Friday Flash 1.7.22

FAR & Beyond: Twenty-two Topics for 2022!

Happy New Year!  We begin the new year with twenty-two topics that will shape much of the federal acquisition landscape in 2022.  This list is not by any means exhaustive, but it does represent important personnel, policy, and program items/opportunities that government and industry will be addressing throughout the year.  These twenty-two topics provide opportunities in the federal acquisition market to accelerate the Administration’s goals.

As always, government-industry engagement is foundational to the success of the procurement system in delivering best value services and products to support customer agency missions for the American people.  Eleven years ago, Dan Gordon, then Administrator for Federal Procurement Policy, issued “Myth-Busting”: Addressing Misconceptions to Improve Communication with Industry During the Acquisition Process.  Routinely cited as the “Myth-Busters” memo, it remains the leading policy statement addressing the importance of government-industry communication.  The memo debunked a host of myths and/or assumptions about government procurement, effectively citing regulation and policy supporting the benefits of early and ongoing communication between government and industry during the procurement process.

As we move into 2022, the Myth-Busters memo remains as important today as it was eleven years ago in setting expectations and identifying opportunities for positive government-industry engagement.  Here are twenty-two topics where that engagement will play a central role in improving mission support for the American people:

  • Multiple Award Schedule (MAS) price negotiations challenges and opportunities in identifying a fair and reasonable price
  • Economic Price Adjustment (EPA) clause administration and the impact of inflation
  • Administrator for Federal Procurement Policy is needed
  • Cyber Security, including the CMMC adjustments and implementation, expectations for government and industry
  • Sustainability and Federal acquisition
  • Supply Chain resilience, Buy American, Buy Allied, or buy both
  • Buy American Act versus Trade Agreements Act, particularly how new regulations will affect harmonious implementation of the two
  • The future of GSA’s e-commerce pilot
  • Services MAC versus OASIS, in particular, whether GSA is looking to create a mandatory source of supply
  • The Next Generation of IT GWACs at GSA: POLARIS and the follow on to Alliant 2
  • Maximize cooperative purchasing across all of GSA’s procurement programs
  • Government efforts to implement commercial practices as a multi-cloud customer
  • Reform of the MAS cloud pricing policies
  • The role of industrial policy in procurement, including national security imperatives for technology, bio-technology, PPE, and more
  • The continued rise of OTAs, stepping outside the FAR to get things done
  • The VA’s MSPV reset/reassessment
  • Small business opportunities and the Biden Administration’s focus on diversity, inclusion, and equity initiatives
  • Addressing gaps in MAS contracting officer training on price negotiations
  • The role of reverse industry days in bringing market knowledge to government acquisition professionals
  • The rollout of Transactional Data Reporting across the MAS program
  • Opportunities to enhance outcomes-based procurement and healthcare programs for pharmaceuticals
  • Commercial item contracting and the balance between government-unique requirements and access to the commercial market

This list is by no means exhaustive.  It represents a starting point of the operational and policy issues that will shape the federal market in 2022.  The Coalition looks forward to working with all stakeholders on these issues and the inevitable new challenges and opportunities that will arise in the new year.

 

Nominate an Excellence in Partnership (EIP) Awardee Today

The Coalition for Government Procurement is pleased to announce that nominations are now open for the 2021 Excellence in Partnership (EIP) Awards.  

The EIP Awards honor individuals and organizations in the acquisition community who have made significant contributions to the Federal procurement system that deliver best value and meet agency missions. Historically, these awards have recognized individuals, organizations, and contractors involved in procurement with GSA, VA, DOD, DHS, and other Federal agencies.  

We are seeking nominations from qualified candidates in the award categories below from both government and industry:  

Lifetime Acquisition Excellence Award 

Presented to an individual in the contracting community for demonstrating a life-long commitment to advancing “common sense in government procurement.” Awards will be made in the following subcategories:  

  • Department of Defense  
  • Civilian agency  
  • Industry  

 

Acquisition Excellence Award 

Presented to an organization or individual for outstanding performance over the year in meeting the mission-critical needs of a Federal agency through a government contract. Awards will be made in the following subcategories:  

  • Department of Defense  
  • Civilian agency  
  • Industry  

 

Sustainability/Green Excellence Award 

Presented to an organization or individual that has made outstanding sustainability contributions in support of the Federal government’s goal to address climate change. Awards will be made in the following subcategories:  

  • Department of Defense  
  • Civilian agency  
  • Industry  

 

Advocating for Veterans Award 

Presented to an organization or individual for promoting and executing a successful program that supports veterans. Awards will be made in the following subcategories:  

  • Department of Defense  
  • Civilian agency  
  • Industry  

 

Click here to submit your nomination for the 2021 EIP Awards before the January 31, 2022 deadline. Awardees will be named this March and recognized at our Spring Training Conference in May 2022. If you have any questions, please contact Michael Hanafin at mhanafin@thecgp.org.

 

CMMC Assessments to Resume in January

Federal Computer Week reported that assessments for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program should resume in early 2022. During a December 20 virtual town hall, Jon Hanny, Director of Operations and Chief Security Officer for the CMMC Accreditation Body, said that procedures for certified third-party assessment organizations will start back up by the end of January. However, DoD determines the final timeline. Organizations that were in the assessment process before DoD paused implementation to make changes to the program have had their assessments rescheduled. Once organizations complete their assessments, they will be able to begin evaluating defense companies. These evaluations would be voluntary as CMMC undergoes the rulemaking process, which may take up to two years to complete.  

