Government Contracts Regulation And Legislation To Watch in 2014

By Dietrich Knauth

Law360, New York (January 1, 2014, 10:08 AM EST) — The two-year budget deal signed at the end of 2013 offers at least a pause in the budgetary brinksmanship that led to the haphazard budget cuts of sequestration and a 16-day government shutdown, but Congress will force contractors in 2014 to think on their feet as lawmakers seek to address embarrassing procurement missteps, such as the early failures of HealthCare.gov, and leverage the power of the purse to pursue social and political goals.

Here are the areas to watch for additional legislation and regulation in 2014:

Information technology procurement reform

The botched rollout of HealthCare.gov ramped up scrutiny of the federal information technology acquisition process, prompting calls for change in 2014 amid a growing consensus that the way the government buys technology is too slow, too burdened by inefficiencies and too prone to high-profile failures.

The legislation with the most momentum behind it, the Federal Information Technology Acquisition Reform Act from Darrell Issa, R-Calif., suffered a setback in December when it was removed from the National Defense Authorization Act, the must-pass legislation that authorizes defense spending. FITARA was included in the version of the NDAA that passed the House in June, and offered as an amendment to the Senate NDAA, but it was removed in a last-minute rewrite of the law aimed at quickly passing the bill after the Senate ran short on time for amendments and debate.

Still, FITARA, or legislation like it, remains on Congress’s agenda in 2014, and it could mitigate some of the persistent problems with IT purchases by giving more budget authority and responsibility to agency chief information officers, creating a streamlined approval process for new information technology contracts, and redirecting money from existing contract management funds to fund IT training for the government’s acquisition personnel.

Contractors generally see empowering CIOs as a good step toward fixing some of the dysfunction that plagues IT procurement, according to Alan Pemberton, co-chair of the government contracts group at Covington & Burling LLP. Contractors would rather directly “talk to the people who actually know the technical aspects of the system and can make sure that the right types of systems are being bought” than have the CIO sidelined by budget and acquisition people who are less familiar with the technology requirements in a procurement.

Though FITARA’s reforms would help, anyone who suggests that they’d solve the problems behind the troubled rollout of online health insurance exchanges is kidding themselves, according to Alan Chvotkin, general counsel for the Professional Services Council.

“It’s not a perfect bill. It has elements that are helpful, such as clarifying the role of CIOs, that are long overdue, and if the Congress passes it, it will contribute to some of the issues,” Chvotkin said. “It is not a solution for HealthCare.gov, and if it’s being talked about as ensuring that another HealthCare.gov will never happen, I think that oversells what FITARA is capable of doing.”

Suspension and debarment

Suspension and debarment is an increasingly popular topic in Congress, and that won’t change in 2014, as lawmakers seek to prevent taxpayer dollars from flowing to companies with questionable ethics or track records.

Congress has proposed a more comprehensive overhaul of the government’s approach to suspension and debarment through the Stop Unworthy Spending Act, or SUSPEND Act. That bill would create a new governmentwide suspension and debarment board, and allow some civilian agencies and the U.S. Department of Defense to opt out of the planned consolidation if they can demonstrate that they already have strong suspension and debarment offices.

The waiver option could help civilian agencies with relatively sophisticated suspension and debarment programs, such as the U.S. Environmental Protection Agency, maintain control of their programs, and would treat the DOD and military services just like any other executive branch agency. That change has alleviated some criticism of the bill and turned some early skeptics into cautious supporters.

Congress has ramped up its scrutiny of contractor suspension and debarment in recent years, after reports by the U.S. Government Accountability Office and the Commission on Wartime Contracting highlighted weaknesses in the suspension and debarment offices of civilian agencies. The SUSPEND Act was proposed after oversight hearings embarrassed some agencies that rarely suspended or debarred any contractors.

Beyond the obvious impact of taking suspension and debarment authority away from some agencies, passing the SUSPEND Act would likely lead to more of a litigation-style approach to suspension and debarment, according to Frederic Levy of McKenna Long & Aldridge LLP.

“The rules for responsibility will stay the same,” Levy said. “The process by which it is determined is going to be much more formal, much more rigorous, and with public decisions you’re going to see more and more of a litigation bar arising around suspension and debarment.”

Though the SUSPEND Act is the most dramatic change that’s on the table, it is likely that Congress will also pursue piecemeal additions to the range of offenses that result in automatic debarment, according to David Robbins, a former Air Force debarring attorney who now heads the government contracts practice at Shulman Rogers Gandal Pordy & Ecker PA.

The rise in automatic debarments puts government agencies and their contractors in a tight spot, Robbins said, because the automatic exclusions are a slippery slope, and lingering debarments with no agency discretion would “absolutely ruin everyone’s ability to get anything done.”

“The solution to every problem cannot be to eliminate companies from competition,” Robbins said. “There has to be something short of the ‘death penalty’ of suspension and debarment.”

Supply chain management

Rules proposed in 2013 have required contractors to make significantly greater efforts to police their supply chain and their subcontractors for counterfeit electronic parts and evidence of human trafficking. Those rules could be finalized in 2014, and attorneys expect the focus on supply chain scrutiny will spread to other areas, opening up new risks and potential liabilities.

“I think there’s going to be much more focus on sources and how prime contractors supervise and monitor subcontractors in their supply chain,” said Peter Eyre, an attorney with Crowell & Moring LLP. “This is an area that is changing quite rapidly.”

Visibility into a company’s supply chain will cost money, requiring negotiations with subcontractors, pushback and new agreements.

“There’s also a question of who’s going to bear those costs,” Eyre said. “There are dollars associated with closer scrutiny of the supply chain.”

