As the Biden Administration implements the President’s Management Agenda (PMA), the Federal acquisition system will play a critical role in supporting the Federal workforce, delivering excellent Federal services and improved customer experience, and managing the business of Government to Build Back Better. For example, the PMA notes that improvements in the Federal acquisition system can strengthen domestic manufacturing, advance sustainable climate solutions, support American workers, and foster opportunities for underserved communities.
The tyranny of low price (TLP), that is, the obsessive focus on the price over the solution delivered, is a direct threat to the PMA’s goals. TLP ignores the value of delivering to the government solutions that are responsive and enhance mission performance and overall capabilities. By so doing, it limits access to the spectrum of commercial innovation from the private sector. This aspect of procurement dysfunction is especially challenging as America continues to emerge/recover from the pandemic while facing growing competition from near-peer adversaries. In addition, TLP serves as a barrier to entry for small businesses by imposing pricing rules unaligned with their stage of business development, thereby undermining the Administration’s focus on improving opportunities for small-disadvantaged businesses. Finally, TLP ignores economic reality, asking contractors to do more (e.g., cyber security, sustainability, domestic sourcing) at a time when, every day, we see reports of new challenges affecting the cost of doing business.
Almost a year since Federal News Network focused on “bullying tactics” by GSA regarding price negotiations under the GSA’s Multiple Award Schedule (MAS), TLP remains alive and well. Its deleterious effects are manifested in different tactics leveraged by contracting officers negotiating with MAS contractors and/or offerors. In some cases, GSA demands that MAS contractors lower contract prices to match competitive task order pricing offered in response to firm customer agency requirements. In other cases, GSA seeks price or rate reductions of 10, 20, and even 30 to 40 percent off prices that have been determined fair and reasonable.
These tactics raise the following significant policy and business issues:
- FAR 15.404-1(b) directs contracting officers to adjust prior prices paid to account for differing terms and conditions, quantities, and economic factors. There is a fundamental difference between a contract price based on a guaranteed minimum of $2,500 with the opportunity to compete for future work and a competitive task order price based on a firm customer agency commitment to buy. Yet, for years, and in multiple contexts, GSA has ignored this reality, effectively dismissing the plain language of the FAR.
- GSA is penalizing MAS contractors for competing for agency requirements. FAR 8.405 sets forth the competitive ordering procedures, including statutory competition requirements, for MAS task and delivery orders. Notwithstanding the fact that the regulations provide for a dynamic, competitive marketplace, GSA limits the ability of MAS contractors to compete by driving contract pricing levels that create significant business risk. GSA’s negotiation approach harkens back to a long-repudiated 1980’s MAS regulatory framework that limited competition and value under the program. (More on this issue in a future blog.)
- GSA is ignoring economic reality. Costs are rising, especially labor costs, as the nation emerges from the pandemic. Inflation and supply chain challenges are impacting businesses across the private sector. Yet, GSA is seeking significant price or rate reductions as a condition of exercising the MAS contract option. It makes no sense.
GSA is ignoring the fundamental dynamic of labor costs/salaries. It makes perfect sense that labor rates rise over time, especially when the nation faces the effects of devalued currency caused by the drivers of inflation. By way of example, consider that Congress has approved a 3.6 salary increase for the Federal workforce in the coming year. For the PMA to succeed and to Build Procurement Back Better, government and industry must engage in a frank dialog about the real-world economic drivers that underpin participation in the marketplace. Addressing TLP certainly is critical, but it is only a first step. With regard to the MAS program, GSA should focus on providing business training to the acquisition workforce that includes an explication on markets, reverse industry days, and business and process planning from the perspective of the firms with which it seeks to work. For instance, it is our understanding that, currently, GSA does not have an in-person class focusing on price analysis, especially the unique aspects of MAS pricing. That knowledge deficit needs to be filled.
In addition, there is no viable mechanism for contractors/offerors to raise issues/questions regarding the conduct of negotiations. On negotiation issues, contracting officers effectively are judges, juries, and executioners. There needs to be an appropriate role for GSA management in the process at impasse points, and to understand this point, think about the relationship in reverse: Were GSA contracting officials, dedicated to helping agencies meet their missions, confronting mistaken vendor representatives, the government certainly would want to approach the management chains of those representatives, especially if needed innovation were involved.
Finally, GSA needs to address its consistency of operations. FAS contracting operations/workforce activities function as stovepipes within stovepipes, where acquisition centers take different approaches to pricing, and even within acquisition centers, contracting officers take fundamentally different approaches to pricing. Coalition members do not oppose appropriate management stovepipes. Rather, we believe that FAS needs to break down the inappropriate stovepipes of practices that create inconsistency in business operations. By so doing, FAS can address its organizational structure and bring consistency and predictability to business practices and thereby improve the efficiency of contracting overall. Consolidation of the MAS program provides the foundation for addressing these stovepipes.
The acquisition system provides the GSA Administrator a channel to promote the Administration’s PMA through positive systemic change. This change can be achieved through engagement with stakeholders, particularly those vendors with whom it contracts. The Coalition, representing an expansive number of those vendors providing commercial services and products in support of agencies, welcomes the opportunity to assist in this effort.
On December 7, a preliminary injunction was issued by the U.S. District Court for the Southern District of Georgia, which blocked the enforcement of Executive Order (E.O.) 14042 nationwide. E.O. 14042 requires that contractors and subcontractors performing work on certain federal contracts ensure that their employees and others working in connection with covered federal contracts are fully vaccinated against COVID-19. In its ruling, the court determined that the vaccine mandate for federal contractors exceeded the authorization given to the President through the Federal Property and Administrative Services Act when Executive Order 14042 was issued. Following the court order, the General Services Administration (GSA) and the Department of Homeland Security (DHS) provided notices to contract holders about what the injunction means for contractors:
GSA posted an update on its COVID-19 webpage explaining that as a result of the December 7 nationwide injunction:
- Contractor and subcontractor employees do not have to meet the vaccination mandate in the Safer Federal Workforce Task Force Guidance
- Contractors will continue to be eligible for new contracts, new orders, options, and extensions even if they have not agreed to follow FAR clause 52.223-99.