DoD introduced CMMC 2.0 in November 2020, which made significant changes to the program in order to streamline and simplify processes. In December, DoD published two assessment guides for level one and level two requirements. Level one is a self-assessment, and level two will require some organizations to get a third-party assessment. These two levels will cover the majority of contractors in DoD. 

DHA Opens Small Market Facility Network

Federal News Network reported on a recent development in the Defense Health Agency’s (DHA’s) transition of military healthcare treatment facilities under one market-based structure at DHA.  On December 14, DHA officially launched the Small Market and Stand Alone Military Treatment Facility Organization (SSO) during a ceremony at Joint Base San Antonio-Kelly Field, Texas. The DHA established SSO with the intent of governing a large number of smaller medical markets. SSO currently oversees “17 small medical markets and 68 standalone facilities throughout the nation.” Given the success that DHA has seen in its ability to share resources in larger market areas by its military hospitals, the agency hopes that SSO can do the same nationwide for hospitals in its network absent any geographical link. SSO Director Air Force Maj. Gen. Shanna Woyak told Federal News Network that “the goal of this is not only to integrate, and consolidate, but the idea is also to standardize so that our providers, our soldiers, sailors and airmen, can go to any facility and operate in terms of health care delivery.” Woyak also stated that DHA needs to wait and see what issues come from bringing together so many facilities in many different geographic areas, but noted that those clinics now have a network on which to rely. 

 

Supreme Court to Hear Arguments on OSHA Vaccine Mandate

Federal Computer Week reported that on January 7, the Supreme Court will be hearing oral arguments in a proceeding that will test the legal standing of the Biden Administration’s COVID-19 mandate for private businesses. The mandate issued by the Occupational Safety and Health Administration (OSHA) requires workers at U.S. companies with 100 or more employees to be vaccinated or undergo regular COVID-19 testing. An additional mandate from the Center for Medicare and Medicaid Services (CMMS) that applies to healthcare workers in facilities that receive Federal funding will also be addressed. However, the proceeding on January 7 will not include the vaccination mandate for Federal contractors, which is set to take effect on January 18. The Federal contractor vaccine mandate, which applies to those “Federal contracts and subcontracts whose value is at or above the simplified acquisition threshold of $250,000,” requires its own scheduled proceeding before the Court as it presents a separate and more complicated legal question involving a president’s authority under the Federal Property and Administrative Services Act. The Federal government is not currently enforcing the contractor mandate due to a preliminary injunction issued by the US District Court for the Southern District of Georgia.

 

GSA Releases Update on Services MAC RFP

GSA posted an update about its plans to release a future draft request for proposal (RFP) for the Services Multi-Agency Contract (MAC). According to GSA, the Services MAC will be organized in domains – “functional groupings of services spanning multiple NAICS codes.” Currently, GSA anticipates awarding the following domains in phases: 

  • Management and Advisory 
  • Technical and Engineering 
  • Research and Development 
  • Intelligence Services 
  • Enterprise Solutions 
  • Environmental Services 
  • Facilities 
  • Logistics 

GSA plans to prioritize and add new domains based on assessments of need. GSA is taking the following factors into consideration while planning for the prioritization and sequencing of domains: 

  • OASIS ordering period will sunset in 2024. The next services IDIQ contract will build on the strengths of OASIS while addressing customer needs that have not been adequately met by the contract. 
  • Historic spend on services makes it necessary to execute a domain release prioritization plan that reflects anticipated spend based on market research. 
  • Availability of existing Best-in-Class IDIQs, such as HCaTS, which recently exercised its option, makes it unnecessary to duplicate services it provides early on in the new services contract’s lifecycles. 
  • Demand for complex services is expected to increase over time based on market research, which will inform the prioritization of domains according to the findings. 
  • The Administration’s priorities will inform decisions GSA makes about these domains. 

GSA plans to release additional updates in the coming months.  

 

2021 Highlights from GSA’s Office of Professional Services 

GSA’s Office of Professional Services and Human Capital (PSHC) Categories shared its highlights from 2021. They include:  

