US Policy and Regulatory Alert

Government contractors providing software across the federal government’s supply chain will be required later this year to comply with a new Secure Software Design Framework (SSDF). The SSDF requires software vendors to attest to new security controls in the design of code used by the federal government.

Cybersecurity Compromises of Government Software on the Rise

In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software that is used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code. That is, to provide software that is developed with security in mind so that flaws and vulnerabilities can be mitigated before the government buys and deploys the software.

The SSDF as A Government Response

In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in special publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. Meaning, if the producer of the software cannot attest to meeting the NIST requirements, it will not be able to supply software to the federal government. There are some exceptions and processes for software to gradually enter into compliance under various milestones for improvements, all of which are highly technical and subjective.

In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023.¹

SSDF Implementation Deadline and Requirements for Government Suppliers

CISA initially set a deadline of 11 June 2023 for critical software and 13 September 2023 for non-critical software to comply with SSDF. Press reports indicate that these deadlines will be extended due to both the complexity of the SSDF requirements and the fact that the comment period remains open until 26 June  2023. However, CISA has not yet confirmed an extension of the deadline.

Attestation and Compliance with the SSDF

Based on what we know now, the attestation form generally requires software producers to confirm that:

• The software was developed and built in secure environments.
• The software producer has made a good-faith effort to maintain trusted source code supply chains.
• The software producer maintains provenance data for internal and third-party code incorporated into the software.
• The software producer employed automated tools or comparable processes that check for security vulnerabilities.

Software producers that must comply with SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and likely will take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, as is usually the case with such regulations. The SSDF also includes numerous ambiguities. For example, the SSDF requires versioning changes in software to have certain impacts in the security assessment, although the term “versioning” does not have a standard definition in the software sector.

Next Steps and Ricks of Noncompliance

Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given the fact that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant. In particular, contractors and other interested parties should use this opportunity to share feedback and insights with CISA through the public comment process.

K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.

1 88 Fed. Reg. 25,670.

The post Secure Software Regulations and Self-Attestation Required for Federal Contractors appeared first on The National Law Forum.

The decision most certainly will be appealed. In the meantime, contractors with employees performing in Kentucky, Ohio, or Tennessee are not required to comply with the Executive Order or FAR/DFARS clauses. Obviously, this creates a conundrum for federal contractors and subcontractors looking for a uniform way to implement the EO rules.

Background

Plaintiffs Kentucky, Ohio, and Tennessee filed suit in the U.S. District Court for the Eastern District of Kentucky on November 4, 2021, and four days later filed for a Temporary Restraining Order and Preliminary Injunction (“TRO/PI”). The TRO/PI motion asked the Court to enjoin the Government’s enforcement of EO 14042. Plaintiffs challenged the EO on 10 separate grounds, including that it violated the Federal Property and Administrative Services Act (“FPASA”), the Competition in Contracting Act (“CICA”), the Administrative Procedures Act (“APA”), and the U.S. Constitution. The Court held a conference among the parties on November 9 and a hearing on November 18.

The District Court Decision

Regardless of whether one likes the outcome or not, Judge Van Tatenhove’s decision is thoughtfully reasoned and well written. It is methodical and well cited. In sum, Judge Van Tatenhove enjoined the EO not because of the process by which the Administration implemented the mandate (i.e. not due to the lack of a meaningful notice-and-comment period or the unprecedented dynamic nature of the FAR clause), but rather because he found the Administration never had the authority to implement a vaccine mandate in the first place. In other words, the Court issued the injunction because the President of the United States purportedly lacks the statutory or constitutional authority to regulate public health via a contract clause issued pursuant to a procurement statute.

The decision, however, readily concedes that the Court’s view is the beginning, not the end, of the story. “Once again,” the Judge explained, “the Court is asked to wrestle with important constitutional values implicated in the midst of a pandemic that lingers. These questions will not be finally resolved in the shadows. Instead, the consideration will continue with the benefit of full briefing and appellate review. But right now, the enforcement of the contract provisions in this case must be paused.”

