In January, the OMB implemented the following new policies designed to strengthen the federal contracting system.
On January 10, 2023, the OMB issued a memorandum on the subject of Strengthening Support for Federal Contract Labor Practices. The memorandum addresses a regulatory gap: FAR 22.001 defines the role of “agency labor advisor,” but “there is no government-wide guidance addressing the designation of these individuals.” Moving forward, however, all Chief Financial Officer Act agencies “shall” designate an agency labor advisor, and all other agencies “should” do the same. These names are to be reported to the Department of Labor (DOL), which will publicize the names on its own website and on SAM.gov. The memorandum also establishes the Contract Labor Advisor Group (CLAG), to be managed by DOL and OMB. Of note, one of the responsibilities of the CLAG will be to advise the FAR Council on labor-related rules. Given that nearly all federal contractors are required to have some interface with contract labor law requirements to varying degrees, the long-term impact of this new policy may be broad, if indirect.
On January 19, the OMB also issued a memorandum regarding Federal Acquisition Certification in Contracting (FAC-C) Modernization, which updates the FAC-C certification to the FAC-C (Professional). The FAC-C has existed since 2006 and was last updated in 2014. This latest iteration, the FAC-C (Professional), is designed to achieve parity with the DoD’s Defense Acquisition Workforce Improvement Act (DAWIA) certification. Because the certification revamp makes the certifications of DoD and civilian contracting professionals equivalent, this policy change has the ultimate goal of fostering mobility across the federal government. Like the new labor advisor policy, this doesn’t impact contractors directly, but contractors can hope that their counterparts on the government side will benefit from better training and greater knowledge.
Contractors who work with the Department of Veterans Affairs (VA) should pay close attention to the agency’s new cybersecurity rules. On January 25, 2023, VA published its final rules. FAR 52.204-21 has long been the baseline cybersecurity contract clause in federal contracts, but individual agencies—most notably DoD—have enacted additional rules. VA joins that group with a number of new contract clauses. The rules create a new subpart, VAAR 804.19, that states all “[c]ontractors, subcontractors, business associates, and their employees who are users of VA information or information systems, or have access to VA information and VA sensitive information” must comply with the rules. VAAR 804.1970. Given the broad definitions of these terms, these new rules would apply to nearly any VA contractor that requires a computer to perform. Other notable aspects of the new rules include:
- Imposition of liquidated damages for a data breach involving “VA sensitive personal information.” VAAR Subpart 811.5.
- Application of VA Directive 6500, VA Cybersecurity Program, VA Handbook 6500.6, Contract Security, and National Institute of Standards and Technology guidelines to ensure adequate security controls. VAAR Subpart 839.1.
- Inclusion in many contracts of the Information and Information Systems Security clause. VAAR 852.204-71. This lengthy clause imposes the controls in VA Directive 6500, requires Business Associate Agreements between prime and subcontractors to ensure protection of protected health information (PHI), and addresses reporting requirements for cybersecurity incidents, training, data destruction, inspection rights, and a number of other topics.
These are only the highlights. In short, the new VA cybersecurity rules are extensive, and any current or prospective VA contractors should take a close look to ensure that they are compliant. The new rules take effect on February 24, 2023.
Effective January 10, 2023, SBA took over certification of SDVOSBs and VOSBs from VA. This is a significant change in the certification rules, and all existing or prospective SDVOSBs and VOSBs should take note. The first change is that there is no more self-certification for SDVOSBs. Second, the timeline to expiration of existing certifications depends on whether the firm was VA-certified or self-certified. SBA’s new VetCert webpage states that SDVOSB and VOSB certifications already issued by VA will remain in place through the end of their eligibility period, but will also receive “a one-time, one-year extension of certification” that will tack on an additional year “to the existing eligibility period of a current participant.” For self-certified SDVOSBs, there is a grace period for eligibility that lasts until January 1, 2024, during which the firm must apply for certification by SBA. The grace period will last beyond January 1, 2024, until a final eligibility decision is reached, as long as the application for SDVOSB certification is filed with SBA prior to that date.
The Biden administration released its fall 2022 regulatory agenda. The agenda is comprehensive, covering dozens of agencies and hundreds of proposed and pending regulations. While many of these affect contractors, several related to cybersecurity are of particular interest:
- The agenda reveals that DoD intends to release a notice of proposed rulemaking for its long-touted Cybersecurity Maturity Model Certification (CMMC) Framework in May 2023. DoD proposes a rule “to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats.” This new rule comes on the heels of a major revision to the framework after a 2021 internal review and will likely delay full implementation of CMMC until 2024.
