Compliance Issues

This is the tenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, sixth, seventh, eighth, and ninth blogs described the actions taken by various Government agencies to implement the EO from June 2021 through January 2022, respectively.

This blog summarizes key actions taken to implement the Cyber EO during February 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within the Government.  However, these activities portend further actions in March 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

NIST Publishes Guidance to Federal Agencies on Practices to Enhance Supply Chain Security When Procuring Software

Section 4(e) of the Cyber EO requires the National Institute of Standards and Technology (NIST) to publish guidelines on practices for software supply chain security for use by U.S. Government acquisition and procurement officials.  Section 4(k) of the EO requires the Office of Management and Budget, within 30 days of the publication of this guidance (or March 4, 2022), to “take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of the EO.”  Section 4(n) of the EO states that within one year of the date of the EO (or May 12, 2023), “the Secretary of Homeland Security…shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.”

NIST issued the Supply Chain Security Guidance called for by Section 4(e) of the EO on February 4, 2022.  The Supply Chain Security Guidance states that it “provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development throughout the software life cycle,” and that “[t]hese recommendations are intended to help federal agencies gather the information they need from software producers in a form they can use to make risk-based decisions about procuring software.”  The scope of the Supply Chain Security Guidance is expressly limited to “federal agency procurement of software, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”  The Guidance further provides that “the location of the implemented software, such as on-premises or cloud-hosted, is irrelevant,” and also excludes open source software and software developed by federal agencies.  However, open-source software that is bundled, integrated, or otherwise used by software purchased by a federal agency is within the scope of the Guidance.

The Supply Chain Security Guidance defines minimum recommendations for federal agencies as they acquire software or a product containing software:

  1. Use the Secure Software Development Framework (SSDF) terminology and structure to organize communications about secure software development requirements.
  2. Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle.
  3. Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required.
  4. When requesting artifacts of conformance, request high-level artifacts.

Continue Reading February 2022 Developments Under President Biden’s Cybersecurity Executive Order

On December 22, 2021, the Defense Security Cooperation Agency (DSCA) announced the Fiscal Year 2021 transaction figures for the Foreign Military Sales (FMS) Program, reporting $34.8 billion in total transaction value.  FMS declined for the second consecutive year, down 31 percent from $50.8 billion in transactions in FY 2020.  The 2021 figure represents the lowest volume of FMS transactions since FY 2016.

As recently as FY 2019, FMS program sales totaled $55.4 billion, with a $51 billion average transaction value from 2017-2019.  FMS transactions slipped slightly in FY 2020 to $50.8 billion but then cratered this past year.  Because FMS program sales figures fluctuate annually due to a few, high-value transactions, DSCA includes three-year rolling averages in their annual reports rather than only single year fluctuations.  For example, FMS sales declined 28 percent in FY 2016 before recouping most of those losses the next year.  Therefore, the significant 2021 decline may be an anomaly.  Even though 2021 FMS numbers may recover quickly, several notable takeaways remain.

First, the steep decline in FMS in FY 2021 may not signal a decrease in America’s commitment to its global allies.  Indeed, even though FMS declined by 31 percent, the United States increased funding to the Foreign Military Financing (FMF) program from $3.3 billion to $3.8 billion.  In addition, U.S. contributions to the Building Partner Capacity programs remained relatively steady, declining slightly from $2.69 billion to $2.34 billion.  The decrease in overall FMS figures was driven by a 36 percent fall in foreign government-funded transactions.

Second, Direct Commercial Sales (DCS) arrangements between U.S. defense contractors and foreign governments dropped 16.8 percent in FY 2021, from $124.3 billion in FY 2020 to $103.4 billion.  FMS involve the U.S. government directly procuring defense materiel or services before transferring materiel or services to a foreign defense ministry.  In contrast, DCS do not involve the U.S. as a contractual party.  The U.S. government oversees DCS, and U.S. export controls laws govern all DCS.  But, compared to its direct involvement in FMS, the U.S. government’s oversight of DCS is primarily indirect.  Therefore, the decline in DCS may indicate that the budgetary concerns of America’s allies drove the contemporaneous decline in FMS more than the Pentagon’s shifting priorities did.

