Secure Software Regulations and Self-Attestation Required for Federal Contractors

US Policy and Regulatory Alert

Government contractors providing software across the federal government’s supply chain will be required later this year to comply with a new Secure Software Development Framework (SSDF). The SSDF requires software vendors to attest to new security controls in the design and development of code used by the federal government.

Cybersecurity Compromises of Government Software on the Rise

In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code, that is, software developed with security in mind so that flaws and vulnerabilities are mitigated before the government buys and deploys it.

The SSDF as A Government Response

In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in Special Publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. In other words, a producer that cannot attest to meeting the NIST practices will not be able to supply software to the federal government. There are some exceptions, and processes for software to come into compliance gradually under various milestones for improvement, but all of these are highly technical and leave considerable room for judgment.

In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023.[1]

SSDF Implementation Deadline and Requirements for Government Suppliers

The timelines in M-22-18 initially produced deadlines of 11 June 2023 for critical software and 13 September 2023 for all other software to comply with the SSDF attestation requirement. Press reports indicate that these deadlines will be extended, both because of the complexity of the SSDF requirements and because the comment period on CISA’s draft form remains open until 26 June 2023. However, no extension of the deadlines has yet been formally confirmed.

Attestation and Compliance with the SSDF

Based on what we know now, the attestation form generally requires software producers to confirm that:

  • The software was developed and built in secure environments.
  • The software producer has made a good-faith effort to maintain trusted source code supply chains.
  • The software producer maintains provenance data for internal and third-party code incorporated into the software.
  • The software producer employed automated tools or comparable processes that check for security vulnerabilities.

Software producers that must comply with SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and likely will take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, as is usually the case with such regulations. The SSDF also includes numerous ambiguities. For example, the SSDF requires versioning changes in software to have certain impacts in the security assessment, although the term “versioning” does not have a standard definition in the software sector.

Next Steps and Risks of Noncompliance

Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given the fact that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant. In particular, contractors and other interested parties should use this opportunity to share feedback and insights with CISA through the public comment process.

K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.


[1] 88 Fed. Reg. 25,670.

Copyright 2023 K & L Gates

Biden Administration Proposes That Federal Contractors Must Disclose GHG Emissions

Last Thursday, the Biden Administration proposed that all federal contractors (except those receiving less than $7.5 million annually in contracts) be required to, among other things, disclose their GHG emissions.  Specifically, according to the press release issued by the White House, “Federal contractors receiving more than $50 million in annual contracts would be required to publicly disclose Scope 1, Scope 2, and relevant categories of Scope 3 emissions, disclose climate-related financial risks, and set science-based emissions reduction targets” and “Federal contractors with more than $7.5 million but less than $50 million in annual contracts would be required to report Scope 1 and Scope 2 emissions.”  The Biden Administration further announced that “[t]his proposed rule leverages widely-adopted third party standards and systems . . . including the CDP environmental reporting system, the Task Force on Climate-Related Financial Disclosures (TCFD) Recommendations, and the Science Based Targets Initiative (SBTi) criteria.”  It should be noted that this proposed rule is also quite similar to the climate disclosures proposed by the SEC–an unsurprising observation, as both were proposed by the Biden Administration and relied upon the same third-party standards (e.g., the TCFD).

The significance of this proposed rule–beyond the regulatory burden imposed upon federal contractors, which is substantial–is that the Biden Administration is signaling its commitment to, and reliance upon, climate-related financial disclosures as a key tool to address the challenge of climate change.  Thus, regardless of the legal challenges that the SEC proposal (and any similar regulatory rule) will be subject to, it is clear that the impetus for these types of disclosures will continue, including through other means at the government’s disposal.  Bearing this in mind, it would be rational for companies to take steps to generate the information necessary for these sort of disclosures, and to prepare to issue them–as this regulatory pressure is unlikely to dissipate soon.

“Today, the Biden-Harris Administration is taking historic action to address greenhouse gas emissions and protect the Federal Government’s supply chains from climate-related financial risks. In support of President Biden’s Executive Orders on Climate-Related Financial Risk and Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability, the Administration is proposing the Federal Supplier Climate Risks and Resilience Rule, which would require major Federal contractors to publicly disclose their greenhouse gas emissions and climate-related financial risks and set science-based emissions reduction targets.”

