Each month, Venable's Government Contracts Group publishes a summary of recent legal developments of interest to the government contractor community. Here are our highlights from the month of May 2021.
Executive Order (EO) 14028
Recently, the ability of cyber threats and ransomware attacks to affect U.S. infrastructure and government systems has become all too real during an already dystopian pandemic. Examples from the last year include shutting down the internet (SolarWinds and Hafnium attacks), poisoning water supplies, and halting the supply of gasoline on the East Coast. To combat this clear and present threat, on May 12, 2021, President Biden issued Executive Order (EO) 14028, Improving the Nation's Cybersecurity. This EO is the first step in a series of major changes and enhancements intended to improve the government's cybersecurity. Importantly, EO 14028 recognizes the importance of the Federal Acquisition Regulation (FAR) and its supplements and federal contracts in implementing such reforms.
a. Promptly Sharing Threat Information
Section 2 leverages information technology or operations contractors who are "service providers, including cloud service providers" to remove contractual barriers and improve information sharing of cyber threats or incidents with "executive departments and agencies…that are responsible for investigating or remediating cyber incidents." It specifically instructs the Director of the Office of Management and Budget (OMB), in consultation with other agencies and the Attorney General, to make recommendations to the FAR Council within 60 days of the EO to generate new contract language allowing for improved information-sharing by requiring service providers to: (i) "collect and preserve data, information, and reporting"; (ii) share such data with the agency and any other agency that OMB deems appropriate; (iii) "collaborate with Federal cybersecurity or investigative agencies in their investigations"; and (iv) "share cyber threat and incident information with agencies." It requires the FAR Council to propose contract language within 90 days of receipt of recommendations.
Similarly, it tasks the Secretary of Homeland Security with recommending to the FAR Council contract language that identifies cyber incidents, types of incidents that require reporting, time periods for such reporting, and the types of contractors and service providers that must be covered. While the EO does not set forth the time frames for reporting, it clearly advocates prompt reporting, "with reporting on the most severe cyber incidents not to exceed 3 days after initial detection."
b. Modernizing Federal Government Cybersecurity
Section 3 of the EO instructs agencies to begin creating and implementing plans to adopt cloud technology, Zero Trust Architecture, multifactor authentication, and data encryption. Section 4 focuses on enhancing the security of the software supply chain, instructing the Director of NIST to begin creating guidelines that will incorporate a list of ten criteria. Other sections address the creation of a Cyber Safety Review Board under the Secretary of Homeland Security and a "playbook" for responding to cyber threats or incidents.
c. Enhancing Supply Chain Security
Section 4 of the EO requires NIST to "solicit input from the Federal Government, private sector, academia, and other appropriate actors" regarding existing or new standard tools and best practices to evaluate software security and security practices. The preliminary guidance is to be published within 180 days after the EO.
d. Cyber Safety Review Board
Section 5 establishes a Cyber Safety Review Board modeled after the National Transportation Safety Review Board, which will convene following "a significant cyber incident." The Board's membership will include "Federal officials and representatives from private-sector entities."
e. Standardizing the Playbook
Section 6 recognizes that variations in incident response procedures across the federal government hinder the government's analysis and assessment of which responses are most successful. Agencies that seek to deviate from recommended procedures must demonstrate that their procedures meet or exceed those provided by the playbook described in Section 3.
f. Improving the Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Section 7 focuses on "increasing the Federal Government's visibility into and detection of cybersecurity vulnerabilities and threats to agency networks." It requires all federal civilian executive branch (FCEB) agencies to deploy "an Endpoint Detection and Response (EDR) initiative" designed to detect cyber threats. The Secretary of Homeland Security has 30 days after the EO to provide the Director of OMB with recommendations on implementing the EDR, and the Director of OMB then has 90 days to issue the requirements for FCEB agencies to adopt the EDR approaches proposed. Section 7 also sets forth a similar track "for improving detection of cyber incidents affecting National Security Systems."
