Tag: contractors

Federal Contractors Beware – More Data Disclosures Coming!

On October 29, 2024, the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) published a Freedom of Information Act (FOIA) notice, inviting federal contractors to respond to FOIA requests that the OFCCP received related to federal contractors’ 2021 Type 2 EEO-1 Consolidated Reports. These reports, required of federal contractors and subcontractors with at least 50 employees, contain data critical to the government’s diversity efforts consistent with anti-discrimination mandates under Title VII and Executive Order 11246. Contractors have previously relied on FOIA Exemption 4 to protect against disclosing sensitive commercial information that could impact competitive positioning, but in late December 2023 as previously reported here, a federal court ruling concluded that certain demographic data did not qualify as confidential under FOIA Exemption 4. That court decision may spur an increase in FOIA requests for EEO-1 reporting information.

Contractors who wish to object to the disclosure of their EEO-1 reporting information must do so via OFCCP’s online portal, email, or mail on or before December 9, 2024. Per the OFCCP’s notice, contractors can object to releasing their 2021 EEO-1 Type 2 data by providing evidence showing the data satisfies FOIA Exemption 4. To do this, contractors should:

  • Specifically identify the objectionable data;
  • Explain why this data is commercial or competitive to render it confidential;
  • Outline the processes the contractor has in place to safeguard the data;
  • Identify any prior assurances or expectations that the data would remain confidential; and
  • Detail the damage that would occur if the data were disclosed by conducting assessments to see how disclosure would impact business operations.

In addition to raising timely objections to disclosure of data, contractors should also implement clear policies to maintain a consistent approach to data confidentiality. Specifically, contractors should be thoughtful and consistent as to how they define confidential information and the protection measures they take related to such information.

FOIA requests and court decisions in this space will likely continue to make striking a balance between government transparency and protecting contractors’ confidential business information more difficult. To navigate these changes, federal contractors should remain vigilant by staying informed, preparing objections to FOIA requests, and consulting with legal counsel to ensure compliance with this evolving area of law.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.
For more on Federal Contractors, visit the NLR Government Contracts Maritime Military section.

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0
Model Assessment
Level 3 134 requirements based on NIST SP 800-171 and 800-172 Triennial government-led assessment and annual affirmation
Level 2 110 requirements aligned with NIST SP 800-171 Triennial third-party assessment and annual affirmation; Triennial self-assessment and annual affirmation for select programs
Level 1 15 requirements Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

    APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

    The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the italicized language does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

    CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

    DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

    TEMPORARY AND ENDURING EXCEPTIONS

    DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

    A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

    An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

    The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4)). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in C.F.R Title 32 establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

    DEFINITION OF SECURITY PROTECTION DATA

    In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

    Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

    In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

    DIBCAC ASSESSMENTS

    For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

    Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

    © 2024 McDermott Will & Emery
    For more on the CMMC Program, visit the NLR Consumer Protection section

NLRB’s Proposed New Joint Employer Rule: What to Do Now to Manage the Risk

On September 7, 2022, the National Labor Relations Board (NLRB) issued a Notice of Proposed Rulemaking (NPRM) that would, if adopted, make it much easier for the NLRB to find a company to be a “joint employer” of persons directly employed by its contractors, vendors, suppliers and franchisees. The consequences of a joint employer finding are significant and can lead to: liability for unfair practices committed by the direct employer; a duty to bargain with a union representing the direct employer’s employees; exposure to liability for one’s own conduct that fails to take into account the indirect employer relationship and spread of a union from the direct employer’s employees to the indirect employer.

Joint-employer theory creates far more risk for employers than related doctrines such as single employer or alter ego because, unlike those theories, joint employer status does not require any common ownership or corporate control. Two companies operating entirely at arm’s length can be found joint employers.

The major proposed change relates to the degree of influence that an indirect employer must have to justify a finding of single employer status. Under the current NLRB standard, the indirect employer must actually exercise “immediate and direct” control over key terms of employment, normally limited to wages, benefits, hours and termination.

The proposed rule relaxes that standard in three key ways. First, it eliminates the actually exercise requirement and states that possession of even unused authority can be sufficient.