The Practical Impact (and Scope) of Kentucky v. Biden

While the Court’s decision is significant, it does NOT apply to all federal contractors. It enjoins the Government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.” Sadly, Judge Van Tatenhove does not explain this sentence. Does he mean to enjoin all federal contracts performed in those states, all federal contracts held by contractors operating in those states, or maybe even all federal contracts issued by agencies based in those states? It’s unclear. Adding to the confusion is his statement that the injunction “is properly limited to the parties before the Court” (i.e., the states of Kentucky, Tennessee, Ohio). Here again, we are left to guess what he means.

Subsequent to the Court’s decision, GSA took prompt steps to notify its contractors of the late breaking news. Here is GSA’s take on the scope of the injunction:

Update: On November 30, 2021, in response to a lawsuit filed in the United States District Court, Eastern District of Kentucky, a preliminary injunction was issued halting the Federal Government from enforcing the vaccine mandate for Federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.

GSA implemented the vaccine mandate stemming from Executive Order 14042 through Class Deviation CD-2021-13. Pursuant to the preliminary injunction, GSA will not take any action to enforce FAR clause 52.223-99 Ensuring Adequate COVID-19 Safety Protocols for Federal Contractors in all covered contracts or contract-like instruments being performed, in whole or in part, in Kentucky, Ohio and Tennessee.

While GSA’s formulation is a bit more useful than the Court’s in that it focuses on contracts “being performed . . . in” the three states, it still does not answer the key question regarding scope.

We think the most common sense interpretation of the scope of the injunction is that it applies to covered employees performing work in Kentucky, Tennessee, and Ohio. That being said, GSA’s interpretation seems to indicate the analysis should be performed at the contract level, rather than the employee level (i.e., if you have even one employee performing on a contract in one of those three states, then the entire contract is exempt from enforcement).

We hope to receive updated Guidance from the Task Force providing a definitive answer to this question in the near future. Until then, Federal contractors and subcontractors are stuck between the proverbial rock and a hard place – having to decide whether to continue marching ahead pursuant to the EO or navigate different rules in different states.

In reaching their own interpretive decision, contractors should keep in mind that the Court order does not prohibit compliance with the EO, it simply enjoins the Government from enforcing the EO. Before a contractor decides to continue rolling out its existing compliance approach as planned, however, it would be well advised to consider this: Now that the EO has been enjoined in Kentucky, Ohio, and Tennessee, one can make a credible (and likely correct) argument the EO requirements are no longer mandatory in those states (both vaccination and making/distancing). This transition from a mandatory to a voluntary rule creates at least two new hurdles for contractors.

• First, continuing to comply with the FAR/DFARS clauses could create state liability where a state has a law against a vaccine mandate. For example, on November 12, 2021 Tennessee passed TN HB 9077/SB 9014, which prohibits private businesses, governmental entities, schools, and local education agencies from compelling an individual, or from taking adverse action against the individual to compel them, to provide proof of vaccination. Previously, the Executive Order, as a federal law, would have trumped the conflicting state law. Now, however, the unenforceable EO no longer reigns supreme. Accordingly, continuing to impose the EO on a Tennessee workforce creates state risk.
• Second, continuing to comply with the FAR/DFARS clauses in Tennessee, Kentucky, or Ohio could create problems with a company’s collective bargaining obligations. When the vaccine requirement was a legal obligation, it probably was not required to be collectively bargained. Now that the requirement is no longer a legal obligation (at least in the three states covered by the Court order), imposing a vaccine mandate on union employees may have to be collectively bargained.

Accordingly, while marching ahead with an existing EO 14042 company-wide compliance plan may make great sense from an efficiency and consistency standpoint, it could create unintended risks in at least three states (and certainly in Tennessee).

What Should Contractors Do Now?