g. Improving Investigative and Remediation Capabilities
Section 8 requires the Secretary of Homeland Security to provide the Director of OMB with "recommendations on requirements for logging events and retaining other relevant data within an agency's systems and networks" within 14 days after the EO. The Director of OMB must formulate policies for agencies to establish such logs within 90 days after those recommendations are issued. Agencies will be required to furnish the logs and related information "[t]o address cyber risks or incidents."
h. National Security Systems
Section 9 states that, within 60 days after the EO, the Secretary of Defense shall adopt "National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are not otherwise applicable to National Security Systems."
i. The Need for Speed
The EO is remarkable for its aggressive timeline. Nearly all of the demanded reviews and recommendations are to be conducted within 30-90 days, with full implementation of most of the new policies and procedures within 180 days. While some aspects have a longer timeline—and implementation and finalization of any changes to the FAR or other regulations will surely take more than six months—the EO expresses a clear preference for swift and decisive action that will affect nearly all government contractors.
* * *
GAO Report on Cybersecurity: GAO-21-594T
President Biden's cybersecurity EO was issued in the midst of larger concerns regarding cybersecurity—a prime example being the mess caused earlier in May by the Colonial Pipeline hack. On a related note, the GAO released a report on May 25, 2021, Cybersecurity: Federal Agencies Need to Implement Recommendations to Manage Supply Chain Risks, GAO-21-594T. The report speaks directly to the issues addressed in Section 4 of EO 14028, discussed above. In the report, GAO referenced a report it made in December 2020, which reviewed the adoption of information and communications technology (ICT) supply chain risk management (SCRM) practices. The December 2020 report found only a fraction of the 23 agencies reviewed had implemented any of the seven recommended best practices. This current report, following up with those agencies, found that "none of the agencies have yet fully addressed recommendations to implement foundational practices in their organization-wide approach to ICT SCRM." GAO-21-594T at 15.
* * *
Defense Contract Audit Agency Revised Coronavirus Relief Guidance and FAQs
On April 23, 2021, the Defense Contract Audit Agency (DCAA) released a memorandum to provide guidance to auditors regarding the various coronavirus relief bills passed in 2020 and 2021. Contractors facing an audit from DCAA should know that the memo instructs auditors to ask "which relief opportunities, if any, the contractor chose to employ" and to ask for information on any COVID-19-related policies and procedures and any changes to policies and procedures due to the pandemic.
In addition, the memorandum includes a helpful summary of the relevant legislation and Department of Defense (DOD) guidance that auditors may inquire about.
DCAA also offers two frequently asked questions (FAQs)—one addressing incurred costs and the other forward pricing. The incurred cost FAQ provides guidance regarding how auditors (and contractors) should handle Paycheck Protection Program loans and loan forgiveness and paid leave under the CARES Act. For forward pricing, the FAQ notes that the CARES Act has "a potential impact on forward pricing" and goes through a number of issues that may affect that pricing. One consistent thread throughout the FAQs is the need for thorough and careful documentation.
* * *
Enhanced Debriefing – Defense Federal Acquisition Regulation Supplement Proposed Codification of Enhanced Debriefing
On May 20, 2021, the DoD issued a proposed amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) to finally codify the existing enhanced post-award debriefing procedures contained in Section 818 of the National Defense Authorization Act for Fiscal Year 2018 (FY 2018 NDAA) under Class Deviation 2018-O0011. See 86 Fed. Reg. 27,354. The proposed rule will codify these already widely observed procedures and provide clear guidance on the timeliness requirements for filing bid protests and seeking a stay of contract performance. Under the enhanced debriefing procedures, a disappointed offeror is entitled to submit follow-up questions to the agency within two business days after receiving its post-award debriefing. The agency, in turn, is required to respond to those questions within five business days. The clock for filing a protest and seeking a stay of contract performance then begins to run from the date that the contractor receives the agency's response. Comments on the proposed rule are due by July 19, 2021.