In addition, DHS posted a notice on SAM.gov from the Chief Procurement Officer stating that:
“DHS will take no action to enforce this clause in contracts, task orders, delivery orders or other contract-like instruments that will be performed, in whole or in part, in the states of Kentucky, Ohio, Tennessee, or any other state subject to future court order, absent further written notice from the agency. In contracts and contract-like instruments in those states where the clause has not yet been included, Government efforts to insert the clause are suspended. Furthermore, future solicitations and contracts for work performed in whole or in part in those states will include a notice of non-enforcement.”
“Feeling a Little Vaccine Mandate Whiplash?” Webinar, Dec. 17
First, there was the President’s speech hinting at a vaccination mandate for federal contractors. That was followed quickly by an EO alluding to forthcoming Guidance and contract clauses. Then a clause appeared with a “dynamic” self-updating twist, and a December compliance deadline (which then was changed to a January 4th deadline, and then was clarified to be a January 18th deadline). Then a court in Kentucky enjoined enforcement of the EO – but only in three states. And now a court in Georgia has enjoined enforcement of the EO nationwide. Feeling a little whiplash? Join the club. Fortunately, our friends from Sheppard Mullin have offered to walk us all through the recent changes and what they mean for contractors.
On Friday, December 17 from 11 am – 12:30 pm ET, please join a webinar presented by Jonathan Aronie, Ryan Roberts, and Keeley McCarty of the Sheppard Mullin Government Contracts team. The webinar will focus on EO 14042, but also will touch on the OSHA ETS (which has been enjoined) and the CMS rule (which itself has been subject to conflicting rulings). Jonathan and team will cover the basic requirements of each rule, their current enforcement status, and compliance best practices in light of the various court rulings. The event is free to Coalition members. Non-members can join for a modest fee, so please feel free to pass along this information to your industry peers.
DoD Provides Update on CMMC 2.0
Recently, the Department of Defense (DoD) released updated Level 1 and Level 2 Scoping Guidance for Cybersecurity Maturity Model Certification (CMMC) 2.0. In both Level 1 and 2, the Scoping Guidance discusses what contractors should be covering in the CMMC self-assessment. In the Level 2 update, DoD removes 20 unique CMMC controls that were in Level 3 of CMMC 1.0. This limits Level 2 to the 110 controls in NIST SP 800-171. This update comes after the release of the new model on November 4.
NDAA Text Agreed to by SASC and HASC
The Senate Armed Services Committee (SASC) and House Armed Services Committee (HASC) have released an agreed-upon text for the National Defense Authorization Act (NDAA) for FY 2022. Among key elements of the agreement:
- no formal establishment of the FEDRAMP program in statute;
- an assessment for, and briefing to, the Armed Services Committees from the Comptroller General (CG) about Federal Prison Industries (FPI) to understand how DoD identifies opportunities to purchase from FPI, the vehicles for those purchases, compliance oversight, and any issues the CG deems relevant; and
- a provision that would direct the Administrator of General Services to begin testing other e-commerce portal models and report its findings to congressional defense committees, as well as to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Reform.
The agreed-to text appears here, and the House/Senate Joint Explanatory Statement appears here. The agreed language passed the House last Tuesday and is expected to pass the Senate shortly.
Federal News Network reported that the Department of Veteran Affairs (VA) is moving forward with deploying its Electronic Health Record (EHR) Modernization to its second site following the release of a “progress report” that details the steps that the department has taken to try to improve on the challenges identified this past summer from its strategic review. The VA is targeting March 5, 2022 as its go-live date for the facility in Columbus, Ohio, followed by a third go-live deployment two weeks later at a facility in Walla Walla, Washington. The department will then be moving forward with deployment within Veterans Integrated Service Network (VISN) 20 in the Pacific Northwest next summer. The following is a tentative timeline for future deployments in the coming years.
In addition to addressing the challenges that the VA faced with its initial EHR deployment, the department is also making changes to the EHR’s organizational and management structure. VA announced that it created a new Program Executive Director role to oversee the day-to-day EHR operations. The department has chosen Dr. Terry Admir to serve within that role. In addition, the VA plans to “strengthen the role of the VHA “functional champion” for the EHR project, which is supposed to ensure clinicians’ concerns and feedback are heard and incorporated into the health record and its associated workflows.” Additionally, VA is creating a new Deputy Chief Information Officer position to focus primarily on EHR modernization. The updated management structure can be seen below:
DHA Cybersecurity Summit for Medical Devices, Jan. 13
The Coalition for Government Procurement and the AMSUS-SM Technology Working Group are partnering to host a summit with the Defense Health Agency Office of the Chief Information Officer. The topic will be DHA’s Risk Management Framework (RMF) and how to achieve an Authority To Operate (ATO) which is a cybersecurity requirement for Military Treatment Facilities to purchase certain medical equipment.
The virtual meeting will be Thursday, January 13 from 10:30am- 12:30pm EST. During the meeting, members will be briefed by DHA technology experts on the cybersecurity requirements and how vendors can effectively achieve ATO certification. RSVP today by emailing Aubrey Woolley at firstname.lastname@example.org. We will send the log-in information to all members who RSVP. If you have any questions, please contact Aubrey Woolley at email@example.com or (703) 999-6372.
