The FAR Council issued a proposed rule that would amend the several FAR provisions and add new clauses to provide guidance on the safe handling of CUI. Public comments on the proposed rule are being accepted until March 17, 2025. The FAR Council intends to provide guidance to contractors on the requirements to mark, safeguard, disseminate, decontrol, and dispose of CUI (“CUI safeguarding”) for every executive branch agency.
The increased concern about ransomware incidents from both quantitative and severity standpoints, spurred the White House to urge corporate business leaders to improve their defenses and resilience posture against ransomware attacks. In a June 2, 2021 open letter to Corporate Executives and Business Leaders (the Letter), Anne Neuberger, the White House Deputy National Security Advisor for Cyber and Emergency Technology, appealed for business leaders to act following on the heels of the President’s directives to federal agencies and contractors.
On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.
The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, (iii)implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.
The 1996 Congressional Review Act has been getting a lot of use since President Trump’s inauguration. On March 27, 2017, President Trump signed House Joint Resolution 37, revoking the “blacklisting regulations” put in place following former President Obama’s July 2014 Executive Order on Fair Pay and Safe Workplaces (EO 13673). As we discussed in an earlier post, the EO and the regulations implementing it directed federal agencies to take into account an employer’s workplace safety and other labor law violations as part of the their procurement decisions.
The CRA is an obscure legislative tool that can rescind recent executive actions, and thereby limit agency authority. Under the CRA, Congress has 60 legislative days (which are counted differently than calendar or business days) to pass a “joint resolution of disapproval” in the House and Senate. Joint resolutions of disapproval cannot be filibustered. A simple majority in both houses of Congress can overturn agency rules and regulations if the president signs the joint resolution.
There were significant questions regarding due process concerns with the blacklisting regulations. Industry strongly criticized the regulations because they allowed agencies to exclude contractors based on mere accusations, such as safety citations that had not yet gone through any adjudicatory proceedings.
Revoking the blacklisting regulations was the first of several actions President Trump and his allies in Congress intend to pursue to reduce the administrative/regulatory burdens on employers.
According to Shakespeare, “What’s done cannot be undone.” This may not be true with respect to many of the regulations implementing President Obama’s Executive Orders.
Let’s look at the fate of the rules implementing Executive Order 13673 (July 2014), formally called “Fair Pay and Safe Workplaces.” The DOL guidance and the FAR provisions implementing this Order were commonly referred to as “the blacklisting rules.”
The final blacklisting rules were published on August 25, 2016. Industry moved quickly to challenge them. An October 24, 2016 preliminary injunction issued by United States District Judge Marcia Crone stopped most of them from going into effect. Judge Crone’s order cites two constitutional problems with the blacklisting rules. First, they likely violate contractors’ due process rights because they require contractors to report mere allegations of labor law violations without the benefit of judicial or quasi-judicial safeguards to contest them. Second, they likely violate contractors’ First Amendment rights because they require contractors to “to report that they have violated one or more labor laws and to identify publicly the ‘labor law violated’ along with the case number and agency that has allegedly so found” even when there had been no adjudication.
The FAR Council and the Department of Labor have published the final versions of their respective final rule and DOL guidance implementing the President’s July 2014 Executive Order entitled “Fair Pay and Safe Workplaces”—EO 13673.
Detractors frequently refer to EO 13673 as the “Blacklisting” or “Bad Actors” Executive Order. The order and the new regulations purport to promote efficiency in government procurement by ensuring that federal agencies contract only with “responsible” contractors that comply with federal and state workplace protection laws.
This objective is already a well-established requirement of the government’s procurement rules. The regulations impose additional administrative burdens on current and future contractors, adding an element of uncertainty to future contract award decisions, but only achieving marginal improvements in workplace law compliance.