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

The Intersection of the Bipartisan Infrastructure Law and Davis-Bacon Act Requirements for Federal Contractors and Subcontractors

On November 15, 2021, President Joe Biden signed the $1.2 trillion Infrastructure Investment and Jobs Act into law, which is popularly known as the Bipartisan Infrastructure Law (“BIL”).

The BIL is estimated to create an additional 800,000 jobs.  The United States Department of Labor (“DOL”) contends that such new jobs will “expand the middle class, revitalize our nation’s transportation, communications and utility systems and build a more resilient, reliable, and environmentally sound future.”  The White House asserts that the BIL will provide protection to “critical labor standards on construction projects,” as a substantial portion of the construction projects included in the BIL will be subject to requirements of the Davis-Bacon Act (“DBA” or the “Act”).

While the BIL provides new revenue sources and opportunities for construction projects, federal contractors and subcontractors should ensure that their businesses comply with the DBA’s prevailing wage rates and labor standards requirements.

Scope and Coverage of DBA

In its simplest form, the DBA, enacted in 1931, requires federal contractors and subcontractors to pay prevailing wage rates and fringe benefits to certain construction workers employed on certain federal contracts.  The DOL’s Wage and Hour Division (“WHD”) administers and enforces the Act’s requirements on federally funded and assisted construction projects.  The DBA applies to contracts:

  1. To which the Federal Government or the District of Columbia is a party;

  2. For the construction, alteration, or repair, such as painting and decorating, of public buildings and public works to which the Federal Government or the District of Columbia is a party;

  3. Involving the employment of mechanics, laborers, and other workers that engage in manual or physical labor (except for individuals performing administrative, clerical, professional, or management work such as superintendents, project managers, engineers, or office staff); and

  4. Which are in excess of $2,000.

With respect to the DBA applying to federal contracts above $2,000, this value threshold only applies to the initial federal contract.  If the threshold is met, however, then the DBA applies to any lower-tier subcontracts even if the value of the subcontract is less than $2,000.

Requirements for Contractors and Subcontractors

There are various requirements for federal contractors and subcontractors under the DBA, which the United States Supreme Court has described as “a minimum wage law designed for the benefit of construction workers.”  The Act was designed to protect construction workers’ wage standards from federal contractors who may base their contract bids on wage rates that are lower than the local wage level.  Under the DBA, federal contractors and subcontractors are required, among other things, to do the following:

  1. Pay covered workers who work on the work site the prevailing wage rates and fringe benefits that are listed in the applicable wage determinations, which are provided by the WHD (the prevailing wage rate consists of both the basic hourly rate of pay and any fringe benefits to bona fide third-party plans, which may include medical insurance; life and disability insurance; pensions on retirement or death; compensation for injuries or illness resulting from occupational activity; or other bona fide fringe benefits – bona fide fringe benefits, however, do not include payments made by employer contractors or subcontractors that are required by other federal, state, or local laws such as required contributions to unemployment insurance);

  2. Maintain accurate payroll records for employees that must be submitted to the contracting agency on a weekly basis (within seven days following the regular pay date for the particular workweek), which must include the following for covered employees: (i) name; (ii) classification; (iii) daily and weekly hours worked; and (iv) deductions made and actual wages paid (there are additional recordkeeping requirements for federal contractors who employ apprentices or trainees under approved DOL programs);

    • Federal contractors and subcontractors are also required to preserve the payroll records for three years following the completion of the covered work, provide accessibility to the records upon request by the DOL or its representatives, and allow the DOL or its representatives to interview employees during work hours.

    • Federal contractors and subcontractors can use the WHD’s Form WH-347 to satisfy the weekly reporting requirements.

  3. With respect to prime or general contractors, they must ensure that specific contract clauses and the applicable wage determinations are inserted into any lower-tier subcontracts (the contract clauses cover the following: (i) construction wage rate requirements; (ii) withholding of funds; (iii) payrolls and basic records; (iv) apprentices and trainees; (v) compliance with requirements under the Copeland Act; (vi) requirements for subcontracts; (vii) contract termination – debarment; (viii) compliance with construction wage rate requirements and related regulations; (ix) disputes concerning labor standards; and (x) certification of eligibility); and

  4. Post a notice of the prevailing wages as to every classification of worker and an “Employee Rights under the DBA” poster in a prominent location that is easily accessible to the covered workers at the work site.

Practical Consideration in Compliance with DBA

Federal contractors and subcontractors should ensure that covered workers are properly classified for the work such individuals perform and paid in accordance with the prevailing wage rate for their classification.