Second, it does away with the immediate and direct requirement so that influence exercised by the indirect employer through the direct employer can be used to support a finding.

Third, it expands, beyond the list enumerated in the current rule, the types of employment terms control of which will justify a finding of joint employer status. The Obama Board had adopted the currently proposed standard by an NLRB decision, Browning-Ferris Inds. 362 NLRB No. 186 (2015). However, that decision was overturned by the Trump Board’s adoption of the current rule, 85 FR 11184, codified at 29 CFR 103.40, (Feb. 26, 2020). The proposed rule seeks to reinstate Browning-Ferrisas the governing law.

Because Browning-Ferrisand the NPRM endorse pre-1984 NLRB decisions regarding joint employer status, those decisions provide guidance for how the new rule may be enforced. The NLRB and courts frequently relied on what authority was given to the alleged indirect employer in its agreement with the contractor or vendor. Clauses that required or allowed the indirect employer to approve hirings, terminations or wage adjustments to contractor employees usually resulted in finding joint employer status. In addition, cost-plus arrangements, particularly those that were terminable on short notice were often found to support a joint employer finding. Finally, clauses allowing the indirect employer to set work schedules, production rates, or requiring contractor employees to abide by the indirect employer’s work rules and other policies governing conduct also were found supportive of joint employer status.

The proposed rule is still subject to comment and revision, but it is likely to be adopted without significant change. The comment and review period, which closes on November 21, 2022, provides a window in which savvy employers can assess the risks to their organization when the Rule goes into effect. A key step is to examine existing contractual relationships with vendors to identify and modify those terms that may potentially support joint employer status, or, if modification is untenable, to manage the risk through indemnity agreements with the vendor.

Article By Ahmad Chehab and Robert T. Zielinski of Miller Canfield
© 2022 Miller, Canfield, Paddock and Stone PLC

The COVID-19 Change Order

During the pandemic it has become common for contractors to submit change orders to owners seeking reimbursement for COVID-19 related expenses and costs.  This is especially true for large construction projects.  These “COVID-19 Change Orders” seek reimbursement for everything from masks, dividers, hand sanitizer and other items required to follow and implement CDC guidelines (or to comply with state and local orders) for maintaining a safe work environment.  COVID-19 Change Orders also seek reimbursement for extended general conditions caused by having less workers on site because of social distancing requirements, lost time caused by shorter working hours, and lost time associated with CDC mandated hygiene breaks and temperature checks. On larger projects, COVID-19 Change Orders can escalate into millions of dollars and are often submitted without warning towards the end of a project when final completion and the payment of retainage are approaching.

For owners and contractors that are trying to complete their projects, many of which have been delayed or suffered from cost overruns, these unexpected COVID-19 Change Orders can be very problematic and hard to navigate.  Owners will argue that increased costs associated with the pandemic have affected all businesses, not just contractors.  Contractors will respond that these are real costs that they must pay to operate.  Often, the justification for reimbursement is not black and white because it is hard to find a specific contractual provision that addresses such an unprecedented situation, which causes uncertainty and strained relations between owners and contractors at the end of a project.

The justifications asserted for COVID-19 Change Orders vary from project to project and are sometimes asserted as an event of force majeure or more commonly as a general change in site conditions.  While many force majeure clauses expressly apply to acts of God, pandemics and government shutdowns, that is not the end of analyzing whether the clause applies.  While the application of a force majeure clause to these situations is highly dependent on the wording of such a clause, most require that performance be completely prevented and do not recognize commercial impracticability as a justification for delay.  There were a small number of projects that were shut down at the beginning of the pandemic by state and local orders in stricter jurisdictions, but for the most part complete shutdowns were uncommon because of various exceptions to such orders for businesses broadly defined as “essential.”  As the pandemic extended through late 2020, and into 2021, shutdowns became non-existent.  Finally, many force majeure clauses don’t allow for the reimbursement of costs for implementing required protective measures, they simply allow for an extension of the contract time.

