GOVERNMENT CONTRACTING LAW

Transcription

1 AN A.S. PRATT PUBLICATION MAY 2015 VOL. 1 NO. 2 PRATT S GOVERNMENT CONTRACTING LAW REPORT EDITOR S NOTE THE BOARD SPEAKS Steven A. Meyerowitz THE RISING TIDE OF SUSPENSIONS AND DEBARMENTS IN GOVERNMENT CONTRACTS PART I Vincent J. Napoleon and Kevin T. Saunders CONDITIONS OF PARTICIPATION IN FALSE CLAIMS ACT GOVERNMENT PROCUREMENT CASES Kyle R. Jefcoat APPLICATION OF TORT LIABILITY TO CONTRACTOR ACTIONS UNDER PERFORMANCE-BASED SERVICE CONTRACTS UPHELD BY SUPREME COURT SILENCE Stuart W. Turner FEDERAL EMPLOYMENT LAW CHANGES FOR GOVERNMENT CONTRACTORS IN 2014: WHAT EVERY CONTRACTOR SHOULD KNOW PART II Julia E. Judish and John E. Jensen GOVERNMENT CONTRACTORS FACE INCREASING CYBERSECURITY REGULATION IN 2015 Mary Beth Bosco IN THE COURTS Steven A. Meyerowitz LEGISLATIVE AND REGULATORY DEVELOPMENTS Steven A. Meyerowitz

2 PRATT S GOVERNMENT CONTRACTING LAW REPORT VOLUME 1 NUMBER 2 MAY 2015 Editor s Note The Board Speaks Steven A. Meyerowitz 37 The Rising Tide of Suspensions and Debarments in Government Contracts Part I Vincent J. Napoleon and Kevin T. Saunders 39 Conditions of Participation in False Claims Act Government Procurement Cases Kyle R. Jefcoat 47 Application of Tort Liability to Contractor Actions under Performance-Based Service Contracts Upheld by Supreme Court Silence Stuart W. Turner 53 Federal Employment Law Changes for Government Contractors in 2014: What Every Contractor Should Know Part II Julia E. Judish and John E. Jensen 58 Government Contractors Face Increasing Cybersecurity Regulation in 2015 Mary Beth Bosco 63 In the Courts Steven A. Meyerowitz 69 Legislative and Regulatory Developments Steven A. Meyerowitz 75

3 QUESTIONS ABOUT THIS PUBLICATION? For questions about the Editorial Content appearing in these volumes or reprint permission, please call: Heidi A. Litman at For assistance with replacement pages, shipments, billing or other customer service matters, please call: Customer Services Department at (800) Outside the United States and Canada, please call (518) Fax Number (518) Customer Service Web site For information on other Matthew Bender publications, please call Your account manager or (800) Outside the United States and Canada, please call (518) Library of Congress Card Number: ISBN: (print) Cite this publication as: [author name], [article title], [vol. no.] PRATT S GOVERNMENT CONTRACTING LAW REPORT [page number] (LexisNexis A.S. Pratt); Michelle E. Litteken, GAO Holds NASA Exceeded Its Discretion in Protest of FSS Task Order, 1 PRATT S GOVERNMENT CONTRACTING LAW REPORT 30 (LexisNexis A.S. Pratt) Because the section you are citing may be revised in a later release, you may wish to photocopy or print out the section for convenient future reference. This publication is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. A.S. Pratt is a trademark of Reed Elsevier Properties SA, used under license. Copyright 2015 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights Reserved. No copyright is claimed by LexisNexis, Matthew Bender & Company, Inc., or Reed Elsevier Properties SA, in the text of statutes, regulations, and excerpts from court opinions quoted within this work. Permission to copy material may be licensed for a fee from the Copyright Clearance Center, 222 Rosewood Drive, Danvers, Mass , telephone (978) An A.S. Pratt Publication Editorial Offices 630 Central Ave., New Providence, NJ (908) Mission St., San Francisco, CA (415) (2015 Pub.4938)

4 Editor-in-Chief, Editor, & Board of Editors EDITOR-IN-CHIEF STEVEN A. MEYEROWITZ President, Meyerowitz Communications Inc. EDITOR VICTORIA PRUSSEN SPEARS Senior Vice President, Meyerowitz Communications Inc. BOARD OF EDITORS MARY BETH BOSCO Partner, Holland & Knight LLP DARWIN A. HINDMAN III Shareholder, Baker, Donelson, Bearman, Caldwell & Berkowitz, PC J. ANDREW HOWARD Partner, Alson & Bird LLP KYLE R. JEFCOAT Counsel, Latham & Watkins LLP JOHN E. JENSEN Partner, Pillsbury Winthrop Shaw Pittman LLP DISMAS LOCARIA Partner, Venable LLP MARCIA G. MADSEN Partner, Mayer Brown LLP KEVIN P. MULLEN Partner, Jenner & Block VINCENT J. NAPOLEON Partner, Nixon Peabody LLP STUART W. TURNER Counsel, Arnold & Porter LLP WALTER A.I. WILSON Senior Partner, Polsinelli PC PRATT S GOVERNMENT CONTRACTING LAW REPORT is published twelve times a year by Matthew Bender & Company., Inc. Copyright 2015 Reed Elsevier Properties SA., used under license by Matthew Bender & Company, Inc. All rights reserved. No part of this journal may be reproduced in any form by microfilm, xerography, or otherwise or iii

5 incorporated into any information retrieval system without the written permission of the copyright owner. For permission to photocopy or use material electronically from Pratt s Government Contracting Law Report, please access or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For subscription information and customer service, call Direct any editorial inquires and send any material for publication to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., PO Box 7080, Miller Place, NY 11764, smeyerowitz@meyerowitzcommunications.com, Material for publication is welcomed articles, decisions, or other items of interest to bankers, officers of financial institutions, and their attorneys. This publication is designed to be accurate and authoritative, but neither the publisher nor the authors are rendering legal, accounting, or other professional services in this publication. If legal or other expert advice is desired, retain the services of an appropriate professional. The articles and columns reflect only the present considerations and views of the authors and do not necessarily reflect those of the firms or organizations with which they are affiliated, any of the former or present clients of the authors or their firms or organizations, or the editors or publisher. POSTMASTER: Send address changes to Pratt s Government Contracting Law Report, LexisNexis Matthew Bender, 630 Central Avenue, New Providence, NJ iv

6 GOVERNMENT CONTRACTORS FACE INCREASING CYBERSECURITY REGULATION IN 2015 Government Contractors Face Increasing Cybersecurity Regulation in 2015 By Mary Beth Bosco * Federal government contractors already face cybersecurity standards, and 2015 will bring additional regulation. Certain Department of Defense contractors are subject to mandatory breach reporting requirements, and these type of reporting requirements are likely to be extended to other companies who contract with the government. Awareness of what these obligations will look like and comparison of a company s existing cyber policies and programs to the new mandates will allow companies to be prepared for the changes. This article reviews the current state of government contractor-related cyber obligations, and previews likely Federal Acquisition Regulation amendments coming in 2015 and their expected ramifications. Cybersecurity continues its dominance of the news in the first months of Recent high-profile security breaches involving international banks and health-care companies reinforce concern about the safety of personal information. The federal government is working hard to respond: Congress already has held numerous hearings in 2015 on the issue of cybersecurity, with more scheduled. Recently, the White House convened a Cybersecurity and Consumer Protection Summit at Stanford University. The President issued an Executive Order that same day aimed at facilitating the sharing of information about cyber breaches and threats between the government and the private sector. 1 While high-profile breaches involving consumer information headline the news, the government s computer systems and those of its contractors are also subject to unrelenting cyber attacks. For example, a 2014 Senate Armed Services Committee Report found that, within a 12-month period, there were 50 successful incursions or other events involving the computer systems of contractors supporting the Army s Transportation Command ( TRANSCOM ). Of these, 20 were attributed to advanced persistent threat * Mary Beth Bosco, a member of the Board of Editors of Pratt s Government Contracting Law Report, is a partner in Holland & Knight s Government Contracts Practice Group. She specializes in regulatory compliance, including cybersecurity, investigations, and government contracts transactions. She may be contacted at marybeth.bosco@hklaw.com. 1 Executive Order Promoting Private Sector Cybersecurity Information Sharing (February 13, 2015). 63

7 PRATT S GOVERNMENT CONTRACTING LAW REPORT entities. Yet, according to the Report, the Army was aware of only two of the system intrusions. 2 Despite reports like this, and the obvious value of government information resident in contractor computer systems, there currently is no uniform set of cybersecurity regulations governing government contractors and no widespread breach reporting requirements. This regulatory gap, however, will change in 2015 for both civilian and defense contractors. In November of last year, the National Institute of Standards and Technology ( NIST ) signaled a coming change to the Federal Acquisition Regulation ( FAR ) that will set standards for every aspect of computer system and information management. The Department of Defense ( DoD ) will also issue new cybersecurity requirements for its transportation and logistical contractors this year. This article first reviews the current state of government contractor-related cyber obligations. Its second section previews likely FAR amendments coming in 2015 and their expected ramifications. Finally, as summarized below, while cybersecurity is an emerging issue for many contractors, it is fundamentally a compliance matter that should be viewed through the lens of a company s overall compliance and internal controls program. CURRENT CYBERSECURITY REGULATIONS APPLICABLE TO GOVERNMENT CONTRACTORS Department of Defense s Regulations DoD contractors currently face the most specific cyber protection requirements for unclassified information, and the 2015 National Defense Authorization Act ( NDAA ) added a new category of contractors subject to cybersecurity requirements. DoD Regulations Protecting Unclassified Controlled Technical Information In 2014, DoD issued regulations and an associated contract clause to protect unclassified controlled technical information, or UCTI. 3 UCTI includes items such as export-controlled information, critical technology, foreign government information, operations security information, or proprietary infor- 2 Inquiry Into Cyber Intrusions Affecting U.S. Transportation Command Contractors, A Report of the Senate Armed Services Committee, 113th Cong., 2nd Sess. (September 24, 2014), at pp. v vi. 3 Defense Federal Acquisition Regulation Supplement Section ; Clause

8 GOVERNMENT CONTRACTORS FACE INCREASING CYBERSECURITY REGULATION IN 2015 mation. 4 DoD s UCTI regulations include a very specific reporting mandate: Contractors must report any cyber incident affecting UCTI resident on or transiting through their systems within 72 hours of discovering the incident. Following the report, the affected contractor must conduct a more thorough review of the incident in order to identify, among other things, the specific UCTI information that may have been compromised. The regulations also obligate a contractor experiencing a breach involving UCTI to preserve affected information systems and all relevant monitoring and backup data for at least 90 days. If DoD conducts its own damage assessment, the regulations require the contractor to provide DoD with access to its systems and information. Another significant aspect of DoD s UCTI provisions is the requirement that contractors impose controls meeting the standards of NIST Special Publication r4, Security and Privacy Controls for Federal Information Systems and Organizations, or provide either an explanation as to why a particular control is not applicable or a justification for use of an alternate method. NIST Special Publication sets forth a process for risk assessment and security control selection, and provides a catalog of essential security controls. DoD contractors handling UCTI must therefore be familiar with the NIST security control assessment and selection process, and must be prepared to demonstrate how their policies and procedures meet the NIST security risk assessment process and control requirements. Counterfeit Electronic Parts In addition to the UCTI rules, DoD s May 2014 counterfeit electronic parts regulations encompass cyber threats posed by hardware. The associated DFARS clause defines electronic parts to include integrated circuits, electronic components, circuit assemblies and any embedded software or firmware. 5 The rules obligate contractors subject to the Cost Accounting Standards ( CAS ) and their subcontractors that supply electronic parts (regardless of whether the subcontractor is CAS-covered) to establish and maintain an acceptable counterfeit electronic part detection and avoidance system. An acceptable program must include common compliance practices such as training, monitoring, inspection, reporting, and auditability or traceability. The regulations supplement the more typical compliance activities, however, by imposing requirements for monitoring industry and other pertinent information. Covered companies must implement processes for keeping up 4 DoD Instruction , Distribution Statements on Technical Documents (August 23, 2012). 5 DFARS (a). 65

9 PRATT S GOVERNMENT CONTRACTING LAW REPORT with information about current counterfeiting information and trends and for screening the Government-Industry Data Exchange Program reports and other credible sources of counterfeiting information. In addition, the regulations limit contractors supply sources by restricting sources of parts to original manufacturers, sources with the written authorization of the original manufacturer or current design activity, authorized aftermarket manufacturers, or suppliers that obtain parts from one of these sources. Thus, companies supplying electronic parts to DoD must be able to track the source of the parts and must be able to demonstrate a familiarity with trending risks to secure electronic parts supply Requirements for Transportation and Logistics Contractors Finally, certain DoD contractors should expect another set of cyber regulations in The Carl Levin and Howard P. Buck McKeon National Defense Authorization Act for Fiscal Year 2015 ( NDAA ) creates a new cyber breach reporting requirement affecting DoD contractors supporting transportation and logistics in connection with contingency operations. This new provision was prompted by the Senate Armed Services Committee Report on TRANSCOM discussed earlier in this article. The Act requires DoD to establish procedures for reporting cyber incidents experienced by operationally critical contractors within 90 days of the Act s December 19, 2014 signature date. An operationally critical contractor is defined as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. The new procedures must contain an explanation of how DoD will identify operationally critical contractors and how it will notify them of their designation. Once identified by DoD, an operationally critical contractor must rapidly report all cyber incidents affecting its networks or systems. Under the forthcoming regulations, contractors will be able to request that DoD assist them to detect and mitigate cyber incursions. It is not clear from the Act s language whether DoD will choose to issue the new procedures as an interim final rule, or first propose them and allow for comment from industry. In either case, it is clear that private transportation companies such as airlines or rail or motor carriers supporting DoD may soon find themselves subject to cyber breach reporting and response requirements. One means for these companies to anticipate or prepare for these new obligations would be to analyze the UCTI regulations and compare their provisions to those utilized by the companies. Current Non-DoD Cybersecurity Requirements Agencies other than DoD impose various cyber requirements, but the 66

10 GOVERNMENT CONTRACTORS FACE INCREASING CYBERSECURITY REGULATION IN 2015 majority of the civilian agencies do not yet have mandatory data breach reporting requirements. By way of example, the General Services Administration, the State Department, the Department of Health and Human Services, the Department of Transportation, the Department of Housing and Urban Development, and the Department of Commerce all have contract clauses requiring some form of a cybersecurity plan. None of these clauses, however, requires contractors to report cyber breaches. This current state of agency-specific cyber regulation is, as discussed below, about to change. The coming year should bring new FAR regulations that will standardize cyber reporting requirements and offer a uniform set of standards to guide contractor compliance. These new provisions will also likely contain a breach reporting requirement. ANTICIPATED FAR REGULATIONS In 2012, the FAR Council proposed a set of very general cyber standards for computer access control, voice and fax transmission, intrusion protection, hardware disposal, and information sharing with subcontractors. 6 The proposal contained a broad mandate for contractor systems, requiring them to use the best level of security and privacy available, given facilities, conditions, and threat level. Two and a half years later, these proposed rules are not final. Instead, a much more comprehensive set of cybersecurity standards may be incorporated into the FAR this year. In November 2014, NIST issued Draft Special Publication , Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. This publication is part of an effort to streamline classification and handling of controlled unclassified information. In addition to the NIST publication, the National Archives and Records Administration ( NARA ) has prepared a proposal to streamline the categories of controlled information that is not classified. The NIST standards are projected to become final in June of They are then to be incorporated into the FAR. The NIST standard is significant in its comprehension. Even in draft form, it provides contractors with a best practices standard against which to measure their own information security policies and practices. NIST Special Publication identifies 14 cyber-related activities, such as access control, configuration management, and incident response. For each of the 14 categories, the publication designates a Basic Security Requirement and then more specific Derived Requirements. For example, for the configuration management category, the publication states that the Basic Security Requirement is to 6 77 Fed. Reg (Aug. 24, 2012). 67

11 PRATT S GOVERNMENT CONTRACTING LAW REPORT establish and maintain baseline configurations and inventories of equipment. The Derived Requirements amplify this base standard, breaking down specific action items, including the requirement to analyze the security impacts of all system changes before implementation and the need to disable all nonessential system functions, ports, protocols and services. Thus, the NIST Special Publication represents a roadmap for government contractors. It provides a general standard for each facet of a company s cyber policies and practices to meet. It then identifies specific actions a company can take to satisfy the general standard, given its size and the nature of its work. It is a useful tool against which a company can evaluate its own cyber policy and program and prepare for the FAR amendments. CONCLUSION For federal government contractors, cybersecurity regulation is becoming more and more of a reality. DoD has already imposed cyber requirements on some of its contractors, and will add regulations for transportation and logistics contractors in FAR amendments are also very likely to be issued in the next 12 months. The path for preparation and compliance should not be a mystery for government contractors who are already subject to multiple and varied compliance requirements. While the headline and risks may be new and ever-changing, cybersecurity should be viewed through the same basic lens as other compliance functions. For example, the first step for companies is to review their existing written policies and procedures, and to consider what training programs might be in order. Are additional internal controls warranted? Are the right internal resources involved and do they have adequate support? Who has ultimate responsibility for information security? Do thirdparty agreements and employment agreements need to be updated? Contractors can measure their responses to these and similar questions against the November NIST Special Publication, and begin the process of anticipating the new requirements and even gaining a competitive edge through early adoption. 68