The government advanced significant rules on counterfeit electronic parts and human trafficking in 2013, taking the same approach to pursue very different goals. In the counterfeit parts rule, the DOD will evaluate contractors’ efforts to scour their supply lines for counterfeit electronics — which pose greater risk of failure and sabotage — as part of its review of contractor purchasing systems. In the human trafficking rule, proposed in September, the government will require contractors to police subcontractors and recruiters for telltale signs of worker exploitation, such as confiscating passports and charging recruitment fees.

An interim rule issued on Nov. 18 expands the same kind of oversight responsibilities to information technology components sold for use in national security systems. That rule is especially noteworthy for contractors, because it gives the DOD the ability to exclude IT contractors from a contract competition if the DOD determines that a contractor or subcontractor presents a supply chain risk, without requiring a full explanation, according to Susan Cassidy of Covington & Burling LLP.

“You can be excluded from a procurement, and there’s a provision that DOD can limit disclosure of why, so you may not even know why,” Cassidy said. “Just from a practical standpoint, this could put contractors in a terrific bind.”

Cybersecurity

Protecting the government’s data will remain a focus for federal agencies and their contractors in 2014, and experts expect more regulation in support of that goal.

“The government is broadening the definition of protected data,” Eyre said. “It’s no longer just classified information, it’s not just technical data under ITAR, it’s more generally protecting contractor networks that contain government data.”

Late in 2013, the government finalized a rule requiring contractors to take additional steps to safeguard unclassified technical data, paring down a cybersecurity rule that was criticized as being too broad when proposed in 2011. Though the 2011 proposed rule would have required enhanced cybersecurity for a broader range of unclassified information provided by or developed for the DOD, the final rule is limited to unclassified technical documents related to DOD-funded research and development — including computer software and documents such as engineering drawings, technical manuals, blueprints, data sets, studies and analyses — and to other technical information that could be used to produce, repair or modify any military or space equipment.

The new rule requires contractors to take enhanced cybersecurity measures to protect DOD technical data. The cybersecurity measures are drawn from commonly used practices codified by the National Institute of Standards and Technology, including access control, awareness and training, contingency planning and maintenance.

Some concerns remain for contractors, including the lack of a safe harbor for contractors who report breaches despite complying with the NIST standards, and some ambiguity in the definition of a cyberevent that must be reported, according to Elizabeth Ferrell of McKenna Long & Aldridge LLP.

“Even though they’ve really narrowed this down, there are certain things that are still troubling from a contractor’s perspective,” Ferrell said.

The DOD said in the final rule that reported cyberincidents will not, by themselves, be considered evidence that a contractor had inadequate security, but flatly denied any safe harbor requests in the comments to the proposed rule, saying “the government does not intend to provide any safe harbor statements.”

Though the DOD has said that the cyberincident reports will not be disclosed as a result of Freedom of Information Act requests, contractors are wary about ways the reports could be used against them, such as impacting their performance reviews or disqualifying them from contract competitions under the supply chain rule, Cassidy said.

“There’s a requirement to report, but it’s unclear what DOD’s going to do with that information,” Cassidy said.

Published by Law360

DOD Dials Back Contractor Rule For Protecting Data

By Dietrich Knauth

Law360, New York (November 18, 2013, 8:35 PM EST) — The U.S. Department of Defense issued on Monday a final rule on contractors’ responsibilities for safeguarding unclassified technical data, paring down a cybersecurity rule that was criticized as being too broad when proposed in 2011.

The new rule requires contractors to take enhanced cybersecurity measures to protect DOD technical data. The cybersecurity measures are drawn from commonly used practices codified by the National Institute of Standards and Technology, including access control, awareness and training, contingency planning, and maintenance.

While the 2011 proposed rule would have required enhanced cybersecurity for a broader range of unclassified information provided by or developed for the DOD, the final rule is limited to unclassified technical documents related to DOD-funded research and development — including computer software and documents like engineering drawings, technical manuals, blueprints, data sets, studies and analyses — and to other technical information that could be used to produce, repair or modify any military or space equipment.

“After comments were received on the proposed rule it was decided that the scope of the rule would be modified to reduce the categories of information covered,” the DOD said. “This final rule addresses safeguarding requirements that cover only unclassified controlled technical information and reporting the compromise of unclassified controlled technical information.”

The change should be a welcome one for contractors, according to Elizabeth Ferrell, a partner in McKenna Long & Aldridge LLP’s government contracts practice.

“What we have now is just one small sliver of what was proposed in 2011,” Ferrell said. “It’s not a perfect rule, but it’s not as controversial as it was before.”

Some concerns remain for contractors, including the lack of a safe harbor for contractors who report breaches despite complying with the NIST standards, and some ambiguity in the definition of a cyberevent that must be reported, Ferrell said.

“Even though they’ve really narrowed this down, there are certain things that are still troubling from a contractor’s perspective,” Ferrell said.

The DOD said in the final rule that reported cyberincidents will not, by themselves, be considered evidence that a contractor had inadequate security, but flatly denied any safe harbor requests in the comments to the proposed rule, saying “the government does not intend to provide any safe harbor statements.”

While some commenters emphasized the costs of complying with additional cybersecurity steps, the DOD said that the NIST controls “represent mainstream industry practices” and that the DOD is willing to accept reasonable additional costs in exchange for better protection of its unclassified technical information.

In light of the new rule, contractors and subcontractors should quickly determine what data needs to be protected and assess their own compliance with the rule’s NIST standards, Ferrell said.

If contractors do not comply with the NIST standards, they should take steps to become compliant, or prepare to explain why the standards do not apply or why other protections provide adequate security, as allowed by the rule, according to Ferrell.


4 Tips For Navigating Bid Protests Outside The US

By Dietrich Knauth

Law360, New York (September 27, 2013, 7:32 PM EDT) — As U.S. defense companies ramp up their search for opportunities abroad, getting familiar with other nations’ evolving bid protest practices can be a helpful step in ensuring they are treated fairly in competitions, experts say.

