Secure Software Regulations and Self-Attestation Required for Federal Contractors

US Policy and Regulatory Alert

Government contractors providing software across the federal government’s supply chain will be required later this year to comply with a new Secure Software Design Framework (SSDF). The SSDF requires software vendors to attest to new security controls in the design of code used by the federal government.

Cybersecurity Compromises of Government Software on the Rise

In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code. That is, they must provide software that is developed with security in mind so that flaws and vulnerabilities can be mitigated before the government buys and deploys it.

The SSDF as A Government Response

In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in special publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. In other words, a producer that cannot attest to meeting the NIST requirements will not be able to supply software to the federal government. There are some exceptions and processes for software to gradually enter into compliance under various milestones for improvements, all of which are highly technical and subjective.

In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023. [1]

SSDF Implementation Deadline and Requirements for Government Suppliers

CISA initially set a deadline of 11 June 2023 for critical software and 13 September 2023 for non-critical software to comply with SSDF. Press reports indicate that these deadlines will be extended due to both the complexity of the SSDF requirements and the fact that the comment period remains open until 26 June 2023. However, CISA has not yet confirmed an extension of the deadline.

Attestation and Compliance with the SSDF

Based on what we know now, the attestation form generally requires software producers to confirm that:

  • The software was developed and built in secure environments.
  • The software producer has made a good-faith effort to maintain trusted source code supply chains.
  • The software producer maintains provenance data for internal and third-party code incorporated into the software.
  • The software producer employed automated tools or comparable processes that check for security vulnerabilities.

Software producers that must comply with SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and likely will take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, which is the usual form such regulations take. The SSDF also includes numerous ambiguities. For example, the SSDF requires versioning changes in software to have certain impacts in the security assessment, although the term “versioning” does not have a standard definition in the software sector.

Next Steps and Risks of Noncompliance

Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant. Additionally, contractors and other interested parties should use this opportunity to share feedback and insights with CISA through the public comment process.

K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.


[1] 88 Fed. Reg. 25,670.

Copyright 2023 K & L Gates

What We Know And Don’t About The Federal Court Order Enjoining EO 14042

In news that will be of interest to every federal contractor, including large and small businesses, universities, banks, and the health care industry, Executive Order 14042 (along with the related Task Force Guidance and contract clauses) has been ENJOINED in the states of Kentucky, Ohio, and Tennessee. U.S. District Court Judge Gregory F. Van Tatenhove of the Eastern District of Kentucky issued an order on November 30, 2021 granting Plaintiffs’ (a group including the states of Tennessee, Kentucky, and Ohio) motion for a preliminary injunction.

The decision most certainly will be appealed. In the meantime, contractors with employees performing in Kentucky, Ohio, or Tennessee are not required to comply with the Executive Order or FAR/DFARS clauses. Obviously, this creates a conundrum for federal contractors and subcontractors looking for a uniform way to implement the EO rules.

Background

Plaintiffs Kentucky, Ohio, and Tennessee filed suit in the U.S. District Court for the Eastern District of Kentucky on November 4, 2021, and four days later filed for a Temporary Restraining Order and Preliminary Injunction (“TRO/PI”). The TRO/PI motion asked the Court to enjoin the Government’s enforcement of EO 14042. Plaintiffs challenged the EO on 10 separate grounds, including that it violated the Federal Property and Administrative Services Act (“FPASA”), the Competition in Contracting Act (“CICA”), the Administrative Procedures Act (“APA”), and the U.S. Constitution. The Court held a conference among the parties on November 9 and a hearing on November 18.

The District Court Decision

Regardless of whether one likes the outcome or not, Judge Van Tatenhove’s decision is thoughtfully reasoned and well written. It is methodical and well cited. In sum, Judge Van Tatenhove enjoined the EO not because of the process by which the Administration implemented the mandate (i.e. not due to the lack of a meaningful notice-and-comment period or the unprecedented dynamic nature of the FAR clause), but rather because he found the Administration never had the authority to implement a vaccine mandate in the first place. In other words, the Court issued the injunction because the President of the United States purportedly lacks the statutory or constitutional authority to regulate public health via a contract clause issued pursuant to a procurement statute.

