Fourth Quarter 2023 Government Contracts Policy and Regulatory Review

At a Glance

• On October 25, 2023, the Office of Management and Budget (OMB) issued M-24-02 to further guide federal agencies in implementing the Build America, Buy America Act (BABA) and understanding the applicability of BABA to federal financial assistance programs.
• The FAR Council proposed two new rules to heighten cybersecurity requirements for contractors.
• The DoD published a final rule limiting the FAR and DFARS clauses that can be flowed down in subcontracts for commercial items.

A busy fourth quarter of 2023 gave government contractors plenty to think about as the calendar flips to 2024. We review some of these key developments below.

The Small Business Administration and Affirmative Action, Continued

Litigation continues over the Small Business Administration’s (SBA) 8(a) Business Development program in the U.S. District Court for the Eastern District of Tennessee. We summarized the Tennessee court’s July 2023 decision striking down the program’s rebuttable presumption of social disadvantage as unconstitutional in Ultima Servs. Corp. v. U.S. Dep’t of Agric. here. The SBA responded to that decision with a press release and updated guidance, emphasizing that the program would continue. Plaintiff Ultima Services Corporation has since filed a motion asking the court to enjoin the federal government from using the 8(a) program in the administrative and technical support industry and to also enjoin the federal government from awarding, completing, modifying or exercising options on any 8(a) contracts involving 8(a) entities who entered the program based on the rebuttable presumption, among other things. The federal government filed a response opposing Ultima’s motion, arguing that Ultima is not entitled to an injunction eliminating a program that does not use a race-based presumption and that Ultima does not suffer any cognizable harm from the presumption-free 8(a) program.

The Tennessee court has yet to issue its ruling on the motion. Faegre Drinker is available to discuss this case and its ongoing implications and will cover the court’s decision once it is issued.

Office of Management and Budget Issues Additional Build America, Buy America Guidance

On October 25, 2023, the Office of Management and Budget (OMB) issued M-24-02 to further guide federal agencies in implementing the Build America, Buy America Act (BABA) and understanding the applicability of BABA to federal financial assistance programs. Most notably, M-24-02 “rescinds and replaces” OMB’s initial BABA guidance (OMB Memorandum M-22-11) and makes clear that agencies should instead refer to the guidance codified at 2 CFR Part 184. We summarized the key points included in that guidance in “OMB Issues Final Guidance on BABA Domestic Sourcing Requirements.” 

M-24-02 also provides additional guidance on the issuance of BABA waivers. M-24-02 makes clear that every waiver, including public interest waivers, nonavailability waivers and unreasonable cost waivers, must be reviewed by the Made in America Office (MIAO) and details the categories of information that must be included in a waiver request. The point of including this information, M-24-02 provides, “is to demonstrate the agency’s due diligence, and provide MIAO with sufficient information to determine whether the proposed waiver is consistent with law and policy.” Contractors asking the awarding agency to seek such a waiver should consider including some of this information in their request. For example, a contractor seeking a nonavailability waiver should include a description of the efforts it made to source Buy America compliant types of iron, steel, manufactured products or construction materials in an attempt to avoid the need for a waiver. The Faegre Drinker team can help contractors assess their potential eligibility for BABA waivers and assist contractors in seeking a waiver.

Federal Acquisition Regulation Council Issues Rule Requiring Supply Chain Review

On October 5, 2023, the Federal Acquisition Regulation (FAR) Council issued an interim rule requiring contractors to review their supply chains and ensure that no companies, products or services that they are providing to the federal government or otherwise using in the performance of a contract have been excluded by the Federal Acquisition Security Council (FASC). This interim rule went into effect on December 4, 2023, and creates several new FAR clauses. 

For example, FAR 52.204-28 applies to federal supply schedules, government-wide acquisition contracts and multiagency contracts, and requires contractors to comply with any Federal Acquisition Supply Chain Security Act (FASCSA) exclusion order and to also remove any company, product or service from their supply chain if directed to do so by the contracting officer. FAR 52.204-29 applies to all contracts not covered by FAR 52.204-28, and generally prohibits contractors from utilizing or providing a prohibited product or service. Contractors that want to provide or use a prohibited product or service must disclose the name of the prohibited product or service and its reasons for using it so that the contracting officer can decide whether to pursue a waiver. FAR 52.204-30 applies to all solicitations and contracts and prohibits the use or provision of a product or service if an applicable FASCSA exclusion order applies. This clause requires contractors to search for exclusion orders in SAM and to disclose if they intend to use or provide products or services that may be impacted by one of these orders. FAR 52.204-30 also requires contractors to review SAM once every three months during contract performance to determine whether a new exclusion order has been issued and, if so, make a reasonable inquiry to determine whether that exclusion order impacts the existing contract. The Faegre Drinker team is staying tuned to see how these new requirements will be enforced and is available to help contractors navigate these new regulations in the new year.