The U.S. procurement system is unique in its long history of allowing prospective contractors to challenge government contract decisions, and despite domestic criticism of the delays and litigiousness that sometimes result, other nations continue to look to the U.S. as they establish or amend their own versions of bid protests.

Protest systems are increasingly seen as essential to a good public procurement framework, and are encouraged by the United Nations Commission on International Trade Law, the World Trade Organization and the U.S., which insists that partners in free trade agreements, including the North Atlantic Free Trade Agreement, have some kind of bid protest system.

“Bid protests are a standard part of procurement reform all around the world now,” said Daniel Gordon, associate dean for government procurement law at George Washington University. “A bid protest mechanism is typically an unusually efficient way of attaining both transparency and accountability in government contracting.”

Advocates of the U.S. system say allowing private companies to enforce procurement rules increases transparency, reduces corruption and encourages competition, allowing governments to get better value for their purchases. But to take advantage of bid protests in other nations, U.S. companies will have to keep in mind that the rules and culture surrounding bid protests can vary significantly.

Here are four tips for U.S. defense companies looking to take advantage of bid protests abroad:

Recruit Local Counsel

As they adjust to decreased U.S. military spending, American defense companies will have to do business in nations where bid protests are not as ingrained in the procurement process.

Although many countries seem to model their protest systems on the U.S., the rules won’t be the same everywhere. In the U.K., for example, protests are handled in court. In Germany, procurement protests go to specialized administrative bodies.

“Every country is different, and even within the E.U., the 28 member countries have different laws, including different protest laws,” Gordon said. “They have 28 different ways of solving problems.”

Contractors should partner with local counsel to help them navigate the different rules, according to Allen Green, a partner at McKenna Long & Aldridge LLP.

“As you move outside the U.S., E.U. and Canada, you’re really entering into public procurements that are much less transparent. They’re going to have, to varying degrees, some form of protest procedures, but the likelihood of success is something that companies are going to have to think about and work through with knowledgeable local counsel,” Green said.

Adjust Your Expectations

The U.S. bid protest system is stronger in many ways than other nations’, and U.S. companies will have to adjust their expectations when getting involved in protests abroad.

The U.S. allows protests to negate or overturn contract decisions, even after the signing of a contract, and offers an automatic stay that halts work on procurements that are protested at the U.S. Government Accountability Office, which handles most U.S. bid protests and is generally seen as a fast and cheap option for protesters.

American contractors can also protest in the U.S. Court of Federal Claims, which offers legally binding rulings through more extensive litigation and can serve as a backup if a GAO protest fails. Such a system is rarely present in other nations.

In growing markets like China, India, Korea, the United Arab Emirates and Saudi Arabia, U.S. companies will have to temper expectations that bid protests will be as effective as they are in the U.S., Green said.

“If all goes south and you’ve been badly treated, there’s going to be a much narrower spectrum and much less done than there is in the U.S.,” Green said.

In places with less transparent governments, protests could be a dicey proposition even when procedures are in place. University of Maryland law professor Daniel Mitterhoff recently studied a Chinese bid protest that was ignored by the Chinese government for nearly seven years because it fell into a legal grey area between two of China’s multiple bid protest systems.

“In some countries it doesn’t look like there’s a lot of progress toward a meaningful, effective protest system even when they exist on paper,” Gordon said.

Monitor Developing Bid Protest Regimes

Companies should keep an eye on markets that are developing or have recently developed bid protest regimes. Bid protests are growing at an uneven pace across the globe, according to Gordon, who has witnessed the rise of bid protests firsthand.

As the former head of the bid protest division at the GAO, he was consulted by foreign governments interested in setting up their own protest mechanisms, including Norway, Turkey and Tanzania, all of which have protest systems now. He has continued that outreach as an academic, recently working with officials from Vietnam, Morocco, Algeria, Libya and Tunisia — and says international interest in bid protests remains strong.

“Besides an interest in improving legal systems abroad, American companies want to export, and you want to have a solid procurement system overseas to ensure that American companies are treated fairly,” Gordon said of the Commerce Department’s interest in promoting bid protests overseas. “You don’t want to have corruption and you don’t want to have favoritism.”

Ralph White, who currently heads the GAO’s bid protest team, said foreign visitors continue to ask GAO about its protest policies. Not only does the U.S. have the longest tradition of hearing bid protests — a system that began informally in the 1920s and was codified by regulations in the 1970s and the Competition in Contracting Act in 1986 — the U.S. also spends far more on contracts than any other nation, making it a natural source of best practices for protests, White said.

“We end up with visitors from all over the world coming to Washington from other governments. Invariably, they want to talk about bid protests and they are fascinated and amazed that the U.S. government will put itself through this process,” White said. “The idea that you could challenge who it is the Defense Department is giving contracts for missile defense, they’re just amazed by it.”

For governments challenged by corruption and bribery, bid protests are seen as a crime-fighting tool, in a way that they aren’t in the U.S., which will help spur more countries to adopt them, Gordon said.

“Why exactly does having a police car on the side of the road prevent people from driving 80 miles per hour? At least on the margins it causes people to be somewhat more careful,” Gordon said. “Crime hates sunshine, and [protests] provide sunshine to the contracting process. It provides vitamin T, it provides transparency.”

Prepare for Backlash and Reforms

While governments value the transparency and accountability that protests bring, they also struggle with the delays and litigiousness that are part of the package. The U.S. has seen frequent calls for reform, including ideas like charging a fee for “frivolous” protests, raising the dollar-value threshold for which contracts can be protested, and a U.S. Department of Defense proposal that would force contractors to choose between the GAO and the Court of Federal Claims, rather than allowing them to retain the court as a backup plan.

As protests rise across the globe, other governments will face similar pushback, Gordon said. Ten years ago, while Gordon was at GAO, the government of Norway invited him to give advice on setting up a protest forum. It was successful, but after the forum was in place, Gordon said he began to hear familiar complaints out of Norway’s government.

