, causing SIGAR to write that it is “concerned that State chose to focus initially on the bureaucratic question of which oversight agency is the appropriate one to examine this issue, rather than turning its attention to devising solutions to the problems we identified in this report.”

While the tax issue is serious on its own, it also points to a larger pattern of the Afghan government trying to maximize what it can take from U.S. and internationally funded rebuilding efforts, Tiefer said. Afghanistan previously banned contractors from hiring foreign-owned private security companies, forcing them to hire a new Afghan government agency, the Afghan Public Protection Force, at a higher price than the contractors were originally paying.

The focus on maximizing short-term payouts doesn’t bode well for the future, Tiefer said, especially as U.S. forces plan to exit Afghanistan and turn over the country’s security to its fledgling armed forces in 2014.

“Supplying their treasury by extorting tax payments from the US treasury is a very short-term strategy, and they are materially diminishing their country’s prospect for surviving after American troops pull out and some of the reconstruction effort drops off,” Tiefer said. “This report shows that the Afghan government is sucking only too much from the teat of the American treasury, and needs to be weaned off its rich diet.”

Foreign aid projects make up an enormous part of Afghanistan’s economy — 97 percent, according to a Senate Foreign Relations Committee report from 2011. Since 2002, Congress has appropriated over $89 billion to U.S. government agencies, including DOD, State and USAID, for humanitarian and reconstruction programs and projects in Afghanistan, according to SIGAR.

Published by Law360

US Agencies Get Major Update To Cybersecurity Guidelines

Under the Information Security Management Act, the Office of Management and Budget and the NIST take the lead in setting minimum security requirements used across the federal government, such as giving tips for secure passwords or requiring physical security for sensitive computer systems. The NIST standards have governed federal cybersecurity steps in the absence of federal legislation, and the overhaul is the first such update since 2005.

“This update was motivated by the expanding threats we all face,” project leader and NIST fellow Ron Ross said in a statement. “These include the increasing sophistication of cyberattacks and the fact that we are being challenged more frequently and more persistently.”

The revision’s new assurance controls will help agencies have confidence in the security of their systems and give guidance to contractors that develop information systems, information technology component products and services for the government, according to Ross, who said the focus on trustworthiness in the federal information systems supported the NIST’s slogan of “Build it right, then continuously monitor.”

Contractors may welcome the update as an improvement over ad hoc rules pursued separately by separate agencies. In comments submitted to the NIST on April 8, the Professional Services Council urged the government to halt ongoing efforts to create cybersecurity contract requirements until the NIST framework was in place.

“We strongly believe that the NIST cybersecurity framework should be developed prior to the further development or implementation of new acquisition-specific cybersecurity requirements,” PSC President and CEO Stan Soloway said. “To ensure that consistency is achievable by agencies in both the cybersecurity framework and the federal acquisition arena, PSC recommends that the [Federal Acquisition Regulation] and [Defense Federal Acquisition Regulatory Supplement] initiatives be suspended until the initial NIST framework is completed.”

The new guidelines promote cutting-edge security controls aimed at addressing evolving threats — particularly issues related to mobile and cloud computing, insider threats, supply chain risks, advanced persistent threats, and other areas that have evolved greatly over the past eight years, the NIST said.

To address supply chain risks — an area that has been the focus of recent reports from the Senate Armed Services Committee and House Intelligence Committee — the guidelines recommend that the government sometimes use “blind or filtered buys” to withhold the ultimate purpose of electronic parts from the contractors who supply them.

The guidelines also encourage agencies to offer incentives to contractors that are open about their procedures for vetting the security of their electronic parts and subcontract suppliers, something the U.S. Department of Defense is addressing as it implements the 2013 National Defense Authorization Act. The NDAA provided a safe harbor for contractors who have DOD-approved vetting procedures, while requiring other contractors to pay for the cost of replacing counterfeit electronics that supply to a military system.

Previous NIST guidelines, as well as a change in the 2013 National Defense Authorization Act, have pushed contractors to report data breaches affecting government systems. The 2013 NDAA included a last-minute amendment added by Senate Armed Services Committee Chairman Carl Levin, D-Mich., that required cleared contractors to report on cyberattacks and grant the DOD access to information systems for security checks.

Contractors complained that the amendment’s initial language would have provided the DOD with open-ended access to data — even to the point of long-term confiscation of computer servers — with very few controls on how that information would be used or safeguarded. While the final version of the NDAA limits the amendment in a few key ways, requiring the DOD to safeguard trade secrets and commercial information and preventing the DOD from sharing the information outside of the agency, some said the change didn’t go far enough toward addressing contractors’ concerns.

Published on Law360