A Brave New World: White House and OMB Publish Artificial Intelligence Guidance

The fourth quarter brought two key developments regarding government use of artificial intelligence (AI) technology. First, on October 30, 2023, the White House issued its “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” The fact sheet accompanying the Executive Order explains that the Order “establishes new standards for AI safety and security, protects Americans’ privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world, and more.” The Order specifically directs the Secretary of Labor to “publish guidance for federal contractors regarding nondiscrimination in hiring involving AI and other technology-based hiring systems.” But the impacts of AI on government contractors are sure to be further reaching. The second key development — OMB’s issuance of a “Proposed Memorandum for the Heads of Executive Departments and Agencies” on November 1 — directs “agencies to advance AI governance and innovation while managing risks from the use of AI, particularly those affecting the safety and rights of the public.” The Memorandum lists “a series of recommendations for managing AI risks in the context of Federal procurement,” including recommendations for transparency and performance improvement, for promoting competition in the procurement of AI, and for responsibly procuring generative AI. Faegre Drinker anticipates that OMB will release more detailed guidance on these efforts to incorporate AI into federal procurement in 2024. In the meantime, contractors curious to hear more about AI can reach out to Faegre Drinker’s artificial intelligence, algorithmic decision-making and big data (AI-X) team.

Proposed Cybersecurity Rules Signal Heightened Compliance Requirements

October 2023 was a landmark month for contractors and cybersecurity, as the FAR Council proposed two new cybersecurity rules. The first proposed rule addresses cyber threat reporting and information sharing and would require the inclusion of a new FAR clause, FAR 52.239-ZZ, in all prime contracts and subcontracts that use “information and communications technology” (ICT). ICT would be defined as “information technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content.” Because approximately 75% of contracts awarded use ICT, the impact of this new clause could be far reaching. FAR 52.239-ZZ would require contractors to:

• “Immediately and thoroughly investigate all indicators that a security incident may have occurred” and report a security incident through a Cybersecurity and Infrastructure Security Agency (CISA) portal within eight hours of discovering the incident
• Collect and preserve all available data relevant to the security incident
• Maintain “an up-to-date collection of customizations that differ from manufacturer defaults on devices, computer software, applications, and services”
• Maintain a software bill of materials for any software used in the performance of the contract
• Assist the contracting agency and federal investigators with investigating a cyber security incident
• Subscribe to CISA’s Automated Indicator Sharing program where the contractor would be required to share cyber threat indicators and defensive measures
• Implement IPv6 if using “internet protocols”

Together with the CISA reporting requirement, contractors must notify the applicable contracting officer for the contract, and any contracting officers or ordering officers of any agency that placed an affected order under a contract for which an incident report has been submitted to CISA. The rule does not identify a timeline for reporting the potential incident to the affected contracting officers. However, under the rule, CISA must share the information reported “with any contracting agency potentially affected by the incident or by a vulnerability revealed by the incident,” as well as law enforcement.

The second proposed rule is an attempt to standardize contractual cybersecurity requirements across federal agencies and would create two new FAR clauses, FAR 52.239-YY, “Federal Information Systems Using Non-Cloud Computing Services,” and FAR 52.239-XX, “Federal Information Systems Using Cloud Computing Services.” The two clauses are similar in their requirements, the only real difference being that the former would have to be included in contracts acquiring federal information systems (FIS) services that include or may use non-cloud computing services during contract performance, while the later would have to be included in contracts acquiring FIS services that include or may use cloud computing services during contract performance. Both would require contractors to indemnify the government from “any liability that arises out of the performance of the contract and is incurred because of the contractor’s introduction of certain information or matter into government data or the contractor’s unauthorized disclosure of certain information or material,” and would also require contractors to “waive any and all defenses that may be asserted for its benefit.” Under either clause, contractors would also be required to allow for timely and full access to their data for purposes of audit and investigation, to maintain a system security plan, to apply National Institute of Standards and Technology (NIST) guidance when managing certain activities related to FIS, among other things.

