Proposed Internet of Things Cybersecurity Bill May Create Hurdles for Government Contractors

The federal government has dramatically increased its spending in recent years on Internet of Things (“IoT”) devices, including biosensors that can gather medical and security data from soldiers and vehicles in the field; smart-building applications that reduce energy use (such as desks that automatically power on when an employee scans his or her identification badge upon entering the building); and myriad other devices. Despite its rapid increase in procurement of IoT devices, the government has yet to adequately address critical issues, including risk and uncertainty about privacy and security of the devices.

In response, a bipartisan group of U.S. senators recently introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” to improve the cybersecurity of internet-connected devices.  The bill seeks to impose minimum security requirements on devices purchased by the U.S. government and has widespread industry support.  Although the bill does not apply to consumer devices, industry experts anticipate the proposed legislation is a stepping stone to broader regulation of security and privacy in all IoT devices.

In co-introducing the legislation, Sen. Cory Gardner (R-Colo.) underscored the necessity for strengthening cybersecurity defenses with regard to the government’s purchase of IoT devices, stating: “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks.  This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”

The bill will require agencies to include certain contract clauses in any contract for the acquisition of internet-connected devices.  The proposed contract clauses impose a number of new responsibilities on contractors providing the U.S. government with IoT devices.  For example, vendors will be required to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other precautions.  The bill also indicates contractors will be required to comply with certain “cybersecurity coordinated disclosure requirements” and policies pursuant to agency guidelines to be prepared by the Department of Homeland Security National Protection and Programs Directorate.   

Government contractors who manufacture and/or supply IoT devices to the federal government should monitor the proposed legislation, as its passage will result in new procurement requirements and will impose new and potentially burdensome obligations on contractors.  The bill also may result in increased market competition among manufacturers on the security of their products.  Critically, contractors also should be aware that the bill broadly defines “internet-connected device” as “a physical object that (a) is capable of connecting to and is in regular connection with the Internet; and (b) has computer processing capabilities that can collect, send, or receive data.”  Such an expansive definition will subject a wide range of suppliers and manufacturers to the terms of the legislation, particularly when not only end products but also their components are considered.   

The bill has yet to be scheduled for markup or debate.  Reed Smith will continue to monitor this developing legislation.     

Senate’s Bid Protest Reforms a Step Backwards for Transparency

On July 10, 2017, the U.S. Senate placed the FY 2018 National Defense Authorization Act on its Legislative Calendar. This action means the historically must-pass legislation is now ready for amendment and debate. Just as it did last year, the Senate Armed Services Committee (“SASC”) has included two provisions focused on bid protest reform.  Given the absence of these bid protest reform provisions from the House version of the bill, and the SASC press release and summary touting the Senate bill’s strengths, these provisions are unlikely to make it through to the final version of the bill.  Nonetheless, larger government contractors should take heed of the inclusion of the proposed bid protest provisions, consider appropriately lodging their disagreement with the provisions, and work to ensure they are not included in future legislation – House or Senate.

These provisions would penalize contractors that file unsuccessful bid protests in DoD procurements. First, section 821 would require any defense contractor with revenues of greater than $100 million over the past year, which loses a protest, to pay the government’s costs of processing that protest.  Second, the proposed Senate bill would require incumbent DoD contractors that file protests to have their payments above incurred costs withheld on any bridge or temporary contracts issued, if their protest resulted in the delay requiring a bridge or temporary contract.  Such DoD contractors could then receive the withheld funding if the solicitation is cancelled by the agency or if the GAO upholds the incumbent’s protest.


On the brink of protectionism? Germany tightens rules on foreign investment controls to block unwanted takeovers

On 12 July 2017, the German government adopted new provisions amending the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung “AWV”).

By implementing the new rules, Germany is trying to stop losing know-how to foreign countries by blocking unwanted takeovers by non-European companies. The amendments are regarded as a response to the takeover of German robotics manufacturer Kuka last year by a Chinese company, which could not be prohibited by the German government although know-how concerning key technologies was affected.

In particular, the amendments will allow the government to block takeovers of domestic companies by foreign investors if this could endanger critical infrastructure. In addition, the period for review of potential acquisitions by the German Ministry for Economic Affairs and Energy (“the Ministry”), as the competent authority dealing with foreign investment controls, was extended. Ultimately, rules to prevent the circumvention of relevant laws have been tightened.

