
Recently I participated in the National Defense Industrial Association (NDIA) Cyber Division’s Cyber Law and Policy Committee tabletop exercise on the identification and treatment of Controlled Unclassified Information (CUI) for purposes of compliance with DFARS 252.204-7012, Safeguarding covered defense information and cyber incident reporting, and the new Interim DFARS rules, 252.204-7019 and 252.204-7020, on Basic Assessment and Cybersecurity Maturity Model Certification (CMMC).

Co-chair Rolando Sanchez and I wrote the following article on CUI identification and handling, which was published in the April 7, 2021 National Defense Magazine: https://www.nationaldefensemagazine.org/articles/2021/4/7/controlled-unclassified-information—the-devil-is-in-the-details.

We are planning another NDIA exercise on cyber incident handling for the late April/May timeframe.  Cybersecurity is an evolving area and government contractors at all tiers have become targets of cyber criminals, terrorists, and nation states.  Staying ahead of the curve, knowing what data you have and your requirements to protect that data, and taking steps to ensure compliance, make for sound cyber hygiene and good business.

This article was published in NDIA Defense Magazine and reprinted here with their permission.  Rolando Sanchez is co-author.

With the change in administration, government contractors should anticipate increased scrutiny of their pay practices. President Biden signaled heightened pay equity enforcement on his first day in office by appointing Jenny Yang the Director of the Office of Federal Contract Compliance Programs (“OFCCP”). Director Yang previously served as the Equal Employment Opportunity Commission (“EEOC”) Chair in the Obama Administration, where she spearheaded the effort to collect pay data from employers as part of the EEO-1 form. See our prior article on the pay data collection saga here. While the result of this story was that pay data will not be part of the 2021 EEO-1 report, like OFCCP, the EEOC also is expected to focus on compensation discrimination under the Biden Administration.

Government contractors are strongly encouraged to be proactive about pay equity analyses and to retain legal counsel to conduct a privileged audit. Such an audit is important for locating potential disparities, obtaining information about whether those disparities can be explained by legitimate non-discriminatory reasons, and, when necessary, identifying actions that may need to be taken to address unexplainable discrepancies. Contractors should also review written compensation policies to ensure that all relevant factors are identified and that the use of market compensation studies does not perpetuate sex-based pay gaps.

The 2019 and 2020 EEO-1 Component 1 data collection is expected to open in April 2021. While again, the data collection does not currently include reporting of pay data, we anticipate subsequent data collections to require pay data collection in some form. States are also beginning to consider pay data reporting laws, and California has already enacted a pay reporting law that requires the first report by March 31, 2021.

Stinson’s government contracting and employment attorneys are monitoring developments in this area.

Recent weeks have brought news on multiple fronts regarding supply chain risks and actions in response thereto:

Commerce ICTS Regulations to Go Into Effect; Chinese ICTS Companies, Products and Services in the Headlights

The Trump Administration rolled out regulations to implement prohibitions on the use or delivery of covered Chinese telecommunications and video surveillance products and services. Additionally, its Department of Commerce had engaged in rulemaking to implement processes and procedures for identifying supply chain risks posed by Chinese Information and Communications Technology Sector (ICTS) companies, products and services. The Biden Administration has come to town and many have wondered what is going to happen to this rulemaking when it becomes effective in March 2021. Law360 quotes the new Secretary of Commerce as saying “The Biden-Harris administration has been clear that the unrestricted use of untrusted ICTS poses a national security risk…Beijing has engaged in conduct that blunts our technological edge and threatens our alliances.” For those wondering whether the Biden Administration will continue its tough stance on Chinese ICTS, China and ICTS remain a target of potential enforcement activities under the Biden Administration: “The administration is firmly committed to taking a whole-of-government approach to ensure that untrusted companies cannot misappropriate and misuse data and ensuring that U.S. technology does not support China’s or other actors’ malign activities.” The Administration has backed up these words with actions, applying the Commerce rules to issue subpoenas to Chinese ICTS firms to further assess the risks they pose to the supply chain. However, the Administration is also holding talks with China this week and one wonders whether and to what extent this action is intended to impact that discussion.

