The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, an internal pre-assessment gap review, ideally conducted under legal privilege, is recommended to allow sufficient time to address shortfalls in technical controls or governance. Implementing a CMMC-type program typically takes many months, and we strongly recommend that clients begin this process soon if they have not already started; it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in how the DoD oversees and manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aims to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

BIOSECURE Act: Anticipated Movement, Key Provisions, and Likely Impact

Last night, the House of Representatives passed the BIOSECURE Act (BIOSECURE or the Act) by a bipartisan vote of 306 to 81.

The BIOSECURE Act prohibits federal agencies from procuring or obtaining any biotechnology equipment or service produced or provided by a biotechnology company of concern. Subject to some exceptions, it also prohibits federal agencies from contracting with a company that uses equipment or services produced or provided by a biotechnology company of concern. Further, the Act prohibits recipients of a loan or grant from a federal agency from using federal funds to purchase equipment or services from a biotechnology company of concern.

The Senate version of BIOSECURE, sponsored by Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), was voted out of the Senate Committee on Homeland Security and Governmental Affairs with bipartisan support in March 2024. Given its passage in the House last night, the BIOSECURE Act is likely to be signed into law by the end of the year. The House version of BIOSECURE is likely to be the version that becomes law. President Biden is unlikely to veto the Act given its bipartisan support, his previous executive actions to support domestic biotechnology development, and his Administration’s approach towards competition with China.

The Act defines “biotechnology company of concern” as any entity that:

  • is subject to the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary (defined as China, Cuba, Iran, North Korea, and Russia);
  • is involved in the manufacturing, distribution, provision, or procurement of a biotechnology equipment or service; and
  • poses a risk to U.S. national security based on:
    • engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies;
    • providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or
    • obtaining human multiomic data via the biotechnology equipment or services without express and informed consent.

Somewhat unusually, the Act names specific Chinese companies as automatically qualifying as “biotechnology companies of concern”:

  • BGI (formerly known as the Beijing Genomics Institute);
  • MGI;
  • Complete Genomics;
  • WuXi AppTec; and
  • WuXi Biologics.

Both categories include any subsidiary, parent, affiliate, or successor entities of biotechnology companies of concern.

The Act also has very broad definitions of “biotechnology equipment or service.” The definition of equipment encompasses any machine, device, or subcomponent, including software that is “designed for use in the research, development, production, or analysis of biological materials.” The definition of services is similarly broad.

The BIOSECURE Act also requires the Office of Management and Budget (OMB) to publish a list of additional biotechnology companies of concern. The list is prepared by the Secretary of Defense in coordination with the Secretaries of the Departments of Health and Human Services, Justice, Commerce, Homeland Security, and State, as well as the Director of National Intelligence and National Cyber Director. This list of companies must be published by OMB within one year of BIOSECURE’s enactment and reviewed annually by OMB in consultation with the other Departments.

Guidance and Regulatory Authorities

OMB is also tasked with developing guidance and has 120 days from enactment of the statute to do so for the named companies. For the list of biotechnology companies of concern, OMB’s guidance must be established within 180 days after the development of the list.

Beyond OMB, the Act requires the Federal Acquisition Regulatory Council to revise the Federal Acquisition Regulation (FAR) to incorporate its prohibitions. The FAR regulations must be issued within one year of when OMB establishes its guidance.

For named companies the Act’s prohibitions are effective 60 days after the issuance of the FAR regulations. For companies placed on the biotechnology company of concern list, the effective date for the Act’s prohibitions is 80 days after the issuance of FAR regulations.

Impact on Existing Business Relationships

In response to stakeholder concerns about disrupting existing commercial relationships and triggering delays in drug development, the House version of the BIOSECURE Act provides a five-year unwinding period for contracts and agreements entered into before the Act’s effective dates. Contracts entered into after the Act’s effective dates do not qualify for the five-year unwinding period.