- Somewhat related is a notice of proposed rulemaking for DIB Cybersecurity (CS) Activities, set for release in April 2023. This proposed rule “would allow all defense contractors who process, store, develop, or transit DoD controlled unclassified information to be eligible for the program and to receive cyber threat information.” Under current regulations, cyber threat information is provided only to cleared defense contractors.
DoD extended the Section 890 Pilot Program to Accelerate Contracting and Pricing Processes. The program was authorized in Section 890 of the 2019 NDAA, and this new class deviation rescinds and supersedes the previous one. The pilot program is designed to allow “price reasonableness determinations to be based on actual cost and pricing data for purchases of the same or similar products for the DoD, and a reduction of the cost and pricing data to be submitted in accordance with FAR 15.403-4.” It is aimed toward contract actions “of a recurring nature” and for which there is a history of reliable “actual cost data.” The class deviation remains in effect until January 2, 2024.
Effective January 1–June 30, 2023, the interest rate on late payments under the Contract Disputes Act and the Prompt Payment Act has been raised to 4.625% per annum. This is an increase of nearly 20% over the July–December 2022 rate and keeps the interest rate at the highest rate in more than a decade.
As explained in greater detail by Venable in this alert, the U.S. Court of Appeals for the Federal Circuit further clarified the U.S. Court of Federal Claims’ jurisdiction over task or delivery order awards. In 22nd Century Technologies, Inc. v. United States, No. 2022-1275, the Federal Circuit held that the Court of Federal Claims has no bid protest jurisdiction over appeals of size protests arising from the award of a task or delivery order. Under the Federal Acquisition Streamlining Act (FASA) of 1994, the Court of Federal Claims is generally barred from hearing bid protests in connection with task or delivery orders. Here, the protest originated before SBA’s Office of Hearings and Appeals (OHA) as a size protest. OHA determined that 22nd Century was other than small, resulting in the Army terminating its task order. Typically, the Court of Federal Claims has jurisdiction over appeals of size protests from OHA—here, 22nd Century filed a bid protest challenging both the size determination and the termination of the task order, but the court dismissed for lack of jurisdiction under FASA. On appeal, the Federal Circuit affirmed the trial court decision, holding that FASA bars the claims court’s jurisdiction over size protests that are connected with the issuance of a task or delivery order. In addition, the Federal Circuit held that the Contract Disputes Act (CDA) does not give jurisdiction to the Court of Federal Claims to enjoin termination of a contract.
In Kentucky v. Biden, No. 21-6147, the U.S. Court of Appeals for the Sixth Circuit affirmed a District of Kentucky decision that enjoined the government from enforcing its contractor vaccine mandate in Kentucky, Ohio, and Tennessee. The history of this case dates to EO 14042, issued on September 9, 2021, that required nearly all employees of federal contractors to be vaccinated against COVID-19. This is the third federal circuit court to enjoin enforcement of the vaccine mandate—the Fifth and Eleventh Circuits issued similar opinions in 2022. Enforcement of EO 14042 is still on hold, and it looks increasingly like the order will never be enforced. However, contractors are encouraged to pay close attention to other federal, state, and local guidance and requirements, their own contracts, and the Safer Federal Workforce website for additional information regarding the coronavirus.
In contrast, in Arizona v. Walsh, No. CV-22-00213-PHX-JJT, the U.S. Federal Court for the District of Arizona dismissed a suit seeking to enjoin EO 14026 and its accompanying final rule, issued by President Biden, which increased the minimum wage for federal contractors. In that case, the plaintiff brought a number of counts, including that the executive order exceeded the President’s authority under the Federal Property and Administrative Services Act (FPASA) of 1949, that the rule was arbitrary and capricious in violation of the Administrative Procedure Act, that the FPASA itself violated the non-delegation doctrine, and that the executive order and final rule were unconstitutional. The court disagreed on all points and dismissed the case. No appeal has been filed as of this date; however, a similar case out of the District of Colorado denying a preliminary injunction against the wage increase is currently on appeal to the U.S. Court of Appeals for the Tenth Circuit.