“Within the first two or three years of setting up the bid protest forum there was criticism that there were too many bid protests being filed, and I had to chuckle to myself, because I’d been hearing the same criticism back at home,” Gordon said. “Government officials will always tell you that there are too many protests.”

 


US Fails To Shield Contractors From $920M In Afghan Taxes

By Dietrich Knauth

Law360, New York (May 14, 2013, 9:09 PM EDT) — The U.S.’ failure to enforce nontaxation agreements has allowed Afghanistan to collect more than $920 million in improper taxes from U.S. contractors, according to a new report that experts say highlights the persistent challenge of coordinating federal agencies to ensure war spending isn’t wasted.

The Special Inspector General for Afghanistan Reconstruction, or SIGAR, reported Tuesday that his office examined $921 million in business taxes and penalties levied against 43 contractors supporting U.S. rebuilding efforts in Afghanistan, in spite of agreements meant to ensure that U.S. contractors aren’t taxed. Those agreements “appear to be failing in their purpose,” in part because the U.S. Department of Defense, Department of State and the U.S. Agency for International Development have failed to make a coordinated effort to push back against improper taxes, often leaving contractors to fend for themselves.

“It’s disturbing that the Afghan government is targeting American contractors with unjust taxes and intimidation,” Special Inspector General John F. Sopko said. “It’s even more disturbing that U.S. agencies are letting it happen — all at the expense of American taxpayers, who have already shouldered a heavy burden on Afghan reconstruction. This needs to end.”

Of the $921 million examined by SIGAR, $93 million falls clearly under a tax category that both the U.S. and the Afghan government agreed should be exempt, and SIGAR believes that many of the remaining taxes are also illegitimate.

Congress took quick notice of SIGAR’s report, and Rep. Peter Welch, D-Vt., on Tuesday reintroduced legislation that would block all U.S. taxpayer assistance to Afghanistan until a new bilateral agreement on taxes is reached.

“It is incomprehensible that the government of Afghanistan, with its abysmal track record of corruption, would actually think it is a good idea to tax assistance provided by the American taxpayer,” Welch said. “We shouldn’t give another dime to the Afghan government until they agree to stop ripping off the American taxpayer.”

Experts say that SIGAR’s report is just further evidence of the difficulties that the U.S. faces in getting USAID, DOD and the State Department on the same page when it comes to wartime contracting issues. The recently closed office of Sopko’s counterpart in Iraq, the Special Inspector General for Iraq Reconstruction, has recommended creating a new federal agency to oversee rebuilding efforts in future contingency operations, but the agencies have resisted those recommendations, and some contractors have also opposed the plan as creating another layer of bureaucracy.

Charles Tiefer, a law professor at the University of Baltimore and a former member of the Commission on Wartime Contracting, said the U.S. agencies need to present a more unified front on wartime contracting, whether or not a new agency is introduced.

“There needs to be some structural change,” Tiefer said. “If the agencies coordinated and presented a strong and unified stance to the Afghan government, they could at least reduce the scale of improper Afghan taxing of American efforts.”

Fragmented planning for rebuilding contracts greatly increases the risk of waste and fraud, and that’s especially true in Afghanistan, where corruption is part of the culture, and where President Hamid Karzai’s government has tried to maximize its share of the U.S. and international cash that supports its institutions, Tiefer said. Afghanistan’s tax collectors don’t respect the tax exemption agreements signed by its diplomats, and the tax issues seem to be an echo of previous efforts to force contractors to hire a new Afghan security force in place of private guards, Tiefer said.

“The strategy here on the Afghan side may appear chaotic but in fact comes from the Karzai administration, which treats American contract funding in several ways as its very own piggy bank,” Tiefer said. “The U.S. taxpayer puts up money to build schools and infrastructure in Afghanistan, and the Afghan government turns around and engages in double dipping, getting both the U.S. funded project and skimming extorted taxes as well.”

Contractors say the report simply adds concrete data to the reality they’ve been facing for some time. The Professional Services Council, a contractor trade group, agreed with SIGAR’s calls for better coordination between agencies and more training on the tax exemption agreements for U.S. contracting officers, to prevent representatives of the Afghan government from exploiting inconsistencies in an effort to “shake down” contractors.

“The report confirms what PSC has long argued in letters, white papers and meetings with government officials: The U.S. government’s lack of a unified position in resolving the Afghan government’s inappropriate taxation of U.S.-funded contracts has hindered contractors’ efforts to support the U.S. government in Afghanistan,” said Alan Chvotkin, general counsel and executive vice president of PSC. “As the IG found, the lack of response increases the costs of U.S. government projects in Afghanistan and diverts U.S. funding from program objectives specifically defined by Congress and the contracting agencies.”

Because of tax disputes, the Afghan Ministry of Finance has restricted contractors’ freedom of movement, hurting the ability of contractors to support U.S. missions, and has even arrested at least one contractor because of unresolved tax issues, SIGAR reported.

Some U.S. agencies’ contracting officers do not appear to understand Afghanistan’s tax laws and have improperly reimbursed contractors for taxes paid to the Afghan government, and contractors have begun billing the U.S. government for the tax costs, or adjusting their bids to account for increased costs due to the Afghan taxes, according to SIGAR. The U.S. agencies have paid improper taxes, through contractor reimbursement, without helping contractors fight the taxes or helping contractors obtain tax-exemption certification ahead of time, the report found.

The contractors caught in the middle may face additional trouble down the road, since billing the government for improper taxes may go against federal regulations, Tiefer said.

“These contractors may be violating the rules on reimbursement when they pass on taxes that they shouldn’t have paid,” Tiefer said. “They’re getting away with it now, and that means that in some ways they’re happier avoiding friction with the Afghan government, at the cost of milking the American taxpayer through reimbursement.”

