Last Thursday, the Biden Administration proposed that all federal contractors (except those receiving less than $7.5 million annually in contracts) be required to, among other things, disclose their GHG emissions.  Specifically, according to the press release issued by the White House, “Federal contractors receiving more than $50 million in annual contracts would be required to publicly disclose Scope 1, Scope 2, and relevant categories of Scope 3 emissions, disclose climate-related financial risks, and set science-based emissions reduction targets” and “Federal contractors with more than $7.5 million but less than $50 million in annual contracts would be required to report Scope 1 and Scope 2 emissions.”  The Biden Administration further announced that “[t]his proposed rule leverages widely-adopted third party standards and systems . . . including the CDP environmental reporting system, the Task Force on Climate-Related Financial Disclosures (TCFD) Recommendations, and the Science Based Targets Initiative (SBTi) criteria.”  It should be noted that this proposed rule is also quite similar to the climate disclosures proposed by the SEC–an unsurprising observation, as both were proposed by the Biden Administration and relied upon the same third-party standards (e.g., the TCFD).

The significance of this proposed rule–beyond the regulatory burden imposed upon federal contractors, which is substantial–is that the Biden Administration is signaling its commitment to, and reliance upon, climate-related financial disclosures as a key tool to address the challenge of climate change.  Thus, regardless of the legal challenges that the SEC proposal (and any similar regulatory rule) will be subject to, it is clear that the impetus for these types of disclosures will continue, including through other means at the government’s disposal.  Bearing this in mind, it would be rational for companies to take steps to generate the information necessary for these sort of disclosures, and to prepare to issue them–as this regulatory pressure is unlikely to dissipate soon.

“Today, the Biden-Harris Administration is taking historic action to address greenhouse gas emissions and protect the Federal Government’s supply chains from climate-related financial risks. In support of President Biden’s Executive Orders on Climate-Related Financial Risk and Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability, the Administration is proposing the Federal Supplier Climate Risks and Resilience Rule, which would require major Federal contractors to publicly disclose their greenhouse gas emissions and climate-related financial risks and set science-based emissions reduction targets.”

The post Biden Administration Proposes That Federal Contractors Must Disclose GHG Emissions appeared first on The National Law Forum.

The Department of Labor’s Wage and Hour Division is expected to propose new rules on independent contractor classification and overtime entitlement requirements in the coming weeks.  The proposals would alter the qualifications for certain employees to receive overtime payments under the Fair Labor Standards Act when they work in excess of 40 hours in one week.

The Fair Labor Standards Act (“FLSA”) grants the Department of Labor authority regarding overtime eligibility under the statute.  Currently and among other considerations, employees are non-exempt under the FLSA when they earn less than a guaranteed $684 per week or $35,568 per year.  If the DOL raises this salary threshold, as it is considering, an even larger swath of the workforce could be entitled to overtime payments.

The proposals follow President Biden’s withdrawal of former President Trump’s independent contractor rule in May 2021, which had not yet taken effect when President Biden took office.  However, United States District Judge Marcia A. Crone held in March 2022 that the DOL had not properly followed the requirements for withdrawal as set forth in the Administrative Procedure Act.  In so holding, Judge Crone gave the Trump administration’s independent contractor rule the effect of law as if it had gone into effect in March 2021, as scheduled. The Biden administration’s proposed changes to the existing rule will likely affect the salary basis and exemption requirements of the employee versus independent contractor misclassification analysis under the FLSA.  Employers should prepare for these upcoming changes by reviewing their employee job descriptions and time record procedures.  Employers should also engage counsel to re-examine their employee classifications at large to ensure their exempt employees are truly exempt under the current rules and that they understand that changes may need to be implemented when the new rules take effect.

The post Upcoming Proposed Changes to DOL’s Independent Contractor and Overtime Rules appeared first on The National Law Forum.

The decision most certainly will be appealed. In the meantime, contractors with employees performing in Kentucky, Ohio, or Tennessee are not required to comply with the Executive Order or FAR/DFARS clauses. Obviously, this creates a conundrum for federal contractors and subcontractors looking for a uniform way to implement the EO rules.

Background

Plaintiffs Kentucky, Ohio, and Tennessee filed suit in the U.S. District Court for the Eastern District of Kentucky on November 4, 2021, and four days later filed for a Temporary Restraining Order and Preliminary Injunction (“TRO/PI”). The TRO/PI motion asked the Court to enjoin the Government’s enforcement of EO 14042. Plaintiffs challenged the EO on 10 separate grounds, including that it violated the Federal Property and Administrative Services Act (“FPASA”), the Competition in Contracting Act (“CICA”), the Administrative Procedures Act (“APA”), and the U.S. Constitution. The Court held a conference among the parties on November 9 and a hearing on November 18.

The District Court Decision

Regardless of whether one likes the outcome or not, Judge Van Tatenhove’s decision is thoughtfully reasoned and well written. It is methodical and well cited. In sum, Judge Van Tatenhove enjoined the EO not because of the process by which the Administration implemented the mandate (i.e. not due to the lack of a meaningful notice-and-comment period or the unprecedented dynamic nature of the FAR clause), but rather because he found the Administration never had the authority to implement a vaccine mandate in the first place. In other words, the Court issued the injunction because the President of the United States purportedly lacks the statutory or constitutional authority to regulate public health via a contract clause issued pursuant to a procurement statute.

