Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters

The Office of Federal Contract Compliance Programs (OFCCP) just posted its list of companies that are scheduled for an audit of their affirmative action programs here: https://www.dol.gov/agencies/ofccp/foia/library (click on the FY 2020 CSAL links). This is essentially a heads-up from the OFCCP that the contractors listed should be prepared to receive formal notice of an audit. If you find yourself on this list, it is important to get your business in order proactively so that the audit process goes more smoothly and successfully. There are now several different types of audits, so even companies that have been audited in the past might be selected for a new type of audit that they have never experienced.

Stinson regularly advises government contractors in preparing affirmative action plans as well as defending OFCCP audits. Contact the authors if you have any questions about this article, affirmative action plans, OFCCP audits, pre-audit compliance reviews, or OFCCP audit defense. If you are not on this list, it doesn’t mean that you are not considered a government contractor or subcontractor subject to OFCCP oversight, audit, or investigation. OFCCP can initiate an audit without putting a contractor on the CSAL list. If you have questions about your status as a government contractor, or audit-readiness in general, please contact the authors or the co-chairs of Stinson’s Government Contracts & Investigations Practice Group.

The Cybersecurity Maturity Model Certification (CMMC) Advisory Board (CMMC AB) made a major announcement on September 16, 2020: it has trained an initial group of provisional assessors. As an earlier posting explains, the CMMC establishes cybersecurity controls for certification of government contractors, ranging from Level 1, the basic set of controls that all government contractors to DoD must meet, to Level 5, the highest, whose controls must be met by contractors that hold Controlled Unclassified Information (CUI) and need security to address Advanced Persistent Threats (APTs).

The plan for the CMMC rollout includes the establishment of a neutral body to provide standards and training, certification of third party assessment organizations (C3PAOs), and provision of a marketplace for these assessors to be identified for assessment of a government contractor regarding its compliance with a designated CMMC Level. Contractors that are assessed and then certified by the DoD as meeting the security controls specified for a designated CMMC Level are then eligible to receive an award of a DoD contract that requires certification at that CMMC Level, or other lower CMMC levels. Thus, establishment of a set of assessors deemed qualified to conduct the assessment of contractors for CMMC is a major step.

That said, there is some other news.

First, while DoD initially planned for ten pilot programs to kick off CMMC, there are only a few so far. The General Services Administration (GSA) has introduced cybersecurity principles into its acquisition programs as well, but the phased-in approach to introducing CMMC appears to be slower than initially scheduled.

Second, there has been a significant change in the leadership and membership of the CMMC AB. In its announcement, the CMMC AB advised that Chairman Ty Schieber and Communications Chair Mark Berman are out and Karlton Johnson, previously Vice Chairman, will not assume the role of Chairman. Additionally, to fill some now vacant positions on the Board, Yong-Gon Chon, Sheryl Hanchar, and Charlie Williams have been added as Directors.

Stay tuned for further developments. In the meantime, keep working to comply with the requirements already in place under FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems and, if you contract with the DoD, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, including NIST SP 800-171, as applicable. And start planning for compliance with CMMC certification level requirements!

If you have questions about this advisory and how it may apply to you, contact the author or your Stinson counsel.

EEO-1 Reports

With September upon us, many employers are remembering the prior filing deadline for EEO-1 Reports and wondering what is happening with that obligation. The short answer is that the U.S. Equal Employment Opportunity Commission (EEOC) announced that it will delay collecting EEO-1 Reports from covered employers until March 2021.

Covered employers, including private companies with 100 or more employees and federal contractors with 50 or more employees, are required to file EEO-1 Reports each year, identifying the number of employees in various job groups by race and sex (“Component 1”). Last year, with the added collection of pay data (“Component 2”), the EEO-1 Report deadline was changed to the spring.