The decision, however, readily concedes that the Court’s view is the beginning, not the end, of the story. “Once again,” the Judge explained, “the Court is asked to wrestle with important constitutional values implicated in the midst of a pandemic that lingers. These questions will not be finally resolved in the shadows. Instead, the consideration will continue with the benefit of full briefing and appellate review. But right now, the enforcement of the contract provisions in this case must be paused.”

The Practical Impact (and Scope) of Kentucky v. Biden

While the Court’s decision is significant, it does NOT apply to all federal contractors. It enjoins the Government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.” Sadly, Judge Van Tatenhove does not explain this sentence. Does he mean to enjoin all federal contracts performed in those states, all federal contracts held by contractors operating in those states, or maybe even all federal contracts issued by agencies based in those states? It’s unclear. Adding to the confusion is his statement that the injunction “is properly limited to the parties before the Court” (i.e., the states of Kentucky, Tennessee, Ohio). Here again, we are left to guess what he means.

Subsequent to the Court’s decision, GSA took prompt steps to notify its contractors of the late breaking news. Here is GSA’s take on the scope of the injunction:

Update: On November 30, 2021, in response to a lawsuit filed in the United States District Court, Eastern District of Kentucky, a preliminary injunction was issued halting the Federal Government from enforcing the vaccine mandate for Federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.

GSA implemented the vaccine mandate stemming from Executive Order 14042 through Class Deviation CD-2021-13. Pursuant to the preliminary injunction, GSA will not take any action to enforce FAR clause 52.223-99 Ensuring Adequate COVID-19 Safety Protocols for Federal Contractors in all covered contracts or contract-like instruments being performed, in whole or in part, in Kentucky, Ohio and Tennessee.

While GSA’s formulation is a bit more useful than the Court’s in that it focuses on contracts “being performed . . . in” the three states, it still does not answer the key question regarding scope.

We think the most common sense interpretation of the scope of the injunction is that it applies to covered employees performing work in Kentucky, Tennessee, and Ohio. That being said, GSA’s interpretation seems to indicate the analysis should be performed at the contract level, rather than the employee level (i.e., if you have even one employee performing on a contract in one of those three states, then the entire contract is exempt from enforcement).

We hope to receive updated Guidance from the Task Force providing a definitive answer to this question in the near future. Until then, Federal contractors and subcontractors are stuck between the proverbial rock and a hard place – having to decide whether to continue marching ahead pursuant to the EO or navigate different rules in different states.

In reaching their own interpretive decision, contractors should keep in mind that the Court order does not prohibit compliance with the EO; it simply enjoins the Government from enforcing the EO. Before a contractor decides to continue rolling out its existing compliance approach as planned, however, it would be well advised to consider this: Now that the EO has been enjoined in Kentucky, Ohio, and Tennessee, one can make a credible (and likely correct) argument that the EO requirements are no longer mandatory in those states (both vaccination and masking/distancing). This transition from a mandatory to a voluntary rule creates at least two new hurdles for contractors.

  • First, continuing to comply with the FAR/DFARS clauses could create state liability where a state has a law against a vaccine mandate. For example, on November 12, 2021 Tennessee passed TN HB 9077/SB 9014, which prohibits private businesses, governmental entities, schools, and local education agencies from compelling an individual, or from taking adverse action against the individual to compel them, to provide proof of vaccination. Previously, the Executive Order, as a federal law, would have trumped the conflicting state law. Now, however, the unenforceable EO no longer reigns supreme. Accordingly, continuing to impose the EO on a Tennessee workforce creates state risk.
  • Second, continuing to comply with the FAR/DFARS clauses in Tennessee, Kentucky, or Ohio could create problems with a company’s collective bargaining obligations. When the vaccine requirement was a legal obligation, it probably was not required to be collectively bargained. Now that the requirement is no longer a legal obligation (at least in the three states covered by the Court order), imposing a vaccine mandate on union employees may have to be collectively bargained.