Process for Designating Companies

BIOSECURE specifies the process for designating a biotechnology company of concern. Critically, the Act does not require OMB to notify a company prior to the Department of Defense making the designation. Rather, a company will receive notice that it is being designated and placed on the biotechnology company of concern list. Moreover, the criteria for listing will only be provided “to the extent consistent with national security and law enforcement interests.” Thus, companies may face a circumstance where they are not provided the evidence supporting their designation.

Once a company receives the notice, it will have 90 days to submit information and arguments opposing the listing. The Act does not require a hearing or any formal administrative process. If practicable, the notice may also include steps the company could take to avoid being listed, but it is not required.

Safe Harbor, Waivers and Exceptions

The Act only has one safe harbor for biotechnology equipment or services that were formerly but no longer provided or produced by a biotechnology company of concern. This safe harbor seems intended to allow a biotechnology company of concern to sell their ownership of a product or service to another company without prohibitions applying to the new owner.

Agency heads may waive the Act’s prohibitions on a case-by-case basis, but only with the approval of OMB acting “in coordination with the Secretary of Defense.” Waivers must be reported to Congress within 30 days of being granted. The waiver may last for up to a year with an additional “one time” extension of 180 days allowed if an agency head determines it is “in the national security interests of the United States.” The 180-day extension must be approved by OMB and the agency head must notify and submit a justification to Congress within 10 days of the waiver being granted.

The Act has only two exceptions. First, its prohibitions do not apply to intelligence activities. Second, the prohibitions do not apply to health care services provided to federal employees, members of the armed services, and government contractors who are stationed in a foreign country or on official foreign travel.

Impact and Considerations for Clients

1. Increased Risk of Partnerships with Chinese Companies and Researchers:

Pharmaceutical and biotechnology companies that receive federal funding or contract with federal agencies should be prepared to wind down business ties to biotechnology companies in China. Impacted companies need to begin evaluating the risk to their supply chains, manufacturing capacity, and R&D pipelines in the event a business partner is listed.

Universities in the United States and other research institutes that receive federal funding will also need to undertake a similar assessment of their research partners and collaborators based in China.

2. Loss of CDMO capacity:

WuXi AppTec is a large, global provider of contract development and manufacturing organization (CDMO) services to the life sciences industry. According to the New York Times, “[b]y one estimate Wuxi has been involved in developing one-fourth of the drugs used in the United States.” BIOSECURE would effectively ban WuXi from conducting business in the United States and, if passed, risks causing delays, shortages, and cost increases as companies seek to transition to other CDMOs. It will likely take years for competitors to replace the lost CDMO capacity.

3. Fate of Wuxi U.S. Facilities:

WuXi has a large presence in the United States. It operates 12 facilities and employs almost 2,000 people. Normally, WuXi would be expected to sell its U.S.-based facilities. However, based on TikTok’s experience, it is unclear whether the Government of China will permit WuXi to sell its facilities as opposed to dismantling and/or relocating facilities outside of the United States.

4. OMB’s Management of Biotechnology Companies of Concern List

OMB does not typically manage processes like the one envisioned by BIOSECURE. How OMB interprets the broad criteria for listing companies will be critical. Which Departments, beyond the Department of Defense, will have the greatest influence on OMB’s decision making and how open OMB is to evidence from companies seeking to avoid listing will also need to be watched closely. Until OMB starts preparing its guidance and the FAR regulations are proposed, it is hard to anticipate the rate at which new companies will be added to the list. How the process established by BIOSECURE will interact with or leverage existing entity lists will be another development to closely monitor.

5. Retaliation by China

BIOSECURE’s passage is likely to trigger a response from the Government of China. Responses could range from imposing its own export controls to using the country’s sweeping national security laws to harass United States businesses and their employees. Companies doing business in China, particularly those in the pharmaceutical or biotech industries, need to be prepared.

FAR Council Issues Final Rule, DOL Issues Final Guidance on Fair Pay and Safe Workplaces (“Blacklisting”) Executive Order, Effective October 25, 2016

Yesterday, the Federal Acquisition Regulations Council (“FAR Council”) and the U.S. Department of Labor (“DOL”) issued their Final Rule and Guidance implementing the Fair Pay and Safe Workplaces Executive Order (the “Order”), commonly referred to as the “blacklisting” rule.  In total, the Final Rule, Guidance, and accompanying commentary totaled nearly 900 pages, responding to nearly 20,000 comments on the Proposed Rule and Guidance released earlier this year.  Some of our previous posts on the Order and the Proposed Rule and Guidance can be found here and here.  This post will highlight the notable changes and clarifications made in the Final Rule and Guidance as well as key takeaways for federal government contractors.