On June 12, 2020, the Office of Management and Budget approved the collection of EEO-1 Component 1 data from covered employers. The EEOC announced it will begin collecting the 2019 EEO-1 Component 1 data along with the 2020 EEO-1 Component 1 data in March 2021. The EEOC will notify filers of the precise date the collections will open as well as the new deadline by posting a notice on the EEOC home page and sending a notification letter to eligible EEO-1 filers.

Importantly, at this time the EEOC does not plan to continue collecting Component 2 data, after a long-fought legal battle to collect such pay data that began in 2016 (see End to EEO-1 Component 2 Pay Data Reporting for Now…). The EEOC explained “[a]t this point in time, the unproven utility to its enforcement program of the pay data as defined 2016 Component 2 is far outweighed by the burden imposed on employers that must comply with the reporting obligation.” Specific details for the 2021 filing of 2019 and 2020 data are forthcoming, and we will continue to monitor the situation and provide updates as they become available.

Non-Binary Self-Identification

For years now, employers have struggled with how to report employees who do not identify as male or female in the EEO-1 Report and Affirmative Action Program (“AAP”).

While the EEOC previously issued an FAQ instructing employers to report this information in the comments section of the EEO-1 Report, that may not be a sustainable or efficient solution. Since the Supreme Court’s Bostock v. Clayton County decision holding that Title VII protects LGBTQ people from workplace discrimination, there is increased discussion about whether the EEOC will provide a non-binary reporting option on its EEO-1 Report, in addition to the existing categories of male, female, and wish not to disclose. As of right now, there is no formal guidance beyond the prior FAQ.

The Office of Federal Contract Compliance Programs (“OFCCP”), by contrast, recently released a FAQ addressing self-identification in the AAP context. While OFCCP does not mandate a particular method for collecting self-identification demographic information of its employees and applicants, nearly all contractors covered by OFCCP regulations are required to submit an EEO-1 Report (see above). As a result, most contractors use self-identification forms issued by the EEOC for compiling information about a person’s sex, race, and ethnicity.

OFCCP encourages contractors to rely on employee self-identification to obtain this information. Alternatively, contractors may use visual observation where self-identification is not feasible. However, deference should be given to an individual’s self-identification and it should not be questioned or overridden by a contractor based on visual observation.

OFCCP’s updated FAQs instruct: “If an employee or applicant chooses to self-identify as non-binary, or as a gender other than male or female, the contractor must still include the individual in its affirmative action program (“AAP”). However, the contractor may exclude that individual’s data from the gender-based analyses required by OFCCP’s regulations.” Contractors are forbidden from asking applicants or employees for documentation to prove their gender identity or transgender status. Thus, OFCCP does not require a non-binary option for self-identification, but contractors can certainly add one as opposed to employees and applicants choosing between male, female, and wish not to disclose.

VETS-4212 Reports

Federal contractors and subcontractors with a contract or subcontract of $150,000 or more are required to file the VETS-4212 Report with the Department of Labor by September 30, 2020.

The VETS-4212 Report requires, among other things, contractors and subcontractors to provide the total number of employees in their workforces by job category and hiring location; the total number of such employees, by job category and hiring location who are protected veterans; the total number of new hires during the period covered by the report; and the total number of new hires during the period covered by the report who are protected veterans.

The saga of what is prohibited and what is covered by an exception to the National Defense Authorization Act, FY 2019, Section 889 prohibition on the use or delivery of covered telecommunications and video surveillance equipment and services continues.

As reported previously, the FAR rule implementing Section 889(a)(1)(B)’s prohibitions was published on July 14, 2020 as an interim rule to be effective August 13, 2020. The representations portion of the rule was recently postponed to October 26, 2020, but the notice of this delay does not state that it applies to the actual FAR 52.204-25 (August 2020) clause that is being put into government procurements and contracts. This means that, without more, contractors must still comply with this clause when it is included in their contracts. Not only is the clause being included in solicitations, but efforts are being made to include the clause in existing contracts. Thus, though representation of compliance is not required, compliance with the clause is. The clause requires that you identify and report when you discover covered equipment or services are being used and that you provide a plan for replacement of discovered covered equipment or services. Thus, it is imperative that contractors think about what they are required to do to comply with the provisions of both parts (a)(1)(A) and (a)(1)(B) of Section 889, and work towards compliance.