SIGAR recommends that the secretary of state take the lead in developing a consistent, unified position on what the U.S. government deems appropriate taxation of contractors, and make efforts to recover any improper tax payouts. But while the DOD concurred with SIGAR’s recommendations, State resisted, saying it “did not explicitly agree or disagree,” while arguing that the agencies already have a unified position. State also said it “neither agreed nor disagreed” on recommendations to recover tax payments.

The State Department also questioned SIGAR’s authority to examine issues related to the tax treatment of contracts, causing SIGAR to write that it is “concerned that State chose to focus initially on the bureaucratic question of which oversight agency is the appropriate one to examine this issue, rather than turning its attention to devising solutions to the problems we identified in this report.”

While the tax issue is serious on its own, it also points to a larger pattern of the Afghan government trying to maximize what it can take from U.S. and internationally funded rebuilding efforts, Tiefer said. Afghanistan previously banned contractors from hiring foreign-owned private security companies, forcing them to hire a new Afghan government agency, the Afghan Public Protection Force, at a higher price than the contractors were originally paying.

The focus on maximizing short-term payouts doesn’t bode well for the future, Tiefer said, especially as U.S. forces plan to exit Afghanistan and turn over the country’s security to its fledgling armed forces in 2014.

“Supplying their treasury by extorting tax payments from the US treasury is a very short-term strategy, and they are materially diminishing their country’s prospect for surviving after American troops pull out and some of the reconstruction effort drops off,” Tiefer said. “This report shows that the Afghan government is sucking only too much from the teat of the American treasury, and needs to be weaned off its rich diet.”

Foreign aid projects make up an enormous part of Afghanistan’s economy — 97 percent, according to a Senate Foreign Relations Committee report from 2011. Since 2002, Congress has appropriated over $89 billion to U.S. government agencies, including DOD, State and USAID, for humanitarian and reconstruction programs and projects in Afghanistan, according to SIGAR.

Published by Law360

US Agencies Get Major Update To Cybersecurity Guidelines

Under the Information Security Management Act, the Office of Management and Budget and the NIST take the lead in setting minimum security requirements used across the federal government, such as giving tips for secure passwords or requiring physical security for sensitive computer systems. The NIST standards have governed federal cybersecurity steps in the absence of federal legislation, and the overhaul is the first such update since 2005.

“This update was motivated by the expanding threats we all face,” project leader and NIST fellow Ron Ross said in a statement. “These include the increasing sophistication of cyberattacks and the fact that we are being challenged more frequently and more persistently.”

The revision’s new assurance controls will help agencies have confidence in the security of their systems and give guidance to contractors that develop information systems, information technology component products and services for the government, according to Ross, who said the focus on trustworthiness in the federal information systems supported the NIST’s slogan of “Build it right, then continuously monitor.”

Contractors may welcome the update as an improvement over ad hoc rules pursued separately by individual agencies. In comments submitted to the NIST on April 8, the Professional Services Council urged the government to halt ongoing efforts to create cybersecurity contract requirements until the NIST framework was in place.

“We strongly believe that the NIST cybersecurity framework should be developed prior to the further development or implementation of new acquisition-specific cybersecurity requirements,” PSC President and CEO Stan Soloway said. “To ensure that consistency is achievable by agencies in both the cybersecurity framework and the federal acquisition arena, PSC recommends that the [Federal Acquisition Regulation] and [Defense Federal Acquisition Regulatory Supplement] initiatives be suspended until the initial NIST framework is completed.”

The new guidelines promote cutting-edge security controls aimed at addressing evolving threats — particularly issues related to mobile and cloud computing, insider threats, supply chain risks, advanced persistent threats, and other areas that have evolved greatly over the past eight years, the NIST said.

To address supply chain risks — an area that has been the focus of recent reports from the Senate Armed Services Committee and House Intelligence Committee — the guidelines recommend that the government sometimes use “blind or filtered buys” to withhold the ultimate purpose of electronic parts from the contractors who supply them.

The guidelines also encourage agencies to offer incentives to contractors that are open about their procedures for vetting the security of their electronic parts and subcontract suppliers, something the U.S. Department of Defense is addressing as it implements the 2013 National Defense Authorization Act. The NDAA provided a safe harbor for contractors who have DOD-approved vetting procedures, while requiring other contractors to pay for the cost of replacing counterfeit electronics that they supply to a military system.

Previous NIST guidelines, as well as a change in the 2013 National Defense Authorization Act, have pushed contractors to report data breaches affecting government systems. The 2013 NDAA included a last-minute amendment added by Senate Armed Services Committee Chairman Carl Levin, D-Mich., that required cleared contractors to report on cyberattacks and grant the DOD access to information systems for security checks.

Contractors complained that the amendment’s initial language would have provided the DOD with open-ended access to data — even to the point of long-term confiscation of computer servers — with very few controls on how that information would be used or safeguarded. While the final version of the NDAA limits the amendment in a few key ways, requiring the DOD to safeguard trade secrets and commercial information and preventing the DOD from sharing the information outside of the agency, some said the change didn’t go far enough toward addressing contractors’ concerns.

Published on Law360

Obama’s Cybersecurity Order Could Squeeze Contractors

By Dietrich Knauth

Law360, New York (February 26, 2013, 8:01 PM EST) — President Barack Obama’s recent cybersecurity executive order envisions a more centralized approach to protecting the government from hackers, but contractors worry a slew of new costs and burdensome information-sharing requirements could also accompany the well-intentioned move.

Government contractors, already a target for hackers because of their closeness to government data, are among the biggest groups affected by Obama’s Feb. 12 cybersecurity executive order, which pushes federal agencies to work more closely with defense contractors, banks, electric power companies, communications providers and other critical infrastructure operators through voluntary security standards and increased dialog about cyberthreats. The order and an accompanying policy directive also direct the agencies to consider changing the Federal Acquisition Regulation to include cybersecurity concerns in new government contracts.