As a result, many contractors have turned to other contractual provisions, such as language related to changes in site conditions or clauses related to change orders in general.  But prior to the pandemic these provisions were not drafted with this circumstance (a virus) in mind.  Instead, they usually apply to changes in “physical” conditions at the site that are specifically described, like subsurface conditions, otherwise concealed physical conditions or hazardous materials found at the site.   Making the argument that a virus is an unknown “physical” condition at the site can be a challenge since the virus is airborne, not necessarily part of the site itself and not unique to the site.  In addition, because many of these clauses require the approval of the owner or are only triggered by specific conditions, they may not support a unilateral change order.

Because of the ambiguity surrounding COVID-19 Change Orders, many owners will initially be reluctant to cover such reimbursements for their contractors.  Aside from the specific language in their construction contracts, Owners should consider other factors when deciding whether to reject, accept or partially accept COVID-19 Change Orders, including the risk of strained relations with its contractor, distractions at the project and the costs of a potential dispute with its contractor.  If there are remaining construction contingency funds available, and the project has otherwise run smoothly, the owner should consider offering all or part of it at the end of the project to avoid a dispute.  Likewise, contractors should be thoughtful and thorough when deciding whether to seek reimbursement for project costs associated with COVID-19, and make sure the costs at issue were necessary and can be verified.  Finally, if the contractor received government loans or payments because of the pandemic, including funds from the Paycheck Protection Program, it should strongly consider not seeking reimbursement from the owner.

Article By Richard F. Whiteley, Phillip L. Sampson Jr., and Stacianne M. Wilson of Bracewell LLP

For more coronavirus legal news updates, click here to visit the National Law Review.

© 2022 Bracewell LLP

DOL Publishes Final Rule Implementing President Biden’s $15 Federal Contractor Minimum Wage Executive Order 14026

The Department of Labor (DOL) has published its Final Rule implementing President Biden’s April 27, 2021, Executive Order 14026 raising the minimum wage from $10.95 an hour to $15 an hour (with increases to be published annually). The new wage rate will take effect January 30, 2022, though as discussed below, the rate increases will not be applied to contracts automatically on that date.

The Final Rule is substantially similar to the DOL’s proposed Notice of Rulemaking issued in July 2021 and is more expansive in coverage than the current federal contractor minimum wage requirements in effect under former President Obama’s Executive Order 13658.

$15 Wage Rate Does Not Apply to All Federal Contractors, All Federal Contracts, or All Workers

Covered Contracts

The $15 wage rate will apply to workers on four specific types of federal contracts that are performed in the U.S. (including the District of Columbia, Puerto Rico, and certain U.S. territories):

  • Procurement contracts for construction covered by the Davis-Bacon Act (DBA), but not the Davis-Bacon Related Acts
  • Service Contract Act (SCA) covered contracts
  • Concessions contracts – meaning a contract under which the federal government grants a right to use federal property, including land or facilities, for furnishing services. The term “concessions contract” includes, but is not limited to, a contract the principal purpose of which is to furnish food, lodging, automobile fuel, souvenirs, newspaper stands, or recreational equipment, regardless of whether the services are of direct benefit to the government, its personnel, or the general public
  • Contracts related to federal property and the offering of services to the general public, federal employees, and their dependents

The Executive Order does not apply to contracts or other funding instruments, including:

  • Contracts for the manufacturing or furnishing of materials, supplies, articles, or equipment to the federal government
  • Grants
  • Contracts or agreements with Indian Tribes under the Indian Self-Determination and Education Assistance Act
  • Contracts excluded from coverage under the SCA or DBA and specifically excluded in the implementing regulations and
  • Other contracts specifically excluded (See NPRM Section 23.40)

Effective Date; Definition of “New” Contracts Expanded

The Final Rule specifies that the wage requirement will apply to new contracts and contract solicitations as of January 30, 2022. Despite the “new contract” limitation, the regulations, consistent with the language of the Biden Executive Order, strongly encourage federal agencies to require the $15 wage for all existing contracts and solicitations issued between the date of the Executive Order and the effective date of January 30, 2022.

Similarly, agencies are “strongly encouraged” to require the new wage where they have issued a solicitation before the effective date and entered into a new contract resulting from the solicitation within 60 days of such effective date.

Pursuant to the Final Rule, the new minimum wage will apply to new contracts; new contract-like instruments; new solicitations; extensions or renewals of existing contracts or contract-like instruments; and exercises of options on existing contracts or contract-like instruments on or after January 30, 2022.