* * *
Historically Underutilized Business Zone (HUBZone) Freeze on Redesignations Resulting from the 2020 Census – HUBZone Expansion Continues
The Small Business Administration's (SBA) HUBZone program provides federal contracting opportunities to small businesses in low-income communities that hire low-income residents. On May 5, 2021, the SBA issued a final rule to extend the HUBZone map "freeze" mandated by the National Defense Authorization Act for Fiscal Year 2018 (NDAA 2018) from December 31, 2021 to June 30, 2023. The initial freeze was implemented to ensure that small business concerns had enough time to adjust to redesignations based on the results of the 2020 census data. Because of the pandemic-related delays in the 2020 census results, the extension will allow certain certified small business concerns to maintain their HUBZone status until the HUBZone map is updated in 2023.
However, the "freeze" did not pause the expansion of HUBZone-designated areas. On May 18, 2021, the SBA announced that it will expand its HUBZone program to new "Governor-Designated Covered Areas." The new HUBZone rule allows state governors to submit one petition per year requesting that SBA designate certain qualifying areas as Governor-Designated Covered Areas. In reviewing a request for designation, the SBA will consider how the selections meet the objectives of the state's economic development strategies. Eligible communities must have a population of 50,000 or less, an average unemployment rate of at least 120 percent of the average unemployment rate for the U.S. or state (whichever is lowest), and be located outside of an urbanized area.
* * *
Contract Disputes Act Anti-Fraud Six-Year Time Bar Runs from Submission to the Contracting Officer
Last month, the Court of Federal Claims dismissed the government's counterclaim under the Contract Disputes Act's (CDA) anti-fraud provision as time-barred and strictly held the government to the plain language of the time bar at 41 U.S.C. § 7103(c)(2). See Lodge Constr., Inc. v. United States, No. 13-499 (Fed. Cl. Apr. 14, 2021). The CDA provides that fraud claims must "be determined within 6 years of the commission of the misrepresentation of fact or fraud." 41 U.S.C. § 7103(c)(2) (emphasis added). The Court characterized this language as "somewhat surprising limitations language" and rejected the government's argument that it was merely required to determine there was fraud and file a claim within six years. Id. at 5. Instead, it agreed with the contractor and held that the statute requires the government to reach a successful resolution of its fraud counterclaim within six years, as only courts can "determine" liability.
* * *
Armed Services Board of Contract Appeals Holds That Liquidated Damages Are Improper Where Performance Is Substantially Complete
The Armed Services Board of Contract Appeals (ASBCA) granted in part a contractor's motion for summary judgment on its claim for remission of liquidated damages assessed by the government for late work. See Appeal of Sauer Inc., ASBCA No. 62395. The contractor argued that it was improper to assess liquidated damages because it had substantially completed the performance. The ASBCA agreed in part, finding that the contractor had substantially completed Phases I and II of the performance, and therefore the government's assessment of liquidated damages for these substantially completed portions was unenforceable. The Board found that questions of fact remained as to whether Phase III was substantially completed, but, to the extent liquidated damages were appropriate, they should be apportioned to include only the work that was not completed in Phase III.
* * *
U.S. Government Accountability Office Denies Protest Costs for Abandoned Protest Ground and Grounds Not Identified in Alternative Dispute Resolution
The Government Accountability Office (GAO) granted in part and denied in part the protester's request for reimbursement of protest costs. See Protection Strategies, Inc.—Costs, B-419302.3, May 6, 2021. After outcome prediction alternative dispute resolution (ADR), the agency took corrective action and the protester requested reimbursement of costs. The GAO held that the protester was entitled to costs for arguments that were meritorious, as well as those that were intertwined with meritorious arguments. However, it denied costs for arguments that the protester abandoned by failing to respond to the agency's arguments in its comments. In addition, the GAO denied costs for arguments that were neither identified in ADR as an area where the protester would prevail nor intertwined with issues identified as meritorious.
* * *
SAM.gov Goes Live
Finally, all contractors and other members of the industry should be aware that, on May 24, 2021, the GSA retired beta.SAM.gov and replaced it with SAM.gov. The general interface and look have changed, but all prior functions and data have been retained. This video from the GSA explains the changes. As in the rollout of beta.SAM.gov, many users have reported issues, but the new site is here to stay—the GSA has stated that it is working to resolve problems as they are reported. Contractors' login.gov credentials should work, but we recommend that everyone familiarize themselves with the new layout and ensure that all logins function correctly before they are absolutely needed.