DOD Archives - The National Law Forum

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Article By Kathryn M. Rattigan of Robinson & Cole LLP

For more cybersecurity and data privacy news, click here to visit the National Law Review.

Defense Department Takes Aim at Anticompetitive Mergers in Defense Industry

Government says market concentration poses a national security risk.

In 1990, the Department of Defense could turn to 13 companies to produce tactical missiles, eight to make fixed-wing aircraft, and another eight to build ships. Now there are only three missile and three aircraft makers, and only two surface ship builders. There were eight satellite manufacturers in 1990; today there are only four. Tanks and other tracked vehicles are now made by a single company.

Such market consolidation is potentially harmful for the usual reasons, such as less innovation, higher prices, and a lower level of customer service. But when that customer is the DOD, having only one or a handful of defense equipment makers, suddenly critical military missions, military and civilian lives, and national security are put at risk, “[P]articularly in cases where the existing dominant supplier or suppliers are influenced by an adversary nation ….”

That is the worrisome assessment contained in a report issued by the DOD which is following up on President Biden’s July 2021 executive order, titled “Promoting Competition in the American Economy.” DOD is just one of the agencies now responding with plans to evaluate their respective competitive landscapes and to make recommendations to restore productive rivalries.

If market consolidation suggests harmful anticompetitive conditions, then the defense industry’s merger history should send up multiple flares. “Since the 1990s, the defense sector has consolidated substantially, transitioning from 51 to 5 aerospace and defense prime contractors,” the report says.

DOD offers five general recommendations to increase defense industry competition, saying it should:

Strengthen Merger Oversight. When a merger threatens DOD interests, DOD will support the Federal Trade Commission and Department of Justice in antitrust investigations and recommendations involving the defense industry.
Address Intellectual Property Limitations. Certain practices surrounding intellectual property and data rights have been used to limit competition in DOD purchasing and to induce “vendor-lock” and other undesirable results. DOD says it will identify its long-term intellectual property needs early in the bidding process. This should ensure that intellectual property is a key factor in evaluating competitive awards, and a negotiation objective in sole-source awards and when contracting with vendors willing to provide the government the intellectual property and rights it needs.
Increase New Entrants. To counteract the shrinking list of contractors, DOD says it will work to attract new entrants to the defense marketplace by reducing barriers to entry. This will be accomplished through small business outreach and support. DOD says it will use “acquisition authorities” that will give it the flexibility to adopt and incorporate commercial best practices to reduce barriers and attract new vendors.
Increase Opportunities for Small Businesses. DOD will increase small business participation in defense procurement, with an emphasis on increasing competition in priority segments of the defense industry.
Implement Sector-Specific Supply Chain Resiliency Plans. DOD calls for greater resilience in the supply chain for five priority sectors: casting and forgings, missiles and munitions, energy storage and batteries, strategic and critical materials, and microelectronics.

In June 2021, Bradley Martin, Ph.D., a retired Navy captain now with the RAND National Security Supply Chain Institute, wrote of the dangers of the defense industry’s shift to practices that make resupply of military equipment “highly questionable” should demand for equipment suddenly spike.

Abrams Main Battle Tank manufactured by General Dynamics, the sole producer of tanks and other tracked combat vehicles for the Department of Defense. Photo from General Dynamics’ website.

“If evaluated solely against meeting steady-state demand, the military operational supply chain works as it should,” Martin wrote. “The problem is not performance relative to incentives. Rather, the problem is that the existing guidance does not lead the system to conduct analyses and make decisions needed to support the highly demanding combat operations likely in a conflict with a major power. As a result, the ability of this system to properly support the joint force in the event of major conflict is at best untested and could be highly problematic.”

Recent Public and Private Actions

In addition to the government’s focus on the overall industry, it has been taking action to address specific instances of alleged and potentially anticompetitive behavior. In one instance, a private class action quickly followed.