A contractor designated as a moderate or high FIPS PUB 199 impact level must also perform, at least yearly, cyber threat hunting and vulnerability assessments to investigate for cybersecurity risks, vulnerabilities and indicators of compromise. Contractors must present the contracting officer with the results of both assessments, including any proposed improvements or risk mitigations identified for the FIS.

The deadline for comment submission is February 2, 2024. That means these two rules likely won’t be finalized until at least mid-2024. In the meantime, contractors should review their own cybersecurity practices to prepare to comply with these heightened requirements.

New Flow Down Rules for Department of Defense Commercial Items Contracts

In November 2023, the Department of Defense (DoD) published a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to limit the FAR and DFARS clauses that can be flowed down in subcontracts for commercial items. Specifically, DFARS 252.244-7000 now provides:

The Contractor shall not include the terms of any Federal Acquisition Regulation (FAR) clause or Defense Federal Acquisition Regulation Supplement (DFARS) clause in subcontracts for commercial products or commercial services at any tier under this contract, unless 

(1) For DFARS clauses, it is so specified in the particular clause; or

(2) For FAR clauses, the clause is listed at FAR 12.301(d) or it is so specified in paragraph (e)(1) of the clause at FAR 52.212-5 or paragraph (b)(1) of the clause at FAR 52.244-6, as applicable. (Section 847(b)(1)(B), Pub. L. 114-328)

This revised provision removes any discretion that prime contractors may have had to flow down additional terms to commercial subcontractors. The Final Rule also amends DFARS 212.301(f) to say that “the contracting officer shall not use other FAR or DFARS provisions and clauses unless required by the FAR or DFARS or consistent with customary commercial practices.” Similar to the revisions made to DFARS 252.244-7000, this revision limits a contracting officer’s discretion to flow down additional terms to commercial subcontractors. This Final Rule applies to all DoD commercial item contracts and solicitations made after November 17, 2023, and is sure to have significant impacts on prime contractors and subcontractors alike.

This year may finally bring defense contractors a definition of “subcontract” and “subcontractors.” In the same Final Rule, DoD explained that it had initiated a separate case dedicated to arriving at a definition of “subcontract” and “subcontractors” consistent with the proposed FAR definition. A streamlined definition will (hopefully) clarify the distinction between subcontractors and vendors or suppliers for defense contractors, making it easier to navigate flow down clauses and other related compliance requirements. 

Faegre Drinker is available to assist both prime contractors and subcontractors in assessing what clauses may flow down to their commercial item contracts under this new rule.

The Office of Management and Budget Completes its Review of the Uniform Guidance

In October 2023, the OMB completed its once every-five-years review of the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. These requirements — commonly referred to as the “Uniform Guidance” — are codified at 2 C.F.R. § 200 and apply to nearly all federal financial assistance programs. OMB’s proposed revisions to the Uniform Guidance are extensive and include changes to basic definitions, mandatory disclosure requirements, prior approval requirements, and indirect cost rates and negotiations. Contractors interested in learning how these proposed revisions may affect their businesses should contact a member of the Faegre Drinker team.

Updates to the Davis-Bacon and Related Acts Faces Legal Challenges

In August 2023, the Department of Labor (DOL) announced new regulations designed to update and modernize the Davis-Bacon and Related Acts (DBRA). Those regulations went into effect on October 23, 2023, and were immediately met with legal challenges from industry groups like Associated Builders and Contractors. These challenges allege that the regulations “improperly” depart from “authoritative judicial interpretations of the Davis-Bacon Act” and seek “unlawfully to expand the Act’s coverage and enforcement provisions,” while also rewriting DOL’s “longstanding policies in an arbitrary and capricious manner.” At this point, it is unclear how these lawsuits may impact the rollout of DOL’s new regulations, but the Faegre Drinker team will continue to provide updates as litigation progresses.

Looking Ahead in 2024

Contractors should expect sustainable procurement to remain a point of emphasis in 2024. For example, at the direction of the White House, in 2024, agencies will start to consider the Social Cost of Greenhouse Gases (SC-GHG) — a measurement of the known damages that greenhouse gas emissions from a particular project will cause across society — in their procurement processes. Contractors should start thinking about ways to include SC-GHG measurements in their proposals.