On December 8, the President signed Executive Order (EO) Catalyzing America’s Clean Energy Economy Through Federal Sustainability. The EO focuses on the growth of America’s clean energy and clean technology industries with the support of the Federal government. The Administration plans to harness the buying power of the Federal government to achieve many of its objectives, including:
- 100 percent zero-emission vehicle acquisitions by 2035, including 100 percent zero-emission light-duty vehicle acquisitions by 2027;
- a net-zero emissions building portfolio by 2045, including a 50 percent emissions reduction by 2032;
- a 65 percent reduction in scope 1 and 2 greenhouse gas emissions, as defined by the Federal Greenhouse Gas (GHG) Accounting and Reporting Guidance, from Federal operations by 2030 from 2008 levels; and
- net-zero emissions from Federal procurement no later than 2050, including a Buy Clean policy to promote use of construction materials with lower embodied emissions
The Administration aims to utilize its portfolio of 300,000 buildings, fleet of 600,000 cars and trucks, and annual purchasing power of $650 billion in goods and services to achieve these goals. In addition, its specific procurement objectives include:
- incentivizing markets for sustainable products and services by prioritizing products that can be reused, refurbished, or recycled;
- maximizing environmental benefits and cost savings through use of full lifecycle cost methodologies;
- purchasing products that contain recycled content, are biobased, or are energy and water efficient, in accordance with relevant statutory requirements; and,
- to the maximum extent practicable, purchasing sustainable products and services identified or recommended by the Environmental Protection Agency.
The EO also tasks the GSA Administrator with tracking GHG emission disclosures, emissions reduction targets, climate risk, and other sustainability-related actions from major Federal suppliers.
For more details, the White House released a Federal sustainability plan of its vision for the future for Federal sustainability. The Coalition is continuing to review the EO and will provide additional information for members through the Green Committee and in the Flash. If you would like to join the Green Committee, please contact Aubrey Woolley at firstname.lastname@example.org.
GSA to Issue MAS Refresh #9 in December
GSA is planning to release a MAS refresh and associated MAS mod to all existing contractors in December. On November 29, GSA hosted a webinar to discuss Multiple Award Schedule (MAS) Solicitation 47QSMD20R001 and the upcoming MAS modification. On December 7, GSA released the presentation and Q&A from the webinar. The MAS refresh is scheduled for December 17, 2021. The MAS refresh will include:
- various changes to SCP-FSS-001;
- an update to the MAS Solicitation Table of Contents;
- various changes to the Offer and Modification Price Proposal Templates (PPTs); and
- incorporation of clause and provision updates, as necessary, through Federal Acquisition Circular (FAC) 2021-07 and GSAR Change 140.
Additional details and documents related to MAS Refresh #9 are posted on Interact here.
GSA’s Vendor Education Center Retiring in December
In a recent Interact post, GSA reminded contractors of its plans to update its new vendor training and retire the Vendor Education Center (VEC). On December 17, the VEC will be officially retired and removed from MAS contract language in MAS Refresh #9. All required new offeror training will be moved to the gsa.gov MAS Roadmap, and will eventually be accessible in the new Vendor Support Center. Once it is retired, new contractors will no longer need a VEC log in.
GSA Delays Release of Polaris RFP
On December 3, Fedscoop reported that GSA has pushed back the publication of a final Request for Proposal (RFP) for the Polaris IT contract in response to feedback from an October industry survey. The RFP was originally scheduled to be released by December 21. GSA stated that the solicitations for the small business and woman-owned small business (WOSB) pools are now planned for January 2022 due to the holidays. They added that “the HUBZone and service-disabled veteran owned small business (SDVOSB) solicitations will follow.” The Polaris contract looks to support the Administration’s priority of equity within Federal procurement and replaces the Alliant 2 Small Business contract. The vehicle has an expected $15 billion ceiling and consists of the following seven categories of services: cloud services, cybersecurity, data management, information and communication technologies, IT operations and maintenance, software development, and system design. GSA issued a draft solicitation in December 2020 and has been collecting feedback from Federal IT contractors on the contract’s structure.
GAO’s CIO-SP4 Protest Decision
On November 23, 2021, the Government Accountability Office (GAO) sustained in part a protest challenging the requirements of the CIO-SP4 RFP issued by the National Institutes of Health’s (NIH) Information Technology Acquisition and Assessment Center (NITAAC). GAO agreed that the CIO-SP4 solicitation unduly restricted competition by limiting the number of experience examples that mentor-protégé joint venture (JV) offerors could submit from large business mentors—a limitation not applied to JVs with small business mentors. GAO found that NIH did not reasonably explain why mentor-protégé JVs with large business mentors are treated differently. See the Coalition’s Executive Summary, which covers the details of GAO’s decision, the impact of the decision, and key takeaways for NIH and contractors.
McCarter & English
The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.
Judge R. Stan Baker of the US District Court for the Southern District of Georgia issued an order (Order) on December 7, 2021, enjoining the federal government “from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in any state or territory of the United States of America.” This comes on the heels of the November 30, 2021 order by a federal court in Kentucky (see our article here) blocking the federal government’s ability to enforce the obligation embedded in clauses in federal government contracts and other instruments requiring employees of federal contractors with covered contracts in Kentucky, Ohio, and Tennessee to be fully vaccinated by January 18, 2022.
The Georgia case was originally brought by the states of Georgia, Alabama, Idaho, Kansas, South Carolina, Utah, and West Virginia (and agencies within those states). Unlike the court in Kentucky, Judge Baker elected to extend the order nationwide because one of the intervening plaintiffs, Associated Builders and Contractors, Inc. (ABC), has members with covered contracts located throughout the United States. Further, the court concluded that “given the breadth of ABC’s membership, the number of contracts [they] will be involved with, and the fact that EO 14042 applies to subcontractors and others, limiting the relief to only those before the Court would prove unwieldy and would only cause more confusion.”
In any request for a preliminary injunction in which the Government is the party whose actions are being enjoined, a complaining party must show a likelihood of success on the merits, irreparable injury, that the injury threatened outweighs any harm the injunction would inflict on the Government, and that the injunction would not be adverse to the public interest. In this case, Judge Baker concluded that it was likely that President Biden exceeded his authority under the broad statute (the Federal Property and Administrative Services Act) giving the executive branch the authority to procure goods and services through an “economical and efficient system.” Citing US Supreme Court precedent, the court concluded the mandate cannot stand given the lack of explicit language in the enabling statute because of the mandate’s “vast economic and political significance.” The court concluded, at least preliminarily, that the implementation of the mandate would impose an “extreme economic burden” on contractors, that it would pose an “impediment” to the ability of some contractors with recalcitrant employees to continue to perform federal work, that it would have a major impact on the economy, and that it “operates as a regulation of public health.”