Geographic Limitations Expanded

The Final Rule applies coverage to workers outside the 50 states and expands the definition of “United States” to include the 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, Outer Continental Shelf lands as defined in the Outer Continental Shelf Lands Act, American Samoa, Guam, the Commonwealth of the Northern Mariana Islands, Wake Island, and Johnston Island.

Workers Performing Work “On or In Connection With” a Covered Contract

Only workers who are non-exempt under the Fair Labor Standards Act and performing work on or in connection with a covered contract must be paid $15 per hour. The wage requirement applies only to hours worked on or in connection with a covered contract.

A worker performs “on” a contract if the worker directly performs the specific services called for by the contract. A worker performs “in connection with” a contract if the worker’s work activities are necessary to the performance of a contract but are not the specific services called for by the contract.

The Final Rule includes a “less-than-20% exception” for those workers who only perform work “in connection with” a covered contract, but do not perform any direct work on the contract. For workers who spend less than 20% of their hours in a workweek working indirectly in connection with a covered contract, the contractor need not pay the $15 wage for any hours for that workweek.

Tipped Employees

Under the Final Rule, DOL is phasing out lower wages and tip credits for tipped employees on covered contracts. Employers must pay tipped employees $10.50 per hour in 2022 and increase those wages incrementally, under a proposed formula in the NPRM. Beginning in 2024, tipped employees must receive the full federal contractor wage rate.

$15 Wage Contract Clause Requirements, Enforcement Obligations

The Final Rule provides that a Minimum Wage contract clause will appear in covered prime contracts, except that procurement contracts subject to the Federal Acquisition Regulation (FAR) will include an applicable FAR Clause (to be issued by the Federal Acquisition Regulation Council) providing notice of the wage requirement.

In addition, covered prime contractors and subcontractors must include the Contract Clause in covered subcontracts and, as will be in the applicable FAR Clause, procurement prime contractors and subcontractors will be required to include the FAR clause in covered subcontracts.

In addition, the Final Rule provides that contractors and subcontractors:

“… shall require, as a condition of payment, that the subcontractor include the minimum wage contract clause in any lower-tier subcontracts … [and] shall be responsible for the compliance by any subcontractor or lower-tier subcontractor with the Executive Order minimum wage requirements, whether or not the contract clause was included in the subcontract.”

The DOL will investigate complaints and enforce the requirements but under the Final Rule, contracting agencies may also enforce the minimum wage requirements and take actions including contract termination, suspension and debarment for violations.

Preparation for the $15 wage

To prepare, contractors and subcontractors of covered contracts should consider taking the following steps:

  • Review existing multi-year contracts with options or extensions that may be exercised on or after January 30, 2022, to plan for wage increases at the exercise of the option or extension, but also review any contract modifications to see if an agency is including the requirement early than required, as is allowed under the Final Rule
  • Identify job titles that typically perform work directly on covered contracts and those that perform indirect work above 20% in a workweek
  • Plan for wage increases for covered workers who are not already making $15 per hour
  • Determine impact on existing collective bargaining agreements particularly on SCA-covered contracts
  • Prepare for submission of price/equitable adjustments based on wage increases if allowed under the contract terms

Article By Leslie A. Stout-Tabackman of Jackson Lewis P.C.

For more labor and employment legal news, read more at the National Law Review.

Jackson Lewis P.C. © 2021

EEOC Proposes Rule Requiring Employers to Disclose Pay Data on EEO-1 Forms and Key Recent Pro-Employee Changes in New York State’s and New York City’s Employment Laws and Regulations

EEOC EEO-1 Form Pay Data Requirement Raises Risks for Management

In a proposed regulation announced on January 29, 2015, the U.S. Equal Employment Opportunity Commission set forth changes that would require federal contractors and all other private-sector employers throughout the nation of more than 100 employees to report wage and salary data on their annual EEO-1 Forms. This new rule would mandate that such employers disclose compensation ranges and hours worked on their EEO-1 Forms, which already must contain data on employees’ gender, ethnicity, and race.