Employers will often face recordkeeping challenges when they have nonexempt employees who perform covered (manual) work and non-covered (administrative) work in the same workweek.

In such instances, the employer must determine whether the employee is salaried or paid hourly.  If the employee is salaried, the employer must determine whether the employee’s salary is greater than or equal to the prevailing wage rate for the employee’s classification.  If not, the employer contractor is required to increase the employee’s pay for the week the covered work is performed.

Likewise, if the employee is paid hourly, then the employer must ensure the employee’s hourly rate is greater than or equal to the prevailing wage rate for the employee’s classification.

Federal contractors and subcontractors could face various consequences due to their failure to comply with the DBA, ranging from termination of the federal contract and debarment to a contracting agency withholding money due to the contractor to cover back wages due to employees as well as criminal prosecution.  Accordingly, federal contractors and subcontractors should consult with legal counsel to ensure they comply with the various DBA requirements for any covered contracts.

© 2022 Ward and Smith, P.A. All Rights Reserved.

What We Know And Don’t About The Federal Court Order Enjoining EO 14042

In news that will be of interest to every federal contractor, including large and small businesses, universities, banks, and the health care industry, Executive Order 14042 (along with the related Task Force Guidance and contract clauses) has been ENJOINED in the states of Kentucky, Ohio, and Tennessee. U.S. District Court Judge Gregory F. Van Tatenhove of the Eastern District of Kentucky issued an order on November 30, 2021 granting Plaintiffs’ (a group including the states of Tennessee, Kentucky, and Ohio) motion for a preliminary injunction.

The decision most certainly will be appealed. In the meantime, contractors with employees performing in Kentucky, Ohio, or Tennessee are not required to comply with the Executive Order or FAR/DFARS clauses. Obviously, this creates a conundrum for federal contractors and subcontractors looking for a uniform way to implement the EO rules.

Background

Plaintiffs Kentucky, Ohio, and Tennessee filed suit in the U.S. District Court for the Eastern District of Kentucky on November 4, 2021, and four days later filed for a Temporary Restraining Order and Preliminary Injunction (“TRO/PI”). The TRO/PI motion asked the Court to enjoin the Government’s enforcement of EO 14042. Plaintiffs challenged the EO on 10 separate grounds, including that it violated the Federal Property and Administrative Services Act (“FPASA”), the Competition in Contracting Act (“CICA”), the Administrative Procedures Act (“APA”), and the U.S. Constitution. The Court held a conference among the parties on November 9 and a hearing on November 18.

The District Court Decision

Regardless of whether one likes the outcome or not, Judge Van Tatenhove’s decision is thoughtfully reasoned and well written. It is methodical and well cited. In sum, Judge Van Tatenhove enjoined the EO not because of the process by which the Administration implemented the mandate (i.e. not due to the lack of a meaningful notice-and-comment period or the unprecedented dynamic nature of the FAR clause), but rather because he found the Administration never had the authority to implement a vaccine mandate in the first place. In other words, the Court issued the injunction because the President of the United States purportedly lacks the statutory or constitutional authority to regulate public health via a contract clause issued pursuant to a procurement statute.

The decision, however, readily concedes that the Court’s view is the beginning, not the end, of the story. “Once again,” the Judge explained, “the Court is asked to wrestle with important constitutional values implicated in the midst of a pandemic that lingers. These questions will not be finally resolved in the shadows. Instead, the consideration will continue with the benefit of full briefing and appellate review. But right now, the enforcement of the contract provisions in this case must be paused.”

The Practical Impact (and Scope) of Kentucky v. Biden

While the Court’s decision is significant, it does NOT apply to all federal contractors. It enjoins the Government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.” Sadly, Judge Van Tatenhove does not explain this sentence. Does he mean to enjoin all federal contracts performed in those states, all federal contracts held by contractors operating in those states, or maybe even all federal contracts issued by agencies based in those states? It’s unclear. Adding to the confusion is his statement that the injunction “is properly limited to the parties before the Court” (i.e., the states of Kentucky, Tennessee, Ohio). Here again, we are left to guess what he means.

Subsequent to the Court’s decision, GSA took prompt steps to notify its contractors of the late breaking news. Here is GSA’s take on the scope of the injunction:

Update: On November 30, 2021, in response to a lawsuit filed in the United States District Court, Eastern District of Kentucky, a preliminary injunction was issued halting the Federal Government from enforcing the vaccine mandate for Federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.