Foreign investment controls in Germany come in the form of either ‘sector-specific reviews’ or ‘cross-sector reviews’.

What a New ‘Space Corps’ Military Branch Could Mean for Government Contractors

The House and Senate Armed Services Committees recently completed their respective markups of the 2018 National Defense Authorization Act (NDAA). The House version requires the Pentagon to establish the “U.S. Space Corps” – the first new military branch in 70 years – by January 1, 2019. The proposed Space Corps would fall under the secretary of the U.S. Air Force, but would have a separate and equal member of the Joint Chiefs of Staff, similar to how the Marine Corps is organized under the Department of the Navy.

Supporters of the bill argue that a military branch devoted to space is a necessary response to the United States’ heavy dependence upon satellites for military operations and intelligence. The tracking and defense of U.S. satellites and assets in space is critical, as countries like China and Russia have become increasingly competitive in their space capabilities.


GAO Makes Rare Finding of Error in Past Performance Evaluation, and Underscores Incumbents Are Not Automatically Entitled to Highest Technical Rating

The GAO recently sustained a protest challenging the U.S. Coast Guard’s evaluation of past performance in a task order competition to obtain information technology support services under a multiple-award IDIQ enterprise acquisition gateway for leading edge solutions (EAGLE II) contract. Despite being decided in April, the decision was released recently to the public. SITEC Consulting, LLC, B-413526.4-.7 (April 3, 2017).

The RFQ advised offerors that the government would evaluate “relevant past performance.” The RFQ defined “relevant” as “similar to the IT services in the PWS and similar in nature, scope, size and complexity to the required services.” The RFQ provided an evaluation scheme for past performance that included the following adjectival ratings: “little confidence,” “neutral,” “confidence,” and “significant confidence.” The agency assigned a “confidence” rating to all four offerors’ past performance. Following a tradeoff analysis, the agency awarded the contract to Computer World Services Corporation (CWS).


Your Contract Requires You To Be Named as an Additional Insured: Are You?

Last week, New York joined the ranks of several states that may limit a government contractor’s access to insurance coverage despite being added, as set forth in the contract, as an “additional insured” under a prime or subcontractor’s insurance policy. Generally, it is within the purview of a government contractor to add its prime or subcontractors, or a particular government agency, to its insurance policy as additional insureds, to cover injury resulting from contract performance. In last week’s ruling, New York’s highest court limited the practical effect of such coverage. Although contractors may be added as additional insureds to cover injury sustained during contract performance, insurance companies may restrict coverage to the additional insured for its acts or omissions, unless the primary policyholders are also found to be negligent for the injury. See Burlington Ins. Co. v. NYC Transit Auth., No. 57, 2017 WL 2427300 (N.Y. June 6, 2017).

In Burlington, a government contractor, Breaking Solutions, Inc. (“BSI”), contracted with the NYC Transit Authority to provide tunnel excavation work on a subway project in New York City. As required by its government contract, BSI added the NYC Transit Authority and MTA New York City Transit as additional insureds to its commercial general liability (“CGL”) insurance. After a BSI employee was injured on-site, he sought damages from BSI and the NYC Transit Authority. The NYC Transit Authority attempted to exercise its right to coverage as an additional insured under BSI’s insurance policy. The New York Court of Appeals, however, denied the extension of coverage to the NYC Transit Authority under BSI’s policy on the grounds that the acts and omissions of NYC Transit Authority, not BSI, caused the injury. Consequently, the insurer denied coverage on the grounds that coverage only extended to additional insureds when the primary policyholder was also found to be negligent. In particular, the court considered language in BSI’s policy, adopted from the standard form language drafted by the Insurance Services Office (“ISO”), which limited coverage for additional insured injury “caused, in whole or in part by: 1. [the primary policyholder’s] acts or omissions; or 2. The acts or omissions of those acting on [the primary policyholder’s] behalf.” The court interpreted this language to limit coverage for additional insureds to incidents proximately (legally) caused, in whole or in part, by the primary policyholder’s acts or omissions. The court also rejected arguments that a mere causal link between the actions of the primary policyholder and the injury (“but for” causation) was sufficient for coverage to attach. Instead, relying on the language in the policy, the court explained that the parties could have negotiated language that would have allocated risk between the primary policyholder and additional insured parties, but as written, it did not allow coverage if the primary policyholder was not also legally negligent for the injury.