In January, the FTC sued to stop Lockheed Martin Corp.’s $4.4 billion acquisition of Aerojet Rocketdyne Holdings Inc., marking the first time in decades the government opposed a defense industry merger. (Read FTC Sues to Torpedo Lockheed’s $4.4 Billion Aerojet Acquisition.)

The FTC noted that Aerojet, which reported more than $2 billion in 2020 revenue, is the last independent U.S. supplier of defense-critical missile propulsion systems. If the deal were to go through, the FTC said, “Lockheed will use its control of Aerojet to harm rival defense contractors and further consolidate multiple markets critical to national security and defense.”

Lockheed leads the pack of the largest defense contractors in the world. It is one of the leading suppliers of missile technology in a concentrated group that includes Raytheon Technologies, Inc., Northrop Grumman Corporation, and The Boeing Company. All are missile system prime contractors to the Department of Defense. The FTC says these companies are intermediaries between the U.S. government and the missile supply chain, including subcontractors like Aerojet.

In December 2021, a federal grand jury in Connecticut returned an indictment charging a former manager of leading aerospace engineering company Pratt & Whitney, Inc., and five executives of outsource engineering suppliers for participating in a long-running conspiracy to restrict the hiring and recruiting of employees among their respective companies. (Read Aerospace Execs Indicted for Conspiracy to Limit Worker Pay and Job Prospects.)

The conspiracy is said to have affected thousands of engineers and other skilled workers in the aerospace industry who perform services in the design, manufacturing, and servicing of aircraft components for both commercial and military purposes. According to the felony indictment, unsealed in U.S. District Court for the District of Connecticut, six individuals conspired with others to allocate employees by agreeing not to hire or solicit professionals from each other’s ranks.

Following the indictment, a jet engine mechanic formerly employed by Pratt & Whitney filed a class action suit in federal court in Connecticut against the company and five outsource engineer suppliers. The plaintiffs seek damages because of the alleged conspiracy to suppress labor costs and hamper employees’ career prospects using illegal no-poach agreements in violation of antitrust laws.

Ukraine Invasion Demonstrates ‘Rapid Escalation’

Combined with Russia’s invasion of Ukraine and the alarming specter of a widening conflict, security supply chain expert Bradley Martin’s assessment that the industry may not be set up to address a spike in demand for military equipment illustrates why the DOD’s plan to improve competition in the defense industry is an urgent one.

“The Ukraine crisis shows that situations can rapidly escalate, potentially leading to situations where spikes in demand might occur in largely unexpected ways,” Martin told the MoginRubin Blog. “If the U.S. had to deal with an expanded conflict in Europe, such as might occur if Russia were to threaten a NATO ally, DOD could reallocate munitions and supplies for some period, but expanding production and inventory over a longer period would be very challenging. This would likely be exactly the kind of conflict where low-standing issues with supply chains would show themselves, sometimes in unexpected ways.”

Defense is just one of several industries seeing increased scrutiny from enforcers. Healthcare also has been a focus of late (see our article regarding FTC’s action to stop a New England hospital merger). The technology sector is getting attention, too. As we wrote in February, chipmaker Nvidia called off its vertical acquisition of Arm Ltd. following an FTC challenge to the deal. A recent Treasury Department report on the alcoholic beverage industry foreshadows greater attention from the FTC and DOJ regarding deals in that sector.

In October the FTC said it was bringing back its policy of routinely restricting anticompetitive mergers, putting “industry on notice” that it will require aggressive acquirers to obtain prior approval “before closing any future transaction affecting each relevant market for which a violation was alleged, for a minimum of 10 years.” The agency is clearly making good on its promise.

Edited by Tom Hagy for MoginRubin LLP.

Article By Jennifer M. Oliver with MoginRubin.

For more articles about antitrust, visit the NLR Antitrust Law section.

Continuing Effort to Protect National Security Data and Networks

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Evolving and increasing threats to U.S. defense data and national security networks have necessitated changes and refinements to U.S. regulatory requirements intended to protect such.