In its irreparable harm finding, the court focused less on the potential loss of contracts due to employees who refuse vaccination and more on the economic costs of implementing the mandate. Relying on testimony, the court noted the “incredibly time-consuming processes…to identify the employees covered by the mandate and to implement software and technology to ensure that those employees have been fully vaccinated (or have requested and been granted an accommodation or exemption) by the deadline in January.” The court noted, perhaps incorrectly, that the burden extended to “requir[ing] that any subcontractors’ employees working on or in connection with a covered contract are in compliance.” (The operative clause (clause) and the Safer Workforce Task Force Guidance merely require the clause be flowed down to certain subcontractors—there is no enforcement mandate.) Quoting the US Court of Appeals for the Fifth Circuit’s opinion and order (BST Holdings) staying the vaccine mandate for private employers promulgated by the Occupational Health and Safety Administration (OSHA), the court concluded that the costs of complying with a regulation that is later held invalid “always produces the irreparable harm of nonrecoverable compliance.”
In balancing the harms, the court was not persuaded by the Government’s arguments that an order would delay vaccinations and permit the continued spread of COVID-19 and that the harm it and the general public would suffer far outweigh any harm the contractors would suffer. The court said that the injunction merely preserves the status quo and contractors remain free to encourage employees to get vaccinated. “In contrast, declining to issue a preliminary injunction would force [the contractors] to comply with the mandate, requiring them to make decisions which would significantly alter their ability to perform federal contract work which is critical to their operations.” The court went on: “[R]equiring compliance [with the mandate] would likely be life altering for many of the…employees as [the contractors] would be required to decide whether an employee who refused to be vaccinated can, in practicality, be reassigned to another office or another task or whether the employee instead must be terminated.”
Finally, the court found the public interest was served by the injunction. Again quoting BST Holdings, the court found “From economic uncertainty to workplace strife, the mere specter of [EO 14042] has contributed to untold economic upheaval in recent months” and “the principles at stake when it comes to [EO 14042] are not reducible to dollars and cents.”
- This is a preliminary injunction and not a final adjudication. By its nature, it is temporary and could be revoked by a later order or by an appellate court (in this case, the Eleventh Circuit Court of Appeals). However, it is probably here to stay for at least weeks if not months.
- The Order does not invalidate the clause or enjoin the Government or prime contractors from including the clause in contracts and subcontracts. The remaining provisions of the clause—i.e., the workplace safety restrictions—are not affected by the Order, and covered contractors are still bound by them.
- The Order undoubtedly covers subcontractors in addition to prime contractors, although the Government has no privity with subcontractors. Although the Order enjoins the Government from enforcing the vaccine mandate, it specifically speaks of the vaccine mandate as it applies to both “federal contractors and subcontractors.” Should a prime attempt to force a subcontractor to comply with the mandate, it is almost a certainty that the subcontractor would be able to take refuge in the Order on the theory that in this case the prime is acting as the agent of the Government, and is similarly enjoined.
- Contractors are not constrained from voluntarily encouraging employees to get vaccinated. Moreover, except in states where employers are prohibited from requiring their employees to get vaccinated (e.g., Texas and Florida), employers can establish human resources policies requiring vaccination against COVID-19 as a condition of employment as long as they allow for a medical or a religious exception consistent with established law.
The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.
Federal contractors and subcontractors across the country now may press the pause button on their EO 14042 COVID-safety efforts, as earlier today the U.S. District Court for the Southern District of Georgia enjoined enforcement of the EO nationwide. The Order goes well beyond the prior federal court injunction that covered only federal contracts in Kentucky, Ohio, and Tennessee.
The Georgia decision (formally captioned The State of Georgia v. Joseph Biden, 1:21-cv-163) is the result of a complaint filed by the states of Georgia, Alabama, Idaho, Kansas, South Carolina, Utah, and West Virginia. Subsequently, the court permitted a nationwide trade association (Associated Builders and Contractors, Inc., or ABC) to intervene as a plaintiff as well. The decision to permit ABC to intervene proved particularly impactful in that the court relied on the national membership of ABC as the basis for applying the injunction nationwide.
The Immediate Impact of Georgia v. Biden
Before getting to the details of the decision, let’s focus on the impact.
In short, as of this afternoon, the Government may not enforce either the Executive Order or the contract clauses issued pursuant to the Executive Order in any U.S. state or territory. While the injunction does not prohibit contractors from voluntarily continuing to follow the Guidance of the Safety Task Force – or from mandating vaccines for their employees – as we noted in our prior Alert, contractors in states that prohibit vaccine mandates (or prohibit employers from requesting proof of vaccination or enforcing mask mandates) do so at great risk. Now that the EO is unenforceable (at least for the time being), the EO no longer preempts contrary state laws. Thus, mandating vaccination in Tennessee or Montana, for example, now will run afoul of state law, whereas, previously, Federal contractors could mandate vaccination under the EO.
Similarly, and also as we discussed in our prior alert, unionized companies likewise will need to think twice before continuing voluntarily to adhere to the Task Force Guidance, even if permitted under state law. While a mandatory compliance obligation likely is not required to be collectively bargained, a voluntary decision to enforce safety guidance probably is.
Against this background, on the eve of the original compliance deadline (12/8/21), Federal contractors now must recalibrate their compliance plans. For contractors with employees nationwide looking for a uniform policy, suspending rollout of your EO 14042 action plan is the only realistic option at this point. For those that wish to continue processing vaccine cards, you must do so carefully and in accordance with state law (e.g., Tennessee prohibits employers from taking an “adverse employment action” against anyone who refuses to provide proof of vaccination). Once a revised plan is developed, contractors should communicate the new plan to employees – and quickly. Contractors also should consider sending a similar communication to subcontractors, or, at least, putting a pause on incorporating the new FAR/DFARS clause into subcontracts.