What VA Contractors Can Expect from Proposed Amendments to VA Acquisition Regulations

In efforts to bring the VA Acquisition Regulation (VAAR) “in line” with Federal Acquisition Regulation (FAR), the US Department of Veterans Affairs (“VA”) has proposed amendments to its acquisition regulation.  The VA proposes to eliminate any procedural guidance from the VAAR that is internal to the VA, to incorporate new regulations and policies, and to revise or remove any policy that has been superseded by changes in the FAR.

The Agency’s proposed rule and procurement reform should be of particular interest for federal health care contractors providing supplies and/or services to the VA, such as health care products, medical devices, pharmaceuticals, or nursing home care services.  The proposed changes may require modifications to contractors’ internal procurement policies and practices when doing business with the VA.  For example, the VA proposes clarifications to the calculation of overtime wages for contractors providing nursing home care to veterans.  Other suggested changes include a prohibition from making reference to VA contracts in commercial advertising, updating policies on improper business practices and personal conflicts of interest, and revamping sealed bidding procedures.

Federal health care contractors impacted by the proposed changes should submit public comments on the proposed rule on or before July 17, 2017 for the Agency’s consideration in formulating the final rule.  To learn more about the proposed amendments to VAAR, click here.

The European Commission Publishes Final Report on E-commerce Inquiry – What it Means for Brand Owners

On 10 May 2017, the European Commission published its final report on its two-year e-commerce sector inquiry (the Final Report).  Many of the conclusions in the Final Report closely follow the Commission’s preliminary report, which were analysed and summarised in our last client alert on the e-commerce inquiry, and were also featured in our webinar on the subject last April.

The Final Report reviews the use of territorial restrictions, geoblocking, restrictions on resellers’ use of online marketplaces, Google AdWords and price comparison sites, provides some warnings on resale price maintenance and some analysis of the current regime of licensing of rights to digital platforms like Netflix and Spotify.  The Commission continues to slowly chip away at e-commerce constrictions across the EU, in its ongoing desire to perfect and liberalise the European internal market.  To learn about the key takeaways from the report, click here.

On-Time Bid Proposals—Not a Second Too Late

Submitting your company’s bid proposal close to the deadline can be risky and have grave consequences. The government has repeatedly rejected proposals submitted before, but received after, the deadline because of technical glitches. In submitting a proposal for a government contract, the onus is on the contractor to ensure that its proposal is received prior to the exact time specified for receipt of proposals. The deadlines set forth in the solicitation are strictly enforced unless: the agency receives the proposal before the contract is awarded, the contracting officer determines that accepting the late proposal would not unduly delay the acquisition, and: (i) the proposal was submitted electronically and received at “the initial point of entry to the Government infrastructure not later than 5:00 p.m. one working day prior to the date specified for the receipt of proposals,” (ii) the proposal was “received at the Government installation” and was “under the Government’s control” before the solicitation deadline, or (iii) it was the only proposal that the Government received. FAR 15.208(b)(1)(i)-(iii). This applies not only to defense and IT contractors, but also to health care companies competing for government contracts. See FAR 15.208(b)(1) (“Any proposal, modification, or revision, that is received at the designated Government office after the exact time specified for receipt of proposals is ‘late’ and will not be considered.”); see also FAR 52.212-1(f)(2) (“offer, modification, revision, or withdrawal of an offer received at the Government’s office designated in the solicitation after the exact time specified for receipt of offers is ‘late’ and will not be considered”).

Online sales restrictions continue to be top enforcement priority in EU

The European Commission recently published its long-awaited final report on its E-commerce Sector Inquiry launched two years ago. Therein, the Commission identifies that pricing limitations, dual pricing (i.e., charging different prices according to the channel through which a product is sold) and platform bans are among the most widespread vertical competition restraints in e-commerce, implemented particularly often in distribution agreements between manufacturers and retailers in Germany. The report contains some helpful guidance on the competition assessment of the individual online sales restrictions. It also comes as a warning: the Commission indicates in the report that it intends to conduct targeted enforcement in the e-commerce sector in the near future, aimed at those business practices with the greatest potential to harm competition.