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARs) intended to better protect defense data and networks. In 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC). In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

DFARs initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. DFARs was self-compliant in nature.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC proposed a verification program to ensure that NIST-compliant cybersecurity protections were in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARs, CMMC initially required certification of compliance by an independent cybersecurity expert.

The DoD has announced an updated cybersecurity framework, referred to as CMMC 2.0. The announcement comes after a months-long internal review of the proposed CMMC framework. It still could take nine to 24 months for the final rule to take shape. But for now, CMMC 2.0 promises to be simpler to understand and easier to comply with.

Three Goals of CMMC 2.0

Broadly, CMMC 2.0 is similar to the earlier-proposed framework. Familiar elements include a tiered model, required assessments, and contractual implementation. But the new framework is intended to facilitate three goals identified by DoD’s internal review.

Simplify the CMMC standard and provide additional clarity on cybersecurity regulations, policy, and contracting requirements.
Focus on the most advanced cybersecurity standards and third-party assessment requirements for companies supporting the highest priority programs.
Increase DoD oversight of professional and ethical standards in the assessment ecosystem.

Key Changes under CMMC 2.0

The most impactful changes of CMMC 2.0 are

A reduction from five to three security levels.
Reduced requirements for third-party certifications.
Allowances for plans of actions and milestones (POA&Ms).

CMMC 2.0 has only three levels of cybersecurity

An innovative feature of CMMC 1.0 had been the five-tiered model that tailored a contractor’s cybersecurity requirements according to the type and sensitivity of the information it would handle. CMMC 2.0 keeps this model, but eliminates the two “transitional” levels in order to reduce the total number of security levels to three. This change also makes it easier to predict which level will apply to a given contractor. At this time, it appears that:

Level 1 (Foundational) will apply to federal contract information (FCI) and will be similar to the old first level;
Level 2 (Advanced) will apply to controlled unclassified information (CUI) and will mirror NIST SP 800-171 (similar to, but simpler than, the old third level); and
Level 3 (Expert) will apply to more sensitive CUI and will be partly based on NIST SP 800-172 (possibly similar to the old fifth level).

Significantly, CMMC 2.0 focuses on cybersecurity practices, eliminating the few so-called “maturity processes” that had baffled many DoD contractors.

CMMC 2.0 relieves many certification requirements

Another feature of CMMC 1.0 had been the requirement that all DoD contractors undergo third-party assessment and certification. CMMC 2.0 is much less ambitious and allows Level 1 contractors — and even a subset of Level 2 contractors — to conduct only an annual self-assessment. It is worth noting that a subset of Level 2 contractors — those having “critical national security information” — will still be required to seek triennial third-party certification.

CMMC 2.0 reinstitutes POA&Ms

An initial objective of CMMC 1.0 had been that — by October 2025 — contractual requirements would be fully implemented by DoD contractors. There was no option for partial compliance. CMMC 2.0 reinstitutes a regime that will be familiar to many, by allowing for submission of Plans of Actions and Milestones (POA&Ms). The DoD still intends to specify a baseline number of non-negotiable requirements. But a remaining subset will be addressable by a POA&M with clearly defined timelines. The announced framework even contemplates waivers “to exclude CMMC requirements from acquisitions for select mission-critical requirements.”

Operational takeaways for the defense industrial base

For many DoD contractors, CMMC 2.0 will not significantly impact their required cybersecurity practices — for FCI, focus on basic cyber hygiene; and for CUI, focus on NIST SP 800-171. But the new CMMC 2.0 framework dramatically reduces the number of DoD contractors that will need third-party assessments. It could also allow contractors to delay full compliance through the use of POA&Ms beyond 2025.

Increased Risk of Enforcement

Regardless of the proposed simplicity and flexibility of CMMC 2.0, DoD contractors need to remain vigilant to meet their respective CMMC 2.0 level cybersecurity obligations.

Immediately preceding the CMMC 2.0 announcement, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative on October 6 to combat emerging cyber threats to the security of sensitive information and critical systems. In its announcement, the DOJ advised that it would pursue government contractors who fail to follow required cybersecurity standards.

