PRATT'S GOVERNMENT CONTRACTING LAW - Cov


PRATT’S GOVERNMENT CONTRACTING LAW REPORT
AN A.S. PRATT PUBLICATION
DECEMBER 2017
VOL. 3 NO. 12

EDITOR’S NOTE: FALSE CLAIMS ACT
Victoria Prussen Spears

UNDER WHAT CIRCUMSTANCES CAN A PRIVATE QUI TAM PLAINTIFF OVERRULE GOVERNMENT AGENCY EXPERTS’ USE OF ADMINISTRATIVE DISCRETION TO FILE FALSE CLAIMS ACT ACTIONS IN THE POST-ESCOBAR WORLD?
Robert S. Salcido

ONE POTENTIAL REMEDY FOR FALSE CLAIMS ACT OVERREACH?
Alex D. Tomaszczuk, Michael R. Rizzo, James J. Gallagher, and Aaron S. Dyer

DOD ISSUES FURTHER GUIDANCE ON IMPLEMENTATION OF DFARS CYBER RULE
Susan B. Cassidy and Calvin Cohen

DOD CLASS DEVIATION RESCINDS IR&D “TECHNICAL INTERCHANGES” REQUIREMENT
Michael W. Mutek, Paul R. Hurst, and Thomas P. Barletta

IN THE COURTS
Steven A. Meyerowitz



Editor-in-Chief, Editor & Board of Editors

EDITOR-IN-CHIEF
STEVEN A. MEYEROWITZ
President, Meyerowitz Communications Inc.

EDITOR
VICTORIA PRUSSEN SPEARS
Senior Vice President, Meyerowitz Communications Inc.

BOARD OF EDITORS
MARY BETH BOSCO
Partner, Holland & Knight LLP

DARWIN A. HINDMAN III
Shareholder, Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

J. ANDREW HOWARD
Partner, Alston & Bird LLP

KYLE R. JEFCOAT
Counsel, Latham & Watkins LLP

JOHN E. JENSEN
Partner, Pillsbury Winthrop Shaw Pittman LLP

DISMAS LOCARIA
Partner, Venable LLP

MARCIA G. MADSEN
Partner, Mayer Brown LLP

KEVIN P. MULLEN
Partner, Morrison & Foerster LLP

VINCENT J. NAPOLEON
Partner, Nixon Peabody LLP

STUART W. TURNER
Counsel, Arnold & Porter LLP

WALTER A.I. WILSON
Senior Partner, Polsinelli PC


DOD Issues Further Guidance on Implementation of DFARS Cyber Rule

By Susan B. Cassidy and Calvin Cohen*

The Director of the Defense Pricing/Defense Procurement and Acquisition Policy recently issued guidance to Department of Defense acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of National Institute of Standards and Technology Special Publication 800-171. The authors of this article discuss the guidance, which represents a forward-leaning approach to addressing industry concerns and questions with regard to the Defense Federal Acquisition Regulation Supplement Cyber Rule.

The Director of the Defense Pricing/Defense Procurement and Acquisition Policy (“DPAP”) recently issued guidance¹ to Department of Defense (“DOD”) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. The guidance (i) outlines ways in which a contractor may use a System Security Plan (“SSP”) to document implementation of NIST SP 800-171; and (ii) provides examples of how DOD organizations could leverage a contractor’s SSP and related Plan of Action and Milestones (“POA&M”) in the contract formation, administration, and source selection processes.

COVERED DEFENSE INFORMATION (“CDI”)

The guidance states that DOD “must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract.” Although the requirement for DOD to mark data provided to the contractor during performance is clear, the guidance is less clear as to information developed in performance of the contract. In particular, noting a “requirement for the contractor to mark” information developed during performance, without specifying which information needs to be marked (i.e., specifying a particular Contract Data Requirements List (“CDRL”)), presents a compliance challenge and increases the opportunity for miscommunications between DOD and its contractors. The DOD’s slides and statements at the June 2017 Industry Day were more explicit, noting that the DOD must

    [d]ocument in the contract (e.g., Statement of Work, CDRLs) information, including covered defense information, that is required to be developed for performance of the contract, and specify requirements for the contractor to mark, as appropriate, information to be delivered to DoD. (see, e.g., MIL-Handbook 245D, and Contract Data Requirements List (CDRL) (DD Form 1423)).²

Contractors may see additional clarification of this point in the Frequently Asked Questions that DOD is expected to issue soon. Otherwise, contracting personnel may take a narrow view of their responsibilities to identify CDI that will be developed during performance.

