On March 18, 2020, the President issued an Executive Order on Prioritizing and Allocating Health and Medical Resources to Respond to the Spread of COVID-19 (the “EO”). The EO was issued pursuant to the Defense Production Act of 1950 (50 U.S.C. §4501 et seq.) (“DPA”), which allows the President to invoke special federal contracting powers to address shortages in medical resources needed to respond to the COVID-19 pandemic. The EO specifically mentions personal protective equipment and ventilators as necessary to curb the spread of COVID-19, but also delegates authority to the Secretary of Health and Human Services (“HHS”) to identify additional necessary health and medical resources such as drugs, medical devices, health supplies, and health services and equipment.
Continue Reading Presidential Executive Order Calls on HHS to Issue Priority Contracts and Allocate Scarce Medical Resources

Reprinted from The Government Contractor, with permission of Thomson Reuters. Copyright © 2017. Further use without the permission of West is prohibited. For further information about this publication, please visit http://legalsolutions.thomsonreuters.com, or call 800.328.9352.

The Department of Defense final rule for safeguarding covered defense information requires contractors to implement the security controls in National Institute of Standards and Technology Special Publication 800-171 by December 31. See 81 Fed. Reg. 72986; Chierichella, Bourne and Biancuzzo, Feature Comment, “Achieving Cyber-Fitness In 2017: Part 1—Planning For Compliance,” 59 GC ¶ 25. In enacting the final rule, the drafters created “[n]o new oversight paradigm” or certification requirement. 81 Fed. Reg. 72990. More recently, in response to questions from industry on compliance with NIST SP 800-171, DOD stated,

The rule does not require “certification” of any kind, either by DoD or any other firm professing to provide compliance, assessment, or certification services for DoD or Federal contractors. Nor will DoD give any credence to 3rd party assessments or certifications—by signing the contract, the contractor agrees to comply with the terms of the contract. It is up to the contractor to determine that their systems meet the requirements.

Some companies with limited cybersecurity expertise may choose to seek outside assistance in determining how best to meet and implement the NIST SP 800-171 requirements in their company. But, once the company has implemented the requirements, there is no need to have a separate entity assess or certify that the company is compliant with NIST SP 800-171.
Continue Reading Achieving Cyber-Fitness in 2017: Part 3—Proving Compliance and the Role of Third-Party Auditors