  • Launched the Services Marketplace: The purpose of the Services Marketplace is to provide a holistic approach to how GSA supports the procurement community’s need for services. The Marketplace is a series of strategic initiatives that align how the Federal Acquisition Service (FAS) rolls out new contracts and tools. Through the Marketplace, FAS services offices will collaborate and create consistency to improve the buying and selling experience for customers and industry.  
  • Development of a new Services MAC: GSA focused on developing the new Services MAC through market research such as acquisition history and spend analysis, customer and industry engagement, and two RFIs. GSA will be providing more program updates sharing sections of the draft solicitation for feedback.  
  • Expanded the Civilian Services Acquisition Workshops (CSAWs) program: PSHC supported the federal government’s goal of using performance-based contracting principles by delivering 11 CSAW workshops supporting $1.8 billion worth of acquisition across 6 agencies. CSAWs make it easier for agencies to understand PBA and, most importantly, greatly reduce acquisition cycle times.  
  • Celebrated OASIS’s 7th Birthday and HCaTS’ 5th Birthday: OASIS program highlights included: adding 731 new contracts through a major on-ramping effort; establishing a new 8(a) contract family; retaining a Best-In-Class (BIC) designation; issuing thousands of Delegation of Procurement Authorities (DPA); building industry partnerships through the OASIS Shared Interest Group; and completing more than 1,700 scope reviews. HCaTS program highlights included: on-ramping 28 new contractors to HCaTS SB Pool 1; standing up a new 8(a) contract family with 44 vendors; issuing hundreds of Delegation of Procurement Authorities (DPA); and completing more than 250 scope reviews. 
  • Provided COVID-19 support services resources and procurement support: PSHC provided a range of COVID-19 support services and procurement support to local, state and federal agencies, including creating ordering guidance and procurement resources to help agencies quickly procure Enhanced Entry Screening Services (EESS) at government facilities; building acquisition planning packages toolkit and digital marketing research for HHS’s Centers for Disease Control and Prevention’s Immunization Program; and establishing four Basic Ordering Agreements (BOA) to provide emergency hospital support services in Alaska, Idaho, Oregon, and Washington states. 

Read the full list of highlights here. 

 

Overview of the NDAA for FY 2022 Webinar, Jan 20

Happy New Year!  The Coalition is pleased to announce its first webinar of 2022 – Overview of the National Defense Authorization Act (NDAA) for Fiscal Year 2022 (Public Law 117-81).  Our presenter will be Moshe Schwartz, President, Etherton and Associates, Inc. and this webinar will take place on January 20th from 12:00 – 1:00 pm EST. 

The NDAA was signed into law on December 27, 2021 and Moshe will highlight trends and focus areas of the NDAA; acquisition, industrial base, and cybersecurity provisions; and how the NDAA may impact the administration’s policy goals.  Additionally, Moshe will identify potential future areas of focus and change in acquisition and industrial base policy. We look forward to your participation! 

Click here to register. 

 

Legal Corner: Georgia Federal Court Blocks Federal Contractor COVID-19 Vaccine Mandate Nationwide

Authored by Dan Kelly & Hugh Murray

McCarter & English

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

Judge R. Stan Baker of the US District Court for the Southern District of Georgia issued an order (Order) on December 7, 2021, enjoining the federal government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in any state or territory of the United States of America.” This comes on the heels of the November 30, 2021 order by a federal court in Kentucky (see our article here) blocking the federal government’s ability to enforce the obligation embedded in clauses in federal government contracts and other instruments requiring employees of federal contractors with covered contracts in Kentucky, Ohio, and Tennessee to be fully vaccinated by January 18, 2022.

The Georgia case was originally brought by the states of Georgia, Alabama, Idaho, Kansas, South Carolina, Utah, and West Virginia (and agencies within those states). Unlike the court in Kentucky, Judge Baker elected to extend the order nationwide because one of the intervening plaintiffs, Associated Builders and Contractors, Inc. (ABC), has members with covered contracts located throughout the United States. Further, the court concluded that “given the breadth of ABC’s membership, the number of contracts [they] will be involved with, and the fact that EO 14042 applies to subcontractors and others, limiting the relief to only those before the Court would prove unwieldy and would only cause more confusion.”

In any request for a preliminary injunction in which the Government is the party whose actions are being enjoined, a complaining party must show a likelihood of success on the merits, irreparable injury, that the injury threatened outweighs any harm the injunction would inflict on the Government, and that the injunction would not be adverse to the public interest. In this case, Judge Baker concluded that it was likely that President Biden exceeded his authority under the broad statute (the Federal Property and Administrative Services Act) giving the executive branch the authority to procure goods and services through an “economical and efficient system.” Citing US Supreme Court precedent, the court concluded the mandate cannot stand given the lack of explicit language in the enabling statute because of the mandate’s “vast economic and political significance.” The court concluded, at least preliminarily, that the implementation of the mandate would impose an “extreme economic burden” on contractors, that it would pose an “impediment” to the ability of some contractors with recalcitrant employees to continue to perform federal work, that it would have a major impact on the economy, and that it “operates as a regulation of public health.”

In its irreparable harm finding, the court focused less on the potential loss of contracts due to employees who refuse vaccination and more on the economic costs of implementing the mandate. Relying on testimony, the court noted the “incredibly time-consuming processes…to identify the employees covered by the mandate and to implement software and technology to ensure that those employees have been fully vaccinated (or have requested and been granted an accommodation or exemption) by the deadline in January.” The court noted, perhaps incorrectly, that the burden extended to “requir[ing] that any subcontractors’ employees working on or in connection with a covered contract are in compliance.” (The operative clause (clause) and the Safer Workforce Task Force Guidance merely require the clause be flowed down to certain subcontractors—there is no enforcement mandate.) Quoting the US Court of Appeals for the Fifth Circuit’s opinion and order (BST Holdings) staying the vaccine mandate for private employers promulgated by the Occupational Health and Safety Administration (OSHA), the court concluded that the costs of complying with a regulation that is later held invalid “always produces the irreparable harm of nonrecoverable compliance.”