But the government’s effort to incorporate cybersecurity standards into acquisition planning and to harmonize existing procurement requirements could be a mixed bag for contractors. While the new standards will likely carry new compliance costs, those additional costs could be offset by smoothing out a “Tower of Babel” of conflicting agency-by-agency and even contract-by-contract approaches, according to Crowell & Moring LLP partner David Bodenheimer.

“It is not all downside. An upside to a FAR regulatory scheme for cybersecurity would be greater uniformity and less compliance burden on contractors,” Bodenheimer said. “One of the problems right now, for federal contractors, is having to comply with a host of changing federal regulations at the agency level.”

But many are concerned that new regulations arising out of the executive order will ask too much of contractors, especially because the government will have to frequently update its standards in order to combat rapidly evolving cyberattacks and new techniques employed by hackers.

“The goal sounds like a good idea, but we’ll have to wait and see what’s proposed,” said Elizabeth Ferrell, a partner at McKenna Long & Aldridge LLP. “Consistency would be helpful but there’s always concerns that the standards will be too strict and too much of a burden on contractors.”

Contractors will also be asked to take part in the executive order’s voluntary information sharing program, which is based on a pilot program already underway between the DOD and some defense contractors. As long as the information sharing remains voluntary, contractors, as with other companies affected by the order, will closely watch as the government settles on a mix of incentives and penalties to encourage the cooperation they’re seeking.

Many companies are worried that reporting on cyberthreats and data breaches will open them to new liability, from exposure of trade secrets and proprietary data, to liability for inadvertently disclosed personal information, to damaged corporate reputations. Contractor groups, including the Professional Services Council and TechAmerica, have already called for granting indemnification to companies that meet cybersecurity standards or exempting their disclosures from Freedom of Information Act requests, steps that would assure contractors, but would require legislative action.

In addition to the reporting risks faced by other companies affected by the order, contractors face a few unique risks when reporting data breaches or cyberattacks — particularly if they lead the government to see the contractor as a less secure partner than potential competitors. Many federal agencies now include information security and safeguards as an element of past performance and experience during a contract competition, according to Bodenheimer.

“That breach may be used against it in other contexts as well, such as being penalized in a competitive source selection,” Bodenheimer said.

Information sharing also carries more risk for contractors than for most private sector companies, because government contractors are subject to a number of additional statutory, regulatory and contractual reporting requirements. Noncompliance with one of those additional reporting requirements could open up government contractors to accusations of procurement fraud or whistleblower suits under the False Claims Act.

“Government contractors, by nature, are very cautious because there are a lot of potential liabilities associated with any kind of noncompliance,” Ferrell said. “False Claims Act liability certainly is one of those, so I think that would be on a list of potential lawsuits that a company might face that might originate from voluntary disclosures.”

There is also the fear, perhaps well-grounded, that the voluntary information sharing framework in the executive order will be a mere stepping stone to a mandatory reporting requirement in the future.

Defense contractors, whose early efforts provided a framework for the executive order’s information sharing program, experienced something similar in December, when the 2013 National Defense Authorization Act required contractors with security clearances to report cyberattacks and system breaches.

“If I was an industry member, I would wonder if we’ll see a broader mandatory disclosure requirement that will apply to non-cleared contractors,” said Jon Burd, a government contracts attorney at Wiley Rein LLP. “None of that is on the immediate horizon, but it’s reasonable to wonder out loud whether that is a path that we may head down in the not too distant future.”

Published by Law360

Entergy Sues US Over Breached Nuclear Waste Contract

By Dietrich Knauth

Law360, New York (September 27, 2012, 10:22 PM EDT) — An Entergy Co. unit sued the U.S. government Wednesday, seeking damages for what it calls the government’s decadelong, ongoing failure to dispose of spent nuclear fuel at two power plants in Michigan, which it says breaches a waste disposal contract.

Entergy Nuclear Palisades LLC filed its suit in the U.S. Court of Federal Claims, saying it and the plants’ previous owner have paid the Department of Energy $274 million in fees under the 1983 waste disposal contract, as a contribution toward building a long-term waste depository.

Under the terms of the plants’ contract with the government, the U.S. agreed to begin picking up the spent nuclear fuel and high-level radioactive waste no later than January 1998, according to the complaint. But it has not done so, in part because political battles have scuttled every plan to build a long-term disposal site, the complaint says.

While the complaint did not mention specific damages, the court’s docket sheet lists Entergy’s demand as $100 million.

Entergy bought the Palisades Nuclear Plant and the Big Rock Point plant from Consumers Energy Co. in 2007. Entergy continues to pay roughly $6 million a year in fees relating to the plant, the complaint said.

But the government still has no plan to begin disposal of the waste, despite several breach of contract judgments and court orders against it in similar lawsuits, according to the complaint.

“Consumers and [Entergy] have fully complied with all their fee payment obligations under the contract,” the complaint said. “The government, however, has failed to perform its reciprocal obligation to dispose of the spent nuclear fuel, and currently has no plan to meet these obligations.”

Entergy says the government’s foot-dragging has caused it to rack up other costs, including regulatory costs, taxes and fees associated with efforts to ensure sufficient on-site storage or find off-site alternatives, and has delayed Entergy’s plans to decommission the shuttered Big Rock Point.

“As a direct consequence of the government’s disregard of its contractual obligations and defiance of the D.C. Circuit’s rulings, [Entergy] has been incurring and will be forced to incur substantial additional costs to provide for extended on-site storage of its spent nuclear fuel,” the complaint said.

These expenses include buying, loading and maintaining storage casks and related equipment; monitoring storage facilities; and making necessary changes to the plants, according to the complaint.

The DOE is fighting dozens of lawsuits by utilities that had contracted with the agency over the past 20 years to send their spent fuel to the planned Yucca Mountain nuclear waste repository.

