Our December edition of “Government Contracts Legislative and Regulatory Update” offers a summary of the relevant changes that took place during the month of November.
National Defense Authorization Act
As we noted last month, House Armed Services Committee (“HASC”) and Senate Armed Services Committee (“SASC”) staff had been conferencing the National Defense Authorization Act (“NDAA”), Congress’ annual defense policy bill, since mid-August. On November 18, 2020, the Senate and House began formal conference committee proceedings to resolve and reconcile the remaining major sticking points of the House and Senate versions of the bill.
On December 8, 2020, the House passed the reconciled version of the bill, otherwise known as the conference report, by a vote of 335-78. The Senate followed suit on December 11, 2020, passing the bill by a vote of 84-13. The President vetoed the bill on December 23, 2020 as was widely expected. The President had long threatened to veto the bill if it did not include a repeal of Section 230 of the Communications Decency Act, which prevents social media websites from being held liable for users’ comments. On December 28, 2020, the House voted 322-87 to override the President’s veto. As of this writing, the Senate is expected to hold a veto override vote as soon as December 30, 2020, but not later than before 12 p.m. Eastern Time on January 3, 2021, at which time the 117th Congress will be sworn in. The Senate is believed to have more than sufficient votes to override the President’s veto. As such, the NDAA is expected to become law for a 60th straight year before the end of the current Congress.
Back to top
Appropriations and COVID-19 Relief
The House and Senate approved a $2.4 trillion measure that combines all twelve Fiscal Year 2021 (“FY21”) appropriations bills and a $900 billion coronavirus relief bill. The omnibus appropriations bill funds the government through the remainder of FY21 (September 30, 2021). President Trump signed into law the massive government funding and pandemic stimulus package on December 27, 2020.
Back to top
Vetting of Foreign Ownership on Federal Leases
On November 17, 2020, the House passed a bipartisan bill, S. 1869, the Secure Federal Leases from Espionage and Suspicious Entanglements Act, that would require companies that lease high-security spaces to federal agencies to be vetted for foreign ownership following cybersecurity and espionage concerns related to such transactions. Specifically, this bill instructs the U.S. General Services Administration (“GSA”), the Architect of the Capitol, or any federal agency (other than the Department of Defense (“DoD”) and the intelligence community) that has independent statutory leasing authority (i.e., Federal lessee), before entering into a lease agreement or approving a novation agreement with an entity involving a change of ownership under a lease that will be used for high-security leased space, to require the entity to identify the immediate or highest-level owner of the space and disclose whether that owner is a foreign person or entity, including the country associated with the ownership entity.
The term “high-security leased space’’ means a space leased by a Federal lessee that— (A) will be occupied by Federal employees for nonmilitary activities; and (B) has a facility security level of III, IV, or V, as determined by the Federal tenant in consultation with the Interagency Security Committee, the Department of Homeland Security, 7 and the GSA. The term ‘‘highest-level owner’’ means the entity that owns or controls an immediate owner of the offeror of a lease, or that owns or controls 1 or more entities that control an immediate owner of the offeror. The term ‘‘immediate owner’’ means an entity, other than the offeror of a lease, that has direct control of the offeror, including ownership or interlocking management, identity of interests among family members, shared facilities and equipment, and the common use of employees.
A federal lessee shall require the entity to (1) provide such identification and disclosure when first submitting a proposal in response to a solicitation for offers issued by the federal lessee; and (2) update such information annually, including the list of the immediate or highest-level owners of that entity or the information required to be provided related to each such owner.
The bill further requires that GSA, in coordination with the Office of Management and Budget (“OMB”), develop a Government-wide plan for agencies for identifying all immediate, highest-level, or beneficial owners of high-security leased spaces before entering into a lease agreement with a covered entity for the accommodation of a Federal tenant in a high-security leased space. Notably, the required disclosure under Section 3 of the bill currently only requires the identification and disclosure of whether the immediate or highest-level owner of the leased space, including an entity involved in the financing thereof, is a foreign person or a foreign entity, including the country associated with the ownership entity.
The bill provides a rule requiring language in a lease agreement concerning restriction of access to high-security space between a federal lessee and an entity to accommodate an agency in a building or improvement used for high-security leased space.
The bill was presented to President Trump on December 21, 2020. As of this writing, he has not yet signed the bill into law.
Back to top
Internet of Things (IoT) Cybersecurity
On November 18, 2020, the Senate passed Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020, H.R. 1668. The House previously approved this bill in September. This bill requires the National Institute of Standards and Technology (NIST) and the OMB to take specified steps to increase cybersecurity for IoT devices. The bill establishes a 90-day deadline from the passage of the Act for NIST to develop and publish standards and guidelines for the Federal Government on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency. The bill also requires that NIST address minimum information security requirements for managing cybersecurity risks associated with such devices. Within 180 days of passage, the Director of OMB is required to review agency information security policies and principles on the basis of the standards and guidelines published by NIST. In addition, NIST, within 180 days of the Act’s passage, is also required to develop guidelines on the disclosure process for security vulnerabilities relating to federal agency information systems, including IoT devices.
The bill further prohibits agency from acquiring IoT devices from contractors, including contracts below the simplified acquisition threshold, if the Chief Information Officer of the agency determines during a review of the contract pursuant 40 U.S.C. 11319(b)(1)(C) that use of an IoT device prevents compliance with the standards and guidelines issued by NIST regarding (i) agency use and management of IoT devices; and (ii) the guidelines concerning disclosure of security vulnerabilities. 40 U.S.C. 11319(b)(1)(C) provides in relevant part that covered agencies are not permitted to enter into a contract or other agreement for information technology or information technology services, unless the contract or other agreement has been reviewed and approved by the Chief Information Officer of the agency.
This bill was signed into law on December 4, 2020 (P.L. 116-207).
Back to top
DoD Issues Proposed Rule Regarding Commercial Item Determinations
On November 23, 2020, the DoD issued a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) by implementing section 848 of the NDAA for FY 2018. Section 848 modifies 10 U.S.C. § 2380(b) which provides that a contract for an item under FAR Part 12 commercial item procedures shall serve as a prior commercial item determination unless a relevant official determines in writing that the prior determination was improper or that the item should not be acquired using Federal Acquisition Regulation (“FAR”) Part 12 procedures. The rule also proposes to remove procedures at DFARS subpart 212.70, Limitation on Conversion of Procurement from Commercial Acquisition Procedures regarding the $1 million dollar threshold that applied to whether DoD should accept a prior commercial item determination. DoD explained that this threshold sought to avoid burdensome requirements on lower dollar acquisitions. However, DoD further explained that these acquisitions can form the basis for larger acquisitions in subsequent buys, therefore, DoD proposes that the same standards shall apply.
Comments on the proposed rule are due by January 22, 2021. (85 Fed. Reg. 74636 (Nov. 23, 2020) ).
Back to top
DoD Proposes Rule to Amend the DFARS to Remove References to Revoked Executive Orders
On November 23, 2020, the DoD published a proposed rule amending the DFARS to remove references to revoked Executive Orders related to minimizing the use of materials containing hexavalent chromium. Removal of these references will not impact the substance of DoD’s policy and procedures for minimizing the use of hexavalent chromium, a known carcinogen. The policy related to minimizing the use of materials containing hexavalent chromium is implemented in DFARS subpart 223.73. The rule proposes to remove references to E.O. 13423 and E.O. 13514 contained in DFARS 223.7302, in addition to other references. These changes will not impact contracting officers or contractors.
Comments on the proposed rule are due by January 22, 2021. (85 Fed. Reg. 74,639 , Nov. 23, 2020).
Back to top
DoD Issues Class Deviation On Executive Order Combating Race and Sex Stereotyping
On November 20, 2020 the Department of Defense (“DoD”) published Class Deviation 2021-O0001 addressing Executive Order 13950, Combating Race and Sex Stereotyping. Pursuant to the Class Deviation, effective immediately, contracts that include the clause FAR 52.222-26, Equal Opportunity, must also incorporate the Deviation’s Clause 252.222-7999, Combating Race and Sex Stereotyping (DEVIATION 2021-O0001). Tracking the E.O., the clause prohibits federal contractors and subcontractors from providing any workplace training that inculcates in its employees any form of race or sex stereotyping or any form of race or sex scapegoating. The Class Deviation will remain in effect until incorporated into the FAR, or until otherwise rescinded.
Back to top
CASB, OFPP, and OMB Issues an Advance Notice of Proposed Rulemaking to Address the Potential Conformance of the CAS to GAAP for Operating Revenue and Lease Accounting
On November 5, 2020, the Cost Account Standards Board (“CASB”), Office Federal Procurement Policy (“OFPP”), and the Office of Management and Budget (“OMB”) released an Advance Notice of Proposed Rulemaking (“ANPRM”) addressing potential modifications to the Cost Accounting Standards (“CAS”) that conform to the changes to the Generally Accepted Accounting Principles (“GAAP”) that occurred after a related CAS was promulgated. The ANPRM is issued in accordance with 41 U.S.C. § 1502(c), giving notice to interested persons concerning the advantages, disadvantages, and improvements anticipated in the pricing and administration of government contracts as a result of the adoption of a proposed standard prior to the promulgation of any new or revised CAS. On March 13, 2019, the CASB published a Staff Discussion Paper (“SDP”) to solicit information and viewpoints on how to implement the CASB’s statutory requirement to review and conform CAS to GAAP. Respondents urged the CASB to give the highest priority in the CAS-GAAP conformance initiative to issues regarding the changes in GAAP for operating revenue and lease accounting rules that occurred after the promulgation of the CAS. The respondents’ concerns focused upon the potential inconsistencies between GAAP and CAS following changes to GAAP may cause inadvertent CAS violations, confusion over CAS requirements, inconsistent treatment among contractors, and additional costs to maintain separate accounting practices for GAAP and CAS.
In an effort to take timely action to resolve the potential confusion on the interpretation of CAS as a result of GAAP changes, this ANPRM requests public comment on the proposed revisions under consideration that (i) align CAS with GAAP on the handling of operating revenue and (ii) clarify CAS definitions to make clear that GAAP changes on lease accounting are not recognized for CAS purposes. The CASB encourages respondents to identify the burdens they believe would be added or reduced for contractors by relying solely on the GAAP definition of operating revenue and deleting the more detailed CAS definition. Additionally, the CASB requests feedback regarding any burden that is expected to be created or reduced for contractors by making clear that property formerly classified as operating leases and reclassified as right-of-use assets should be excluded from treatment as intangible capital assets and tangible capital assets for CAS.
Comments on the proposed rule are due by January 4, 2021. (85 Fed. Reg. 70,572 , Nov. 5, 2020).
Back to top
OMB Memorandum Provides Guidance for Federal Agency Reports Required Under Executive Order 13940, Aligning Federal Contracting and Hiring Practices With the Interests of American Workers
On November 19, 2020, OMB issued Memorandum M-21-08 entitled, Review of Federal Contracting and Hiring Practices Under Executive Order 13940, that bolsters a series of executive actions taken by the Trump Administration to strengthen the Administration’s policy to buy American and hire American. Memorandum M-21-08 references the relevant sections of the President’s August 3, 2020 Executive Order (“E.O.”), Aligning Federal Contracting and Hiring Practices With the Interests of American Workers, which was intended to create opportunities for U.S. workers to compete for jobs, including those under Federal contracts. E.O. 13940 specifically requires Federal agencies to review their contractors’ use of temporary foreign labor or offshoring practices, review whether their Federal hiring practices are compliant with U.S. citizenship requirements, and submit a report to OMB summarizing the results of the reviews as well as any planned follow-up actions and recommendations for executive or other action. The Memorandum notes that particular consideration should be given to recommendations that address any negative impact of temporary foreign labor hiring practices or offshoring practices. The recent OMB Memorandum provides guidance for Federal agencies to conduct reviews and develop the reports due on December 31, 2020 (with the possibility of an extension).
With regard to contract hiring practices, the Memorandum refers to the requirement in E.O. 13940 for Federal agencies to review contracts performance in FY 2018 and FY 2019 to determine whether federal contractors’ use of temporary foreign labor or offshoring performance of contracts actions have negative consequences. The Memorandum explains that, in order to enable a timely understanding of the impacts, Federal agencies should prioritize reviewing the practices of contractors on which they rely upon most. To this end, the Memorandum directs Federal agencies to evaluate, at a minimum, service contracts for work to be performed in the U.S. from the 25 contractors with which they have made the most obligations during FY 2018 and FY 2019, or such number of contractors to cover at least 10 percent of the agency obligations for services during this period, whichever is less.