The EO 14042 COVID safety contracting landscape (like COVID itself) is changing every day. We are hopeful the Task Force will issue new Guidance soon to help contractors navigate the new hurdles created by the Kentucky decision. Until then, here are a few thoughts for consideration:

• If you have no employees performing in Kentucky, Ohio, or Tennessee, the Order has no impact on you. The EO still applies to your contracts in other states just as it did prior to the Court’s decision.
• If you have employees performing in Tennessee, take a close look at TN HB 9077/SB 9014 before making any decision regarding implementation of the EO.
• If you have employees performing in Kentucky or Ohio and do not have collective bargaining agreements, you may want to continue enforcing the EO to avoid having different rules in different locations. But if you have collective bargaining agreements, make sure you connect with your L&E lawyer before charting a path forward.
• Consider putting together a communication to your employees who no doubt soon will read a headline and have questions about the Order.
• For contractors with employees performing in Kentucky, Tennessee, or Ohio, update your current compliance plan.
• In the absence of further Task Force Guidance, consider staying in close communication with your contracting officer regarding your implementation approach, especially in the three states implicated by the Order.

Additionally, stay on the lookout for additional updates (including from us) on the other pending litigation challenging the EO.

What’s Next?

Speaking of the “other pending litigation,” the docket still is full of challenges to the EO. By our count, there are motions for preliminary injunction pending in cases with 24 additional states as plaintiffs:

Article by the Government Contracts Practice Group with Sheppard, Mullin, Richter & Hampton LLP.

For more about federal court orders and federal contractors visit the NLR Government Contracts Maritime & Military Law type of law page.

The post What We Know And Don’t About The Federal Court Order Enjoining EO 14042 appeared first on The National Law Forum.

The United States Department of Justice settled a case against aviation equipment defense contractor Airbus Defense and Space Inc. (ADSI) for charging improper fees on government contracts. Under the terms of the settlement, the defense contractor paid $1,043,475 to resolve False Claims Act allegations. A former employee of the government contractor reported these improper fees and will receive $157,220 of the government’s recovery.

According to the allegations, the contractor included an unapproved cost rate on contracts, did not accurately disclose fees, and worked out a storage overbilling scheme with a third-party contractor, causing the government to pay more for storage than necessary. To disguise an additional and sometimes undisclosed indirect cost rate, the contractor added what they called an “Orlando Factor” to various price proposals for 62 contracts. Indirect cost rates are a complex portion of government contracting arrangements whereby a contractor attempts to obtain reimbursement for their company’s operational costs. From 2016-2017, this aviation equipment contractor’s “Orlando Factor” was applied in addition to their indirect cost rate approved by the federal agencies with which they were contracting.

The allegations further describe additional fees the contractor tacked onto equipment acquisitions in violation of federal acquisition regulations. Moreover, the contractor listed an unverified affiliate fee on its proposals. Finally, the contractor inflated storage costs by a factor of 10, resulting in General Dynamics passing on $80,000 in storage fees to the U.S. Navy instead of $8,000 in fees.

Defense contracting fraud harms taxpayers; inflating the cost of obtaining equipment can make defense budgets spiral out of control. This particular contractor seems to have found multiple ways to hide costs and pad proposals so as to turn a profit above and beyond their cost of doing business.

A former employee of ASDI reported these fraudulent practices and is being rewarded for speaking up, including receiving funds to pay for their expenses, attorneys’ fees, and costs. The Department of Justice needs whistleblowers to report government contracts fraud. Last year, only 35 defense fraud cases were filed by whistleblowers. With $720 billion spent, more fraud is out there.

The post GovCon Fraud Grounded: Whistleblower Receives Reward for Reporting Aviation Equipment Government Contracting Fraud appeared first on The National Law Forum.

The post The ABC’s of Government Contract Claims – 10 Ways to Maximize Your Chance of Success appeared first on The National Law Forum.