The Commission’s plans to require management to submit this data is part of the Obama Administration’s aggressive efforts to enforce the federal Equal Pay Act and other fair employment statutes and to promote pay equity in the workplace. Complying with the new regulation would require employers to spend substantial additional time and resources in gathering compensation information, which often involves many variables, and then organizing it into the format that the EEOC will mandate. Reporting this data to the EEOC would give the U.S. Government data without context and may lead to burdensome Commission investigations and enforcement actions based on misunderstandings of incomplete compensation information. Further, even though EEO-1 data enjoys some protections, the confidential status of employers’compensation information will now be vulnerable either to Freedom of Information Act requests or to kind of hacking attacks to which the federal government, with its antiquated IT systems in agencies such as the EEOC, has already suffered.

In sum, employers in New Jersey, New York, and around the country would become subject to higher EEOC scrutiny of their payroll practices, would face more Commission inquiries and litigations, would have to expend additional resources to complete EEO-1 Forms, and would need to live with a higher risk that their competitors will be able to obtain the confidential compensation data that the new rule would require management to submit each year to the EEOC.

Key Pro-Employee Changes in New York State and New York City Employment Laws and Regulations

New York State and New York City made significant changes in their labor and employment laws and regulations last year and this month. The NYS Legislature enacted, and Governor Cuomo signed, key revisions to laws that affect management throughout New York State. Mayor de Blasio and the City Council expanded local laws that further burden employers in the City. These important developments include:

A. New York State Women’s Equality Agenda

The Women’s Equality Agenda that went into effect on January 19, 2016 significantly amended New York State’s sex discrimination, sexual harassment, and equal pay laws to afford women greater protection in the workplace. These new statutes promoting gender equality in New York State include provisions that:

1. Amend New York State’s Equal Pay Act to require that an employer which pays lower wages to women than to men, for a job of equal skill, effort, and responsibility, demonstrate that such disparity is due to a bona fide factor other than sex, such as education, training, or experience, and that the difference in pay is job related and consistent with business necessity.

2. Make it unlawful for employers, in general, to prohibit employees from discussing or disclosing their wages — a new provision which affects both women and men.

3. Significantly increase the penalties for New York State Equal Pay Act violations by allowing employees to recover liquidated damages of three times (300%) the unlawfully unpaid wages, in addition to making the employee whole by requiring payment of the unpaid wages.

4. Allow a court to award attorneys’ fees to a prevailing plaintiff in sexual harassment and other sex discrimination actions.

5. Add familial status as a protected class under the New York State Human Rights Law. This new provision applies equally to men and women who are parents or guardians.

6. Expand the New York State Human Rights Law’s coverage of sexual harassment claims to all employers, including employers of from one to three employees who were not previously covered.

7. Require employers to provide reasonable accommodation for pregnancy-related medical conditions.

B. New NYS and NYC Protections for Transgender Individuals

1. Earlier this month, the New York State Division of Human Rights adopted regulations that make discrimination on the basis of a person being transgender unlawful under the New York State Human Rights Law. These regulations also prohibit harassment of transgender persons and require New York employers to reasonably accommodate employees who have been diagnosed with a “gender dysphoria” medical condition.

2. On December 21, 2015, the New York City Commission on Human Rights issued new enforcement guidelines on discrimination against transgender individuals, which the New York City Human Rights Law prohibits. The guidelines provide for penalties of up to $250,000 for violations that are found to be willful, wanton, or malicious.

C. New NYC Protections for Caregivers

1. The New York City Council has amended the New York City Human Rights Law to include caregiver as a protected class. The new local legislation, which Mayor de Blasio signed on January 5, 2016, defines caregivers as persons who provide direct and ongoing care for a minor child or a care recipient, such as a relative or individual with a disability who resides in the caregiver’s household. This amendment will go into effect on May 4, 2016.

Article By David I. RosenGalit Kierkut & Charles H. Kaplan of Sills Cummis & Gross P.C.

© Copyright 2016 Sills Cummis & Gross P.C.

DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-2008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.”  While the class deviation is a welcomed development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule. 

