Understanding the requirements for compliance with the interim DFARS rule on basic assessment and compliance with Cybersecurity Maturity Model Certification (CMMC) is not a task for the faint of heart. The rule requires that you accurately report the status of your compliance with the cybersecurity requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and, for specific procurements in the initial CMMC pilot program and moving forward, that you address your level of compliance under the CMMC program. Preparation here is crucial as the Department of Defense (DoD) has announced that all contractors, except those solely furnishing Commercial Off-The-Shelf (COTS), must submit their basic compliance assessment into the Supplier Performance Risk System (SPRS) to be considered for future contract awards.
In the Wake of Colonial Pipeline Cyber Incident, President Issues Executive Order on Improving the Nation’s Cybersecurity – What Will It Do?
If you live on the East Coast and tried to get gasoline last week, you already know firsthand the impacts that a cyber incident can wreak on the supply chain. As a result of the Colonial Pipeline cyber incident, a ransomware attack that led to the six-day shutdown of a key pipeline for gasoline, diesel and jet fuel, the East Coast experienced widespread gas station outages. According to CNN, impacts from the attack are anticipated to continue through Memorial Day. Specifically, the 5,500-mile pipeline flows at five miles per hour, and it is anticipated that it could take weeks to refill the nearly empty storage caused by the cyber-initiated stop. Readers of this blog have seen a number of our reports on the increasing number and scope of threats to the supply chain being posed by cyber criminals, terrorists, nation states, and nation state actors. However, experiencing the long lines and closed gas stations brings home in a very personal way the criticality of protecting our nation’s infrastructure against cyberattacks.
In the wake of the shutdown, a $5 million ransom was paid to the hackers, DarkSide. NBC News reported that the White House’s deputy national security adviser for cyber and emerging technologies apparently acknowledged that companies’ paying ransom to the criminals may be in their best interest. However, that same source reported that the White House’s advice remains that victims not pay the ransom. This advice is consistent with advice issued during the Trump Administration by the Department of Treasury Office of Foreign Assets Control (OFAC), which issued an advisory on October 1, 2020 stating that paying ransom to bad actors may violate OFAC regulations and lead to sanctions. Government contractors and those in their supply chain that violate OFAC sanctions may be debarred, suspended, or otherwise ineligible to receive government contracts, subcontracts, grants or agreements. OFAC will “consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.” These various positions leave companies not knowing which way to go if they suffer a cyberattack.
On May 12, 2021, President Biden issued a twenty-one page Executive Order on Improving the Nation’s Cybersecurity (EO), with the apparent intent of establishing a path for securing the supply chain and addressing cyber vulnerabilities and incidents. The EO states that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority” and it seeks to address the cybersecurity of not only government and government contractors, but also the consumer public. The EO addresses five main areas: (1) removing barriers to sharing threat information; (2) moving towards Software Bills of Materials (SBOMs) and Zero Trust Architecture and establishing standards and procedures to modernize federal cybersecurity; (3) establishing a public-private Cyber Safety Review Board, akin to the National Transportation Safety Board, to review and assess significant cyber incidents and provide follow-up recommendations; (4) improving detection of cybersecurity vulnerabilities and incidents on Federal government networks; and (5) adopting additional requirements for National Security Systems.
(1) Removing barriers to sharing threat information
A significant focus of the EO is on collecting and preserving information in the hands of information technology (IT) and operational technology (OT) services providers in the Federal supply chain. However, the EO seeks to collect information beyond that which would normally be covered by contract scope and activity-focused provisions, by seeking the development and implementation of new regulations to require IT and OT services providers to “collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control.” Emphasis added. This direction would include not only requirements for systems operated on behalf of federal agencies, but also the contractor’s other systems “over which they have control.” Significantly, the EO also would seek recommended provisions to require what could become an unlimited responsibility on the part of service providers to share their data, information, and reporting as “relevant to any agency with which they have contracted … and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies.” Emphasis added. Since privacy laws and regulations include national security exceptions, this could become a very broad mandate indeed. The EO also would require service providers to “collaborate” with federal agencies in investigations and responses to actual or potential incidents on Federal information systems, including monitoring networks for threats in collaboration with agencies they support.
The risk here is that an overbroad provision will require that too much information be collected and will overburden the system. Given limitations on government resources for analysis and action, too much information may lead to delays in the identification of truly significant information. Finding a balance to ensure that the right kinds of information are identified and shared, and that this does not merely become an exercise of garbage in, garbage out, will be imperative. Under the EO, the FAR Council is charged with publishing “proposed updates to the FAR” for these purposes within 90 days of its receipt of the recommendations of the designated government entities.
(2) Moving towards SBOMs and Zero Trust Architecture
Many of the threats and incidents reported in recent years have arisen because of flaws or malware that are baked into the software and systems being used to carry data. This portion of the EO would address this situation in part by developing guidance and standards and moving to implementation of Zero Trust Architecture. The EO broadly defines Zero Trust Architecture in the definition section of the EO as follows:
The term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuing verification of the operational picture via real-time information from multiple sources to determine access and other system response. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. …
The definition goes on. The intent to ensure restricted access and continuous surveillance to make things safer is understandable. However, the risks here are that the systems put in place to provide this safety may themselves be too intrusive, or that they may be susceptible to compromise and used as a vehicle to compromise the systems they would monitor and protect. Thus, the devil will be in the details of how this concept may be implemented.
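To make the EO’s definition concrete, the following is an added example (not code from the post, the EO, or any agency) of a minimal Zero Trust policy decision point: every request is denied unless an explicit entitlement exists, identity and device posture are re-verified from separate real-time sources, a device flagged as compromised is cut off immediately, and anomalous activity steps the subject down to read-only. All subject names, device identifiers, entitlements and telemetry values are constructed for illustration.

```python
# Added example (not from the post or the EO): a minimal Zero Trust policy
# decision point applying the EO definition's principles: no implicit trust,
# continuous verification from several real-time signal sources, least
# privilege, and containment of a compromised device. All values constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

MAX_SESSION_AGE = timedelta(minutes=30)    # re-verify identity at least this often
MAX_ATTESTATION_AGE = timedelta(hours=1)   # device posture must be this fresh
NOW = datetime(2021, 5, 12, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

@dataclass
class AccessRequest:
    subject: str
    device_id: str
    resource: str
    action: str
    authenticated_at: datetime
    mfa_passed: bool

@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    attested_at: datetime

@dataclass
class Signals:
    """Real-time inputs from multiple sources (identity provider, MDM, SOC)."""
    posture: Dict[str, DevicePosture]              # device_id -> latest report
    compromised_devices: Set[str]                  # flagged by EDR / SOC
    anomalous_subjects: Set[str]                   # flagged by behavioural analytics
    entitlements: Dict[Tuple[str, str], Set[str]]  # (subject, resource) -> actions

def decide(req: AccessRequest, sig: Signals, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Nothing is trusted because of network
    location or an earlier decision; every request is re-evaluated."""
    # Least privilege: explicit entitlement for this action on this resource.
    if req.action not in sig.entitlements.get((req.subject, req.resource), set()):
        return False, "no entitlement for action on resource"
    # Continuous verification of identity: recent, MFA-backed authentication.
    if not req.mfa_passed:
        return False, "mfa required"
    if now - req.authenticated_at > MAX_SESSION_AGE:
        return False, "authentication too old, re-verify"
    # Containment: a device flagged by the SOC loses access immediately.
    if req.device_id in sig.compromised_devices:
        return False, "device flagged as compromised"
    # Device posture from a second source, and it must be fresh.
    posture = sig.posture.get(req.device_id)
    if posture is None or now - posture.attested_at > MAX_ATTESTATION_AGE:
        return False, "no fresh device attestation"
    if not (posture.managed and posture.disk_encrypted):
        return False, "device posture below policy"
    # Behavioural signal: anomalous subjects are stepped down to read-only.
    if req.subject in sig.anomalous_subjects and req.action != "read":
        return False, "anomalous activity, write access withheld"
    return True, "all checks passed"

def sample_signals(now: datetime = NOW) -> Signals:
    """Constructed telemetry snapshot for the demo."""
    return Signals(
        posture={"laptop-1": DevicePosture(True, True, now - timedelta(minutes=5)),
                 "laptop-2": DevicePosture(True, True, now - timedelta(hours=3))},
        compromised_devices={"laptop-9"},
        anomalous_subjects={"bob"},
        entitlements={("alice", "payroll-db"): {"read"},
                      ("bob", "payroll-db"): {"read", "write"}},
    )

def make_request(subject: str, device_id: str, action: str, minutes_since_auth: int,
                 mfa: bool = True, resource: str = "payroll-db") -> AccessRequest:
    """Build a request authenticated `minutes_since_auth` minutes before NOW."""
    return AccessRequest(subject, device_id, resource, action,
                         NOW - timedelta(minutes=minutes_since_auth), mfa)

if __name__ == "__main__":
    for req in (make_request("alice", "laptop-1", "read", 2),
                make_request("alice", "laptop-9", "read", 2),
                make_request("bob", "laptop-1", "write", 2)):
        print(req.subject, req.device_id, req.action, "->", decide(req, sample_signals(), NOW))
```

Each denial carries its reason so the decision can be logged and reviewed, which is the monitoring half of the definition; in a real deployment the signal sources would be live feeds rather than the constructed snapshot used here.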
SBOMs are a concept that has been discussed for quite a while, but implementation in the past has been elusive. BOMs are traditionally used in major weapon system procurements to ensure that such systems only use qualified products and components and are manufactured and maintained to maximize the integrity of the system, as well as its safety and security. Requiring documentation of the provenance of software being used or incorporated into government systems makes good sense. Software may be created anywhere, and may include bits and pieces from open sources and other sources that are susceptible to compromise.
(3) Establishing a public-private Cyber Safety Review Board
The National Transportation Safety Board is a well-known group that swoops in when an accident occurs to assess root causes and render recommendations to respond to significant transportation issues. Analogously, the EO seeks to establish a Cyber Safety Review Board to review and assess “significant cyber incidents” affecting not only Federal systems, but also “non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.” The intent is to appoint a Board comprised of Federal officials and a member of the private sector. Others may be invited to participate on a case-by-case basis. Key to its success will be the designation of persons with sufficient knowledge and experience.
(4) Improving detection of cybersecurity vulnerabilities and incidents on Federal government networks
The EO would establish a standardized set of responses and processes for cyber vulnerabilities and incidents to “ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress.” The plan includes defining key terms and a shared lexicon among agencies. Anyone who has been involved in a cyber tabletop exercise or actual cyber incident investigation knows that different agencies have different protocols and contacting the right government officials to report and to obtain direction may be challenging. Developing lines of authority and a set of best practices for agencies to apply would be beneficial.
(5) Adopting additional requirements for National Security Systems
The EO does not go into detail on this point. However, the intent appears to be to coordinate additional requirements for the safety and security of National Security Systems through codification in a National Security Memorandum.
The EO borrows in large part from EOs, policies, concepts and activities that have been issued or identified over the past decade or longer. However, it does so in a more expansive way. The intent appears to be to create a forcing mechanism to develop increased cybersecurity throughout not just the Federal sector and supply chain, but the general public. The directives contained in the EO will need to be implemented through formal rulemaking. While the EO anticipates a public notice and comment process, with regulations revised based on the comments received, there is little doubt in this author’s mind at least that the Administration’s activities to implement this EO will be set in motion long before that rulemaking is completed and final regulations are issued. Contractors should be tracking these developments and considering whether and to what extent to submit comments. The aim here should be to facilitate final implementation of a set of regulations and requirements that is executable and not overly intrusive.
We are tracking developments in this area closely. If you have questions about this blog, or other government contracting matters, contact the author or your Stinson counsel.
Antitrust Developments and the Potential Impact on Government Contractors
The Remedy of Divestiture: Steves and Sons, Inc. v. JELD-WEN, Inc.
For what is believed to be the first time ever, a private plaintiff successfully challenged an already consummated merger under antitrust law and won divestiture as part of its remedy. Does this pose an increased risk of divestiture as an antitrust remedy only in private party lawsuits? Or does it also give rise to a risk of divestiture in cases brought against entities involved in public sector contracts, grants, and programs?
In Steves and Sons, Inc. v. JELD-WEN, Inc., 988 F.3d 690 (4th Cir. 2021), the Fourth Circuit upheld a district court decision that ordered, inter alia, JELD-WEN, Inc. (“JELD-WEN”) to divest a manufacturing plant that it acquired as part of its merger with a competitor, CMI.
This case involves the “doorskin” market—doorskins form the front and back of “molded doors.” Steves and Sons, Inc. (“Steves”) sells molded doors, but purchases its doorskins from other manufacturers such as JELD-WEN. In contrast, JELD-WEN is vertically aligned. That is, it produces and sells both molded doors and doorskins.
Before merging with CMI, JELD-WEN was one of three manufacturers of doorskins, along with CMI and Masonite. JELD-WEN entered into a long-term supply agreement with Steves (and other independent sellers of molded doors) under which prices would vary according to costs. The agreements were subject to automatic seven-year renewals. When it decided to merge, JELD-WEN and CMI notified the DOJ of the proposed merger. The DOJ investigated, did not take action, and in October 2012 JELD-WEN and CMI consummated the merger.
After the merger, Steves reported that it noted a quality decrease in JELD-WEN products, and that JELD-WEN increased its prices even though trial evidence showed that its costs decreased. Moreover, Masonite, the second of the two remaining manufacturers of doorskins post-merger, stopped selling to the independent molded door makers altogether. Then, in 2014, JELD-WEN gave notice to Steves that it would terminate its long-term supply agreement, effective September 2021.
After unsuccessfully attempting to resolve the dispute without litigation, Steves filed a private action under the Clayton Act seeking treble damages as a party injured by the merger. A jury trial was conducted and the district court awarded Steves more than $36 million in past damages on the antitrust claim and, perhaps most important, ordered divestiture of Towanda, the doorskin manufacturing plant that JELD-WEN acquired from CMI.
On appeal, the Fourth Circuit considered eight distinct issues and, in addition to other holdings, affirmed the district court’s ruling that divestiture was the proper remedy. In doing so, the Fourth Circuit also denied JELD-WEN’s defense of laches. The court held that Steves’s four-year delay in bringing suit was not presumptively unreasonable because of the fact-intensive nature of the defense. Notably, the court stated that the delay should be measured from when Steves “discover[ed] or with reasonable diligence could have discovered the facts giving rise to its cause of action” and been “able to pursue a claim.” Under this standard, 2014 was the relevant date—that is, Steves did not learn of the threatened antitrust injury until JELD-WEN announced that it was terminating its long-term supply agreement with Steves. Further, the court held that Steves’s efforts to exhaust alternative remedies should not contribute to the establishment of laches.
As to the equitable factors leading to the divestiture remedy, the court focused on the fact that Steves was a family-owned business in operation for more than 150 years. Permanent loss of business and corresponding goodwill has long been recognized as an irreparable injury that money damages are incapable of curing. Moreover, the Clayton Act authorizes divestiture to serve “the high purpose of enforcing the antitrust laws.” Without divestiture, the threat to Steves would remain. The court noted that although the financial hardship to JELD-WEN would be significant, its hardship was outweighed by the threat to Steves’s continued existence. Finally, the court concluded that the remedy of divestiture was appropriate in a private suit, just as it is in a government suit.
The Fourth Circuit ruled that this case was a “poster child” for the remedy of divestiture because it involved a merger that resulted in a duopoly of two companies that were vertically aligned and that had used their market power to threaten the existence of independent molded door manufacturers. True, the court said, the case was far from over given the remaining tasks of appointing a special master to locate a satisfactory buyer and possible future challenges, but, as affirmed here, divestiture was the proper remedy for Steves.
While divestiture has been pursued previously, this case is the first to show that private plaintiffs can be successful in challenging already consummated mergers and seeking divestiture as a remedy. More of these challenges may come, and courts deciding future cases may be more likely to consider divestiture as a remedy. Also noteworthy here is the defense of laches. Although JELD-WEN did not prevail, laches remains relevant as a defense to divestiture and may be addressed in the currently pending Federal Trade Commission suit against Facebook and the Department of Justice case against Google. The outcome of each case remains highly fact-dependent, however, and only time will tell whether divestiture cases (and divestiture orders) will become more common.
Government contractors and grant and program recipients need to take note of this new case on the availability of divestiture as an antitrust remedy. Government contractor antitrust activities have been a focal point for the Department of Justice. In 2019, the Antitrust Division of the Department of Justice announced the formation of a Procurement Collusion Strike Force (PCSF) “focusing on deterring, detecting, investigating and prosecuting antitrust crimes, such as bid-rigging conspiracies, which undermine competition in government procurement, grant, and program funding.” In 2020, the PCSF announced the addition of eleven new partners, raising the number of PCSF agencies and offices committed to the pursuit of antitrust crimes and related fraud to twenty-nine. The PCSF is active and currently pursuing antitrust crimes and related schemes in government procurement, grant, and program funding at Federal, state and local government levels. The PCSF webpage contains links for reporting COVID-19 procurement collusion, in addition to links for reporting other procurement collusion activities. As new laws are passed and programs are implemented to fund the new Administration’s anticipated environment, infrastructure and other programs, we can expect that the PCSF will be on the lookout for those who would take improper advantage of government programs and funding through collusive schemes and fraud-related crimes. Further, whistleblower actions are still actively being pursued under the civil False Claims Act. The antitrust claims in the Steves case, above, involved anti-competitive pricing and other activities that restricted competition by depriving competitors of necessary sources of supply.
Given the importance of pricing and fair competition requirements and certifications in government contracts, such as those relating to the Truthfulness In Negotiations Act and the Independent Price Determination clauses, it is possible that not only the Government, but competitors in the government contracting space may see the remedies available in a private cause of action as another tool in their arsenal.
A key take-away from this case and the continuing focus on antitrust in government contracting: if you are engaged in competing and supplying in the government contracting space, you need to take steps to ensure that such transactions are fair and in compliance with applicable law and regulation, and you need to prepare and preserve the documentation of your analyses and actions. At some point, if a challenge is raised, you may need to establish that you had proper bases for these actions. Documenting your decision-making and having an effective compliance program that proactively trains personnel on what is and is not acceptable conduct and includes self-audits may help you avoid antitrust risks and the kind of situation in which divestiture is considered an appropriate option.
If you have questions about this blog, please contact Nathaniel Gier, Susan Ebner, or your Stinson counsel.
The 2019 and 2020 EEO-1 Component 1 data collection is now open
The U.S. Equal Employment Opportunity Commission (“EEOC”) announced on April 26, 2021, that the 2019 and 2020 EEO-1 Component 1 data collection is now open after being delayed in May of 2020 due to the COVID-19 pandemic. See our prior post addressing the anticipated open date here.
The deadline for submitting 2019 and 2020 EEO-1 Component 1 data is Monday, July 19, 2021. The EEOC is providing employers additional time to file, extending the data collection period this year from 10 weeks to 12 weeks, but employers should start preparing now in anticipation of the July 19 filing deadline.
Contact Amy Conway for more information.
Securing the Supply Chain
Numerous pieces of legislation and regulation have been issued in recent years to address the increased threats to the supply chain. We previously reported on the various aspects of the Section 889 ban on the Government and government contractors’ use and delivery of covered Chinese telecommunications and video surveillance equipment, components and services, and the Section 889 rip and replace requirements being implemented through the Federal Acquisition Regulation (FAR). The Department of Defense (DoD) is engaged in the development of a list of covered product and services entities to identify security threats and facilitate the implementation of Section 889 prohibitions. Contractors across the supply chain are taking steps now to check whether they have or use such covered products or services so that they can rip and replace and truthfully certify their status in the mandatory representations and certifications contained in the System for Award Management (SAM) registration, which registration is essential for doing business with the Federal government.
In addition, activities have also been taking place that impact even those that don’t consider themselves to be government contractors or subcontractors. In July 2020, the Federal Communications Commission (FCC) designated Huawei Technologies Company and ZTE Corporation as “national security threats.” In March 2021, the FCC issued additional designations of five Chinese companies, Huawei Technologies Co, ZTE Corp, Hytera Communications Corp, Hangzhou Hikvision Digital Technology Co and Zhejiang Dahua Technology Co., “found to pose an unacceptable risk to U.S. national security.” There is also litigation involving such designations pending – Huawei has challenged the designation in the U.S. Court of Appeals for the Fifth Circuit. And on April 14, 2021, Law360 reported that the Biden Administration’s Department of Commerce has issued its second subpoena against Chinese information and communications technology companies using authority under the Trump Administration’s executive order which prohibits transactions with foreign actors that threaten national security. Under that authority, the Department of Commerce may investigate to determine whether the entity poses a national security threat.
Congress in the Consolidated Appropriations Act of FY 2021, passed at the end of 2020, appropriated $1.895 billion to “remove, replace, and dispose of communications equipment and services that pose a national security threat.” On March 22, 2021, the FCC issued a proposed rule to modify its Secure and Trusted Communications Networks Reimbursement Program in order to set ground rules for the issuance of payments to fund this rip and replace rule. Comments were due on April 12, 2021, and reply comments are due on April 26, 2021.
One thing is clear from these activities – there is a bipartisan recognition that covered equipment and services pose a national security threat in the U.S. and abroad, and this Administration is not likely to seek a roll back of the prohibition and requirements.
Government contractors previously have been told in the FAR rule that they are not required to “audit” but are to certify based on what they know. However, the Government cannot contract with them if they use or provide this equipment and/or services absent an applicable exception or waiver. Even those that are not direct contractors need to take note as the rule applies to the government contractor supply chain in direct and not-so-direct ways.
For some there may be a carrot to implementation in the form of compensation for the rip and replacement given the FY 2021 Congressional appropriation and the FCC’s recent proposed rule; for others there may be the stick that they will not be able to obtain government contracts or subcontracts, or have options under existing contracts exercised! Stay tuned for further developments as infrastructure proposals or bills are being considered. The author believes it is likely that they too will address this aspect of national security, and that the path of identifying and replacing equipment and services in the supply chain that pose a threat to national security may become a larger part of that agenda.
If you have questions about this advisory, or government contract supply chain matters, contact the author or your Stinson counsel.