GSA

The GSA has issued a set of decision trees for agency evaluation of whether and to what extent the prohibition of, or an exception to, Section 889(a)(1)(A) and (a)(1)(B) will apply. The decision trees do not, however, afford the user any further clarity on what is intended by key terms of the Section – “use,” “public safety,” “security of Government facilities,” “critical infrastructure,” or “national security purposes.”

Notable, as well, is that the decision tree does not explain how the user can determine whether equipment can “route or redirect user data traffic or permit visibility into any user data.” Given reported concerns with the incorporation of USBAnywhere “bugs” into baseboard management controllers, which attackers can then use to exfiltrate data or manipulate images or systems through a virtual mouse and keyboard, one wonders how a contractor could, on its own and without a forensic analysis, reasonably determine that equipment cannot route or redirect traffic or data.

For those that have questions like these or others, GSA is hosting a “GSA Live Webinar regarding GSA’s Implementation of Section 889” on September 10th.

NASA

On August 11, 2020, NASA issued a memorandum for its contracting community regarding implementation of Section 889(a)(1)(B). The NASA memorandum emphasizes that the rule “does not flowdown to subcontractors,” but it provides little guidance concerning the parameters of the “reasonable inquiry” its prime contractors are required to undertake. Thus, despite stating that “[t]he purpose of this memorandum is to work with our industry partners to ensure there is awareness about this FAR requirement and to assess if your company will be impacted by it,” the memorandum and its attachments are not particularly helpful.

The takeaway: In light of the imminent application of the clause, contractors should be on the lookout for guidance being issued by their contracting agency and consider asking questions in order to ascertain how these prohibitions will be interpreted and implemented under their contracts.

We are following these issues closely. If you have questions about Section 889 implementation or other government contracts matters, contact the author, or your Stinson counsel.

Stinson LLP Partner Eric Whytsell was elected this August to serve as Section Secretary of the American Bar Association’s (ABA) Public Contract Law Section.

The secretary position is the first step on the “leadership ladder” of the Public Contract Law Section, the preeminent professional association of lawyers engaged in public contracting, including federal, state, local government contracting, research and development, grants, and agreements, as well as contingency, battlefield and host nation contracting. The section includes attorneys from all segments of the public contracting community.

This position further expands Whytsell’s involvement as a leader within the section. He will continue to co-chair the section’s Publications Board, and will also sit on the section’s Finance Committee and serve as liaison to other procurement organizations such as the National Defense Industry Association (NDIA) and the National Contract Management Association (NCMA). In addition, he will become a member of the ABA’s Section Officers Council, which is comprised of the officers from all ABA sections, divisions and forums.

He aspires to collaborate with other section leaders to improve public procurement and grant law at the federal, state and local levels; promote the national security interests of the United States through cybersecurity and supply chain integrity; and drive membership, diversity and inclusion throughout the public contracting community.

Whytsell has been actively involved with the Public Contract Law Section for more than a decade, serving as co-chair and vice chair of various section committees, including State and Local Procurement, Intellectual Property, Cybersecurity, Privacy and Data Protection, and Subcontracting, Teaming and Strategic Alliances. He has also co-edited two books published by the section relating to subcontract terms and conditions.

In his practice, Whytsell helps clients assess, understand, and develop and implement practical strategies to address complicated issues throughout the government contract life-cycle. He helps contractors and subcontractors navigate a wide variety of complex compliance issues and represents them in bid and size protests, government and contractor claims, and audits and internal investigations. A significant portion of his work involves negotiating contracts, subcontracts, teaming and joint venture agreements, and joint IP development and license agreements. He assists clients in a range of sectors, including technology and IT services, R&D, defense, cybersecurity, construction, transportation, manufacturing, financial services, education, health care, and biotech. Whytsell co-chairs Stinson’s Government Contracts and Investigations practice group.