FCC Votes to Revoke US Operating Licenses of Two Chinese Telecommunications Carriers

China Unicom, Pacific Networks and subsidiary ComNet USA LLC are now being considered for termination of their Section 214 licenses to interconnect with U.S. networks. Last spring, they were identified as potentially under the influence and control of the Chinese government. While they objected to that notion, Law360 reports that a Federal Communications Commission (FCC) staffer said that both “failed to dispel serious concerns” about their security and data use practices.

White House Previews Cybersecurity Ratings System

The White House recently previewed a proposal to promote more informed government procurement of software through a cybersecurity rating system. During a March 12, 2021 background press call, a senior administration official explained that the Biden Administration would like to make it easier to know the degree of cybersecurity offered by software companies selling to the federal government. The official touted the example of New York City Mayor Mike Bloomberg’s requiring restaurants to display their sanitation rating (A, B, C, D) in their front window “to make a market around health and sanitation.” They also referenced a similar approach being used by Singapore for Internet of Things devices, which provides cybersecurity standards for different types of devices (e.g. baby monitors) so consumers will know the level of cybersecurity offered by the product they’re buying. The Administration hopes to spur the development of a similar market for cybersecurity in the United States and promises an Executive Order addressing these issues in a couple weeks.

Court Enjoins DoD’s Designation of Xiaomi Corp. as a Communist Chinese Military Company

Under Section 1237 of the National Defense Authorization Act for FY 1999, the International Emergency Economic Powers Authority (IEEPA), U.S. persons are prohibited from purchasing or otherwise possessing publicly traded securities of Communist Chinese Military Companies (CCMC) or derivatives of such securities. CCMCs are defined under the IEEPA to include a person owned or controlled by, or affiliated with, the People’s Liberation Army, ministry of the People’s Republic of China (PRC), or an entity affiliated with the PRC defense industrial base. Executive Order 13959, issued in November 2020, implements the IEEPA.

Xiaomi, a multinational consumer electronics corporation that is headquartered in China and incorporated in the Cayman Islands, is the third-largest smartphone manufacturer in the world by volume and has a significant presence in the United States. In January 2021, the Department of Defense (DoD) submitted to Congress its list of designated CCMC companies, which included Xiaomi.

To avoid implementation and the adverse effects of the action, Xiaomi filed a suit for emergency injunctive relief and a preliminary injunction against enforcement of the IEEPA restrictions in the District Court for the District of Columbia. In that suit, the District Court found that Xiaomi had established that it was likely to succeed on the merits and to suffer irreparable harm absent an injunction, that the balance of equities tipped in favor of granting Xiaomi injunctive relief, and that such an injunction was in the public interest. The decision indicates that the Court relied on the Administrative Procedure Act and determined that, under that authority, the DoD, in its defense of the action, did not provide sufficient reasoning to show the nexus between the facts and the conclusion that Xiaomi was a CCMC: “Even given this deferential standard, the Court finds that reasonable minds would be hard-pressed to accept as adequate the Department of Defense’s Xiaomi CCMC determination based on the paltry evidence on which the decision rests.” This decision makes real the conundrum of how to address supply chain risks when disclosure of the basis for the finding may pose risks in and of itself.

For government contractors, moving forward, there is still the DoD Federal Acquisition Regulation Supplement (DFARS) Supply Chain Risk Rule, 252.239-7018, which provides the DoD with authority to manage its supply chain risks by considering public and non-public information to determine whether an entity that sells information technology supplies or services to the DoD poses a supply chain risk. That rule provides that there is no right to appeal or protest. The District Court decision did not discuss the Supply Chain Risk Rule in making its decision. Given this, we are still left to question whether the District Court would even take jurisdiction over an action to enforce a supply chain risk ruling based on the DFARS rule, and related statute, 10 U.S.C. 2339a.