The decision, however, readily concedes that the Court’s view is the beginning, not the end, of the story. “Once again,” the Judge explained, “the Court is asked to wrestle with important constitutional values implicated in the midst of a pandemic that lingers. These questions will not be finally resolved in the shadows. Instead, the consideration will continue with the benefit of full briefing and appellate review. But right now, the enforcement of the contract provisions in this case must be paused.”

The Practical Impact (and Scope) of Kentucky v. Biden

While the Court’s decision is significant, it does NOT apply to all federal contractors. It enjoins the Government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.” Sadly, Judge Van Tatenhove does not explain this sentence. Does he mean to enjoin all federal contracts performed in those states, all federal contracts held by contractors operating in those states, or maybe even all federal contracts issued by agencies based in those states? It’s unclear. Adding to the confusion is his statement that the injunction “is properly limited to the parties before the Court” (i.e., the states of Kentucky, Tennessee, Ohio). Here again, we are left to guess what he means.

Subsequent to the Court’s decision, GSA took prompt steps to notify its contractors of the late breaking news. Here is GSA’s take on the scope of the injunction:

Update: On November 30, 2021, in response to a lawsuit filed in the United States District Court, Eastern District of Kentucky, a preliminary injunction was issued halting the Federal Government from enforcing the vaccine mandate for Federal contractors and subcontractors in all covered contracts in Kentucky, Ohio, and Tennessee.

GSA implemented the vaccine mandate stemming from Executive Order 14042 through Class Deviation CD-2021-13. Pursuant to the preliminary injunction, GSA will not take any action to enforce FAR clause 52.223-99 Ensuring Adequate COVID-19 Safety Protocols for Federal Contractors in all covered contracts or contract-like instruments being performed, in whole or in part, in Kentucky, Ohio and Tennessee.

While GSA’s formulation is a bit more useful than the Court’s in that it focuses on contracts “being performed . . . in” the three states, it still does not answer the key question regarding scope.

We think the most common sense interpretation of the scope of the injunction is that it applies to covered employees performing work in Kentucky, Tennessee, and Ohio. That being said, GSA’s interpretation seems to indicate the analysis should be performed at the contract level, rather than the employee level (i.e., if you have even one employee performing on a contract in one of those three states, then the entire contract is exempt from enforcement).

We hope to receive updated Guidance from the Task Force providing a definitive answer to this question in the near future. Until then, Federal contractors and subcontractors are stuck between the proverbial rock and a hard place – having to decide whether to continue marching ahead pursuant to the EO or navigate different rules in different states.

In reaching their own interpretive decision, contractors should keep in mind that the Court order does not prohibit compliance with the EO, it simply enjoins the Government from enforcing the EO. Before a contractor decides to continue rolling out its existing compliance approach as planned, however, it would be well advised to consider this: Now that the EO has been enjoined in Kentucky, Ohio, and Tennessee, one can make a credible (and likely correct) argument the EO requirements are no longer mandatory in those states (both vaccination and making/distancing). This transition from a mandatory to a voluntary rule creates at least two new hurdles for contractors.

• First, continuing to comply with the FAR/DFARS clauses could create state liability where a state has a law against a vaccine mandate. For example, on November 12, 2021 Tennessee passed TN HB 9077/SB 9014, which prohibits private businesses, governmental entities, schools, and local education agencies from compelling an individual, or from taking adverse action against the individual to compel them, to provide proof of vaccination. Previously, the Executive Order, as a federal law, would have trumped the conflicting state law. Now, however, the unenforceable EO no longer reigns supreme. Accordingly, continuing to impose the EO on a Tennessee workforce creates state risk.
• Second, continuing to comply with the FAR/DFARS clauses in Tennessee, Kentucky, or Ohio could create problems with a company’s collective bargaining obligations. When the vaccine requirement was a legal obligation, it probably was not required to be collectively bargained. Now that the requirement is no longer a legal obligation (at least in the three states covered by the Court order), imposing a vaccine mandate on union employees may have to be collectively bargained.

Accordingly, while marching ahead with an existing EO 14042 company-wide compliance plan may make great sense from an efficiency and consistency standpoint, it could create unintended risks in at least three states (and certainly in Tennessee).

What Should Contractors Do Now?