GSA implemented the vaccine mandate stemming from Executive Order 14042 through Class Deviation CD-2021-13. Pursuant to the preliminary injunction, GSA will not take any action to enforce FAR clause 52.223-99 Ensuring Adequate COVID-19 Safety Protocols for Federal Contractors in all covered contracts or contract-like instruments being performed, in whole or in part, in Kentucky, Ohio and Tennessee.

While GSA’s formulation is a bit more useful than the Court’s in that it focuses on contracts “being performed . . . in” the three states, it still does not answer the key question regarding scope.

We think the most common sense interpretation of the scope of the injunction is that it applies to covered employees performing work in Kentucky, Tennessee, and Ohio. That being said, GSA’s interpretation seems to indicate the analysis should be performed at the contract level, rather than the employee level (i.e., if you have even one employee performing on a contract in one of those three states, then the entire contract is exempt from enforcement).

We hope to receive updated Guidance from the Task Force providing a definitive answer to this question in the near future. Until then, Federal contractors and subcontractors are stuck between the proverbial rock and a hard place – having to decide whether to continue marching ahead pursuant to the EO or navigate different rules in different states.

In reaching their own interpretive decision, contractors should keep in mind that the Court order does not prohibit compliance with the EO; it simply enjoins the Government from enforcing the EO. Before a contractor decides to continue rolling out its existing compliance approach as planned, however, it would be well advised to consider this: now that the EO has been enjoined in Kentucky, Ohio, and Tennessee, one can make a credible (and likely correct) argument that the EO requirements are no longer mandatory in those states (both vaccination and masking/distancing). This transition from a mandatory to a voluntary rule creates at least two new hurdles for contractors.

  • First, continuing to comply with the FAR/DFARS clauses could create state liability where a state has a law against a vaccine mandate. For example, on November 12, 2021 Tennessee passed TN HB 9077/SB 9014, which prohibits private businesses, governmental entities, schools, and local education agencies from compelling an individual, or from taking adverse action against the individual to compel them, to provide proof of vaccination. Previously, the Executive Order, as a federal law, would have trumped the conflicting state law. Now, however, the unenforceable EO no longer reigns supreme. Accordingly, continuing to impose the EO on a Tennessee workforce creates state risk.
  • Second, continuing to comply with the FAR/DFARS clauses in Tennessee, Kentucky, or Ohio could create problems with a company’s collective bargaining obligations. When the vaccine requirement was a legal obligation, it probably was not required to be collectively bargained. Now that the requirement is no longer a legal obligation (at least in the three states covered by the Court order), imposing a vaccine mandate on union employees may have to be collectively bargained.

Accordingly, while marching ahead with an existing EO 14042 company-wide compliance plan may make great sense from an efficiency and consistency standpoint, it could create unintended risks in at least three states (and certainly in Tennessee).

What Should Contractors Do Now?

The EO 14042 COVID safety contracting landscape (like COVID itself) is changing every day. We are hopeful the Task Force will issue new Guidance soon to help contractors navigate the new hurdles created by the Kentucky decision. Until then, here are a few thoughts for consideration:

  • If you have no employees performing in Kentucky, Ohio, or Tennessee, the Order has no impact on you. The EO still applies to your contracts in other states just as it did prior to the Court’s decision.
  • If you have employees performing in Tennessee, take a close look at TN HB 9077/SB 9014 before making any decision regarding implementation of the EO.
  • If you have employees performing in Kentucky or Ohio and do not have collective bargaining agreements, you may want to continue enforcing the EO to avoid having different rules in different locations. But if you have collective bargaining agreements, make sure you connect with your L&E lawyer before charting a path forward.
  • Consider putting together a communication to your employees who no doubt soon will read a headline and have questions about the Order.
  • For contractors with employees performing in Kentucky, Tennessee, or Ohio, update your current compliance plan.
  • In the absence of further Task Force Guidance, consider staying in close communication with your contracting officer regarding your implementation approach, especially in the three states implicated by the Order.

Additionally, stay on the lookout for additional updates (including from us) on the other pending litigation challenging the EO.

What’s Next?

Speaking of the “other pending litigation,” the docket still is full of challenges to the EO. By our count, there are motions for preliminary injunction pending in cases with 24 additional states as plaintiffs.