The review of temporary foreign labor requires Federal agencies to (i) determine whether contractors in the review pool have policies in place to recruit U.S. or permanent residents before hiring temporary labor, (ii) document relevant information for contracts that involved any temporary foreign labor, and (iii) coordinate with the contractor to gather relevant information from first-tier subcontractors. In addition, the review of offshoring activities requires a determination and documentation of whether contractors engaged in offshoring in the performance of any service contract it either received, performed in FY 2018 and FY 2019, or announced plans during this period to offshore work prior to contract completion. As explained by the Memorandum, offshoring refers to the reassignment of any work activities, i.e. directly supporting performance of the contract or overhead activities, previously performed at a company’s U.S. operations to a location outside the U.S. Further, in accordance with Section 2(c) of E.O. 13940, Federal agencies must also review their employment policies to assess compliance with E.O. 11935, Citizenship Requirements for Federal Equipment, and section 704 of the Consolidated Appropriations Act 2020, Public Law 116-93, by the report submission date.
Back to top
DoD Memorandum Overviews Interim Defense Federal Acquisition Regulation Supplement Rule, 2019-D041, Assessing Contract Implementation of Cybersecurity Requirements, and Related CMMC Framework
On November 25, 2020, the DoD issued a Memorandum with the subject Interim Defense Federal Acquisition Regulation Supplement Rule, 2019-D041, Assessing Contract Implementation of Cybersecurity Requirements, to ensure workforce awareness and understanding of the requirements of the new interim DFARS rule that went into effect on November 30, 2020. As explained in the Memorandum, DFARS 2019-D041 implements the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (“CMMC”) Framework. The DoD Memorandum also requires that contracting officers take specific actions prior to awarding contracts, task/delivery orders, or exercising an option on and after the new rule’s effective date. Attached to the Memorandum are the following documents: (1) an executive summary of the interim DFARS rule, and (2) an August 4, 2020 DoD Memorandum discussing the implementation of the CMMC.
According to the executive summary of the interim DFARS rule, on and after November 30, 2020, contracting officers shall verify that the summary level score of a current NIST SP 800-171 DoD Assessment (not more than 3 years old, unless a lesser time is specific in the solicitation) is posted in the Supplier Performance Risk System (“SPRS”) for each covered contractor information system that is relevant to an offer, contract, or task/delivery order. This verification must occur prior to initiating the above-mentioned contract actions with an offeror or contractor that is required to implement NIST SP 800-171 in accordance with DFARS 252.204-7012 (Safeguarding covered defense information and cyber incident reporting). In addition, when a requiring activity identifies a requirement for a contract or task or delivery order to include a specific CMMC level, the contracting officer shall not make an award to an offeror that does not have a CMMC certificate in SPRS at the level required.
For the purposes of the actions described above, contracting officers are directed to use the new provision at DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of COTS items. In addition, the new clause at DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, will be used in all solicitations, contracts, and task and delivery orders, including those using FAR part 12 procedures for the acquisition of commercial items, except for those that are solely for the acquisition of COTS items. The clause is required to be flowed down to all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items (except COTS items).
According to the attached DoD Memorandum on CMMC Implementation, DoD released CMMC version 1.0 (available at the CMMC website here) on January 31, 2020. Version 1.0 consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references. The model also encompasses the basic safeguarding requirements for Controlled Unclassified Information specified in NIST SP 800-171 set forth in DFARS 252.204-7012. The CMMC Implementation Memorandum also explains that CMMC will be implemented using a phased approach. For FY 2021, DoD intends to limit the number of solicitations specifying a CMMC requirement to no more than 15 prime contracts, which will constitute CMMC pilot program efforts. All program managers and contracting officers are directed to avoid including CMMC as a requirement in Requests for Information and Requests for Proposals unless coordinated through the nomination process set forth within the Memorandum. For subsequent FYs, DoD intends to incorporate CMMC Levels 4 and 5, while increasing the quantity of acquisitions that include a CMMC requirement. The phase-in targets are as follows: Year 2 - 75 new acquisitions; Year 3 - 250 new acquisitions; Year 4 - 325 new acquisitions; Year 5 - 475 new acquisitions; and Year 6 and beyond - all new acquisitions and other transactions issued pursuant to 10 U.S.C. 2371(b).