When an agency makes an award to the incumbent, the disappointed offerors often believe that the incumbent’s performance of the previous contract must have given it an impermissible leg up on the competition in the form of an organizational conflict of interest (“OCI”). However, as the recent Government Accountability Office (“GAO”) decision in Lukos-VATC JV III, LLC, B-418427.9; B-418427.11 (December 22, 2020), makes clear, in and of themselves, the natural advantages of incumbency do not constitute an impermissible OCI—and aspirational arguments to the contrary will be unavailing.

This protest involved the award of a contract for training support services to be provided in conjunction with the Special Operations Forces Requirements Analysis, Prototyping, Training, Operations and Rehearsal (SOF RAPTOR) IV requirement. The SOF RAPTOR IV contract would provide special operations forces (SOF) training for counter terrorism, counter narco-terrorism, counter proliferation and unconventional warfare missions using a mix of live, virtual, and constructive simulation scenarios.

The protester, Lukos VATC JV III, LLC (“Lukos”), was one of ten offerors, along with the awardee, F3EA, Inc. (“F3EA”). After taking corrective action in response to other protests of the initial award to F3EA, the agency reevaluated the proposals and again awarded to F3EA after finding F3EA’s proposal offered the highest technical rating and the lowest price of eligible offerors.

After requesting and receiving a debriefing, Lukos protested the decision, asserting among other things that an OCI rendered F3EA ineligible for award. More specifically, Lukos argued generally that F3EA has either an unequal access to information OCI or a biased ground rules OCI because F3EA allegedly wrote the performance work statement (“PWS”) for the predecessor RAPTOR III contract. According to Lukos, F3EA’s alleged creation of the earlier solicitation’s PWS put F3EA in a position to favor its own products or capabilities under the current requirement, thereby creating an unfair competitive advantage.

The agency’s response explained that the government itself prepared the PWSs under both the RAPTOR III and IV contracts. While F3EA was a member of the incumbent joint venture and was involved in helping to refine the customer’s needs on task orders performed under the RAPTOR III contract, F3EA did not author those requirements, and the agency purposefully and significantly changed the requirements when developing the RAPTOR IV requirements. On that basis, the agency denied the existence of an OCI. Lukos contended that the changes were insufficient to mitigate the OCI.

However, the GAO disagreed with the protester and found that absent “hard facts” to evidence preferential treatment or unfair action by the agency, it would uphold the agency’s reasonable consideration of F3EA’s situation and action to prepare the RAPTOR IV requirements itself.

In its decision, the GAO reiterated the well-established guidance that contracting officers must exercise “common sense, good judgment, and sound discretion” in assessing whether a potential conflict exists and in developing appropriate ways to resolve it, and that the primary responsibility for determining whether a conflict is likely to arise, and the resulting appropriate action, rests with the contracting agency. The GAO then noted the equally well-established requirement that OCI determinations be based on “hard facts” indicating the existence or potential existence of a conflict. Mere inference or suspicion of an actual or potential conflict is not enough. The GAO reviews agency OCI determinations for reasonableness and, so long as the agency has given meaningful consideration to whether a significant conflict of interest exists, the GAO will not substitute its judgment for the agency’s absent clear evidence that the agency’s conclusion is unreasonable.

Here, the GAO found that Lukos’s protest arguments lacked the necessary hard facts, characterizing them instead as essentially the contention that F3EA was the incumbent contractor and thus had a competitive advantage in the competition. Lukos did not provide any evidence that F3EA prepared the PWS for the RAPTOR IV procurement or set its ground rules, had unequal access to non-public information of the nature that gives rise to an OCI, or otherwise had impaired objectivity in its performance of the RAPTOR IV contract. Nor did the GAO find F3EA’s role in “refining” requirements under the RAPTOR III contract to equate to preparing the PWS under the RAPTOR IV contract, based in part on the fact that the agency did provide hard facts demonstrating the opposite.