The judges in these cases are not bound by the Kentucky decision, either on the merits or on the scope of any resulting injunction. That is, should a judge in one of the remaining cases also strike the EO as contrary to law or the Constitution, that judge could choose to issue a nationwide injunction covering all contractors in all states (or, as the Kentucky judge chose, limit the application to the specific state(s) involved). Only time will tell. As of the publication of this Alert, three of those cases have hearings scheduled for December 3, 6, and 7. We expect decisions shortly thereafter.

Importantly, as the Kentucky decision explicitly recognizes, it’s unlikely any of these district courts will be the final arbiter of the legality of EO 14042. We think it’s only a matter of time until we get the rarely seen, yet always celebrated Supreme Court government contracts decision. Stay tuned.

For Those Wanting A Bit More Detail . . .

For those interested in the details of the Kentucky decision, here is a brief summary:

After analyzing and concluding that the plaintiffs had standing to pursue this matter on behalf of their agencies and businesses operating in their states (a contrary outcome to the U.S. District Court’s recent decision in Mississippi), Judge Van Tatenhove jumped right in to analyzing the myriad arguments raised by Plaintiffs. Briefly, here is what he found:

  • FPASA. Plaintiffs argued that the President exceeded his authority under FPASA in issuing the EO. The Court agreed, reasoning that FPASA was intended to give the President procurement powers, not unlimited powers. “FPASA does not provide authority to ‘write a blank check for the President to fill in at his will. . . .” The Court found an insufficiently close nexus between the EO and the need for economy and efficiency in the procurement of goods and services, reasoning that similar logic could authorize a president to outlaw overweight contractor employees since the CDC has concluded that obesity worsens the outcomes of COVID-19. While recognizing the breadth of FPASA and how it historically has been used to promote far-reaching social labor policies (e.g., EO 11246), for this judge at least, the COVID-19 mandate was just a bridge too far.
  • CICA. CICA requires agencies to provide “full and open competition through the use of competitive procedures” in federal procurements. The Court found that the EO violates CICA. According to Judge Van Tatenhove, “contractors who ‘represent the best value to the government’ but choose not to follow the vaccine mandate would be precluded from effectively competing for government contracts.” It seems to us this reasoning does not hold up under close scrutiny. Couldn’t one say the same thing about contractors precluded from contracts where they “choose not to follow” the Trade Agreements Act, Section 889, Executive Order 11246, or any other number of gating procurement rules? In any event, the Court found the argument compelling at least “at this early stage in the litigation.”
  • Non-Delegation Doctrine. The non-delegation doctrine precludes Congress from transferring its legislative power to another branch. Plaintiffs argued that “mandating vaccination for millions of federal contractors and subcontractors is a decision that should be left to Congress (or, more appropriately, the States) and is a public health regulation as opposed to a measure aimed at providing an economical and efficient procurement system.” In evaluating Plaintiffs’ argument, the Court looked to the OSHA rule recently struck down by the Fifth Circuit. “It would be reasonable to assume that a vaccine mandate would be more appropriate in the context of an emergency standard promulgated by OSHA,” Judge Van Tatenhove noted, and then went on to note that even the OSHA ETS was struck down as a violation of the non-delegation doctrine. If the ETS couldn’t withstand a non-delegation challenge, “the Court has serious concerns about the FPASA, which is a procurement statute, being used to promulgate a vaccine mandate for all federal contractors and subcontractors.” The Court acknowledged “that only twice in American history, both in 1935, has the Supreme Court found Congressional delegation excessive.” Nonetheless, Judge Van Tatenhove seems to believe he has found the third. He mused, however, that “it may be useful for appellate courts to further develop the contours of the non-delegation doctrine, particularly in light of the pandemic.”
  • Tenth Amendment. As we all will remember from high school civics (if not from law school), the Tenth Amendment states that “powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” The Court expressed a “serious concern that Defendants have stepped into an area traditionally reserved to the States,” and held the Tenth Amendment provides an additional reason to enjoin the EO.

In short, Judge Van Tatenhove clearly believes the Plaintiffs, in this case, are likely to prevail on multiple statutory and constitutional bases.