The EO 14042 COVID safety contracting landscape (like COVID itself) is changing every day. We are hopeful the Task Force will issue new Guidance soon to help contractors navigate the new hurdles created by the Kentucky decision. Until then, here are a few thoughts for consideration:

• If you have no employees performing in Kentucky, Ohio, or Tennessee, the Order has no impact on you. The EO still applies to your contracts in other states just as it did prior to the Court’s decision.
• If you have employees performing in Tennessee, take a close look at TN HB 9077/SB 9014 before making any decision regarding implementation of the EO.
• If you have employees performing in Kentucky or Ohio and do not have collective bargaining agreements, you may want to continue enforcing the EO to avoid having different rules in different locations. But if you have collective bargaining agreements, make sure you connect with your L&E lawyer before charting a path forward.
• Consider putting together a communication to your employees who no doubt soon will read a headline and have questions about the Order.
• For contractors with employees performing in Kentucky, Tennessee, or Ohio, update your current compliance plan.
• In the absence of further Task Force Guidance, consider staying in close communication with your contracting officer regarding your implementation approach, especially in the three states implicated by the Order.

Additionally, stay on the lookout for additional updates (including from us) on the other pending litigation challenging the EO.

What’s Next?

Speaking of the “other pending litigation,” the docket still is full of challenges to the EO. By our count, there are motions for preliminary injunction pending in cases with 24 additional states as plaintiffs:

Article by the Government Contracts Practice Group with Sheppard, Mullin, Richter & Hampton LLP.

For more about federal court orders and federal contractors visit the NLR Government Contracts Maritime & Military Law type of law page.

The post What We Know And Don’t About The Federal Court Order Enjoining EO 14042 appeared first on The National Law Forum.

The federal government’s funding is slated to deplete on September 30th, 2021. Congress is currently debating the legislation that will allow operations to continue beyond this date, but it remains to be seen whether or not the government will experience a temporary shutdown. Regardless, the Office of Management and Budget signaled for agencies to prepare for a gap in funding, and President Joe Biden’s White House is preparing for this outcome.

“Government shutdowns impact government contractors in significant ways. Work and payments suddenly stop, and contractors have to decide what to do with their skilled and knowledgeable workers, who suddenly have nothing to do for a company whose cash flow has taken a sudden hit,” said Guy Brenner, a partner in the labor and employment law department and head of the Government Contractor Compliance Group at Proskauer Rose LLP. “This is particularly difficult given that the length of the shutdown is difficult to predict.”

A government shutdown presents unique challenges, not only for federal agencies, but for government contractors and subcontractors as well. These challenges include (but are certainly not limited to) employee pay and overtime, unemployment benefits, the furloughing of employees and more. As a result, it’s important government contractors remain informed and prepare themselves for next steps, should the shutdown indeed take place.

What Do Government Contractors Need to Know About the Shutdown?

In years past, government shutdowns complicated pay and backordered work, and the ongoing COVID-19 pandemic adds another layer to the impending decision on September 30, 2021. With a possible shutdown approaching, government contractors should consider their options under their existing contracts. The looming possibility of a government shutdown creates an air of uncertainty, but workers can mitigate the effects with proper preparation. This includes provisions of the Worker Adjustment and Retraining Notification Act of 1988 (WARN Act) which impacts larger employers.

Typically under the WARN Act, employers must notify employees within 60 days of an upcoming large-scale layoff. The WARN Act applies if there is an “employment loss,” which includes a layoff exceeding six months, an employment termination or a 50 percent reduction in hours in each month over six months.

Another consideration for government contractors during a shutdown is furloughing employees. Often contract workers who are furloughed are not paid their owed wages until after the shutdown has ended and a spending agreement is made, sometimes taking many months before issuing the payments. In some instances, such as during the shutdown of 2018/2019, lawmakers may vote against paying contractors for their furloughed time.

Another complication begins when government contractors take a hit during the shutdown and require workers to use their paid time off (PTO) as compensation rather than back pay. And those with PTO still fare better than contractors who are considered non-essential and cannot rely on PTO. What are the options for those workers?

In addition to furlough and PTO, another potential option for government contractors and their employees during the shutdown is unemployment benefits. However, some furloughed employees may not be eligible for unemployment benefits. Government contractors should check state laws to determine eligibility. Government contractors can find additional resources from the U.S. Department of Labor, including fringe benefits, paid sick leave and pay requirements.

How Can Government Contractors Prepare for a Shutdown?

Despite the uncertainty, government contractors can prepare in advance for a government shutdown. E-Verify, the online system used by employers to check the employment eligibility of new hires, is run by the Department of Homeland Security and may be unavailable during a shutdown. To prepare for this, government contractors should complete I-9 paperwork as soon as possible if E-Verify is unavailable.

Another consideration for government contractors during a shutdown is employee benefits. Furloughed employees may have their benefits affected if a government shutdown happens for a long period of time. The longest government shutdown on record was for 34 days in 2018-2019, which was a partial shutdown, whereas the government is facing a full shutdown this time since the government hasn’t passed any funding bills.

If the government shuts down and employees’ hours are reduced, they may lose COBRA health plan coverage. If this happens, government contractors must send qualifying event notices to affected employees, and employees must be given the option to continue coverage under the plan for the duration of the furlough at the employee’s expense for the maximum COBRA continuation period.

If the government is shut down and employees are furloughed, government contractors should tell employees not to do any work. If employees work while furloughed, they must be paid a salary for the entire week. Aside from furlough, government contractors may also decide to allow employees to work a reduced number of hours, but the process needs to be analyzed carefully and managed tightly, due to requirements for exempt employees, salary requirements, local regulations for a reduction in compensation, as well as contractual obligations, overtime exemptions and any foreign work authorizations.