As Bradley has previously reported in more detail, the DOJ plans to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors or involving government programs, where entities or individuals, put U.S. information or systems at risk by knowingly:

Providing deficient cybersecurity products or services
Misrepresenting their cybersecurity practices or protocols, or
Violating obligations to monitor and report cybersecurity incidents and breaches.

The DOJ also expressed their intent to work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

As a result, while CMMC 2.0 will provide some simplicity and flexibility in implementation and operations, U.S. government contractors need to be mindful of their cybersecurity obligations to avoid new heightened enforcement risks.

Article By Andrew Tuggle and David Vance Lucas with Bradley Arant Boult Cummings LLP.

For more articles about cybersecurity, visit the NLR Cybersecurity, Media & FCC section.

Focus on Military Readiness Means More Construction Work on Military Bases: Are Contractors Ready to Compete and Perform?

The United States military is the most powerful warfighting force in world history.

But Secretary of Defense Jim Mattis made a stark observation in the 2017 National Defense Strategy:

Without sustained and predictable investment to restore readiness and modernize our military to make it fit for our time, we will rapidly lose our military advantage, resulting in a Joint Force that has legacy systems irrelevant to the defense of our people.

The problem, in summary, is a lack of readiness.

But the Future is “BIG”

Readiness is not as exciting as futuristic weapons systems or as dramatic as battle. Instead, readiness focuses on the military’s more mundane, but essential, ability to train, house troops, repair equipment, and plan for mobilization. Readiness undergirds the core ability of the military to defend the United States. We are seeing a new emphasis on readiness. Significantly, the current President and Congress are actively increasing the military’s budget to purchase goods and services, especially those related to the construction of military facilities.

This new construction is required because readiness demands it. For example, many structures at MCAS Cherry Point used for aviator and aircraft ground-support training, repair, and deployment are over 70 years old. Many structures were built for World War II and the Cold War. We now face different enemies, technologies, and strategies. Combat aircraft fleet facility upgrades are essential to meet the raised readiness standard.

In addition, the new F-35 Joint Strike Fighter adds significantly increased technology, infrastructure, and security demands that cannot be met with the current facilities at MCAS Cherry Point and its tenant command, Fleet Readiness Center East (“FRC East”). MCAS Cherry Point will be home for probably 94 F-35 jet fighters. FRC East’s role in servicing Air Force, Navy, and Marine Corps variants of the Joint Strike Fighter is essential to achieving the overwhelming lethality required for proper military readiness.

But MCAS Cherry Point and FRC East cannot fulfill their obligations to the readiness standard without new construction. The President has asked Congress to fund the following major construction projects for the federal fiscal year beginning in October 2018:

$133,970,000 for a new hangar that will house F-35B Lightning II Joint Strike Fighters for the Marine Corps’ Second Marine Air Wing, which is headquartered at MCAS Cherry Point.
$106,860,000 to modernize flight line infrastructure such-as electrical, water, and technology services as well as new access points and loading areas for the new hangar.

That’s about $180,000,000 more than MCAS Cherry Point has seen in a single fiscal year for at least the last 20 years. But this new funding is only the beginning of a rapidly accelerating plan to rebuild Cherry Point’s aging facilities, roads, and infrastructure. We also expect the following projects to be funded over the next 10 years:

New streets, parking, security enhancements, and F-35 hangars at MCAS Cherry Point at a cost of around $600 million.
New repair hangars, test facilities, and improved facilities at FRC East at of a cost of around $400 million.

Overall, we expect to see around $1.2 billion in new construction and facility upgrades at MCAS Cherry Point and FRC East over the next 15 years.

A Place for Private Contractors

Successful construction needs more than just funding. It also needs private contractors who can build, install, and maintain the facilities and infrastructure.