In balancing the harms, the court was not persuaded by the Government’s arguments that an order would delay vaccinations and permit the continued spread of COVID-19 and that the harm it and the general public would suffer far outweigh any harm the contractors would suffer. The court said that the injunction merely preserves the status quo and contractors remain free to encourage employees to get vaccinated. “In contrast, declining to issue a preliminary injunction would force [the contractors] to comply with the mandate, requiring them to make decisions which would significantly alter their ability to perform federal contract work which is critical to their operations.” The court went on: “[R]equiring compliance [with the mandate] would likely be life altering for many of the…employees as [the contractors] would be required to decide whether an employee who refused to be vaccinated can, in practicality, be reassigned to another office or another task or whether the employee instead must be terminated.”

Finally, the court found the public interest was served by the injunction. Again quoting BST Holdings, the court found “From economic uncertainty to workplace strife, the mere specter of [EO 14042] has contributed to untold economic upheaval in recent months” and “the principles at stake when it comes to [EO 14042] are not reducible to dollars and cents.”

Key Takeaways:

  • This is a preliminary injunction and not a final adjudication. By its nature, it is temporary and could be revoked by a later order or by an appellate court (in this case, the Eleventh Circuit Court of Appeals). However, it is probably here to stay for at least weeks if not months.
  • The Order does not invalidate the clause or enjoin the Government or prime contractors from including the clause in contracts and subcontracts. The remaining provisions of the clause—i.e., the workplace safety restrictions—are not affected by the Order, and covered contractors are still bound by them.
  • The Order undoubtedly covers subcontractors in addition to prime contractors, although the Government has no privity with subcontractors. Although the Order enjoins the Government from enforcing the vaccine mandate, it specifically speaks of the vaccine mandate as it applies to both “federal contractors and subcontractors.” Should a prime attempt to force a subcontractor to comply with the mandate, it is almost a certainty that the subcontractor would be able to take refuge in the Order on the theory that in this case the prime is acting as the agent of the Government, and is similarly enjoined.
  • Contractors are not constrained from voluntarily encouraging employees to get vaccinated. Moreover, except in states where employers are prohibited from requiring their employees to get vaccinated (e.g., Texas and Florida), employers can establish human resources policies requiring vaccination against COVID-19 as a condition of employment as long as they allow for a medical or a religious exception consistent with established law.

 

 

Legal Corner 2: Executive Order 14042 Update 12.0: U.S. District Court Issues Nationwide Injunction

Authored by:

Sheppard Mullin

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

Federal contractors and subcontractors across the country now may press the pause button on their EO 14042 COVID-safety efforts, as earlier today the U.S. District Court for the Southern District of Georgia enjoined enforcement of the EO nationwide. The Order goes well beyond the prior federal court injunction that covered only federal contracts in Kentucky, Ohio, and Tennessee.

The Georgia decision (formally captioned The State of Georgia v. Joseph Biden, 1:21-cv-163) is the result of a complaint filed by the states of Georgia, Alabama, Idaho, Kansas, South Carolina, Utah, and West Virginia. Subsequently, the court permitted a nationwide trade association (Associated Builders and Contractors, Inc., or ABC) to intervene as a plaintiff as well. The decision to permit ABC to intervene proved particularly impactful in that the court relied on the national membership of ABC as the basis for applying the injunction nationwide.

The Immediate Impact of Georgia v. Biden

Before getting to the details of the decision, let’s focus on the impact.

In short, as of this afternoon, the Government may not enforce either the Executive Order or the contract clauses issued pursuant to the Executive Order in any U.S. state or territory. While the injunction does not prohibit contractors from voluntarily continuing to follow the Guidance of the Safety Task Force – or from mandating vaccines for their employees – as we noted in our prior Alert, contractors in states that prohibit vaccine mandates (or prohibit employers from requesting proof of vaccination or enforcing mask mandates) do so at great risk. Now that the EO is unenforceable (at least for the time being), the EO no longer preempts contrary state laws. Thus, mandating vaccination in Tennessee or Montana, for example, now will run afoul of state law, whereas, previously, Federal contractors could mandate vaccination under the EO.

Similarly, and also as we discussed in our prior alert, unionized companies likewise will need to think twice before continuing voluntarily to adhere to the Task Force Guidance, even if permitted under state law. While a mandatory compliance obligation likely is not required to be collectively bargained, a voluntary decision to enforce safety guidance probably is.

Against this background, on the eve of the original compliance deadline (12/8/21), Federal contractors now must recalibrate their compliance plans. For contractors with employees nationwide looking for a uniform policy, suspending rollout of your EO 14042 action plan is the only realistic option at this point. For those that wish to continue processing vaccine cards, you must do so carefully and in accordance with state law (e.g., Tennessee prohibits employers from taking an “adverse employment action” against anyone who refuses to provide proof of vaccination). Once a revised plan is developed, contractors should communicate the new plan to employees – and quickly. Contractors also should consider sending a similar communication to subcontractors, or, at least, putting a pause on incorporating the new FAR/DFARS clause into subcontracts.

We know a number of clients have been working their way through a significant number of religious/medical exemption requests. There is no prohibition against continuing to process such requests, but be sure not to take any action that violates state law (remember, unlike the EO, some states require you permit exemption requests based on “personal conscience” or other non-religious/medical bases).