Accordingly, while marching ahead with an existing EO 14042 company-wide compliance plan may make great sense from an efficiency and consistency standpoint, it could create unintended risks in at least three states (and certainly in Tennessee).

What Should Contractors Do Now?

The EO 14042 COVID safety contracting landscape (like COVID itself) is changing every day. We are hopeful the Task Force will issue new Guidance soon to help contractors navigate the new hurdles created by the Kentucky decision. Until then, here are a few thoughts for consideration:

  • If you have no employees performing in Kentucky, Ohio, or Tennessee, the Order has no impact on you. The EO still applies to your contracts in other states just as it did prior to the Court’s decision.
  • If you have employees performing in Tennessee, take a close look at TN HB 9077/SB 9014 before making any decision regarding implementation of the EO.
  • If you have employees performing in Kentucky or Ohio and do not have collective bargaining agreements, you may want to continue enforcing the EO to avoid having different rules in different locations. But if you have collective bargaining agreements, make sure you connect with your L&E lawyer before charting a path forward.
  • Consider putting together a communication to your employees who no doubt soon will read a headline and have questions about the Order.
  • For contractors with employees performing in Kentucky, Tennessee, or Ohio, update your current compliance plan.
  • In the absence of further Task Force Guidance, consider staying in close communication with your contracting officer regarding your implementation approach, especially in the three states implicated by the Order.

Additionally, stay on the lookout for additional updates (including from us) on the other pending litigation challenging the EO.

What’s Next?

Speaking of the “other pending litigation,” the docket still is full of challenges to the EO. By our count, there are motions for preliminary injunction pending in cases with 24 additional states as plaintiffs:

The judges in these cases are not bound by the Kentucky decision – either on the merits or the scope of any resulting injunction. This means that, should a judge in one of the remaining cases also strike the EO as contrary to law or the Constitution, that judge could choose to issue a nationwide injunction covering all contractors in all states (or, as the Kentucky judge chose, limit the application to the specific state(s) involved). Only time will tell. As of the publication of this Alert, three of those cases have hearings scheduled for December 3, 6, and 7. We expect decisions shortly thereafter.

Importantly, as the Kentucky decision explicitly recognizes, it’s unlikely any of these district courts will be the final arbiter of the legality of EO 14042. We think it’s only a matter of time until we get the rarely seen, yet always celebrated Supreme Court government contracts decision. Stay tuned.

For Those Wanting A Bit More Detail . . .

For those interested in the details of the Kentucky decision, here is a brief summary:

After analyzing and concluding that the plaintiffs had standing to pursue this matter on behalf of their agencies and businesses operating in their states (a contrary outcome to the U.S. District Court’s recent decision in Mississippi), Judge Van Tatenhove jumped right in to analyzing the myriad arguments raised by Plaintiff. Briefly, here is what he found:

  • FPASA. Plaintiffs argued that the President exceeded his authority under FPASA in issuing the EO. The Court agreed, reasoning that FPASA was intended to give the President procurement powers, not unlimited powers. “FPASA does not provide authority to ‘write a blank check for the President to fill in at his will. . . .” The Court found an insufficiently close nexus between the EO and the need for economy and efficiency in the procurement of goods and services, reasoning that similar logic could authorize a president to outlaw overweight contractor employees since the CDC has concluded that obesity worsens the outcomes of COVID-19. While recognizing the breadth of FPASA and how it historically has been used to promote far-reaching social labor policies (e.g., EO 11246), for this judge at least, the COVID-19 mandate was just a bridge too far.
  • CICA. CICA requires agencies to provide “full and open competition through the use of competitive procedures” in federal procurements. The Court found that the EO violates CICA. According to Judge Van Tatenhove, “contractors who ‘represent the best value to the government’ but choose not to follow the vaccine mandate would be precluded from effectively competing for government contracts.” It seems to us this reasoning does not hold up under close scrutiny. Couldn’t one say the same thing about contractors precluded from contracts where they “choose not to follow” the Trade Agreements Act, Section 889, Executive Order 11246, or any other number of gating procurement rules? In any event, the Court found the argument compelling at least “at this early stage in the litigation.”
  • Non-Delegation Doctrine. The non-delegation doctrine precludes Congress from transferring its legislative power to another branch. Plaintiffs argued that “mandating vaccination for millions of federal contractors and subcontractors is a decision that should be left to Congress (or, more appropriately, the States) and is a public health regulation as opposed to a measure aimed at providing an economical and efficient procurement system.” In evaluating Plaintiffs’ argument, the Court looked to the OSHA rule recently struck down by the Fifth Circuit. “It would be reasonable to assume that a vaccine mandate would be more appropriate in the context of an emergency standard promulgated by OSHA,” Judge Van Tatenhove noted, and then went on to note that even the OSHA ETS was struck down as a violation of the non-delegation doctrine. If the ETS couldn’t withstand a non-delegation challenge, “the Court has serious concerns about the FPASA, which is a procurement statute, being used to promulgate a vaccine mandate for all federal contractors and subcontractors.” The Court acknowledged “that only twice in American history, both in 1935, has the Supreme Court found Congressional delegation excessive.” Nonetheless, Judge Van Tatenhove seems to believe he has found the third. He mused, however, that “it may be useful for appellate courts to further develop the contours of the non-delegation doctrine, particularly in light of the pandemic.”
  • Tenth Amendment. As we all will remember from high school civics (if not from law school), the Tenth Amendment states that “powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” The Court expressed a “serious concern that Defendants have stepped into an area traditionally reserved to the States,” and held the Tenth Amendment provides an additional reason to enjoin the EO.

In short, Judge Van Tatenhove clearly believes the Plaintiffs, in this case, are likely to prevail on multiple statutory and constitutional bases.

The decision then goes on to discuss whether the President (through his delegated officials) failed to follow applicable administrative procedures in issuing the EO and the subsequent FAR clause. Here, the President fared better than he did with Plaintiffs’ constitutional arguments. The Court concluded that the Administration, while perhaps “inartful and a bit clumsy” at times, “likely followed the procedures required by statute.” The Court also concluded that the Administration did not act arbitrarily or capriciously (as defined by the APA). “The Court finds, based on the limited record at this stage in the litigation, that Defendants have followed the appropriate procedural requirements in promulgating the vaccine mandate.” But this all is little solace to the Administration as it would have been much easier to overcome a procedural error than a constitutional one — let alone the “serious Constitutional concerns” identified by Judge Van Tatenhove.

*Sheppard Mullin partners Jonathan Aronie, Ryan Roberts, Anne Perry, and associates Nikki Snyder, Emily Theriault, and Dany Alvarado participated in drafting this Alert.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.

Article by the Government Contracts Practice Group with Sheppard, Mullin, Richter & Hampton LLP.

GovCon Fraud Grounded: Whistleblower Receives Reward for Reporting Aviation Equipment Government Contracting Fraud

The United States Department of Justice settled a case against aviation equipment defense contractor Airbus Defense and Space Inc. (ADSI) for charging improper fees on government contracts. Under the terms of the settlement, the defense contractor paid $1,043,475 to resolve False Claims Act allegations. A former employee of the government contractor reported these improper fees and will receive $157,220 of the government’s recovery.