The federal procurement process for construction of Defense Department facilities is a complex undertaking. Once a company enters the procurement process, there are special rules unique to federal contracting that the contractor must understand. Therefore, companies should become familiar with the federal procurement rules before pursuing their first contract. While a comprehensive primer on these rules is beyond the scope of this article, our attorneys handling government contracts are seeing an increase in the use of small business preferences and teaming arrangements. These programs allow small businesses to benefit both from their size status and the competitive advantage of teaming with a larger or more sophisticated company.

Incentives: Federal Small Business Preferences

We have seen a marked increase in contractors interested in qualifying for the small business “set-aside” and other programs available in federal procurements. At the same time, the Defense Department itself is, at least in theory, promoting the set-aside programs. Opportunity abounds for companies who qualify for small business programs.

Unlike most private sector commercial contracts, federal government contracts are used to support certain socio-economic goals. Many of these programs favor small or disadvantaged businesses. The federal government has a specific goal every year for the percentage of contracts given to small and disadvantaged businesses. The following programs are currently the most active for participation and promotion:

Woman-owned small businesses
Historically underutilized businesses in certain geographical areas (“HUBZone businesses”)
Veteran-owned small businesses (especially service-disabled veterans)
Mentor-protégé joint ventures and teaming agreements between large and small businesses, especially those teaming with Section 8(a) disadvantaged businesses.

Construction companies and other contractors who are ready for this wave of new projects will benefit from the increased attention to readiness upgrades. Unprepared companies will lose out on these opportunities. This may not seem a big problem while the economy is strong, but in our experience, contractors who planned for federal work survived and even thrived during the recent Great Recession.

Conclusion

Fortunately, with proper planning, a good business plan, and sound legal advice, there is no reason to be discouraged from beginning or expanding your federal government contracts. Although entering and working within the federal contracting arena can be daunting, several programs assist small and innovative companies with getting and keeping federal contracts.

This post was written by James W. Norment of Ward and Smith, P.A.

A Change to the Suspending and Debarring Official (SDO) Position at NASA

On March 8, 2016, a final rule changed the position of the National Aeronautics and Space Administration’s (“NASA”) suspending and debarring official (“SDO”). The SDO had been NASA’s Assistant Administrator for Procurement. The final rule reassigns the position to NASA’s Deputy General Counsel. Public comments were not accepted because NASA concluded that the change “affects only the internal operating procedures” of the agency.

Not mentioned in this action is Section 861(a) of the National Defense Authorization Act of 2013. That law applies to the U.S. Department of Defense (“DoD”), the U.S. Department of State (“State”), and the U.S. Agency for International Development (“USAID”), not to NASA, but for those agencies it specifically prohibits the not-uncommon practice of having a procurement officer act as an SDO. Last year, in International Relief and Development, Inc. et al. v. United States Agency for International Development et al., No. 15-CV-854 RCL (D.D.C.), a federal court concluded that such an arrangement at USAID likely violated Section 861(a).

Section 861(a) precipitated a necessary discussion on the independence and impartiality of SDOs. It is not hard to imagine how an SDO who also serves as a procurement officer could be predisposed against a contractor. But even if NASA’s change tacitly acknowledges this concern, it hardly resolves it. Conditioned already to advocate for a particular client, agency counsel are sure to have predispositions, as well.

Article By Frederic M. Levy & Jade C. Totman of Covington & Burling LLP

Wasn't That Supposed to be Made in the USA?

Made in the USA.jpg Despite the existence of long-standing U.S. laws strongly favoring the purchase of domestic products for use by governmental entities, in governmental programs and particularly the fulfillment of Department of Defense (“DoD”) contracts, a surprising number of companies still attempt to circumvent these laws. They do so at their own peril. Recognizing the harm likely to befall American workers as a result, an increasing number of employees and former employees have “blown the whistle” on these practices in recent years and teamed up with the U.S. Government to curtail this trend.