The GAO also voiced its consistent refrain that (i) the mere existence of a prior or current contractual relationship between a contracting agency and a firm does not create an unfair competitive advantage; and (ii) an agency is not required to compensate for every competitive advantage gleaned by a potential offeror’s prior performance of a particular requirement. For example, an incumbent contractor’s acquired technical expertise and firsthand knowledge of the costs related to a requirement’s complexity are not generally considered to constitute unfair advantages the procuring agency must eliminate. There must be more.

Here, Lukos alleged only general assertions and no hard facts. That, along with the absence of any evidence of preferential treatment or unfair action by the agency, led the GAO to conclude that the agency’s OCI determination concerning F3EA reflected a reasonable conclusion that F3EA has only the normally occurring advantage that any incumbent may possess—and no OCI problem. The protest was denied.

The lesson here is simple: if you want to challenge a contract award on OCI grounds, you need to make sure that you have some hard facts indicating that an OCI exists or may exist. Without that, the protest will likely result in more disappointment for you.

If you have questions about this blog, protests, OCIs, or other government contracting questions, contact the author or your Stinson counsel.


If you don’t know about SolarWinds, then you haven’t been reading the news for the past six months. In October 2020, it was reported that a widely-used networking tool that helps companies in the public and private sectors manage their Information Technology (IT) portfolios, the SolarWinds Orion product, had been compromised. Publicly, it has been reported that about 18,000 private and government users downloaded the tainted software update, and it provided Russian hackers access to their systems. The hack hit Federal agencies, including the Departments of Treasury, Commerce, and State, the Department of Homeland Security (DHS), the National Security Agency, and parts of the Pentagon, as well as public and private sector companies. The breadth and depth of this hack are still being assessed.

On December 13, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, Mitigate SolarWinds Orion Code Compromise. At that time it reported that the only known mitigation measure available was to disconnect or power down the SolarWinds Orion platform. The Emergency Directive advised readers to review the MITRE ATT&CK site to aid in identification of possible Advanced Persistent Threat (APT) tactics, including account manipulation, cloud credentialing, delegated email permissions, added global administrator roles, and so on. The Emergency Directive has been updated a number of times since that initial notice (December 18, 2020, December 30, 2020, and currently January 6, 2021). The current version of the Emergency Directive identifies a “malicious backdoor AKA TEARDROP or SUNBURST” and various Orion Platform versions affected by the hack. The current Emergency Directive also identifies follow-up actions, including continuing to keep certain networks that ran the affected malware “and have evidence of follow-on threat actor activity” disconnected, and not rebuilding or reimaging the affected platforms and host operating systems pending consultation with CISA. This Emergency Directive also prohibits rejoining or joining the host operating system to the enterprise domain for those entities affected by the hack. Other Federal agency networks that did not use the platform, or that only experienced “initial beaconing activity” and no follow-on activity, are also required to take appropriate actions as specified by the Emergency Directive.

On March 3, 2021, the CISA issued a new Emergency Directive 21-02, Mitigate Microsoft Exchange On-Premises Product Vulnerabilities. This Emergency Directive identifies another incident involving active exploitation of vulnerabilities, this time involving Microsoft Exchange on-premises products. The Emergency Directive 21-02 advises that “Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.” It provides that agencies are to conduct a forensic analysis, disconnect where indication of compromise is detected, and report, as well as other actions. Agencies that do not have expertise to conduct these types of actions are required to immediately report the incident to CISA.

While these Emergency Directives are aimed at Federal agencies, they also provide insight into APTs targeting the public sector contracting community. Forewarned is forearmed. Maintaining sound cyber hygiene, developing a cyber threat incident response plan, keeping abreast of developments and emerging threats, and taking appropriate action swiftly are essential to a company’s continued security.

The American Bar Association (ABA) Public Contract Law Section, in conjunction with the ABA Cybersecurity, Privacy and Data Protection Committee, the SciTech Homeland Security Committee, and the ABA Cybersecurity Legal Task Force, is hosting a webinar on March 5th to discuss the implications of SolarWinds and its impact on the supply chain.

If you have questions about this blog, or other government contracting questions, contact the author or your Stinson counsel.