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DOD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families has “derived security requirements,” which provide added detail of the security controls required to protect government data. These basic requirements are based on FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls contained in NIST Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

  1. Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.
  2. Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.
  3. The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.
  4. The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).
  5. DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”
  6. With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.
  7. Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”
  8. The class deviation does not impact DoD cloud computing contracts, which remain subject to DFARS 252.239-7010, Cloud Computing Services.

Ensuring Compliance With the Revised DFARS Clauses and NIST SP 800-171 Section 3.5.3

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3 (emphasis added). Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

  • “Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identification Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokes (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. See id., n. 22.
  • “Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

“Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Article By Susan B. CassidyAlejandro L. SarriaPatrick Stanton & Catlin M. Meade of Covington & Burling LLP
© 2015 Covington & Burling LLP

Making a Claim against a Payment Bond Posted by a General Contractor or Sub-Contractor

In construction projects that are performed either on behalf of a municipality or a state agency, a general contractor and potentially a sub-contractor are typically required to post payment and/or performance bonds with the county or municipality. A general contractor or sub-contractor is required to post a payment and/or performance bond, because this ensures that sub-contractors or suppliers are paid, and enables the Township or state agency to have the work completed should the contractor fail to do so in a timely fashion. As a supplier or sub-contractor on such a municipal or state project, it is important to know your rights with regard to making a claim against a payment bond.

The most important thing that any sub-contractor or supplier must do prior to providing materials or services for a public contract is to provide the proper notice as required by N.J.S.A. 2A.44-145. This strict notice requirement specifies that the sub-contractor or supplier notify the party who posted the payment bond for the project in writing via certified mail of their intent to provide materials or services for the project. This is a prerequisite to being able to make a claim against the bond, or to receive a payment for materials and services with regard to the project if they are not paid by the sub-contractor or general contractor. As such, it is very important that any sub-contractor or supplier provide the appropriate notice to the party that posted the bond prior to performing any work or providing any materials.

If proper notification has been sent and a sub-contractor or supplier did not receive payment for materials or services provided, they may make a claim against the bond posted by the general contractor or the sub-contractor. It is always suggested that a sub-contractor or supplier obtain a copy of the bond posted by the general contractor or sub-contractor before providing materials or services. This is to ensure that any claim against the bond is made in a timely manner and is not forfeited by failing to comply with the terms of the bond, which require that a claim be made within a certain specified period of time.

Assuming that you have complied with the time requirements of the bond, a sub-contractor or supplier would first send a Notice of Demand for Payment to the bonding company with a copy to the contractor who posted the bond. Typically, the bonding company will require the production of any and all documents which justify the payment sought by the claimant that was not tendered by the sub-contractor or general contractor. Upon receipt of this information, the bonding company will make a determination whether payment is due for the materials and services which were provided.

Article By Paul W. Norris of Stark & Stark

COPYRIGHT © 2015, STARK & STARK

The New OFCCP Sexual Orientation And Gender Identity Protections Are Now In Effect

Proskauer Rose LLP, Law Firm

Executive Order (“EO”) 11246, as amended by EO 13762, officially went into effect, representing the first time in the federal sector that sexual orientation and gender identity have been expressly protected. On July 21, 2014, President Obama issued EO 13762, which amended EO 11246 to prohibit federal contractors from discriminating against employees on the basis of sexual orientation or gender identity. These additional protections are being incorporated into the Federal Acquisition Regulations (“FAR”), which will become effective tomorrow, April 10, 2015.

In order to educate the public on these new protections, the Office of Federal Contractor Compliance Programs (“OFCCP”) is conducting a series of webinars regarding the new sexual orientation and gender identity protections. Thus far, the webinars have focused on the obligations of federal contractors and the procedures available to claimants for filing a complaint under the new protections. We have summarized below key points from the webinar:

To Whom Does This Apply?

These new protections apply to any federal contractor, subcontractor, or government funded construction contractor that enters into or renews a federal contract or contracts valued at $10,000 or more per year. These new protections only apply to contracts entered into or renewed on or after April 8, 2015. These protections do not apply to organizations receiving grants from the federal government.

Administrative Changes Required By Employers

Under the new protections, employers must update the EEO language on their job advertisements, their EEO policies, and their “EEO is the Law” poster. The poster need not be updated until the OFCCP releases a supplement. The OFCCP has not yet announced when this supplement will be released.