Third, certain critical factors may impede FMS figures from rebounding quickly in FY 2022.  Besides the COVID-19 pandemic’s ongoing impact on national defense budgets, the country-by-country figures published by DSCA reveal areas for potential regression in FY 2022.  For example, the FY 2021 figures included approximately $1.26 billion in sales to Afghanistan, an amount that likely will decrease given the recent regime change.  The FY 2021 numbers include a $1.5 billion allocation to France, which appears to have been boosted by an unusually large $1.3 billion transaction to supply aircraft launch and recovery equipment for France’s naval carrier program.  In FY 2022, U.S. sales to France may regress closer to $220 million, the average for transactions with France from the preceding four years.  Germany also entered into an unusually large $1.7 billion FMS contract for P-8A aircraft and accompanying services and equipment.

On the other hand, the United States’ recent commitment to support Australia’s submarine program may offset decreases in U.S. arms sales to countries like Afghanistan, France, and Germany in the long term.  The 2021 agreement between the United States and the United Kingdom to deliver nuclear submarines to Australia will likely have a lasting impact on U.S. defense exports.  Still, the budgetary impact of those commitments on DSCA programs remains uncertain.
Continue Reading U.S. Foreign Military Sales Down Over Thirty Percent in FY 2021

On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices.  The new law amends the state’s civil rights law
Continue Reading New York Requires Businesses To Notify Employees of Electronic Monitoring

If there is a silver lining to most crises, the accelerated move toward digitized commerce globally and in Africa may be one positive outcome of the COVID-enforced lockdown. It is welcome news there that the South African Minister of Communications and Digital Technologies (“Minister”) published the Draft National Data and
Continue Reading Overview of South Africa’s Draft National Data and Cloud Policy

Our Africa Anti-Corruption Practice has previously outlined key considerations for handling internal investigations and remediation of compliance issues in Africa.  Here, we take a closer look at a particular aspect of remediation, the root cause analysis.  After the dust settles on an investigation identifying misconduct, a root cause analysis can
Continue Reading Africa Compliance Minute Series – Getting to the Root of the Problem: Considerations for Conducting an Effective Root Cause Analysis

Federal government contractors face many uncertainties as they implement President Biden’s COVID-19 vaccine mandate. This includes the distinct possibility of civil lawsuits arising out of their implementation of the mandate, including potential allegations of invasion of privacy, wrongful termination, lost wages, discrimination, personal injury or other common law claims
Continue Reading Are Federal Contractors Immunized From Vaccination Litigation? Mitigating The Risk Of Civil Liabilities Arising Out Of The COVID-19 Vaccine Mandate

This is the fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity”, issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, and fourth blogs described
Continue Reading September 2021 Developments Under President Biden’s Cybersecurity Executive Order

On September 24, the Safer Federal Workforce Task Force released guidance on workplace safety protocols for federal contractors and subcontractors related to COVID-19 (“the Guidance”).  The Guidance was issued pursuant to President Biden’s Executive Order on Ensuring Adequate COVID Safety Protocols for Federal Contractors.

As expected, the Guidance covers
Continue Reading Task Force Releases Guidance on New COVID-19 Vaccine Mandate for Federal Contractors

On September 9, the Biden Administration released a number of new details for its Path out of the Pandemic that will impact U.S. Government contractors and a number of other individuals and entities.  In addition to requiring most executive agency employees to receive COVID-19 vaccines, the Administration plans to
Continue Reading COVID-19 Vaccine Requirements for U.S. Government Contractors

Continue Reading Rescissions of Policy Statements Illustrate Continued About-Face at CFPB