Finally, a number of you are in possession of solicitations, proposals, quotes, modifications, or other “contract-like instruments” incorporating the new FAR/DFARS clause. Given the injunction, you are well within your rights to take exception to incorporation of the clause, either in a proposal in response to a pending solicitation or by refusing to accept a modification incorporating the clause. Shortly after the Kentucky decision, Federal agencies released guidance stating they would no longer incorporate the mandate in contracts with performance occurring in those three states. Given today’s decision, we expect similar nationwide guidance shortly.

Scope: Vaccination Mandate, Masking/Distancing, or Both?

Unlike the Kentucky court order, the Georgia order leaves no confusion as to the geographic scope of this order – it applies to “all covered contracts in any state or territory of the United States of America.” In yet another example of a court making our lives more difficult than need be, however, the order is surprisingly imprecise as to what specifically was enjoined.

The most frequent question we received this afternoon was whether the injunction applies just to the vaccination mandate, or whether it applies to the EO as a whole (including the masking/distancing requirements). The order enjoined the Government from “enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts.” The order did not expressly enjoin enforcement of EO 14042, FAR 52.223-99, or DFARS 252.223-7999. Thus, we are left to guess as to the proper interpretation of the scope of the injunction – particularly, whether the injunction applies only to the vaccination mandate or more broadly to EO 14042 and the implementing contract clauses.

Our take – the injunction applies not only to the vaccination requirement, but also to the masking/physical distancing requirements of the EO and contract clauses. We think this for three reasons.

  • First, the plaintiffs requested an injunction of the “Contractor Mandate,” which the one plaintiff that chose to define the term defined as “Executive Order 14042 and its implementing regulations.” (Emphasis ours.) The court granted this motion, and therefore, despite the inexact language, we believe enjoined all aspects of EO 14042.
  • Second, it stands to reason that if the President lacks the authority to use the Procurement Act to issue a vaccination mandate, he probably also lacks the authority to issue a mask/distancing mandate. (Although, we concede, there certainly is an argument that the Balancing of the Harms and Public Interest prongs of the TRO/PI standard may not come out the same absent a vaccination mandate.)
  • Third, practically, it would make little sense for the Government to try to enforce the masking/physical distancing requirements with the vaccination mandate on hold, particularly because various Government entities stated, repeatedly, that they will not be actively enforcing compliance with EO 14042, at least in the near future.

So, we think the entire EO is on hold, and contractors now should follow all applicable non-EO 14042 guidance on masking and distancing (e.g., state, local, CMS). But, we are hopeful the Task Force updates the official Guidance very soon to provide a definitive answer.

The Decision

Judge Baker began his decision by quoting his Kentucky colleague Judge Van Tatenhove: “This case is not about whether vaccines are effective. They are.” “However,” he went on, “even in times of crisis this Court must preserve the rule of law and ensure that all branches of government act within the bounds of their constitutionally granted authorities.” To preserve the rule of law here, Judge Baker found it necessary to grant plaintiffs’ motion for a preliminary injunction.

Finding that the plaintiff States and the ABC all had standing to bring their challenge to the EO, Judge Baker, like Judge Van Tatenhove, focused his decision on the likelihood of success on the merits prong of the TRO/PI standard. Noting that plaintiffs “need only show a substantial likelihood of success on the merits on one claim” (emphasis added), he went about immediately examining the plaintiffs’ contention that the EO exceeded the authority granted to the President by the Procurement Act (more formally known as the Federal Property and Administrative Services Act, 40 U.S.C. §101).

The standard under which Judge Baker reviewed the EO was key to his ultimate decision. The question, according to Judge Baker, was whether Congress “clearly” authorized the President to use the Procurement Act to issue the directives contained in EO 14042. Finding the actual purpose of the EO to be the “regulation of public health,” Judge Baker answered that question in the negative.

Judge Baker explained (correctly) that the purpose of the Procurement Act is to promote economy and efficiency in the procurement process. While recognizing the Procurement Act gives the President significant deference to achieve this goal, Judge Baker noted the Act does not give him unfettered powers. “[T]hat deference was expressly not intended to operate as a ‘blank check for the President to fill in at his will.’” Finding an insufficient nexus between the Procurement Act and the EO, Judge Baker concluded that the Procurement Act “did not clearly authorize the President to issue the kind of mandate contained in EO 14042, as EO 14042 goes far beyond addressing administrative and management issues in order to promote efficiency and economy in procurement and contracting, and instead, in application, works as a regulation of public health, which is not clearly authorized under the Procurement Act.”

Unlike Judge Van Tatenhove, Judge Baker did not resolve (one way or the other) the other challenges raised by the plaintiffs – specifically, arguments centered on the Administrative Procedure Act and the non-delegation doctrine. One basis for enjoining an Executive Order was enough for him.

Beyond the likelihood of success on the merits prong of the TRO/PI standard, Judge Baker found that plaintiffs were likely to be irreparably harmed if the EO was permitted to continue in force, and also found that the balancing of the harms favors plaintiffs over defendants. Judge Baker’s decision no doubt was driven, in part at least, by his finding that plaintiffs would have a “laborious undertaking” to comply with the EO.

The most notable difference between the Kentucky order and the Georgia order is the scope of the injunctive relief. You will recall Judge Van Tatenhove limited the scope of his order to contracts in Kentucky, Ohio, and Tennessee. He included a very thoughtful discussion explaining his decision in that regard. In contrast, Judge Baker applied his injunction nationwide. According to Judge Baker, plaintiff ABC has members “all over the country.” Having let ABC intervene, he then used ABC’s involvement to justify the nationwide scope of the injunction. “On the unique facts before it,” he wrote, “the Court finds it necessary, in order to truly afford injunctive relief to the parties before it, to issue an injunction with nationwide applicability.”