The decision then goes on to discuss whether the President (through his delegated officials) failed to follow applicable administrative procedures in issuing the EO and the subsequent FAR clause. Here, the President fared better than he did with Plaintiffs’ constitutional arguments. The Court concluded that the Administration, while perhaps “inartful and a bit clumsy” at times, “likely followed the procedures required by statute.” The Court also concluded that the Administration did not act arbitrarily or capriciously (as defined by the APA). “The Court finds, based on the limited record at this stage in the litigation, that Defendants have followed the appropriate procedural requirements in promulgating the vaccine mandate.” But this all is little solace to the Administration as it would have been much easier to overcome a procedural error than a constitutional one — let alone the “serious Constitutional concerns” identified by Judge Van Tatenhove.

*Sheppard Mullin partners Jonathan Aronie, Ryan Roberts, Anne Perry, and associates Nikki Snyder, Emily Theriault, and Dany Alvarado participated in drafting this Alert.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.

Article by the Government Contracts Practice Group with Sheppard, Mullin, Richter & Hampton LLP.


Cybersecurity Whistleblower Protections for Employees of Federal Contractors and Grantees

For information security professionals, identifying cybersecurity vulnerabilities is often part of the job.  That is no less the case when the job involves a contract or grant with the U.S. government.

Information security and data privacy requirements have become a priority at federal agencies.  These requirements extend to federal contractors because of their access to government data.  Often, cybersecurity professionals are the first to identify non-compliance with these requirements.  As high-profile data breaches have become more common, those who report violations of cybersecurity and data privacy requirements often experience retaliation and seek legal protection.

Reporting non-compliance or misconduct in the workplace can be necessary, but it can also be daunting.  It is important for cybersecurity whistleblowers to know their legal rights when disclosing such concerns to management or a federal agency.

In many cases, federal law protects cybersecurity whistleblowers who work for federal contractors or grantees.  This post provides an overview of those protections.

What cybersecurity requirements apply to federal contractors?

Federal contractors are subject to data privacy and information security requirements.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and private businesses contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series.  Core FISMA requirements include:

  • Federal contractors must keep an inventory of all of an organization’s information systems.
  • Contractors must identify the integration between information systems and other systems in the network.
  • Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
  • Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
  • Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
  • Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
  • Contractors must conduct annual reviews to ensure that information security risks are minimal.

In addition to generally applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers who work for federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 2409; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

  • Efforts to stop false claims to the government;
  • Lawful acts in furtherance of an action alleging false claims to the government; and
  • Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 2409(c)(6) (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).  

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 2409; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

The relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  The whistleblower proved that the employer more than likely retaliated by demoting him after he reported issues with tests related to a federal contract, according to the jury.  Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion of a drug outside its FDA-approved use.  The False Claims Act protects from retaliation employees who blow the whistle on fraud against the government, including those who blow the whistle internally to a government contractor or grantee.

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some claims limit that right to whistleblowers who first exhaust all their administrative remedies.  For example, in some cases whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S. Code § 3730; 10 U.S.C. § 2409; 41 U.S.C. § 4712.


© 2020 Zuckerman Law

EEOC Proposes Rule Requiring Employers to Disclose Pay Data on EEO-1 Forms and Key Recent Pro-Employee Changes in New York State’s and New York City’s Employment Laws and Regulations

EEOC EEO-1 Form Pay Data Requirement Raises Risks for Management

In a proposed regulation announced on January 29, 2015, the U.S. Equal Employment Opportunity Commission set forth changes that would require federal contractors and all other private-sector employers throughout the nation of more than 100 employees to report wage and salary data on their annual EEO-1 Forms. This new rule would mandate that such employers disclose compensation ranges and hours worked on their EEO-1 Forms, which already must contain data on employees’ gender, ethnicity, and race.

The Commission’s plan to require management to submit this data is part of the Obama Administration’s aggressive efforts to enforce the federal Equal Pay Act and other fair employment statutes and to promote pay equity in the workplace. Complying with the new regulation would require employers to spend substantial additional time and resources gathering compensation information, which often involves many variables, and then organizing it into the format that the EEOC will mandate. Reporting this data to the EEOC would give the U.S. Government data without context and may lead to burdensome Commission investigations and enforcement actions based on misunderstandings of incomplete compensation information. Further, even though EEO-1 data enjoys some protections, the confidential status of employers’ compensation information will now be vulnerable either to Freedom of Information Act requests or to the kind of hacking attacks that the federal government, with its antiquated IT systems in agencies such as the EEOC, has already suffered.

In sum, employers in New Jersey, New York, and around the country would become subject to higher EEOC scrutiny of their payroll practices, would face more Commission inquiries and litigations, would have to expend additional resources to complete EEO-1 Forms, and would need to live with a higher risk that their competitors will be able to obtain the confidential compensation data that the new rule would require management to submit each year to the EEOC.