According to the allegations, the contractor included an unapproved cost rate on contracts, did not accurately disclose fees, and worked out a storage overbilling scheme with a third-party contractor, causing the government to pay more for storage than necessary. To disguise an additional and sometimes undisclosed indirect cost rate, the contractor added what they called an “Orlando Factor” to various price proposals for 62 contracts. Indirect cost rates are a complex portion of government contracting arrangements whereby a contractor attempts to obtain reimbursement for their company’s operational costs. From 2016-2017, this aviation equipment contractor’s “Orlando Factor” was applied in addition to their indirect cost rate approved by the federal agencies with which they were contracting.

The allegations further describe additional fees the contractor tacked onto equipment acquisitions in violation of federal acquisition regulations. Moreover, the contractor listed an unverified affiliate fee on its proposals. Finally, the contractor inflated storage costs by a factor of 10, resulting in General Dynamics passing on $80,000 in storage fees to the U.S. Navy instead of $8,000 in fees.

Defense contracting fraud harms taxpayers; inflating the cost of obtaining equipment can make defense budgets spiral out of control. This particular contractor seems to have found multiple ways to hide costs and pad proposals so as to turn a profit above and beyond their cost of doing business.

A former employee of ADSI reported these fraudulent practices and is being rewarded for speaking up, including receiving funds to pay for their expenses, attorneys’ fees, and costs. The Department of Justice needs whistleblowers to report government contracts fraud. Last year, only 35 defense fraud cases were filed by whistleblowers. With $720 billion spent, more fraud is out there.

© 2021 by Tycko & Zavareei LLP

The ABC’s of Government Contract Claims – 10 Ways to Maximize Your Chance of Success

Sheppard Mullin 2012

1. Understand the Basic Contract Requirement – Every contract lawyer will begin an assessment with a very simple, fundamental question, i.e., “What does the contract say?” Your obligation is to perform to the contract; nothing more; nothing less.

2. Identify Variances Between What the Contract Says and What You Actually Are Doing – If you are doing something other than what the contract actually says, you may be entitled to relief.

3. Ask Yourself “Why Am I Doing This?” – You cannot blame Uncle Sam for your or (generally) your suppliers’ inefficiencies and delinquencies, but there are many Government acts or omissions that might entitle you to relief, e.g., Government direction, a defective specification, an acceleration order, late or defective GFP/GFE/GFI, and Government delinquencies relating to contractually prescribed review periods.

4. Do a Disciplined “Root Cause” Analysis – You perform these kinds of analyses in reporting on discrepancies to the Government. Require no less when analyzing a possible claim. Do not accept the easy answer, e.g., “We missed it.” If that is the response, probe – “What did you miss exactly?” “Show me where it was.” “Let me see the documentation you missed.”

5. Notify the Contracting Officer – Tell the PCO, in writing, of the circumstance that you believe gives rise to a change. Deprive the PCO of the ability to claim, later on, “If only I had known, I would have told you to stop doing that.”

6. Accept No Substitutes – No one but the Contracting Officer has the authority to change the contract. COTR’s, contracting specialists, Program Managers, general officers – they all love to issue orders and they will jawbone you to follow them. Don’t. Report the order to the PCO and ask the PCO to confirm the order to you in writing.

7. Trust But Verify – This one is simple. Never act on an oral direction. Send a letter to the PCO asking for confirmation.

8. Read Your “Changes” and “Notification of Changes” Clause(s) – They impose time limits for notification of a change. Failure to comply can be overcome in many cases, but why take that chance?

9. Use Change Order Accounting – A valid changes claim is only as good as your ability to prove quantum. Establish separate job numbers to collect the costs of the changed work.

10. Earn Interest – An REA can linger without closure for months, and years. If there is no progress, transform the REA into a certified claim and start the accrual of interest. And remember, the statute of limitations for submission of a certified claim is six years from the date of its accrual.

And for those of you who read this far, here is your bonus eleventh tip:

11. Read Those Unilaterally Issued Change Orders – They invariably say the work is not a change and ask you to sign. Don’t.

Copyright © 2013, Sheppard Mullin Richter & Hampton LLP