The Buy American Act, 41 U.S.C. §§ 8301–8305, (“BAA”) was enacted in 1933 under President Hoover as part of New Deal legislation intended to help struggling American depression era companies. The BAA superseded an 1875 statute that “related to preferential treatment of American material contracts for public improvements.” (1933, Sect. 10). The law carried with it a very simple idea: require the government to exercise a clear preference for US-made products in its purchases to bolster the American economy.

To this day, the BAA continues to require federal agencies to purchase “domestic end products” and use “domestic construction materials” in contracts exceeding certain dollar amounts performed in the United States. Unmanufactured end products or construction materials qualify as “domestic” if they are mined or produced in the United States. Manufactured products are treated as “domestic” if they are manufactured in the United States, and either (1) the cost of components mined, produced, or manufactured in the United States exceeds 50% of the cost of all components, or (2) the items are commercially available off-the-shelf items.

Exemptions and exceptions to the applicability of the BAA exist. For example, the BAA does not apply if the purchasing agency determines “it to be inconsistent with the public interest, or the cost to be unreasonable.” Furthermore, the U.S. Trade Agreements Act of 1979 authorizes the President to waive any procurement law or regulation that accords foreign products less favorable treatment than that given to domestic products in foreign lands. Additionally, purchases from Canada and Mexico are exempt from BAA prohibitions under the North American Free Trade Agreement. Other treaties and agreements also limit the BAA. Despite these, the BAA continues to cast a wide liability net for those that seek to willfully or knowingly circumvent it.

Similar to the BAA, the Berry Amendment was passed in 1941 to promote the U.S. economy through the preferential purchase of certain U.S. goods. The Amendment was eventually codified as 10 U.S.C. 2533a in 2002. The law prohibits the Department of Defense (“DoD”) from utilizing any funding available to or appropriated by the DoD for the purchase of the following end product items from “non-qualifying countries” unless these items are wholly of U.S. origin: food; clothing; tents, tarpaulins, or covers; cotton and other natural fiber products; woven silk or woven silk blends; spun silk yarn for cartridge cloth; synthetic fabric or coated synthetic fabric (including all textile fibers and yarns that are for use in such fabrics); canvas products, or wool (whether in the form of fiber or yarn or contained in fabrics, materials, or manufactured articles); or any item of individual equipment manufactured from or containing such fibers, yarns, fabrics, or materials; and hand or measuring tools. Noticeably absent from the definition of “qualifying country” are China, Japan, Thailand and Korea- among others.

Congress revised the Berry Amendment for fiscal years 2007 and 2008 with National Defense Authorization Act. The revised statute, 10 U.S.C. 2533b, declares that the DoD is prohibited from acquiring specialty metals or component parts for the use in the construction of aircraft, missile and space systems, ships, tank and automotive items, weapon systems, or ammunition unless the DoD itself acquires those materials directly. In other words, contractors engaged in the production of these items must use American made specialty metals or require that the DoD obtain these materials and component parts for use in any such fabrication and manufacturing.

Despite the existence numerous limitations with the Buy American Act, Berry Amendment and Trade Agreements Act, as discussed above, the United States Government and private citizen plaintiffs (known as Relators) have recently collaborated in bringing numerous False Claims qui tam actions against companies seeking to profit at the expense of the American Taxpayers. In the majority of these cases, contractors attempted to pass off foreign goods as made in the U.S.A. Examples of these include: MedTronic (relabeled Chinese devices allegations – $4.4 million settlement); ECL Solutions (conceal country of origin-$1.066 million civil forfeiture); Invacare (wrongfully certified as American Made- $2.6 Million settlement); Staples (foreign made goods- $7.4 million settlement), Office Depot (foreign made goods – $4.75 million settlement) and Office Max (sale of goods not permitted by Trade Agreements Act results in $9.72 million settlement).

According to Justice Department statistics released last week, whistleblowers filed 638 False Claims Act lawsuits in FY2015. Because these cases remain under seal sometimes for years, we do not know how many involved violations of BAA or related laws. We are aware from conversations with the Justice Department of an uptick in these claims, however.