Effective Date

The Final Rule is effective on October 25, 2016.  This is earlier than anticipated and dramatically shortens the time for contractors to prepare to comply with the Order and its implementing regulations.  That being said, as discussed below, the Final Rule also phases in a number of the disclosure and compliance obligations, lessening the initial burden of the implementation.

Phase-In of Labor Violation Disclosure Requirements

One of the overarching concerns raised during the notice and comment period was the enormous burden the Order would place on the contracting community.  In an effort to lessen that burden, the Final Rule and Guidance announced a phased implementation of the disclosure obligations.  The phase-in has two key components.

First, the Order and the Proposed Rule contain a three-year look-back period for covered violations.  Recognizing that contractors have not been cataloging covered labor violations prior to the issuance of the Order, the Final Rule only requires contractors to look back one year for reportable violations when the rule becomes effective.  The look-back period will increase by one year each year until October 2018, when it will become a three-year look-back.

Second, the Final Rule also limits which contractors must make labor law violation disclosures in the first six months following the effective date.  Contractors will not be required to disclose labor law violations until April 24, 2017, unless the contractor is responding to a solicitation for a contract valued at $50 million or more after the effective date of the Final Rule.  For most contractors, this provides an additional six-month window to prepare for the implementation of the disclosure obligations.

The phase-in of disclosure obligations does not just impact prime contractors.  The Final Rule also included a lengthier phase-in for subcontractor disclosure obligations.  Subcontractors must begin disclosing labor violations for solicitations issued after October 25, 2017, one year after the effective date.

A Pause on The Disclosure of “State Law Equivalent” Violations

When the Proposed Rule was released, the Proposed Guidance stated that a supplement would follow containing a list of which state-law equivalents for the 14 enumerated federal laws require disclosures of violations under the Order.  To date, no list has been released.  The Final Rule and Guidance acknowledge this and state that the DOL will release a comprehensive list of state laws that are covered by the Order.  This listing will be subject to notice and comment before it becomes effective.  In the meantime, only the 14 federal labor laws listed in the Proposed Rule and in the Order, along with state OSHA plans, are covered by the rule.

Minor Clarifications on Scope of Violations

Overall, despite numerous comments and criticisms, the DOL declined to substantively modify its list of covered labor violations in the Final Guidance.  Thus, the list of administrative merits determinations, arbitral awards, and civil judgments remains exceptionally broad and sweeping.

Although the DOL declined to narrow its definition of a violation, the Final Guidance does contain some minor modifications that broaden the definition of a violation.  For example, the definition of administrative merits determination in the Proposed Guidance did not include violations of the anti-retaliation provisions of the Occupational Safety and Health Act (“OSHA”) or the Fair Labor Standards Act (“FLSA”).  The final rule clarifies that these were unintentionally omitted from the Proposed Guidance and are now included in the Final Guidance.  Additionally, the Proposed Guidance limited “determination letters” from the DOL Wage and Hour Division to letters outlining violations of Sections 6 and 7 of the FLSA (minimum wage and overtime).  In the Final Guidance, the DOL has clarified that this was unintentionally narrow, and that the Final Guidance includes determination letters finding any FLSA violation.

Assessing A Subcontractor’s Responsibility – Removing The Burden From The Prime

One highly controversial aspect of the Proposed Rule was the burden placed on the prime contractor to perform the same type of responsibility determination of covered subcontractors’ labor violations that the government will perform on prime contractors.  In response to numerous comments, the Final Rule has modified the process for assessing a subcontractor’s violations, largely removing the burden from the prime contractor.