Accordingly, Judge Baker ordered the United States enjoined “during the pendency of this action or until further order of this Court, from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in any state or territory of the United States of America.”

What’s Next

The decision, like the Kentucky decision, will be appealed. But, as we noted in Update 11.0, we think the Supreme Court ultimately will decide the fate of EO 14042.

Until then, you should:

  • Reevaluate your compliance plans and give serious consideration to pausing all EO 14042 compliance efforts;
  • Research the laws applicable in the states where your employees work to ensure you do not run afoul of those prohibitions, whatever your updated compliance plans may be;
  • Consider sending a communication to employees providing an updated status on your company’s updated policy; and
  • Consider pausing efforts to incorporate the FAR/DFARS clause throughout your supply chain.

We’ll keep you posted as these decisions make their way through the appeals process. Stay tuned for additional updates. In the interim, we’ll update our Survival Guide as soon as possible.

 

Legal Corner 3: CMMC 2.0 Simplifies Requirements But Raises Risks for Government Contractors

Authored by Shardul Desai, Eric S. Crusius, and Kelsey M. Hayes

Holland & Knight

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0),1 for the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). By referring to the new cybersecurity standard as CMMC 2.0, the DOD implicitly recognizes the likelihood of future versions at an unknown cost to the Defense Industrial Base (DIB).

Nevertheless, version 2.0, which was released after a seven-month review by the Biden Administration, reflects the DOD’s assessment of the DIB’s concerns and reflects the DOD’s efforts to streamline and improve upon its earlier version after criticisms aimed at its cost and complexity. Specifically, CMMC 2.0 collapses CMMC 1.0’s five tiers to three simplified tiers that are based on the cybersecurity framework implemented and that are devoid of additional CMMC-unique practices and processes. CMMC 2.0 also will allow “annual self-assessment with an annual affirmation by DIB company leadership” for Level 1 and part of the new bifurcated Level 2 (formerly Level 3). Otherwise, an independent third-party assessment or government-led assessment will be required.2

Besides CMMC 2.0, contractors with CUI are also required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020. Collectively, these clauses require contractors to enter their compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 into DOD’s Supplier Performance Risk System (SPRS). DOD will identify medium- and high-risk contracts and perform independent assessments of contractor compliance with NIST SP 800-171 and whether a contractor’s compliance matches what it inputted into SPRS. Contractors should also be mindful as to whether these disclosures match their prior acceptance of contracts with DFARS 252.204-7012, which required full compliance with NIST SP 800-171.

The return of self-assessment, which was the bedrock of the first DOD cybersecurity standards set out in DFARS 252.204-7012 and whose failure led to the development of CMMC 1.0, creates substantial risks to DIB companies and their leadership. The U.S. Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative that emphasized the use of the False Claims Act (FCA), 31 U.S.C. § 3729 et seq., to bring civil action against government contractors who knowingly misrepresented their cybersecurity practices and protocols.3 The FCA allows the government to recover treble damages and permits qui tam suits,4 which allow whistleblowers to receive a portion of the monies recovered by the government. In addition, other regulatory agencies have brought enforcement actions for alleged false certifications concerning compliance with agency-required cybersecurity standards.5 Thus, the risk of a DOJ investigation or a qui tam suit connected with a DIB company’s self-assessment affirmation is very real, and this announcement – coupled with self-certification options in CMMC 2.0 – should not be seen as a coincidence. Nevertheless, companies can reduce such risks with appropriate cybersecurity policies and a culture of compliance.

Evolution of DOD’s Cybersecurity Regulations

In October 2016, the DOD issued comprehensive cybersecurity regulations through DFARS. See 48 CFR §§ 204.7302, 204.7304, and 252.204-7012. The 2016 cybersecurity regulations required contractors and subcontractors to provide “adequate security” over their information systems and implement cybersecurity protocols and procedures that, at a minimum, complied with NIST SP 800-171 for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”6 These regulations, however, only required contractors to self-assess that they were in compliance with NIST SP 800-171.

The initial cybersecurity framework did not succeed, in part, due to the self-assessment requirement. In July 2019, the DOD Inspector General (IG) issued a report finding that government contractors did not consistently implement NIST SP 800-171 as required and DOD agencies and contracting officers did not develop and implement processes to verify contractors’ compliance.7 The IG report “recommended that DOD take steps to assess a contractor’s ability to protect this [CUI] information.”8

In response, in September 2020, the DOD issued interim rules of its second comprehensive cybersecurity regulations, which developed CMMC 1.0.9 CMMC 1.0 classified contractors into five tiers. Level 1 required compliance with basic safeguarding requirements of the Federal Acquisition Regulations (FAR) clause 52.204-21. Level 2 required compliance with 65 security requirements within NIST 800-171, along with additional CMMC practices and processes. Level 3 through Level 5 required complete compliance with NIST 800-171 and varying additional CMMC practices and processes. CMMC level assessments would be conducted by CMMC Third Party Assessment Organizations (C3PAOs), which would be accredited by an independent CMMC Accreditation Body (AB). All DOD solicitations and contracts would identify the required CMMC level necessary for said solicitation or contract, though it was unclear how it would be enforced down the supply chain.