IMPLEMENTATION OF NIST 800-171 SECURITY CONTROLS

The guidance recognizes that NIST SP 800-171 provides latitude to contractors for how they choose to implement applicable security controls and for how contractors assess their own compliance with those requirements. DOD recognizes that compliance with NIST SP 800-171 involves both policy/procedures and technical controls. To the extent that a contractor seeks additional clarification as to the interpretation of NIST SP 800-171 security controls, the guidance points contractors to the corresponding NIST SP 800-53 security controls, as well as the 800-53 Supplemental Guidance.

DOCUMENTING COMPLIANCE WITH AN SSP

Under 252.204-7012(b)(2)(ii)(A), contractors “shall implement 800-171, as soon as practical, but not later than December 31, 2017.” Key to that implementation is the 110th security control, which was added in Revision 1 to NIST SP 800-171. This control requires contractors to create an SSP, which “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”

At the June 23, 2017 Industry Day, DOD clarified that if a contractor is not in compliance with all 110 security controls by December 31, 2017, but has an SSP and POA&M that accurately reflect the status of its compliance with those controls, that contractor has “implemented” 800-171 for purposes of the 7012 clause.³ In the guidance, DOD further noted that in addition to a POA&M, the SSP should “describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.” DOD again noted that there is no required format for an SSP and that it may be separate or combined documents.

ROLE OF THE SSP AND POA&M IN CONTRACT FORMULATION, ADMINISTRATION, AND SOURCE SELECTION

Revision 1 to NIST SP 800-171 provides that federal agencies may consider a contractor’s SSP and POA&Ms as “critical inputs to an overall risk management decision to process, store or transmit CUI [controlled unclassified information]” on a contractor’s internal networks. Although not mandatory, agencies will be permitted to use implementation of NIST SP 800-171 as an evaluation criterion. The guidance notes the following examples:

• “Using proposal instructions and corresponding evaluation specifics” as to the implementation of NIST SP 800-171 to permit DOD to determine “whether it is an acceptable or unacceptable risk to process, store, or transmit” CDI on a contractor’s system;
• “Establishing compliance with [Defense Federal Acquisition Regulation Supplement (“DFARS”)] 252.204-7012 as a separate technical evaluation factor”;
• Identifying any NIST SP 800-171 security requirements not implemented at the time of the award and including associated POA&Ms implementation; and/or
• “Identifying in the solicitation that all security requirements in NIST SP 800-171 must be implemented at the time of award.”

Because contractors have objected that SSPs contain highly sensitive data about their networks, the guidance suggests that contracting officers incorporate the SSPs by reference as part of the contract. Thus, the accuracy of the SSPs and compliance with the POA&Ms are crucial because by incorporating these documents, DOD would make compliance with those documents a contractual obligation. This contractual obligation is further exacerbated by DFARS 252.204-7008, which provides that by submitting the offer, a contractor is representing that it has implemented the 800-171 security controls, including the requirement for an SSP.

This guidance represents DOD’s forward-leaning approach to addressing industry concerns and questions with regard to the DFARS Cyber Rule. The next iteration of Frequently Asked Questions is expected soon and should provide further guidance to contractors.

* Susan B. Cassidy is a partner at Covington & Burling LLP advising clients on the rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. Calvin Cohen is an associate in the firm’s Government Contracts and Data Privacy and Cyber Security practice groups. The authors may be reached at scassidy@cov.com and ccohen@cov.com, olicyvault/USA002829-17-DPAP.pdf.

² See Cybersecurity Challenges, Protecting DoD’s Unclassified Information, June 23, 2017 Industry Day at Slide 27, available at icMeeting-Jun 23 2017 Final.pdf?ver 2017-06-25-022504-940.

³ See, id., Cybersecurity Challenges, Protecting DoD’s Unclassified Information, June 23, 2017 Industry Day at Slide 46.