Key Pro-Employee Changes in New York State and New York City Employment Laws and Regulations

New York State and New York City made significant changes in their labor and employment laws and regulations last year and this month. The NYS Legislature enacted, and Governor Cuomo signed, key revisions to laws that affect management throughout New York State. Mayor de Blasio and the City Council expanded local laws that further burden employers in the City. These important developments include:

A. New York State Women’s Equality Agenda

The Women’s Equality Agenda that went into effect on January 19, 2016 significantly amended New York State’s sex discrimination, sexual harassment, and equal pay laws to afford women greater protection in the workplace. These new statutes promoting gender equality in New York State include provisions that:

1. Amend New York State’s Equal Pay Act to require that an employer which pays lower wages to women than to men, for a job of equal skill, effort, and responsibility, demonstrate that such disparity is due to a bona fide factor other than sex, such as education, training, or experience, and that the difference in pay is job related and consistent with business necessity.

2. Make it unlawful for employers, in general, to prohibit employees from discussing or disclosing their wages — a new provision which affects both women and men.

3. Significantly increase the penalties for New York State Equal Pay Act violations by allowing employees to recover liquidated damages of three times (300%) the unlawfully unpaid wages, in addition to making the employee whole by requiring payment of the unpaid wages.

4. Allow a court to award attorneys’ fees to a prevailing plaintiff in sexual harassment and other sex discrimination actions.

5. Add familial status as a protected class under the New York State Human Rights Law. This new provision applies equally to men and women who are parents or guardians.

6. Expand the New York State Human Rights Law’s coverage of sexual harassment claims to all employers, including employers with one to three employees who were not previously covered.

7. Require employers to provide reasonable accommodation for pregnancy-related medical conditions.

B. New NYS and NYC Protections for Transgender Individuals

1. Earlier this month, the New York State Division of Human Rights adopted regulations that make discrimination on the basis of a person being transgender unlawful under the New York State Human Rights Law. These regulations also prohibit harassment of transgender persons and require New York employers to reasonably accommodate employees who have been diagnosed with a “gender dysphoria” medical condition.

2. On December 21, 2015, the New York City Commission on Human Rights issued new enforcement guidelines on discrimination against transgender individuals, which the New York City Human Rights Law prohibits. The guidelines provide for penalties of up to $250,000 for violations that are found to be willful, wanton, or malicious.

C. New NYC Protections for Caregivers

1. The New York City Council has amended the New York City Human Rights Law to include caregiver as a protected class. The new local legislation, which Mayor de Blasio signed on January 5, 2016, defines caregivers as persons who provide direct and ongoing care for a minor child or a care recipient, such as a relative or individual with a disability who resides in the caregiver’s household. This amendment will go into effect on May 4, 2016.

© Copyright 2016 Sills Cummis & Gross P.C.

President Obama Urged to “Ban the Box” for Federal Contractors

Proskauer Rose LLP, Law Firm

In a letter this past week, nearly 200 interest groups urged President Obama to issue an executive order “banning the box” for federal contractors and to implement other “fair chance” hiring reforms protecting ex-offenders. “Ban the box” refers to a movement that has swept across state and local legislatures in recent years requiring contractors (and employers more broadly) to remove the check box from job applications asking whether prospective employees have a criminal history.

To date, several state and local jurisdictions have “banned the box” for contractors, including California (for construction contractors), Compton (CA), Richmond (CA), Hartford (CT), New Haven (CT), Indianapolis (IN), Louisville (KY), Boston (MA), Cambridge (MA), Worcester (MA), Detroit (MI), Atlantic City (NJ), New York City (NY) (for human services contractors), Pittsburgh (PA), and Syracuse (NY). Delaware and Madison (WI) have “encouraged” the same.

In addition, six states—Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, and Rhode Island—and twelve localities— Baltimore (MD), Buffalo (NY), Chicago (IL), Columbia (MO), D.C., Montgomery County (MD), Newark (NJ), Philadelphia (PA), Prince George’s County (MD), Rochester (NY), Seattle (WA), and San Francisco (CA)—have “banned the box” for private employers (either expressly or implicitly covering government contractors).