With respect to the EEO language, the OFCCP has said that employers can simply say “Equal Employment Opportunity” on their job postings. However, if the employer chooses to list out the protected groups, it must list “sexual orientation” and “gender identity.” The OFCCP does not endorse the use of the acronym “LGBT,” as this is not representative of the entire protected class.

Dual Filing With The EEOC

The OFCCP clarified that any complaints alleging sexual orientation or gender identity discrimination are considered “dual-filed” with the EEOC. This means that the OFCCP will stand in the shoes of the EEOC when investigating the Title VII component of the complaint. While Title VII does not overtly protect against gender identity and sexual orientation discrimination, the EEOC has taken the position that these classifications are protected under Title VII and will pursue cases on behalf of these individuals.

As a consequence of the dual-filing process, if the OFCCP does not find cause or does not dispose of a case within 180 days, an employee can request a Notice of Right to Sue from the OFCCP to bring a private cause of action against the employer. This is significant as EO 11246 does not provide for a private cause of action. The OFCCP clarified, however, that it does not intend to pursue the compensatory and punitive damages available under Title VII (which are not available under the EO).

Religious Affiliated Contractors

In one of the webinars, the OFCCP clarified that all federal contractors, including religiously affiliated federal contractors, are required to comply with the new protections. This means that even those contractors who have been granted certain religious exemptions under EO 11246 may not discriminate based upon sexual orientation or gender identity.

Restroom Access Policies

The OFCCP clarified how employers must approach restroom access under the new protections. OFCCP explained that employers must allow employees to use restrooms based upon their gender identity. This means that if an employee was identified as a male at birth, but identifies as a female, the employer must permit that employee to use the female restroom if the employee desires to do so.

Benefits

The new protections provide that the same benefits must be provided to same-sex spouses as non-same-sex spouses. However, employers are not required to provide the same benefits to couples in civil unions or domestic partnerships as long as the denial of benefits is not based on discrimination. Consequently, if a contractor provides heterosexual domestic partners with benefits, it must provide homosexual domestic partners with the same benefits.

ARTICLE BY

Connie N Bertram
Alex C Weinstein
Proskauer Rose LLP

President Obama Urged to “Ban the Box” for Federal Contractors

Proskauer Rose LLP, Law Firm

In a letter this past week, nearly 200 interest groups urged President Obama to issue an executive order “banning the box” for federal contractors and to implement other “fair chance” hiring reforms protecting ex-offenders. “Ban the box” refers to a movement that has swept across state and local legislatures in recent years requiring contractors (and employers more broadly) to remove the check box from job applications asking whether prospective employees have a criminal history.

To date, several state and local jurisdictions have “banned the box” for contractors, including California (for construction contractors), Compton (CA), Richmond (CA), Hartford (CT), New Haven (CT), Indianapolis (IN), Louisville (KY), Boston (MA), Cambridge (MA), Worcester, (MA), Detroit (MI), Atlantic City (NJ), New York City (NY) (for human services contractors), Pittsburgh (PA), and Syracuse (NY). Delaware and Madison (WI) have “encouraged” the same.

In addition, six states—Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, and Rhode Island—and twelve localities— Baltimore (MD), Buffalo (NY), Chicago (IL), Columbia (MO), D.C., Montgomery County (MD), Newark (NJ), Philadelphia (PA), Prince George’s County (MD), Rochester (NY), Seattle (WA), and San Francisco (CA)—have “banned the box” for private employers (either expressly or implicitly covering government contractors).

At the federal level, the Office of Federal Contract Compliance Programs (OFCCP) also has issued a directive on criminal background checks. The Directive cautions contractors that the consideration of criminal records in hiring or other personnel decisions may have a disparate impact on racial and ethnic minorities in violation of Title VII of the Civil Rights Act of 1964.

If President Obama issues an executive order that “bans the box” for federal contractors, the executive action will add to an already growing patchwork of laws and orders restricting criminal background checks on job applicants and employees of government contractors. Stay tuned to see what the President decides.

ARTICLE BY

Connie N Bertram
Daniel L. Saperstein
Proskauer Rose LLP