DIB companies expressed concerns with this lack of clarity and the additional bespoke CMMC requirements. Besides these issues, concerns were raised about the cost to small businesses, just as DOD has been contending with an ever-shrinking pool of contractors willing to do business with it. That was, in part, because a third-party assessment was required at all levels. CMMC 2.0 attempts to address these various concerns with the following changes to version 1.0:

  • Level 1 remains the same and still requires basic safeguarding requirements consistent with FAR 52.204-21. Instead of a third-party assessment, Level 1 will require a company leader to certify compliance with requirements on an annual basis.
  • Level 2 has been eliminated.
  • Level 3 (now known as Level 2) maintains full NIST 800-171 compliance but eliminates the bespoke CMMC requirements. Further, some contractors will be able to self-certify instead of utilizing a third-party assessment, although it is unclear what that dividing line will be.
  • Level 4 has been eliminated.
  • Level 5 (now known as Level 3) will require full compliance with 800-171 and at least partial compliance with NIST SP 800-172 for “Enhanced Security Requirements for Protecting Unclassified Information.” DOD is still determining what NIST SP 800-172 standards will be required. Contractors seeking a certification within this level will first need to be certified by a third-party assessor under Level 2 and then seek a government assessment under this level (presumably for the additional NIST SP 800-172 requirements).

Even though the implementation of CMMC 2.0 is anywhere from nine months to two years away, DOD is seeking ways to incentivize adoption. For instance, DOD may utilize cybersecurity compliance as an evaluation factor in procurements.10

Risk of Costly and Time-Consuming Investigations and Litigations

Viewing cybersecurity risks as both a national security risk and an investment risk, government regulators have increased enforcement actions against U.S. companies for deficient cybersecurity standards. This past year, the U.S. Securities and Exchange Commission (SEC) announced its first-ever enforcement actions against a public company for deficient disclosure controls concerning cybersecurity risks.11 The New York Department of Financial Services (NYDFS) has brought enforcement actions against regulated institutions for alleged failure to comply with its recently enacted NYDFS Cybersecurity Regulations, including action against insurance companies, in part, for the alleged false certification of their compliance with the NYDFS Cybersecurity Regulations.12

These actions preceded the DOJ’s announcement on Oct. 6, 2021, of the new Civil Cyber-Fraud Initiative.13 (See Holland & Knight’s previous blog post, “False Claims Act Meets Cybersecurity: DOJ New Civil Cyber-Fraud Unit,” Oct. 8, 2021.) Therein, Deputy Attorney General Lisa Monaco stated that the DOJ “will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”14 Particularly relevant to CMMC 2.0’s self-assessment affirmations, the Civil Cyber-Fraud Initiative will use the FCA to prosecute entities and individuals who knowingly provide deficient cybersecurity products or services and/or knowingly misrepresent their cybersecurity practices or protocols.15

The FCA “was originally aimed principally at stopping the massive frauds perpetrated by large contractors during the Civil War.”16 The act was enacted in 1863 “following a series of sensational congressional investigations” where “[t]estimony before…Congress painted a sordid picture of how the United States had been billed for nonexistent or worthless goods, charged exorbitant prices for goods delivered, and generally robbed in purchasing the necessities of war.”17

Today, the FCA lists seven types of conduct that create civil liability. Predominantly, the FCA provides that any person (i.e., entity or individual) who knowingly submits, or causes another to submit, a false or fraudulent claim to the government or knowingly makes a false record or statement to get a false claim paid by the government is liable for three times the government’s damages plus a civil penalty, which, accounting for inflation, is not less than $11,181 and not more than $22,363 per claim.18 The FCA also permits whistleblowers to file qui tam suits against any person who allegedly violates the FCA. If the qui tam suit is successful, the whistleblower may receive a portion of the government’s recovery. As such, FCA and qui tam suits have become quite lucrative for the government and the whistleblower. For instance, in fiscal year (FY) 2020, the DOJ recovered over $2.2 billion from FCA cases and paid out $309 million to whistleblowers.

Under the FCA, a person acts knowingly when the person 1) has actual knowledge of the information,19 2) acts in deliberate ignorance of the truth or falsity of the information or 3) acts in reckless disregard of the truth or falsity of the information.20 Moreover, the person need not have any specific intent to defraud the government.21 Thus, as it relates to the CMMC 2.0’s self-assessment affirmations, if the affirmation is incorrect, the DIB company could be liable under the FCA even though its leadership did not intend to defraud the government and did not have actual knowledge that its affirmation was incorrect. Instead, a DIB company could be found to be “in reckless disregard of the truth” by failing to conduct a sufficient investigation of its cybersecurity practices and procedures prior to its affirmation,22 which would subject the company to treble damages and civil monetary penalties.