The project has been beset by delays and legal challenges, and in the past two years the DOE and the Nuclear Regulatory Commission have suspended their licensing on Yucca Mountain, leaving operators to deal with spent fuel themselves.

Taxpayers could face $19 billion in liabilities by 2020, as the U.S. Department of Energy reneges on contracts with nuclear operators to dispose of thousands of tons of spent fuel accumulating at their plants, the U.S. Government Accountability Office reported in September.

The GAO found that spent fuel stored on-site at nuclear plants will likely increase by about 2,000 tons annually before the DOE can open a new centralized storage facility, which could take as many as four decades. In addition to the $19.1 billion in liabilities racked up by 2020, the DOE could be on the hook for an additional $500 million annually thereafter.

ENP is represented by Layton Jager Smith Jr. of Jager Smith LLC.

The case is Entergy Nuclear Palisades LLC v. U.S., case number 12-cv-01641, in the U.S. Court of Federal Claims.

Published by Law360

OFCCP’s Regulatory Agenda Has Contractors Seething

By Dietrich Knauth

Law360, New York (September 5, 2012, 5:52 PM EDT) — An ambitious but stalled effort to revamp affirmative action rules for contractors has put President Barack Obama’s Office of Federal Contract Compliance Programs at loggerheads with federal contractors, and the worsening relationship has bogged down audits and added to the financial strain on both private companies and the agency.

Obama’s OFCCP has proposed 10 major rule changes — far more than the four changes the regulator pushed during the Bush administration — that include widely criticized new rules aimed at boosting affirmative action hires of veterans and disabled workers, and a revised audit policy that seeks more detailed data on employee compensation. But contractors say the regulatory overload and the OFCCP’s combative attitude have hindered real progress.

The disconnect between the regulator and government contractors was on display at the 2012 National Industrial Liaison Group conference in Hawaii, where OFCCP officials including Director Patricia Shiu and Policy Director Debra Carr spoke via teleconference to companies about proposed and pending regulations.

The distance was more than simply physical — while Carr and Shiu both emphasized the importance of communication and outreach, contractors at the conference said they felt ignored, bullied or even lied to by the OFCCP.

“I’ve never seen so much acrimony,” said John Fox of Fox Wang & Morgan PC, who added that the OFCCP had put itself on “war footing” with contractors. “I’ve frankly never seen the contractor community so active and mobilized against a common threat.”

At the ILG conference, Fox characterized the OFCCP as a “broken” agency, and one company representative raised the possibility of “civil disobedience” as a corrective against what he saw as agency overreach during audits.

Valerie Hoffman, head of Seyfarth Shaw LLP’s OFCCP and affirmative action compliance group, said a lack of private sector experience within the OFCCP and the agency’s failure to reach out to contractors had led it to greatly underestimate the costs of compliance with its proposed rules. And the sheer number of proposed reforms has helped slow the pace with which new regulations are enacted, and left contractors nervous and uncertain about delayed changes, she said.

“This administration has the most ambitious regulatory agenda of any recent administration,” Hoffman said. “It looks like they’ve bitten off more than they can chew, and the contractor community is rightly concerned about the breadth of the new regulations and the burdens associated with them.”

The OFCCP has also pursued audits more aggressively than it did during the Bush administration, when it would commonly shut down audits if it didn’t find systematic discrimination that affected 10 or more employees, according to David Cohen of DCI Consulting. Cohen dates the change in attitude to 2010, when the OFCCP renamed its approach from Active Case Management to Active Case Enforcement.

“And OFCCP is wondering why we’re all feeling so anxious?” Cohen said. “I call it the ‘No Lawyer Left Behind Act,’” he said of the OFCCP’s package of proposed reforms.

Making matters worse for both OFCCP and the contractors it oversees, data from the OFCCP’s public enforcement database shows that the OFCCP is burying itself in technical violations that require reporting and burden both the agency and contractors, without bringing any settlement money back to OFCCP, Cohen said.

While the number of audits that resulted in financial remedies rose slightly between 2004 and 2011, from 1.12 percent of audits to 2.5 percent, the percentage of audits that ended in conciliation agreements, without payment to OFCCP or individuals, rose much more sharply, from 5.25 percent to 24.9 percent.

Carr acknowledged that federal budget pressures are weighing on the agency, saying she’s “doing more with less,” and estimating the number of employees in the policy office as “in the mid-20s.”

Fox said the OFCCP is “starving to death” for lack of funds and argued that Carr needs three times as many employees to get the regulations right.

“She can’t do a big job like that with 20 people,” Fox said. “No one can.”

Near the close of the ILG conference, Fox suggested that contractors step up and do the OFCCP’s work for it, writing proposed regulations themselves and submitting them to OFCCP for editing. Everyone agrees that the regulations are out of date, he said, citing the OFCCP’s obsolete sex discrimination rules that don’t even allow the agency to prevent contractors from firing women who become pregnant.

“OFCCP is broken. We all know that,” Fox said, saying contractors should not only write rules, but lend managers to the OFCCP to give guidance and assistance. “Don’t whine any more; just do it. It’s a classic partnership — you fill in where they’re weak, and they fill in where you’re strong.”

Hoffman called Fox’s proposal interesting but said most contractors are “overwhelmed” with their own responsibilities and would likely have few resources to devote to assisting the OFCCP’s policymaking. Sandy Zeigler, a retired OFCCP regional director, added that it would be tough to convince contractors to go through the effort and expense of rewriting regulations without any guarantee that the OFCCP would listen.

Zeigler said the OFCCP should listen more to contractors, rather than “regulate without even thinking about it.”