Government contractors should consider incorporating the cost impacts of a shutdown into their planning and allow for it in their contracts. Contractors should plan to establish a line of communication with contracting officers ahead of time to discuss what work might be halted just in case they are unavailable if the government shuts down. Additionally, small businesses that rely on government funding can also prepare by speaking with their bank before any upcoming funding deadlines to ensure they have the cash flow to stay afloat during the shutdown.

What are the Next Steps for Government Contractors?

Government contractors can start preparing now for a government shutdown by completing necessary I-9 paperwork, determining furlough and unemployment benefit eligibility, determining WARN Act eligibility as well as planning for COBRA coverage interruptions.

“When the government shuts down, contractors can feel sudden and serious economic and workflow impacts, and naturally want to react quickly. But doing so without careful thought and planning may only solve one problem while creating an even bigger and potentially more costly one,” Mr. Brenner said. “Wage and hour, immigration, benefits, unemployment insurance, and lay off laws are all issues contractors need to consider before taking action.”

The post How Government Contractors Can Prepare for a Government Shutdown appeared first on The National Law Forum.

On August 6, 2020, Trump issued two separate executive orders that will severely restrict TikTok and WeChat’s business in the United States.  For weeks, the media has reported on Trump’s desire to “ban” TikTok with speculation about the legal authority to do so.  We break down the impact of the Orders below.

The White House has been threatening for weeks to ban both apps in the interest of protecting “the national security, foreign policy, and economy of the United States.”  According to the Orders issued Thursday, the data collection practices of both entities purportedly “threaten[] to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.”

This is not a new threat.  A variety of government actions in recent years have been aimed at mitigating the national security risks associated with foreign adversaries stealing sensitive data of U.S. persons.  For example, in 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) was implemented to expand the authority of the Committee on Foreign Investment in the United States (CFIUS) to review and address national security concerns arising from foreign investment in U.S. companies, particularly where foreign parties can access the personal data of U.S. citizens.  And CFIUS has not been hesitant about exercising this authority.  Last year, CFIUS required the divestment of a Chinese investor’s stake in Grindr, the popular gay dating app, because of concerns that the Chinese investor would have access to U.S. citizens’ sensitive information which could be used for blackmail or other nefarious purposes.  That action was in the face of Grindr’s impending IPO.

In May 2019, Trump took one step further, issuing Executive Order 13873 to address a “national emergency with respect to the information and communications technology and services supply chain.”  That Order stated that foreign adversaries were taking advantage of vulnerabilities in American IT and communications services supply chain and described broad measures to address that threat.  According to these new Orders, further action is necessary to address these threats.  EO 13873 and the TikTok and WeChat Orders were all issued under the International Emergency Economic Powers Act  (IEEPA), which provides the President broad authority to regulate transactions which threaten national security during a national emergency.

Order Highlights

Both Executive Orders provide the Secretary of Commerce broad authority to prohibit transactions involving the parent companies of TikTok and WeChat, with limitations on which transactions yet to be defined.

• The TikTok EO prohibits “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States,” with ByteDance Ltd., TikTok’s parent company, “or its subsidiaries, in which any such company has any interest, as identified by the Secretary of Commerce”
• The WeChat EO prohibits “any transaction that is related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd., WeChat’s parent company “or any subsidiary of that entity, as identified by the Secretary of Commerce.”
• Both Executive Orders will take effect 45 days after issuance of the order (September 20, 2020), by which time the Secretary of Commerce will have identified the transactions subject to the Orders.

Implications

Until the Secretary of Commerce identifies the scope of transactions prohibited by the Executive Orders, the ultimate ramifications of these Orders remain unclear.  However, given what we do know, we have some initial thoughts on how these new prohibitions may play out.  The following are some preliminary answers to the burning questions at the forefront of every American teenager’s (and business person’s) mind.

Q:  Do these Orders ban the use of TikTok or WeChat in the United States?

A:  While the Orders do not necessarily ban the use of TikTok or WeChat itself, the app (or any future software updates) may no longer be available for download in the Google or Apple app stores in the U.S., and U.S. companies may not be able to purchase advertising on the social media platform – effectively (if not explicitly) banning the apps from the United States.

Q:  Will all transactions with ByteDance Ltd. and Tencent Holdings Ltd. (TikTok and WeChat’s parent companies, respectively) be prohibited?

A:  Given the broad language in the Orders, it does appear that U.S. app stores, carriers, or internet service providers (ISPs) will likely not be able to continue carrying the services while TikTok and WeChat are owned by these Chinese entities.  However, it is unlikely that the goal is to prohibit all transactions with these companies as a deterrent or punishment tool – which would essentially amount to designating them as Specially Designated Nationals (SDNs) – the  Orders clearly contemplate some limitations to be imposed on the types of transactions subject to the Order by the Secretary of Commerce.  Furthermore, the national security policy rationale for such restrictions will not be present in all transactions (i.e. if the concern is the ability of Chinese entities to access personal data of U.S. citizens in a manner that could be used against the interests of the United States, then presumably transactions in which ByteDance Ltd. and Tencent Holdings Ltd. do not have access to such data should be permissible.).  So while we do not know exactly what the scope of prohibited transactions will be, it would appear that the goal is to restrict these entities’ access to U.S. data and any transactions that would facilitate or allow such access.

Q:  What does “any property, subject to the jurisdiction of the United States” mean?

A:  Normally, the idea behind such language is to limit the prohibited transactions to those with a clear nexus to the United States: any U.S. person or person within the United States, or involving property within the United States.  It is unlikely that transactions conducted wholly outside the United States by non-U.S. entities would be impacted.  From a policy perspective, it would make sense that the prohibitions be limited to transactions that would facilitate these Chinese entities getting access to U.S.-person data through the use of TikTok and WeChat.

Q:  What about the reported sale of TikTok?

A: There is a chance the restrictions outlined in the TikTok EO will become moot.  Reportedly, Microsoft is in talks with ByteDance to acquire TikTok’s business in the United States and a few other jurisdictions.  If the scope of prohibited transactions are tailored to those involving access to U.S. person data and if a U.S. company can assure that U.S. user-data will be protected, then the national security concerns of continued use of the app would be mitigated.  Unless and until such acquisition takes place, U.S. companies investing in TikTok or utilizing it for advertising such be prepared for the restrictions to take effect.  At this time, there do not appear to be any U.S. buyers in the mix for WeChat.

Q:  The WeChat EO prohibits any transaction that is “related to” WeChat…what does that mean?

A:  The WeChat prohibition is more ambiguous and could have significantly wider impact on U.S. business interests. WeChat is widely used in the United States, particularly by people of Chinese descent, to carry out business transactions, including communicating with, and making mobile payments to, various service providers.  The WeChat EO prohibits “any transaction that is related to WeChat”  with Tencent Holdings Ltd., or any of its subsidiaries.  Unlike TikTok, WeChat’s services extend beyond social media.  While the language of the ban is vague and the prohibited transactions are yet to be determined, it appears likely that using WeChat for these communications and transactions may no longer be legal. It is also unclear if the WeChat prohibition will extend to other businesses tied to Tencent, WeChat’s parent company, including major gaming companies Epic Games (publisher of the popular “Fortnite”), Riot Games (“League of Legends”), and Activision Blizzard, all in which Tencent has substantial ownership interests.  There has been some reporting that a White House official confirmed Tencent’s gaming interest are excluded from the Order as being unrelated to WeChat, but until the Secretary of Commerce specifies the prohibited transactions, the scope of the Order remains uncertain

Bottom Line

Until the Secretary of Commerce issues its list of transactions prohibited under these Executive Orders, the scope and effect of these Orders is conjectural.  This Administration’s all-in posture towards China would suggest that the prohibitions could be broad and severe.  U.S. companies utilizing WeChat or TikTok for business purposes or conducting business with the apps’ owners, should think carefully about ongoing and future transactions.  Of course, there is an election right around the corner and a new Administration may bring significant change to related foreign, trade and technology policy.  Thoughtful planning for a variety of scenarios will enable companies’ to respond appropriately as the restrictions on TikTok and WeChat are crystallized.

The post National Security Meets Teenage Dance Battles: Trump Issues Executive Orders Impacting TikTok and WeChat Business in the U.S. appeared first on The National Law Forum.

For information security professionals, identifying cybersecurity vulnerabilities is often part of the job.  That is no less the case when the job involves a contract or grant with the U.S. government.

Information security and data privacy requirements have become a priority at federal agencies.  These requirements extend to federal contractors because of their access to government data.  Often, cybersecurity professionals are the first to identify non-compliance with these requirements.  As high-profile data breaches have become more common, those who report violations of cybersecurity and data privacy requirements often experience retaliation and seek legal protection.

Reporting non-compliance or misconduct in the workplace can be necessary, but it can also be daunting.  It is important for cybersecurity whistleblowers to know their legal rights when disclosing such concerns to management or a federal agency.

In many cases, federal law protects cybersecurity whistleblowers who work for federal contractors or grantees.  This post provides an overview of those protections.

What cybersecurity requirements apply to federal contractors?

Federal contractors are subject to data privacy and information security requirements.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and private business contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).  

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series.  Core FISMA requirements include:

• Federal contractors must keep an inventory of all of an organization’s information systems.
• Contractors must identify the integration between information systems and other systems in the network.
• Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
• Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
• Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
• Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
• Contractors must conduct annual reviews to ensure that information security risks are minimal.

In addition to generally-applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers who work for federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 2409; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

• Efforts to stop false claims to the government;
• Lawful acts in furtherance of an action alleging false claims to the government; and
• Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 2409(c)(6) (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).  

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 2409; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

The relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  The whistleblower proved that the employer more than likely retaliated by demoting him after he reported issues with tests related to a federal contract, according to the jury.  Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion for a drug outside its FDA-approved use.  The False Claims Act protects employees from retaliation who blow the whistle on fraud against the government, including those who blow the whistle internally to a government contractor or grantee.

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some claims limit that right to whistleblowers who first exhaust all their administrative remedies.  For example, in some cases whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S. Code § 3730; 10 U.S.C. § 2409; 41 U.S.C. § 4712.

The post Cybersecurity Whistleblower Protections for Employees of Federal Contractors and Grantees appeared first on The National Law Forum.

In December 2019, an entire class of West Virginia prison guard trainees was reportedly fired for giving the Nazi salute in their graduation photo.

The incident is not only a chilling display of a detestable symbol of genocide. It is also a crystal-clear example of the problem of the passive bystander. But modern training methods, based on current research on the science of bystandership, can help prevent such abuses before they occur. Such programs are being successfully adopted by law enforcement agencies and other organizations around the country.

What happened in West Virginia: Several news outlets have published the November graduation photo showing a class of over 30 prison guard cadets displaying the Nazi salute. According to published reports, the gesture was one cadet’s idea of a tribute to the group’s training officer. An internal investigation of the incident found that the training officer, Karrie Byrd, “saw nothing wrong with the gesture and allowed it to continue.” Several class members objected to the gesture, but went along out of fear of retaliation. Two other instructors saw the gesture and spoke out, thinking their duty to object was fulfilled. A corrections department Captain, Annette Daniels-Watts, reportedly recognized that the picture would cause the Department embarrassment, but allowed the photo to be printed and distributed with graduation materials. The Department’s subsequent internal investigation concluded that the entire class (and several of the instructors) should be fired. Acting on the recommendation, West Virginia Governor Jim Justice fired the entire class on New Year’s Eve.

Multiple opportunities to intervene: As goes the adage often attributed to Edmund Burke, the only thing necessary for the triumph of evil is that good people do nothing. We don’t know if there were any actual Nazis in the West Virginia cadet class, but it is safe to assume not all were. Many participants in the incident had opportunities to intervene, but none did. The instigator of the incident reportedly said he was honoring the instructor with the gesture. To classmates who objected, he assured them that since there was no racial motivation behind it, the gesture was acceptable. Two other instructors witnessed the gesture being made during training exercises and informed the class of the inappropriateness of the gesture. Those instructors reportedly thought their comments stopped the inappropriate behavior. Yet multiple instructors later saw the graduation photograph and did nothing to stop its publication. And the Captain in charge of cadet basic training, when shown the photograph by a secretary responsible for assembling the graduation materials, reportedly told the secretary, “oh, I should just pull it, but since you have them all already printed you might as well go ahead and stuff them into the packets.” At each of these moments, a bystander could have helped stop the activity. But the bystanders didn’t have the tools they needed to act effectively.

Inhibitors to action: Why do people fail to effectively intervene against a behavior they know is wrong? We all do it. The answer is that the tactics and strategies for successful intervention are not innate. We need to be trained to overcome factors that inhibit action in the face of bad behavior. The West Virginia investigation report concludes as follows:

1. There is “no dispute” that the gesture and photograph were highly offensive.
2. The investigation did not reveal any overt motivation or intent of discrimination “towards any racial, religious, or ethnic group.”
3. Rather, the report identifies the factors behind the incident as “poor judgment, ignorance, peer pressure, and fear of reprisal.”

All the factors identified in the report are well-documented inhibitors to active bystandership. Importantly, good peer intervention techniques are proven to address such inhibitors. The program instituted by the New Orleans Police Department is one such program. The program is known as “Ethical Policing is Courageous,” or EPIC. It was implemented by the men and women of the NOPD with the support and guidance of several outside experts, including the Department’s judicially-appointed monitors. Since then, the EPIC program has been brought to other municipal police departments, and at least one university police department.

In law enforcement organizations, one of the main inhibitors to intervention is peer pressure, particularly when officers fear ostracism or retaliation from fellow officers. This effect is sometimes referred to as the “blue wall of silence.” That wall of silence is rooted in the value of protecting fellow officers from harm, but becomes pernicious when it suppresses intervention against bad acts.

Some corrective actions may miss the mark. According to some reports, West Virginia plans to begin training its corrections department staff about the Holocaust as a result of the cadet graduation photo incident. Surely a better understanding of the Holocaust would help the cadets see that the Nazi gesture is offensive. But it might not be a complete solution. It doesn’t address the inhibitors to intervention that are present in all such situations, and which are especially pervasive in law enforcement environments.

Active bystandership makes us all better. Good peer intervention training programs work precisely because they can break the wall of silence. For example, the EPIC program ties positive, early intervention to the value of protecting fellow officers. Instead of relying on ethics training, discipline, or negative reinforcement, the program emphasizes that stepping in to prevent misconduct can help save a fellow officer’s life, safety, or career. Intervention skills are taught as a learnable skill, on the same level as learning to operate the radio, use a firearm, or apply handcuffs. When active intervention skills become pervasive, problems can be prevented before a crisis occurs. The EPIC program has garnered positive reviews from many quarters.