Whistleblowers who bring claims under the False Claims Act can earn up to 30% of whatever the government collects from the wrongdoer. To qualify, one must have original knowledge or information about the fraud. Successful whistleblowers are usually current or former employees but anyone with inside information can file.

Article By Brian Mahany of Mahany Law

Wasn’t That Supposed to be Made in the USA?

Article By Brian Mahany of Mahany Law

DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-2008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcomed development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DOD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families has “derived security requirements,” which provide added detail of the security controls required to protect government data. These basic requirements are based on FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls contained in NIST Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.
Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.
The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.
The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).
DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”
With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.
Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”
The class deviation does not impact DoD cloud computing contracts, which remain subject to DFARS 252.239-7010, Cloud Computing Services.

Ensuring Compliance With the Revised DFARS Clauses and NIST SP 800-171 Section 3.5.3

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3 (emphasis added). Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

“Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identification Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokes (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. See id., n. 22.
“Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

“Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Article By Susan B. Cassidy, Alejandro L. Sarria, Patrick Stanton & Catlin M. Meade of Covington & Burling LLP

DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information. Nearly three years in the making, this interim rule replaces the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and expanding the information that is subject to safeguarding and can trigger the reporting requirements. Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.

Article By Susan B. Cassidy, Alejandro L. Sarria, Patrick Stanton & Catlin M. Meade of Covington & Burling LLP

Department of Defense Contractors Agree to Pay the U.S. Government $5.5 Million for Allegedly Supplying the Military with Low-Grade Batteries for Humvee Gun Turrets Used in Iraq; Minnesota Whistleblower to Receive $990,000

On September 16, 2014, the Department of Justice (DOJ) announced that Department of Defense (DOD) contractors, M.K. Battery, Inc. (M.K. Battery), East Penn Manufacturing Company (East Penn), NPC Robotics, Inc. (NPC), BAE Systems, Inc. (BAE) and BAE Systems Tactical Vehicle Systems LP (BAE) had agreed to a settlement of $5.5 million for allegedly violating the False Claims Act (FCA) by selling the U.S. Military substandard batteries for Humvee gun turrets used on military combat vehicles in Iraq. Minnesota whistleblower, David McIntosh, former employee of M.K. Battery, will receive $990,000 which represents his share of the settlement for reporting fraud against the government – in this case misrepresentation of a vital product supplied to the DOD.

A gun turret is a weapon mount that protects the crew or mechanism of a projectile-firing weapon and at the same time lets the weapon be aimed and fired in many directions. Sealed acid batteries are used as a backup to turn the turrets on the Humvees in the event that the engine gives out. According to Mr. McIntosh, and unbeknownst to the Army, the manufacturing process of the batteries was allegedly changed from the original design presented to the DOD, consequently cutting the battery’s life span by as much as 50 percent and potentially putting U.S. Troops in harm’s way. Mr. McIntosh, from Stacy, Minnesota, who at the time was employed by M.K. Battery as a regional sales representative, brought his concerns to top company officials at M.K. Battery. However, in 2007 after numerous unsuccessful attempts to convince M.K. Battery that its decision to cut costs on these batteries could be hazardous to U.S. Troops, especially during combat, Mr. McIntosh alerted the DOD to this matter. Three month later, M.K. Battery fired Mr. McIntosh.

Shortly thereafter, Mr. McIntosh and his attorneys filed the lawsuit under the whistleblowersprovisions of the False Claims Act, which is one of the most effective methods that the government has implemented for combating fraud. Under the FCA, any person, who knows of an individual or company that has defrauded the federal government, can file a “qui tam” lawsuit to recover damages on the government’s behalf. Mr. McIntosh filed this particular lawsuit on behalf of himself and the Department of Defense. Additionally, a whistleblower who files a case against a company that has committed fraud against the government, may receive an award of up to 30 percent of the settlement. In this case, Mr. McIntosh’s share of $5.5 million is approximately 18 percent of the settlement.

ARTICLE BY

Whistleblower Practice Group

Tycko & Zavareei LLP

Tag: DOD

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

Like this: