Inside DOJ’s New Cyber-Fraud InitiativeThe Department of Justice (DOJ) recently announced the launch of the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. Key features of and takeaways from this new initiative are discussed below.

Key Features 

  • The initiative aims to hold accountable entities or individuals that put U.S. information or systems at risk by (1) knowingly providing deficient cybersecurity products or services, (2) knowingly misrepresenting their cybersecurity practices or protocols, or (3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
  • The initiative will utilize the FCA — which “is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations” — to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA includes a unique whistleblower provision that “allows private parties to assist the government in identifying and pursing fraudulent conduct and to share in any recovery and protects whistleblowers . . . from retaliation.”
  • The creation of the initiative “is a direct result of the department’s ongoing comprehensive cyber review, ordered by Deputy Attorney General Monaco this past May.” The review is “aimed at developing actionable recommendations to enhance and expand” DOJ’s efforts against cyber threats.
  • The initiative will be led by the DOJ Civil Division’s Commercial Litigation Branch, Fraud Section, but DOJ will work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

Key Takeaways

In 2019, a federal district court signaled for the first time that cybersecurity compliance by government contractors could be the subject of an FCA lawsuit (see United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.). In December of 2020 and February of 2021, DOJ officials remarked publicly that cybersecurity-related fraud is an area where we could see enhanced FCA activity in the near future. In hindsight, these events and remarks foretold DOJ’s formation of the Civil Cyber-Fraud Initiative, which is perhaps the most significant development to date pertaining to DOJ’s increased focus on cybersecurity-related fraud.

This new initiative strongly suggests that DOJ will initiate, and intervene in, more FCA lawsuits involving allegations that government contractors and grant recipients failed to fulfill contractual and other legal requirements relating to cybersecurity. Accordingly, government contractors and grant recipients would be wise to review and strengthen their practices with respect to cybersecurity compliance, education, and reporting.

If you have any questions about this significant development or any related issues, please do not hesitate to contact Aron Beezley or Nathaniel Greeson.

WOSB/EDWOSB Amendments to the FAR Are HereThe Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) recently proposed a series of noteworthy amendments to the Federal Acquisition Regulation (FAR) that impact Women-Owned Small Business (WOSB) concerns and Economically Disadvantaged Women-Owned Small Business (EDWOSB) concerns. The key proposed amendments to the FAR — which pertain to such things as status protests, proposals while a firm is awaiting certification, and sole-source awards — are discussed below.

Background

Section 825(a)(1) of the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015 (15 U.S.C. § 637(m)), Public Law 113–291, requires WOSB and EDWOSB concerns to be certified by the Small Business Administration (SBA), a federal agency, a state government, or a national certifying entity approved by the SBA in the WOSB Program to be eligible for set-aside or sole-source awards. On May 11, 2020, the SBA issued a final rule to implement section 825(a)(1) by amending 13 CFR part 127.

Key Proposed Changes to the FAR

To implement the final rule published by the SBA on May 11, 2020, DoD, GSA, and NASA are proposing to make a series of amendments to the FAR, including the following:

  • Changes are proposed to FAR 2.101, Definitions, to update the definition of EDWOSB and WOSB concern eligible under the WOSB Program to add that the concern is certified by the SBA or an approved third-party certifier in accordance with 13 CFR 127.300.
  • Changes are proposed to FAR 19.308(d), Protesting a firm’s status as an EDWOSB concern or WOSB concern eligible under the WOSB Program, to:
    • Require a protest to be submitted by email to the SBA at wosbprotest@sba.gov.
    • Propose deletion of text requiring the SBA to consider protests by contracting officers when the apparent successful offeror has failed to provide all of the required documents, as set forth in FAR 19.1503(c).
  • Changes are also proposed to FAR 19.308 to add the requirement that the protest present evidence that the concern is not at least 51% owned and controlled by one or more economically disadvantaged women “who are United States citizens,” based on the requirements of 13 CFR part 127. The addition of “United States citizens” aligns the FAR text with the SBA’s regulations.
  • FAR 19.1501, Definition, is revised to delete the definition of WOSB Program Repository since the WOSB Program Repository is no longer the source for WOSB Program eligibility as of October 15, 2020.
  • FAR 19.1503, Status, is amended to add the requirement for the contracting officer to verify the designation as a certified WOSB or EDWOSB small business in the Dynamic Small Business Search.
  • FAR 19.1504, Exclusions, is amended at paragraph (b) to replace Federal Prison Industries, Inc., and AbilityOne with “mandatory Government sources (see section 8.002),” since both entities are referenced at FAR 8.002, Priorities for use of mandatory government sources.
  • FAR 19.1505, Set-aside procedures, is amended to allow an offeror to submit an offer while awaiting certification under the WOSB Program. In this regard, the proposed amendments to the FAR also provide that:
    • Within 15 days from the date of the contracting officer’s notification, the SBA will make a determination regarding the offeror’s status as an EDWOSB or WOSB eligible under the WOSB Program.
    • If the contracting officer does not receive a determination from the SBA within 15 days, the contracting officer, at his or her discretion, may provide the SBA additional time to make a determination, or may proceed with award to the next highest evaluated offeror.
    • The contracting officer shall not make award to an offeror who is not a certified EDWOSB or WOSB concern eligible under the WOSB Program.
  • FAR 19.1506, Women-Owned Small Business Program sole-source awards, is amended to:
    • Instruct a contracting officer that a sole-source award can only be made to a concern that has been certified pursuant to 13 CFR 127.300 as an EDWOSB or WOSB eligible under the WOSB Program.
    • Notify contracting officers that they shall not request an eligibility determination from SBA on pending certification applications for EDWOSB or WOSB sole-source awards.

Conclusion

Comments on the proposed amendments to the FAR are due by December 6, 2021.

Bradley will continue to monitor this noteworthy development.  If you have any questions about the topics discussed in this article, please feel free to contact Aron Beezley or Sarah Osborne.

Uncle Sam Wants You! (To Get Vaccinated, If You’re a Federal Contractor): Updated COVID-19 Workplace Safety Guidelines Are HereAs promised, on September 24, 2021, the Safer Federal Workforce Task Force issued Guidance for Federal Contractors and Subcontractors about the implementation of President Biden’s Executive Order 14042, which imposed a vaccine mandate on many federal contractors. Bottom line up front, as the military likes to say, Uncle Sam wants its federal contractors to get vaccinated and, generally speaking, that requirement includes contractor employees not even working on government contracts, if they work close to contractor employees who do.

Background

As we reported in August, the task force issued Model Safety Principles for federal agencies, which required federal contractors who were not vaccinated against COVID-19, or those declining to provide their vaccination status, to wear masks and social-distance inside federal buildings, regardless of community transmission levels. There was also a testing requirement. Fully vaccinated contractors were largely exempt from these requirements, although they still had to wear masks in federal buildings in areas of high or substantial transmission.

Then, on September 9, 2021, President Biden issued the Executive Order, which directed federal agencies to begin amending solicitations and contracts to include a COVID-19 vaccination requirement for federal contractors and subcontractors. The Executive Order applies broadly to services, construction, leasehold interest, or concessions contracts performed in the United States and its outlying areas, and valued above the simplified acquisition threshold, now generally set at $250,000. The Executive Order is silent as to whether it applies to contracts solely for products. Subcontracts solely for the provision of products are, however, specifically excluded. The new contract clause mandated by the Executive Order, which is not yet written, will require contractors to comply with task force guidance and “shall apply to any workplace locations . . . in which an individual is working on or in connection with a Federal Government contract or contract-like instrument.” The term “contract-like instruments” encompasses a broad array of contract types, as defined in a July 2021 Department of Labor Proposed Rule to raise federal contractor minimum wages.

The Executive Order directs the task force to provide guidance regarding “definitions of relevant terms for contractors and subcontractors, explanations of protocols required of contractors and subcontractors to comply with workplace safety guidance, and any exceptions” to that guidance. That guidance is now here.

What does the guidance say?

The guidance is broad and states that workplace safety protocols “will apply to all covered contractor employees, including contractor or subcontractor employees in covered contractor workplaces who are not working on a Federal Government contract or contract-like instrument” (emphasis added).

One provision of the guidance that is getting substantial media attention is the requirement that “[c]overed contractor employees must be fully vaccinated no later than December 8, 2021,” but, as discussed below, the definition of “covered contract” may make this deadline more flexible for some contractors.

A “covered contract,” as defined in the guidance, is one “that includes the clause” required by the Executive Order. The Executive Order, however, states that the requirement will apply to new solicitations and new contracts entered into on or after October 15, 2021. It will also apply to contracts that will be extended, renewed, or have an option exercised on or after that date. Because of the breadth of the definition of “contract-like instrument[s],” federal agencies may view the issuance of task or delivery orders under multiple-award indefinite delivery, indefinite quantity (IDIQ) contracts as triggering the requirement.