The West Virginia government has rightly been praised for its transparent and thorough response to this incident, but crisis management is difficult and traumatic. If objectionable behavior can be stopped earlier, the need for an expensive crisis response can be avoided. More importantly, officers can learn to be better through the intervention of a peer. Aronie reports that “many officers will recount with gratitude” throughout their careers the story of a partner or sergeant who prevented a mistake or misconduct through active and early intervention.

Peer intervention can help prevent officer misconduct, but it can also have other positive effects, including to increase the effectiveness of enforcement methods, improve officer and inmate safety, increase community engagement, and prevent excessive use of force. There are some indications that it may also help reduce officer suicides. More broadly, active bystandership has the potential to make us all better in the face of evil. Ervin Staub is a prominent scholar of the psychology of peace and violence. In the preface to his book on bystander intervention, The Roots of Goodness and Resistance to Evil, Staub recounts stories of bystanders who resisted the Nazi persecution of Jews during WWII. In some cases, resistance changed the behavior of the perpetrators, and lives were saved. Among the lives saved were those of Staub and his family, who were protected by Christian bystanders in Hungary in the summer of 1944.

In the end, not all offensive conduct can be stopped. But we can do better with proper awareness, and we will be better for it. The West Virginia incident provides an excellent example of how better intervention could have helped a whole community. As New Orleans civil rights attorney Mary Howell has said, Staub’s work on peer intervention challenges us “to think about how to be better people and how to not be silent.”

The post How an Entire Class of Prison Guard Trainees Could Have Been Saved by a Simple Bystander Intervention Program appeared first on The National Law Forum.

On November 8, 2019, OFCCP released its Corporate Scheduling Announcement List (“CSAL”) Supplement.  The list identifies 500 establishments selected for the new VEVRAA focused review compliance evaluation.  In 2018, OFCCP announced that it would be conducting focused reviews during which it would target its analysis on contractors’ compliance with  Executive Order 11246 (the “EO”) (equal employment opportunity regardless of race, color, religion, sex, sexual orientation, gender identity, or national origin); Section 503 of the Rehabilitation Act (“Section 503”) (equal employment for individuals with disabilities), or the Vietnam Era Veterans’ Readjustment Assistance Act (“VEVRAA”) (equal employment for protected veterans).

OFCCP has already commenced Section 503 focused reviews, but this is the first time the agency has scheduled VEVRAA focused reviews.  In its November 8, 2019 announcement, OFCCP also shared that it has created a VEVRAA focused review webpage “[t]o help contractors prepare for the upcoming reviews.”  The agency touts the resource as providing “best practices, protected veteran resources, answers to frequently asked questions, and other compliance assistance resources.”

Contractors are advised to review the Supplemental CSAL (available online) to see if they have been selected for a VEVRAA Focused Review and, if so, review the current and proposed VEVRAA Focused Review scheduling letters to prepare for their upcoming compliance evaluation, and consult with counsel as necessary.

The post OFCCP Issues Supplemental CSAL – Were You Selected For A New VEVRAA Focused Review? appeared first on The National Law Forum.

The Department of Justice (DOJ), Civil Rights Division, announced on August 29, 2018, its civil settlement with the international law firm, Clifford Chance US LLP, for violations of the Immigration and Nationality Act (INA), 8 U.S.C. 1324b, attributable to Clifford Chance’s overly restrictive interpretation of who can work on projects involving data controlled by the International Traffic in Arms Regulations (ITAR).

Clifford Chance, for purposes of conducting a large scale document review involving ITAR controlled data, restricted the project to U.S. Citizens only, based on its good faith belief that only U.S. Citizens could work on ITAR projects. But the ITAR generally allows U.S. Persons to have access to ITAR controlled data, and defines a (natural) “U.S. Person” as “a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20)” or “a protected individual as defined by 8 U.S.C. 1324b(a)(3).” See 22 C.F.R. 120.15. Thus the ITAR does not restrict access to U.S. citizens only, but also generally allows access by non-U.S. citizens who fall within the following classes, among others:

• Nationals of the U.S. (i.e., those born in the “outlaying” possessions of the U.S. meeting specified requirements, or individuals born of a parent who meet specified requirements);
• Aliens lawfully admitted for permanent residence (i.e., “green card” holders);
• Certain refugees; and
• Certain asylum seekers.

According to DOJ, Clifford Chance unlawfully discriminated against persons based on their citizenship by excluding eligible non-U.S. citizens from its ITAR project. DOJ rejected Clifford Chance’s argument that it should be absolved of liability because it acted in good faith (there’s no good faith exception to the prohibition against discrimination under 1324b), and Clifford Chance agreed to pay a $132,000 civil penalty, implement various corrective actions, and allow DOJ oversight for a two-year period.

What does that mean for you? If you hire or contract with U.S. Citizens only for purposes of fulfilling your ITAR obligations, you may be violating the INA. You should review your hiring and contracting processes to make sure that you do not limit hiring or outsourcing to U.S. Citizens only, when ITAR compliance is your justification for denying job opportunities based on citizenship or national origin.

