The Time to Comply is Now: The New “I-9 Sheriff” is in Town!

As we have previously informed our readers, the Department of Homeland Security (DHS) has issued yet another update to U.S. Citizenship & Immigration Services’ (USCIS) Employment Eligibility Verification Form (commonly referred to as Form I-9).

As of September 18, the revised Form I-9 is in effect, bringing a new paperwork duty for all U.S. employers. All employers who have not already done so must immediately disregard the old version of and begin using the new version of Form I-9. The new form is accessible on the (USCIS) website, and older versions of Form I-9 are no longer available to the public. The new version of Form I-9 is not required for existing employees, since it pertains only to new hires joining a company on or after September 18, 2017.

Following are some reminders for employers to keep in mind during the onboarding process:

  1. While the core requirements of Form I-9 remain unchanged, employers will find minor revisions concerning the instructions and the list of acceptable documents that confirm an intended employee’s identity and employment eligibility. Specifically, USCIS changed the name of the U.S. Department of Justice’s enforcement arm on employment eligibility compliance, namely from the Office of Special Counsel for Immigration-Related Unfair Employment Practices to its new name of Immigrant and Employee Rights Section. What is more, USCIS modified the form’s instructions by removing “the end of” from the phrase “the first day of employment.” As a result, employers should amend their Form I-9 procedures to ensure that all intended employees complete the form’s Section 1 at the outset of the first day of employment.
  2. USCIS has also revised the list of acceptable documents concerning employment eligibility. Notably, USCIS added the Consular Report of Birth Abroad Form (Form FS-240) as an acceptable List C [employment eligibility] document. Form FS-240 is generated by the U.S. Department of State (DOS) at U.S. embassies worldwide to record the birth of a U.S. citizen outside U.S. territorial limits. Now, employers completing Form I-9 on a computer will be able to select Form FS-240 from the drop-down menus available in List C pertaining to Section 2 and Section 3. E-Verify users will also be able to select Form FS-240 when creating a case for an employee who has presented this document for Form I-9. Lastly, USCIS combined all the certifications of report of birth issued by the DOS into selection C # 2 in List C and renumbered all List C documents, except the Social Security card.

USCIS has included all these changes in a revised Handbook for Employers: Guidance for Completing Form I-9 (M-274), which is more user friendly than older editions of this document. Unlike previous versions of M-274, users can no longer download the handbook as a PDF document. Instead, USCIS has now organized and posted the M-274 handbook’s content as a web-based resource. It is yet unclear how USCIS will be updating this document.  By consequence, employers should regularly review the most updated, on-line content of the M-274 handbook, as it will likely be a more dynamic document.

3.  Another valuable resource for employers handling Form I-9 issues is the I-9 Central webpage available on the USCIS website. This webpage provides additional information about Form I-9, including learning resources and frequently asked questions.

Although the changes to Form I-9 are minor, failure to use the new version of the form can result in significant fines. Employers should therefore revisit their compliance policies to ensure a seamless transition to the new Form I-9.

This post was written by Roy J. Barquet of Foley & Lardner LLP © 2017
For more Immigration Legal Analysis go to The National Law Review

Revised Travel Ban Coming?

The Trump Administration reportedly may replace the current travel ban with a country-specific set of restrictions.

In June, the Supreme Court allowed the government to begin enforcing the 90-day travel ban against individuals from Iran, Libya, Somalia, Sudan, Syria, and Yemen who had no bona fide relationship to the United States. The 90-day ban will expire on September 24. The 120-day ban on refugees also went into effect in June. The Supreme Court plans to hear the full travel ban case on October 10.

The Department of Homeland Security’s recently finalized classified report on screening foreign travelers may support anticipated changes to the travel ban. Substituting a new ban could change the dynamics, potentially making the case before the Supreme Court moot or leading to a remand of the case for further hearing at the lower court level.

The new restrictions are expected to be open-ended and based upon the DHS review and identification of countries with deficient security standards. More than six countries may have been identified. Additional countries could be added to the banned list, others could be removed, and still others might become subject to certain visa restrictions.

This post was written by Michael H. Neifach of Jackson Lewis P.C. © 2017
For more legal analysis go to The National Law Review

President Trump Signs the “Securing our Agriculture and Food Act”

President Trump recently signed the “Securing our Agriculture and Food Act” (H.R. 1238). The bill amends the Homeland Security Act of 2002 to direct the Assistant Secretary for Health Affairs for the Department of Homeland Security (DHS) to carry out a program to coordinate DHS efforts related to defending the food, agriculture and veterinary systems of the United States against terrorism and other high-consequence events that pose a high risk to homeland security.

According to Michigan Farm News, the law will:

  • Provide oversight and management of DHS’s responsibilities pursuant to Homeland Security Presidential Directive 9 – Defense of United States Agriculture and Food;
  • Provide oversight and integration of DHS activities related to veterinary public health, food defense and agricultural security;
  • Lead DHS policy initiatives related to food, animal and agricultural incidents and to overall domestic preparedness for, and collective response to, agricultural terrorism;
  • Coordinate with other DHS components on activities related to food and agriculture security and screening procedures for domestic and imported products; and
  • Coordinate with appropriate federal departments and agencies.
This post was written by Aaron M. Phelps of  Varnum LLP© 2017
For more legal analysis go to The National Law Review

The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes including this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any associated with the requirement to complete DHS-developed privacy training.  DHS also asks whether the industry should be given the flexibility to develop its own privacy training.  Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, to provide to the government and maintain evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Record Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides.  The new controls include: (1) limiting access to the information to authorized users; (2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute; (3) verifying controls on connections to external information systems; (4) imposing controls on information that is posted or processed on publicly accessible information systems; (5) identifying information system users and processes acting on behalf of users or devices; (6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system; (7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse; (8) limiting physical access to information systems, equipment, and operating environments to authorized individuals; (9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices; (10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems; (11) implementing sub networks for publically accessible system components that are physically or logically separated from internal networks; (12) identifying, reporting, and correcting information and information system flaws in a timely manner; (13) providing protection from malicious code at appropriate locations within organizational information systems; (14) updating malicious code protection mechanisms when new releases are available; and (15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that is:  (1) owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.

ARTICLE BY Connie N BertramAmy Blackwood & Emilie Adams of Proskauer Rose LLP