Instead, starting October 25, 2017, under the Final Rule, covered subcontractors will submit their list of labor violations to the Agency Labor Compliance Advisor (“ALCA”).  The ALCA will then perform an assessment of the disclosed violations and make a recommendation.  The prime contractor must make the ultimate decision as to responsibility.  If the subcontractor disagrees with the finding of the ALCA, it can raise the dispute with the prime contractor.

Clarification of Assessment Process of The Labor Compliance Advisors

The Proposed Rule and Guidance introduced a new government official into the contracting process, the ALCA.  There was substantial controversy surrounding this new role, particularly the potential disparate application of the Order between agencies and perhaps even within agencies.  The Final Rule and Guidance provides additional details regarding the process by which federal agencies and departments will assess a contractor’s labor violations.  Moreover, the Final Rule and Guidance recognizes the need for guidelines and training for the ALCAs.

The Final Rule and Guidance states that the ALCA will have three days to assess labor violations disclosed by a contractor.  Although the contracting officer is permitted to give the ALCA additional time, the contracting officer may make his or her own assessment of responsibility without the recommendation of the ALCA.  The ultimate responsibility for making a responsibility determination will remain with the contracting officer, not the ALCA.  The ALCA’s role is to “assesses the nature of the violations and provide[] analysis and advice.”

The Final Guidance also clarifies the process the ALCA will follow during his or her assessment.  The ALCA will first review all of the violations to determine if any are “serious, repeated, willful, and/or pervasive.”  Then, the ALCA “weighs any serious, repeated, willful, and/or pervasive violations in light of the totality of the circumstances, including the severity of the violation(s), the size of the contractor, and any mitigating factors that are present.”  Finally, the ALCA provides written analysis to the contracting officer.

Public Dissemination of Disclosures

The Proposed Rule and Guidance noted that information submitted to the contracting agency would be publicly disseminated.  Despite numerous comments criticizing this proposed provision, the Final Rule and Guidance declined to remove this requirement.  However, the Final Rule and Guidance provided clarification as to how this public dissemination will work in practice.  Pursuant to the Final Rule, the following information will be publicly disclosed based upon the contractor’s violation submissions:  (1) the law violated; (2) the case identification number or docket number; (3) the date of the decision finding a violation; and (4) the name of the body issuing the judgment.

The contractor will input this information into the System for Award Management (“SAM”).  From SAM, the information will be made available to the public through the Federal Awardee Performance and Integrity Information System (“FAPIIS”).  The Final Rule clarified that while the four enumerated data points must be made public, the contractor has the choice as to whether any additional documents provided by the contractor to demonstrate its responsibility and mitigation efforts shall be made public.

Key Takeaways

With the Final Rules and Guidance published, it is more important than ever that contractors begin preparing for the implementation of the Order and its regulations.  Contractors have two months before the effective date of the Final Rule, and while certain obligations will be phased-in, contractors will need time to prepare for compliance.

Contractors should start cataloging any violations during the past six months that constitute covered violations, as well as any evidence of mitigation efforts taken as a consequence of the violations.  Because complaints and charges alleging violations of the 14 federal laws covered by the Order can arise anywhere in an organization, a central official or office should be designated to coordinate the collection of this information (concerning both past and future violations), along with a central repository for it.  Contractors should view the ability to quickly provide a comprehensive list to the contracting officer as a competitive advantage, as competitors may not be prepared to do so in a timely manner.

Additionally, if the ALCA makes an inquiry concerning the disclosed violations, contractors should be prepared to advocate, with appropriate evidence, why certain violations are not willful, repeated, pervasive or severe.  For instance, the contractor could point to its size or the number of employees in the organization.  It can also identify measures taken by the contractor to address the issues raised in the violation.  It will be important that these disclosures be vetted by a central authority within the organization.

In addition to preparing to report labor violations, contractors should also work internally to reduce and mitigate the risk of future violations.  This can be achieved by: (1) developing and implementing effective policies and training; (2) auditing compliance; (3) adopting a robust internal complaint mechanism; (4) developing alternative dispute resolution processes; and (5) undertaking early case assessment and management.  Taking these proactive measures can help lessen the burden of future compliance by reducing the number of violations that must be reported.