The guidance states that agencies must incorporate the contract clause into contracts awarded on or after November 14, 2021, and are encouraged, but not generally required, to include the contract clause in contracts awarded between October 15 and November 14, 2021. For existing contracts and for solicitations issued before the effective dates of the Executive Order, agencies are “strongly encouraged” to ensure that the safety protocols required are consistent with the requirements of the Executive Order. While the guidance is unclear on precisely what action is required by agencies on such contracts, contractors working on an existing contract may not face an implementation requirement unless and until the contracting agency amends the contract in some way. Contractors with awards after November 14, 2021, on the other hand, will.

A “covered contractor employee” is defined as “any full-time or part-time employee of a covered contractor working on or in connection with a covered contract or working at a covered contractor workplace. This includes employees of covered contractors who are not themselves working on or in connection with a covered contract” (emphasis added).

A “covered contractor workplace” is defined as “a location controlled by a covered contractor at which any employee of a covered contractor working on or in connection with a covered contract is likely to be present during the period of performance for a covered contract” (emphasis added). An employee’s residence is specifically excluded from the definition.

So, for contractors with existing contracts and solicitations that do not meet the definition of a “covered contract,” the December 8, 2021, vaccination deadline should not apply until such time as the contractor enters into a “covered contract” or has an existing contract amended, which will include the contract clause. However, it is unclear whether a contractor will be permitted to bid a “covered contract” after December 8, 2021, without achieving vaccine compliance, so ignoring the deadline may have consequences to securing future work. Additionally, as you can see, the definition of what is “covered” by the Executive Order is broad and somewhat ambiguous (and is subject to change as the Labor Department’s Proposed Rule on Federal Contractor minimum wages becomes a Final Rule), so to avoid allegations of non-compliance, federal contractors may be wise to take a strict approach to satisfying the new vaccine requirements.

The FAQs section

The guidance also helpfully includes FAQs. We summarize the most relevant ones here:

  • Remote employees – While a covered contractor employee who works at home need not wear a mask or social-distance, that employee must still comply with the vaccination requirements.
  • Workplaces with a mix of employees If a covered contractor employee works at a building or site where non-covered employees work, the entire building and/or site is considered a covered contractor workplace, which means that all the employees in the building are considered covered contractor employees and, thus, subject to the vaccination requirement — “unless a covered contractor can affirmatively determine that none of its employees in or at one building, site, or facility will come into contact with a covered contractor employee during the period of performance of a covered contract.” According to the guidance, this “would include affirmatively determining that there will be no interactions between covered contractor employees and non-covered contractor employees in those locations during the period of performance on a covered contract, including interactions through use of common areas such as lobbies, security clearance areas, elevators, stairwells, meeting rooms, kitchens, dining areas, and parking garages.”
  • Work “in connection with” a covered contract – An employee is a covered contractor employee, and thus subject to the vaccination requirement, even if not working on a covered contract when that person performs “duties necessary to the performance of the covered contract, but [is] not directly engaged in performing the specific work called for by the covered contract, such as human resources, billing, and legal review” because that work is “in connection with” a covered contract.
  • The guidance applies to outdoor work locations.
  • The contract clause supersedes contrary state or local rules.

What is the takeaway?

The federal government obviously wants to get as many people in the country vaccinated as possible and is using the broad reach of federal contracting to help achieve that goal. Given the contentious nature of the current political debate over COVID-19 vaccines and public health requirements, contractors will likely face a challenge with implementing the requirements of the Executive Order when its requirements are added to their contracts, because failure to implement the requirement could result in a government claim for breach or worse, if a qui tam relator brings a False Claims Act action that alleges a violation of an implied certification of compliance with regulations. Perhaps more frustrating, because the Executive Order states that the contract clause will require adherence to task force guidance, and the guidance may change over time, the exact requirements are likely to evolve. Compliance will, therefore, require continuous attention to this issue.

In the near term, implementation will focus on new contracts and solicitations first, so contractors should likewise focus their compliance efforts on this area. Bradley will continue to monitor this issue and provide further updates as appropriate. If you have any questions about this article, please feel free to contact Patrick Quigley or Aron Beezley.