The agency’s plan to have contractors give veterans and disabled applicants written letters of denial when they are not hired, including a reminder that they are protected classes that can sue for discriminatory hiring practices, was one example of a poorly thought-out requirement Zeigler cited. The change would create recordkeeping burdens, while encouraging contractors to keep the denial letters as bland and uninformative as possible to prevent applicants from getting ideas for lawsuits.

“You’re going to send out a lot of pabulum to a lot of people. That’s a waste of your time, that’s a waste of paper,” Zeigler said. “Why regulate to have a bland statement like that?”

The new recordkeeping burdens and a “gotcha” mentality that focuses on technical violations during audits have damaged the relationship between the agency and federal contractors, and the hostile environment can distract from affirmative action programs that actually work, Zeigler said.

“I don’t want civil rights to be hurt by people who are intending to help it,” Zeigler said.

Published by Law360

With New Rules In Limbo, OFCCP Ramps Up Vet Hiring Push

By Dietrich Knauth

Law360, New York (August 31, 2012, 6:11 PM EDT) — In lieu of new veterans hiring rules that have stalled during an ambitious regulatory push in the Office of Federal Contract Compliance Programs, the government is leaning on audits and more aggressive interpretations of current regulations to support its affirmative action policies, experts said.

The OFCCP has proposed new affirmative action rules for veterans that would require contractors to track those who apply for jobs and write reports explaining decisions not to hire protected veterans. But a regulatory logjam in the OFCCP has put the proposed regulation more than nine months behind schedule, and many experts wonder if the rules will be finalized before a November election that could change the OFCCP’s makeup regardless of whether there is a change in the White House.

In the meantime, the OFCCP is using audits to take a much harder look at contractors’ good-faith efforts at veterans outreach; expecting contractors to check back and evaluate the results of those efforts; and demanding information about how many applicants were referred by a particular job board or organization, how many applicants were interviewed and how many were hired.

“We’ve seen these changes over the last 18 months, and the changes are massive,” Mickey Silberman, head of the affirmative action and OFCCP practice at Jackson Lewis LLP, said. “OFCCP’s approach to good-faith efforts has changed in a fundamental way.”

Employers who appear to be going through the motions will face greater scrutiny during OFCCP audits, and the agency will issue technical violations to contractors that are found deficient in either outreach or recordkeeping, according to Silberman, who spoke about the issue during the 2012 Industrial Liaison Group meeting. To protect themselves, contractors should make more of an effort to track the number and quality of applicants referred by recruitment sources and stop using ineffective recruitment sources, Silberman said.

“It’s not about getting through the audit. The goal is to increase veterans’ employment,” Silberman said. “What’s the point of good-faith efforts if you don’t monitor their effectiveness?”

The OFCCP is focusing its efforts on affirmative action and applicants who are not hired in part because it is rarely able to substantiate claims of discrimination against veterans or disabled workers who have been hired, according to David Cohen of the Center for Corporate Equality.

OFCCP data shows that the agency has alleged discrimination against veteran or disabled workers just three times during 22,000 compliance evaluations conducted since 2007, Cohen said. And in 871 investigations initiated since 2004 as a result of disabled or veteran workers complaining to the OFCCP, it identified just 60 violations, he added.

In response to the OFCCP’s more aggressive audits, contractors should make efforts to improve their outreach to veterans, but they shouldn’t try to anticipate the stalled regulations and start asking applicants whether or not they are veterans, according to Jennifer Seda, an attorney at Jackson Lewis. Employers have no obligation to ask, and if they do, they could open themselves up to OFCCP scrutiny if they do not hire or interview veteran applicants.

“Until the regulations are passed, please don’t ask your applicants if they are veterans,” Seda said.

While Silberman and Seda both recommended that contractors do more to evaluate the results of their outreach efforts, they also said contractors should push back against another OFCCP attempt to use current regulations on behalf of veterans. The agency has adopted a more aggressive interpretation of a current rule that requires contractors to undertake a “thorough and systematic consideration” of “known veterans” for all positions, including new hires, promotions and retraining opportunities.

Even if no veterans apply for a position, the OFCCP has taken the position that contractors should look internally at their veteran employees, as well as applicants for other positions, to see if they are qualified and interested, which would put a large burden on some contractors and give veterans a kind of preferential treatment that runs counter to the philosophy of equal employment opportunity, Silberman said. Contractors should consider fighting the OFCCP on the issue — even if the legal fight costs more than a settlement — because it’s a fight they can win, he said.

“The EEO lawyers have a pretty good sense that this interpretation makes people uncomfortable, and it should,” Silberman said.

The new audit policies are, at least temporarily, taking the place of the proposed new rules that would require contractors to set hiring goals for veterans; compile additional data on hiring decisions, including reports to explain why qualified veterans were not hired; and keep relevant records for five years. Contractors and their advocates, including attorneys with Littler Mendelson PC, the Association of General Contractors and the Equal Employment Advisory Council, argue that the rule creates enormous additional burdens on employers while not significantly increasing veterans’ rights or opportunities for employment.

“These regulations are not going to create revenue-generating jobs for veterans. They are not going to level the playing field for qualified veterans and ensure equal access,” Littler Mendelson said in response to the veterans rule. “They are going to create layers upon layers of overhead for companies ill-prepared to absorb these costs in the current economy.”

But despite contractors’ concerns about the proposed veterans rule, it is the most likely of several pending OFCCP regulatory changes to be finalized before the election, because of political support for veterans affirmative action. While other pending rules — including a proposal that would require contractors to work towards a goal of hiring disabled workers in 7 percent of their jobs — would likely be scrapped if President Barack Obama is not re-elected, the veterans rules have a chance to survive even if Mitt Romney becomes president, according to Silberman. And even if Romney wins, Obama’s OFCCP could still push them out as midnight regulations, he said.

“For all the proposals, they’d like to have something to show for it,” Silberman said. “This should have been an easy one. Everybody wins, and the administration gets to trumpet the fact that they’re helping veterans.”

Published by Law360