The post Hiring US Citizens Only for ITAR Compliance Can Violate the Immigration and Nationality Act appeared first on The National Law Forum.

The United States military is the most powerful warfighting force in world history.

But Secretary of Defense Jim Mattis made a stark observation in the 2017 National Defense Strategy:

Without sustained and predictable investment to restore readiness and modernize our military to make it fit for our time, we will rapidly lose our military advantage, resulting in a Joint Force that has legacy systems irrelevant to the defense of our people.

The problem, in summary, is a lack of readiness.

But the Future is “BIG”

Readiness is not as exciting as futuristic weapons systems or as dramatic as battle. Instead, readiness focuses on the military’s more mundane, but essential, ability to train, house troops, repair equipment, and plan for mobilization.  Readiness undergirds the core ability of the military to defend the United States.  We are seeing a new emphasis on readiness.  Significantly, the current President and Congress are actively increasing the military’s budget to purchase goods and services, especially those related to the construction of military facilities.

This new construction is required because readiness demands it. For example, many structures at MCAS Cherry Point used for aviator and aircraft ground-support training, repair, and deployment are over 70 years old.  Many structures were built for World War II and the Cold War.  We now face different enemies, technologies, and strategies.  Combat aircraft fleet facility upgrades are essential to meet the raised readiness standard.

In addition, the new F-35 Joint Strike Fighter adds significantly increased technology, infrastructure, and security demands that cannot be met with the current facilities at MCAS Cherry Point and its tenant command, Fleet Readiness Center East (“FRC East”). MCAS Cherry Point will be home for probably 94 F-35 jet fighters.  FRC East’s role in servicing Air Force, Navy, and Marine Corps variants of the Joint Strike Fighter is essential to achieving the overwhelming lethality required for proper military readiness.

But MCAS Cherry Point and FRC East cannot fulfill their obligations to the readiness standard without new construction. The President has asked Congress to fund the following major construction projects for the federal fiscal year beginning in October 2018:

• $133,970,000 for a new hangar that will house F-35B Lightning II Joint Strike Fighters for the Marine Corps’ Second Marine Air Wing, which is headquartered at MCAS Cherry Point.
• $106,860,000 to modernize flight line infrastructure such-as electrical, water, and technology services as well as new access points and loading areas for the new hangar.

That’s about $180,000,000 more than MCAS Cherry Point has seen in a single fiscal year for at least the last 20 years. But this new funding is only the beginning of a rapidly accelerating plan to rebuild Cherry Point’s aging facilities, roads, and infrastructure.  We also expect the following projects to be funded over the next 10 years:

• New streets, parking, security enhancements, and F-35 hangars at MCAS Cherry Point at a cost of around $600 million.
• New repair hangars, test facilities, and improved facilities at FRC East at of a cost of around $400 million.

Overall, we expect to see around $1.2 billion in new construction and facility upgrades at MCAS Cherry Point and FRC East over the next 15 years.

A Place for Private Contractors

Successful construction needs more than just funding. It also needs private contractors who can build, install, and maintain the facilities and infrastructure.

The federal procurement process for construction of Defense Department facilities is a complex undertaking. Once a company enters the procurement process, there are special rules unique to federal contracting that the contractor must understand.  Therefore, companies should become familiar with the federal procurement rules before pursuing their first contract.  While a comprehensive primer on these rules is beyond the scope of this article, our attorneys handling government contracts are seeing an increase in the use of small business preferences and teaming arrangements.  These programs allow small businesses to benefit both from their size status and the competitive advantage of teaming with a larger or more sophisticated company.

Incentives: Federal Small Business Preferences

We have seen a marked increase in contractors interested in qualifying for the small business “set-aside” and other programs available in federal procurements. At the same time, the Defense Department itself is, at least in theory, promoting the set-aside programs.  Opportunity abounds for companies who qualify for small business programs.

Unlike most private sector commercial contracts, federal government contracts are used to support certain socio-economic goals.  Many of these programs favor small or disadvantaged businesses. The federal government has a specific goal every year for the percentage of contracts given to small and disadvantaged businesses.  The following programs are currently the most active for participation and promotion:

• Woman-owned small businesses
• Historically underutilized businesses in certain geographical areas (“HUBZone businesses”)
• Veteran-owned small businesses (especially service-disabled veterans)
• Mentor-protégé joint ventures and teaming agreements between large and small businesses, especially those teaming with Section 8(a) disadvantaged businesses.

Construction companies and other contractors who are ready for this wave of new projects will benefit from the increased attention to readiness upgrades. Unprepared companies will lose out on these opportunities.  This may not seem a big problem while the economy is strong, but in our experience, contractors who planned for federal work survived and even thrived during the recent Great Recession.

Conclusion

Fortunately, with proper planning, a good business plan, and sound legal advice, there is no reason to be discouraged from beginning or expanding your federal government contracts. Although entering and working within the federal contracting arena can be daunting, several programs assist small and innovative companies with getting and keeping federal contracts.

The post Focus on Military Readiness Means More Construction Work on Military Bases: Are Contractors Ready to Compete and Perform? appeared first on The National Law Forum.