At the federal level, the Office of Federal Contract Compliance Programs (OFCCP) also has issued a directive on criminal background checks. The Directive cautions contractors that the consideration of criminal records in hiring or other personnel decisions may have a disparate impact on racial and ethnic minorities in violation of Title VII of the Civil Rights Act of 1964.

If President Obama issues an executive order that “bans the box” for federal contractors, the executive action will add to an already growing patchwork of laws and orders restricting criminal background checks on job applicants and employees of government contractors. Stay tuned to see what the President decides.


E-Verify: North Carolina and Federal Requirements

An article by Jennifer G. Parser of Poyner Spruill LLP regarding E-Verify appeared recently in The National Law Review:

North Carolina’s Rule

In June 2011, North Carolina joined the ranks of an increasing number of states requiring the use of E-Verify.  E-Verify is a free internet-based system that allows employers to determine employment authorization by checking an employee’s documentation against Department of Homeland Security (DHS) and Social Security Administration (SSA) databases.  It applies to certain federal contractors, but it is also being adopted by states regardless of whether federal contracts are involved.

North Carolina counties, cities and public universities were required to register and participate in E-Verify by October 1, 2011. Private sector employers’ participation in E-Verify is phased in more slowly, according to the employer’s size:

  • Employers with 500 or more employees will be required to participate by October 1, 2012;
  • Employers with 100 or more employees will be required to participate by January 1, 2013; and
  • Employers with 25 or more employees will be required to participate by July 1, 2013.

Federal E-Verify Rule

Private businesses in North Carolina are required to verify the employment eligibility of current employees regardless of the above phased-in legislation if the employer has been awarded a federal contract on or after September 8, 2009 that contains the Federal Acquisition Regulation (FAR) E-Verify clause. Such federal contractors must enroll in E-Verify within 30 days of the contract award date regardless of the business’ size. After enrollment, the federal contractor has 90 days to use E-Verify.  The federal contractor must then use E-Verify for new hires within 3 business days of the employee’s start date.

E-Verify must also be used for existing employees assigned to work on the federal contract within 90 days of the federal contract being awarded or within 30 days of the employee’s assignment to work on the federal contract, whichever is later. For an existing employee to be required to be run through E-Verify, the employee must perform substantial work under the federal contract, which does not include administrative or clerical functions.  E-Verify does not apply to work that is performed outside the US, if the term of the federal contract lasts less than 120 days, or if the federal contract pertains to commercially available off-the-shelf items.  A “commercially available off-the-shelf item”, known as COTS, is something generally sold in substantial quantities in the open market.  A few examples are computer software, computer hardware and construction materials.  Also, industries that hire agricultural workers for 90 days or less in a 12-month period are exempt from enrolling in Federal E-Verify.

Unless the subcontractor is a supplier and not subject to the E-Verify federal contractor rule, a federal contractor must also ensure that its subcontractors enroll in and use E-Verify if:

  • The prime contract includes the FAR E-Verify clause,
  • The subcontract is for commercial or noncommercial services or construction,
  • The subcontract has a value of more than $3,000, or
  • The subcontract includes work performed in the United States.

A Few Important Rules for Any Business Enrolled in E-Verify

  • Post the notices that the business is now enrolled in E-Verify alongside antidiscrimination notices by the Office of Special Counsel for Immigration-Related Unfair Employment Practices
  • When completing the I-9 form, the employee’s choice of a List B document must contain a photograph in order to be run through E-Verify
  • Do not use E-Verify selectively
  • Do not use E-Verify to pre-screen job applicants; it is used post-hiring
  • Do not ask for additional documentation in the event of a “Tentative Nonconfirmation” by E-Verify: allow the employee time to correct any error by visiting the local SSA office
  • Do not terminate or take adverse action against an employee who receives a tentative nonconfirmation: allow them time to correct the error

Penalties, Federal- and State-Imposed

There have been substantial fines levied for immigration-related offenses by Immigration and Customs Enforcement (ICE) against employers enrolled in E-Verify, proving enrollment in E-Verify will not save an employer from potential violations.

Civil penalties for violations of North Carolina’s E-Verify law are assessed by the NC Commissioner of Labor and range from $1,000 to $10,000.

E-Verify Link

Unless already enrolled in E-Verify as a federal contractor or subcontractor or having elected to do so on a voluntary basis, North Carolina employers with 25 or more employees would do well to visit the E-Verify website.  At this point, there is time to become acquainted with E-Verify and its enrollment procedures before registration becomes mandatory.

© 2012 Poyner Spruill LLP