Additionally, although the 2016 cybersecurity regulations have required DIB companies to report cyber incidents to the DOD within 72 hours, Congress has been debating the inclusion of a cyber-reporting bill as part of the National Defense Authorization Act (NDAA) FY 2022, which would require critical infrastructure owners and operators as well as federal contractors, not just DOD contractors and subcontractors, to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and, potentially, to provide that information to the FBI.23 If cyber incidents are to be provided to the DOJ, it may potentially fuel this Civil Cyber-Fraud Initiative. Even if such reporting is not required, each cyber incident presents the possibility of an employee or former employee filing a qui tam suit alleging that the self-assessment assertions were false and violated the FCA. Thus, although self-certification programs create significant flexibility and cost savings within the CMMC 2.0 framework, they create substantial litigation and investigation risks.

The threat of cybersecurity-based FCA action against DIB companies is not simply theoretical. As illustrated by Briggs v. Quantitech, and similar cases,24 “[t]here has been an uptick in cybersecurity-based FCA actions in recent years, predominantly qui tam actions filed by former employees that ‘blew the whistle’ on their company’s deficient cybersecurity standards and practices.”25

Key Takeaways

For DIB companies that will provide annual self-assessment affirmations within the CMMC 2.0 framework, steps can be taken to reduce the risk of future DOJ investigations and qui tam suits.

  • First, DIB companies should implement and maintain written cybersecurity policies that are consistent with the basic safeguarding requirements of the FAR clause 52.204-21 and, if applicable, DFARS 252.204-7012. Because these policies will provide significant defenses against allegations of falsity and knowledge in any FCA litigation, they should be written in coordination with counsel and reviewed by multifunctional teams.
  • Second, Deputy Attorney General Lisa Monaco recently emphasized that the DOJ will evaluate a company’s history of compliance issues in future enforcement actions.26 Thus, DIB companies should develop and foster a culture of compliance throughout their organizations, including employee training, internal disclosure controls and/or board oversight on leadership’s management.
  • Finally, contractors should consider a CMMC certification to give themselves a competitive advantage and minimize the risk of other DIB companies not wanting to do business with them because of the cybersecurity risks they pose. This will help address concerns about the constantly evolving nature of cyberattacks and cybersecurity risks.

DoD Encourages Maximum Telework until February  

On December 28, DoD published a memo implementing additional mitigation measures in response to the increase in COVID-19 cases. DoD is encouraging the workforce to maximize telework through the end of January. The Pentagon Reservation will be closed to all unofficial visitors in January, and official visitors will be limited to the minimum required for mission critical meetings. Additionally, organizations are expected to maintain occupancy rates at less than 40 percent of usual. DoD is strongly encouraging all personnel to receive the booster dose of the COVID-19 vaccine. The guidance memo from the Director of Administration & Management can be read here.

 

DHA Cybersecurity Summit for Medical Devices, Jan. 13 

The Coalition for Government Procurement and the AMSUS-SM Technology Working Group are partnering to host a summit with the Defense Health Agency’s (DHA) Office of the Chief Information Officer. The topic will be DHA’s Risk Management Framework (RMF) and how to achieve an Authority To Operate (ATO), which is a cybersecurity requirement for Military Treatment Facilities to purchase certain medical equipment.  

The virtual meeting will be on Thursday, January 13 from 10:30 am- 12:30 pm EST. During the meeting, members will be briefed by DHA technology experts on the cybersecurity requirements and how vendors can effectively achieve ATO certification.   

To attend, please RSVP to Aubrey Woolley at awoolley@thecgp.org by COB Tuesday, January 11. We will send the log-in information to all members who have RSVP’d early next week. If you have any questions, please contact Aubrey Woolley at awoolley@thecgp.org or (703) 999-6372.  

 

Register Today – AFCEA Bethesda’s 2022 Health IT | Advancing the Mission!

The Coalition is proud to sponsor AFCEA Bethesda’s 14th Annual Health IT Advancing the Mission program, three weeks of agency focused panels that will be held virtually every Tuesday & Thursday from February 1 – 15th! Every day is a unique opportunity to learn, engage, and connect with key government agencies including HHS, CMS, DHA, VA, NIH, CDC, and FDA on the most important healthcare IT challenges facing government and industry today.

The series will kick off on February 1st with the CXO Panel, where federal Health IT leaders will provide a high-level overview of the acquisition, technology, policy, and workforce strategies that make transformation possible. Next, leaders from Health and Human Services (HHS) will share how the President’s Management Agenda is enhancing and securing government information technology as a vital support function and critical catalyst for mission delivery. Attendees will have the chance to ask questions of the panelists in small group breakouts during the Post-Panel Discussion. Coalition members can save 40% when they register for a Series Event Pass with access to all five events! Register here.

 

GSA Announces PSHC January Webinars

On January 3, GSA’s Office of PSHC announced their January webinars. The upcoming webinars include:  

  • Industry Partner Briefing: Increased Opportunities in the Financial and Management Services Marketplace; 
  • OASIS DPA Training; 
  • Office Hours: Evaluation Factors: How to Evaluate Proposals; 
  • Multiple Award Schedule (MAS) Sales Reporting Portal (SRP) Training; and 
  • OASIS Contract Payment Reporting Module (CPRM) Training. 

To find out more and register for the webinars, go to GSA’s Interact announcement here. 

 

MAS Roadmap Platform hosts GSA’s Offeror Training

GSA announced on December 9, 2021 that the Vendor Education Center would retire on December 17, 2021. Vendors will now access training through the MAS Roadmap. The trainings are updated to be consistent with the consolidated schedules program. Find out more about the new platform in the GSA Interact post.