We know a number of clients have been working their way through a significant number of religious/medical exemption requests. There is no prohibition against continuing to process such requests, but be sure not to take any action that violates state law (remember, unlike the EO, some states require you permit exemption requests based on “personal conscience” or other non-religious/medical bases).
Finally, a number of you are in possession of solicitations, proposals, quotes, modifications, or other “contract-like instruments” incorporating the new FAR/DFARS clause. Given the injunction, you are well within your rights to take exception to incorporation of the clause, either in a proposal in response to a pending solicitation or by refusing to accept a modification incorporating the clause. Shortly after the Kentucky decision, Federal agencies released guidance stating they would no longer incorporate the mandate in contracts with performance occurring in those three states. Given today’s decision, we expect similar nationwide guidance shortly.
Scope: Vaccination Mandate, Masking/Distancing, or Both?
Unlike the Kentucky court order, the Georgia order leaves no confusion as to the geographic scope of this order – it applies to “all covered contracts in any state or territory of the United States of America.” In yet another example of a court making our lives more difficult than need be, however, the order is surprisingly imprecise as to what specifically was enjoined.
The most frequent question we received this afternoon was whether the injunction applies just to the vaccination mandate, or whether it applies to the EO as a whole (including the masking/distancing requirements). The order enjoined the Government from “enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts.” The order did not expressly enjoin enforcement of EO 14042, FAR 52.223-99, or DFARS 252.223-7999. Thus, we are left to guess as to the proper interpretation of the scope of the injunction – particularly, whether the injunction applies only to the vaccination mandate or more broadly to EO 14042 and the implementing contract clauses.
Our take – the injunction applies not only to the vaccination requirement, but also to the masking/physical distancing requirements of the EO and contract clauses. We think this for three reasons.
- First, the plaintiffs requested an injunction of the “Contractor Mandate,” which the one plaintiff that chose to define the term defined as “Executive Order 14042 and its implementing regulations.” (Emphasis ours.) The court granted this motion, and therefore, despite the inexact language, we believe enjoined all aspects of EO 14042.
- Second, it stands to reason that if the President lacks the authority to use the Procurement Act to issue a vaccination mandate, he probably also lacks the authority to issue a mask/distancing mandate. (Although, we concede, there certainly is an argument that the Balancing of the Harms and Public Interest prongs of the TRO/PI standard may not come out the same absent a vaccination mandate.)
- Third, practically, it would make little sense for the Government to try to enforce the masking/physical distancing requirements with the vaccination mandate on hold, particularly because various Government entities stated, repeatedly, that they will not be actively enforcing compliance with EO 14042, at least in the near future.
So, we think the entire EO is on hold, and contractors now should follow all applicable non-EO 14042 guidance on masking and distancing (e.g., state, local, CMS). But, we are hopeful the Task Force updates the official Guidance very soon to provide a definitive answer.
Judge Baker began his decision by quoting his Kentucky colleague Judge Van Tatenhove: “This case is not about whether vaccines are effective. They are.” “However,” he went on, “even in times of crisis this Court must preserve the rule of law and ensure that all branches of government act within the bounds of their constitutionally granted authorities.” To preserve the rule of law here, Judge Baker found it necessary to grant plaintiffs’ motion for a preliminary injunction.
Finding that the plaintiff States and the ABC all had standing to bring their challenge to the EO, Judge Baker, like Judge Van Tatenhove, focused his decision on the likelihood of success on the merits prong of the TRO/PI standard. Noting that plaintiffs “need only show a substantial likelihood of success on the merits on one claim” (emphasis added), he went about immediately examining the plaintiffs’ contention that the EO exceeded the authority granted to the President by the Procurement Act (more formally known as the Federal Property and Administrative Services Act, 40 U.S.C. §101).
The standard under which Judge Baker reviewed the EO was key to his ultimate decision. The question, according to Judge Baker, was whether Congress “clearly” authorized the President to use the Procurement Act to issue the directives contained in EO 14042. Finding the actual purpose of the EO to be the “regulation of public health,” Judge Baker answered that question in the negative.
Judge Baker explained (correctly) that the purpose of the Procurement Act is to promote economy and efficiency in the procurement process. While recognizing the Procurement Act gives the President significant deference to achieve this goal, Judge Baker noted the Act does not give him unfettered powers. “[T]hat deference was expressly not intended to operate as a ‘blank check for the President to fill in at his will.’” Finding an insufficient nexus between the Procurement Act and the EO, Judge Baker concluded that the Procurement Act “did not clearly authorize the President to issue the kind of mandate contained in EO 14042, as EO 14042 goes far beyond addressing administrative and management issues in order to promote efficiency and economy in procurement and contracting, and instead, in application, works as a regulation of public health, which is not clearly authorized under the Procurement Act.”
Unlike Judge Van Tatenhove, Judge Baker did not resolve (one way or the other) the other challenges raised by the plaintiffs – specifically, arguments centered on the Administrative Procedure Act and the non-delegation doctrine. One basis for enjoining an Executive Order was enough for him.
Beyond the likelihood of success on the merits prong of the TRO/PI standard, Judge Baker found that plaintiffs were likely to be irreparably harmed if the EO was permitted to continue in force, and also found that the balancing of the harms favors plaintiffs over defendants. Judge Baker’s decision no doubt was driven, in part at least, by his finding that plaintiffs would have a “laborious undertaking” to comply with the EO.
The most notable difference between the Kentucky order and the Georgia order is the scope of the injunctive relief. You will recall Judge Van Tatenhove limited the scope of his order to contracts in Kentucky, Ohio, and Tennessee. He included a very thoughtful discussion explaining his decision in that regard. In contrast, Judge Baker applied his injunction nationwide. According to Judge Baker, plaintiff ABC has members “all over the country.” Having let ABC intervene, he then used ABC’s involvement to justify the nationwide scope of the injunction. “On the unique facts before it,” he wrote, “the Court finds it necessary, in order to truly afford injunctive relief to the parties before it, to issue an injunction with nationwide applicability.”
Accordingly, Judge Baker ordered the United States enjoined “during the pendency of this action or until further order of this Court, from enforcing the vaccine mandate for federal contractors and subcontractors in all covered contracts in any state or territory of the United States of America.”
The decision, like the Kentucky decision, will be appealed. But, as we noted in Update 11.0, we think the Supreme Court ultimately will decide the fate of EO 14042.
Until then, you should:
- Reevaluate your compliance plans and give serious consideration to pausing all EO 14042 compliance efforts;
- Research the laws applicable in the states where your employees work to ensure you do not run afoul of those prohibitions, whatever your updated compliance plans may be;
- Consider sending a communication to employees providing an updated status on your company’s updated policy; and
- Consider pausing efforts to incorporate the FAR/DFARS clause throughout your supply chain.
We’ll keep you posted as these decisions make their way through the appeals process. Stay tuned for additional updates. In the interim, we’ll update our Survival Guide as soon as possible.
Holland & Knight
The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.
With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0),1 for the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). By referring to the new cybersecurity standard as CMMC 2.0, the DOD implicitly recognizes the likelihood of future versions at an unknown cost to the Defense Industrial Base (DIB).
Nevertheless, version 2.0, which was released after a seven-month review by the Biden Administration, reflects the DOD’s assessment of the DIB’s concerns and reflects the DOD’s efforts to streamline and improve upon its earlier version after criticisms aimed at its cost and complexity. Specifically, CMMC 2.0 collapses CMMC 1.0’s five tiers to three simplified tiers that are based on the cybersecurity framework implemented and that are devoid of additional CMMC-unique practices and processes. CMMC 2.0 also will allow “annual self-assessment with an annual affirmation by DIB company leadership” for Level 1 and part of the new bifurcated Level 2 (formerly Level 3). Otherwise, an independent third-party assessment or government-led assessment will be required.2
Besides CMMC 2.0, contractors with CUI are also required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020. Collectively, these clauses require contractors to enter the results of their National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment into DOD’s Supplier Performance Risk System (SPRS). DOD will identify medium- and high-risk contracts and perform independent assessments of contractor compliance with NIST SP 800-171, including whether a contractor’s actual compliance matches what it entered into SPRS. Contractors should also be mindful as to whether these disclosures match their prior acceptance of contracts with DFARS 252.204-7012, which required full compliance with NIST SP 800-171.
The return of self-assessment, which was the bedrock of the first DOD cybersecurity standards set out in DFARS 252.204-7012 and whose failure led to the development of CMMC 1.0, creates substantial risks to DIB companies and their leadership. The U.S. Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative that emphasized the use of the False Claims Act (FCA), 31 U.S.C. § 3729 et seq., to bring civil actions against government contractors who knowingly misrepresent their cybersecurity practices and protocols.3 The FCA allows the government to recover treble damages and permits qui tam suits,4 which allow whistleblowers to receive a portion of the monies recovered by the government. In addition, other regulatory agencies have brought enforcement actions for alleged false certifications concerning compliance with agency-required cybersecurity standards.5 Thus, the risk of a DOJ investigation or a qui tam suit connected with a DIB company’s self-assessment affirmation is very real, and this announcement – coupled with the self-certification options in CMMC 2.0 – should not be seen as a coincidence. Nevertheless, companies can reduce such risks with appropriate cybersecurity policies and a culture of compliance.
Evolution of DOD’s Cybersecurity Regulations
In October 2016, the DOD issued comprehensive cybersecurity regulations through DFARS. See 48 CFR §§ 204.7302, 204.7304, and 252.204-7012. The 2016 cybersecurity regulations required contractors and subcontractors to provide “adequate security” over their information systems and implement cybersecurity protocols and procedures that, at a minimum, complied with NIST SP 800-171 for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”6 These regulations, however, only required contractors to self-assess that they were in compliance with NIST SP 800-171.
The initial cybersecurity framework did not succeed, in part, due to the self-assessment requirement. In July 2019, the DOD Inspector General (IG) issued a report finding that government contractors did not consistently implement NIST SP 800-171 as required and DOD agencies and contracting officers did not develop and implement processes to verify contractors’ compliance.7 The IG report “recommended that DOD take steps to assess a contractor’s ability to protect this [CUI] information.”8
In response, in September 2020, the DOD issued interim rules for its second comprehensive cybersecurity regulations, which established CMMC 1.0.9 CMMC 1.0 classified contractors into five tiers. Level 1 required compliance with the basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21. Level 2 required compliance with 65 security requirements within NIST SP 800-171, along with additional CMMC practices and processes. Level 3 through Level 5 required complete compliance with NIST SP 800-171 and varying additional CMMC practices and processes. CMMC level assessments would be conducted by CMMC Third Party Assessment Organizations (C3PAOs), which would be accredited by an independent CMMC Accreditation Body (AB). All DOD solicitations and contracts would identify the CMMC level required for that solicitation or contract, though it was unclear how the requirement would be enforced down the supply chain.
DIB companies expressed concerns with this lack of clarity and the additional bespoke CMMC requirements. Besides these issues, concerns were raised about the cost to small businesses, just as DOD has been contending with an ever-shrinking pool of contractors willing to do business with it. That cost was driven, in part, by the requirement for a third-party assessment at all levels. CMMC 2.0 attempts to address these various concerns with the following changes to version 1.0:
- Level 1 remains the same and still requires basic safeguarding requirements consistent with FAR 52.204-21. Instead of a third-party assessment, Level 1 will require a company leader to certify compliance with requirements on an annual basis.
- Level 2 has been eliminated.
- Level 3 (now known as Level 2) maintains full NIST SP 800-171 compliance but eliminates the bespoke CMMC requirements. Further, some contractors will be able to self-certify instead of utilizing a third-party assessment, although it is unclear where that dividing line will be drawn.
- Level 4 has been eliminated.
- Level 5 (now known as Level 3) will require full compliance with NIST SP 800-171 and at least partial compliance with NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information.” DOD is still determining which NIST SP 800-172 requirements will apply. Contractors seeking a certification at this level will first need to be certified by a third-party assessor under Level 2 and then seek a government assessment under this level (presumably for the additional NIST SP 800-172 requirements).
Even though the implementation of CMMC 2.0 is anywhere from nine months to two years away, DOD is seeking ways to incentivize adoption. For instance, DOD may utilize cybersecurity compliance as an evaluation factor in procurements.10
Risk of Costly and Time-Consuming Investigations and Litigations
Viewing cybersecurity risks as both a national security risk and an investment risk, government regulators have increased enforcement actions against U.S. companies for deficient cybersecurity standards. This past year, the U.S. Securities and Exchange Commission (SEC) announced its first-ever enforcement actions against a public company for deficient disclosure controls concerning cybersecurity risks.11 The New York Department of Financial Services (NYDFS) has brought enforcement actions against regulated institutions for alleged failure to comply with its recently enacted NYDFS Cybersecurity Regulations, including action against insurance companies, in part, for the alleged false certification of its compliance with the NYDFS Cybersecurity Regulations.12
These actions preceded the DOJ’s announcement on Oct. 6, 2021, of the new Civil Cyber-Fraud Initiative.13 (See Holland & Knight’s previous blog post, “False Claims Act Meets Cybersecurity: DOJ New Civil Cyber-Fraud Unit,” Oct. 8, 2021.) Therein, Deputy Attorney General Lisa Monaco stated that the DOJ “will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”14 Particularly relevant to CMMC 2.0’s self-assessment affirmations, the Civil Cyber-Fraud Initiative will use the FCA to prosecute entities and individuals who knowingly provide deficient cybersecurity products or services and/or knowingly misrepresent their cybersecurity practices or protocols.15
The FCA “was originally aimed principally at stopping the massive frauds perpetrated by large contractors during the Civil War.”16 The act was enacted in 1863 “following a series of sensational congressional investigations” where “[t]estimony before…Congress painted a sordid picture of how the United States had been billed for nonexistent or worthless goods, charged exorbitant prices for goods delivered, and generally robbed in purchasing the necessities of war.”17
Today, the FCA lists seven types of conduct that create civil liability. Predominantly, the FCA provides that any person (i.e., entity or individual) who knowingly submits, or causes another to submit, a false or fraudulent claim to the government or knowingly makes a false record or statement to get a false claim paid by the government is liable for three times the government’s damages plus a civil penalty, which accounting for inflation, is not less than $11,181 and not more than $22,363 per claim.18 The FCA also permits whistleblowers to file qui tam suits against any person who allegedly violates the FCA. If the qui tam suit is successful, the whistleblower may receive a portion of the government’s recovery. As such, FCA and qui tam suits have become quite lucrative for the government and the whistleblower. For instance, in fiscal year (FY) 2020, the DOJ recovered over $2.2 billion from FCA cases and paid out $309 million to whistleblowers.
Under the FCA, a person acts knowingly when the person 1) has actual knowledge of the information,19 2) acts in deliberate ignorance of the truth or falsity of the information or 3) acts in reckless disregard of the truth or falsity of the information.20 Moreover, the person need not have any specific intent to defraud the government.21 Thus, as it relates to the CMMC 2.0’s self-assessment affirmations, if the affirmation is incorrect, the DIB company could be liable under the FCA even though its leadership did not intend to defraud the government and did not have actual knowledge that its affirmation was incorrect. Instead, a DIB company could be found to be “in reckless disregard of the truth” by failing to conduct a sufficient investigation of its cybersecurity practices and procedures prior to its affirmation,22 which would subject the company to treble damages and civil monetary penalties.
Additionally, although the 2016 cybersecurity regulations have required DIB companies to report cyber incidents to the DOD within 72 hours, Congress has been debating the inclusion of a cyber-reporting bill as part of the National Defense Authorization Act (NDAA) for FY 2022, which would require critical infrastructure owners and operators, as well as federal contractors generally (not just DOD contractors and subcontractors), to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and, potentially, to provide that information to the FBI.23 If cyber incident reports are provided to the DOJ, they may fuel the Civil Cyber-Fraud Initiative. Even if such reporting is not required, each cyber incident presents the possibility of an employee or former employee filing a qui tam suit alleging that the self-assessment assertions were false and violated the FCA. Thus, although self-certification programs create significant flexibility and cost savings within the CMMC 2.0 framework, they also create substantial litigation and investigation risks.
The threat of cybersecurity-based FCA action against DIB companies is not simply theoretical. As illustrated by Briggs v. Quantitech, and similar cases,24 “[t]here has been an uptick in cybersecurity-based FCA actions in recent years, predominantly qui tam actions filed by former employees that ‘blew the whistle’ on their company’s deficient cybersecurity standards and practices.”25
For DIB companies that will provide annual self-assessment affirmations within the CMMC 2.0 framework, steps can be taken to reduce the risk of future DOJ investigations and qui tam suits.
- First, DIB companies should implement and maintain written cybersecurity policies that are consistent with the basic safeguarding requirements of the FAR clause 52.204-21 and, if applicable, DFARS 252.204-7012. Because these policies will provide significant defenses against allegations of falsity and knowledge in any FCA litigation, they should be written in coordination with counsel and reviewed by multifunctional teams.
- Second, Deputy Attorney General Lisa Monaco recently emphasized that the DOJ will evaluate a company’s history of compliance issues in future enforcement actions.26 Thus, DIB companies should develop and foster a culture of compliance throughout their organizations, including employee training, internal disclosure controls and/or board oversight of leadership’s management.
- Finally, contractors should consider a CMMC certification to give themselves a competitive advantage and minimize the risk of other DIB companies not wanting to do business with them because of the cybersecurity risks they pose. This will help address concerns about the constantly evolving nature of cyberattacks and cybersecurity risks.
CISA to Establish Automated Cybersecurity Metrics for Agencies
Fedscoop reported that the Cybersecurity and Infrastructure Security Agency (CISA) has been tasked with establishing a strategy for automating the collection of Federal agencies’ cybersecurity metrics by April 2022. CISA will receive help from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) on the project. The strategy must include “a set of metrics based on NIST standards for controls that can be reported in an automated manner.” Also included will be machine-readable, automated cybersecurity incident reporting. In Federal Information Security Modernization Act (FISMA) guidance published on December 6, OMB ordered CISA to set timelines for collecting the data. OMB is aiming to start grading agencies with a compliance scorecard based on the data by December 2022. The strategy is part of an effort to improve the transparency of agencies’ cybersecurity practices and increase the speed of incident reporting in accordance with the Cybersecurity Executive Order released in May 2021.
On December 6, OMB released a memo, FY 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements. The memo provides Federal agencies with reporting guidance and deadlines as required by the Federal Information Security Modernization Act of 2014 (FISMA). The guidance has been updated to advance implementation of the May 2021 Cybersecurity Executive Order, which requires agencies to make certain cyber defense investments and to move to a Zero Trust architecture.
The following are the annual and quarterly FISMA reporting deadlines provided by OMB.
This memo rescinds the following memos:
- M-21-02, Fiscal Year 2020-2021 Guidance on Federal Information Security and Privacy Management Requirements
- M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Infrastructure
In addition, OMB is basing its reform of activities under FISMA on the following four tenets:
- Moving to a Zero Trust architecture. Agencies need to implement specific Zero Trust security goals by the end of Fiscal Year (FY) 2024, organized around five pillars:
  - Identity: Agency staff use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant Multi-Factor Authentication (MFA) protects those personnel from sophisticated online attacks.
  - Devices: The Federal Government has a complete inventory of every device it operates and authorizes for government use, and can prevent, detect and respond to incidents on those devices.
  - Networks: Agencies encrypt all Domain Name System (DNS) requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
  - Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.
  - Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
- Ground truth testing. Traditionally, we have relied heavily on self-attestation of security control implementation, and there is a need to accelerate efforts to validate and verify those attestations. The Federal Government must rely more on methods that empirically validate security and find weaknesses, such as manual and automated penetration testing and red team exercises. The FY 2022 metrics released alongside this memorandum include a series of questions aimed at measuring the Federal Government’s ability to conduct tested security.
- Observable security outcomes. FISMA certifications have continued to rely on compliance-based processes in which agencies and inspectors general (IGs) rely on a checklist of controls whose implementation status is used to determine the sufficiency of a system’s security. This leads to an assessment of specifically scoped control implementation successes and failures. FISMA assessments must evolve to focus on risk-based processes that will provide agencies with sufficient information to consider threat, capability, and impact. That information will enable agencies to prioritize their efforts and orient towards the greatest threats facing the nation, as well as the individual risks faced by each agency. The FY 2022 CIO metrics released alongside this memorandum include a series of questions that focus on measuring outcomes.
- Automation. FISMA data collection has long remained an overly manual process that often leads agencies to create complicated spreadsheets and internal processes to respond to questions. As the Federal information security apparatus matures, so should its reporting mechanisms. OMB is emphasizing automation and the use of machine-readable data to speed up reporting, reduce agency burden, and improve outcomes. This memorandum directs development of a strategy to enable agencies to report performance and incident data in an automated and machine-readable manner.
On December 2, GAO published a report, Cybersecurity: Federal Actions Urgently Needed to Better Protect the Nation’s Critical Infrastructure. Previously in 2018, GAO had reported that the Government needed to address four major challenges:
- Establishing a comprehensive cybersecurity strategy and performing effective oversight;
- Securing Federal systems and information;
- Protecting cyber critical infrastructure; and
- Protecting privacy and sensitive data.
These four challenges include 10 actions to successfully deal with the cybersecurity threats facing the nation (see figure below).
GAO was asked to testify on the Government’s efforts to address critical infrastructure cybersecurity.
GAO reported that it has found in recent investigations that in order to address critical infrastructure cybersecurity, the Government must develop and execute a comprehensive national cyber strategy and strengthen the Federal role in protecting the cybersecurity of critical infrastructure.
OSHA Vaccine Mandate Comment Period Extended
On December 3, the Occupational Safety and Health Administration (OSHA) extended the comment period for its Emergency Temporary Standard (ETS) on mandatory “COVID-19 Vaccination and Testing” to January 19, 2022. This is a 45-day extension, as opposed to the 60-day extension requested by most stakeholders. The ETS requires employers with 100 or more employees to ensure that their employees are vaccinated, or are regularly tested, unless an employee is covered by an exception.
Comment Period Extended for Climate Risk in Acquisition ANPR
The Federal Acquisition Regulatory Council (FAR Council) announced that the comment period for public input on a potential FAR amendment to implement section 5(b)(ii) of Executive Order 14030, Climate-Related Financial Risk, will be extended to January 13. The comment period was extended to allow additional time for interested parties to submit comments in response to the questions posed in the advance notice of proposed rulemaking (ANPR). On October 15, the FAR Council issued the ANPR, giving contractors notice of plans to amend the FAR to ensure that major Federal procurements minimize the risk of climate change. On May 20, President Biden signed Executive Order (EO) 14030, Climate-Related Financial Risk. The EO states that the Federal Government should manage climate-related financial risk within its procurement activity. The contemplated rule would seek to ensure that Federal procurements minimize the risk of climate change by requiring the social cost of greenhouse gas emissions to be considered in procurement decisions, and by giving preference to bids and proposals from suppliers with a lower social cost of greenhouse gas emissions. The social cost is an estimate of the monetized damage from increases in greenhouse gas emissions.
The FAR Council is seeking public comments on a list of questions in the ANPR, such as “how can greenhouse gas emissions, including the social cost of greenhouse gases, best be qualitatively and quantitatively considered in Federal procurement decisions?”