On January 21, 2025, President Trump issued an Executive Order revoking Executive Order 11246, which imposes anti-discrimination and affirmative action requirements on federal government contractors and subcontractors. This action, part of the new administration’s broader assault on DEI efforts in the federal government and private sector, may eliminate a significant compliance obligation for federal contractors. However, much remains uncertain about the going forward status of affirmative action requirements in federal contracting.  The new Executive Order requires the Office of Federal Contract Compliance Programs (OFCCP), which administers Executive Order 11246 among other laws, to immediately cease promoting diversity, stop federal contractors and subcontractors from taking affirmative action and end workforce balancing by federal contractors based on race, color sex, sexual preference, religion or national origin. The Executive Order also states that federal contractors shall not consider race, color, sexual preference, religion or national origin “in ways that violate the Nation’s civil rights laws” when making employment, procurement and contracting decisions. The Executive Order states that federal contractors may continue to comply with the regulatory scheme required by Executive Order 11246 until April 20, 2025. OFCCP did not immediately issue guidance on how the new Executive Order impacts contractors’ obligations. Given that OFCCP’s regulations provide that affirmative action goals are not quotas or set-asides, do not supersede merit selection and do not justify making employment decisions in a discriminatory manner, it is unclear how they conflict or would interact with the Executive Order’s prohibition of illegal discrimination and workplace balancing.  With that said, the now-revoked Executive Order 11246 is the source of those OFCCP regulations and contractor race and gender affirmative action obligations. It does not appear that the Executive Order would affect veteran affirmative action plan obligations under the Vietnam Era Veterans’ Readjustment Assistance Act of 1974 (VEVRAA) or disability affirmative action plan obligations under Section 503 of the Rehabilitation Act, given the statutory basis for those requirements. In addition to eliminating Executive Order 11246, the new Executive Order requires that every federal contract or grant award must now include a term certifying that the contractor or award recipient will not operate any programs promoting DEI that violate federal anti-discrimination laws, and a term requiring compliance “in all respects with all applicable Federal anti-discrimination laws.” The Executive Order states that this term is material to the government’s payment decision. This raises the specter of potential whistleblower actions under the False Claims Act against contractors operating allegedly discriminatory programs. The revocation of Executive Order 11246 underlines the extent to which DEI efforts are in the Trump administration’s crosshairs. On the same day as the new Executive Order, the Office of Personnel Management issued a memorandum immediately suspending with pay all federal employees working in agency DEI offices. As other agencies continue to take actions based upon President Trump’s DEI-related executive orders, companies that do business with the federal government will need to pay close attention. While much remains unclear, the new Executive Order will undoubtedly be a sea of change for federal contractors and subcontractors. Polsinelli is available to assist contractors in navigating the changing landscape surrounding affirmative action and other DEI requirements.

In an attempt to contain the continuing COVID-19 pandemic, President Biden issued two Executive Orders on September 9, 2021 that mandate COVID-19 vaccines for federal government employees and employees of federal government contractors. Although key details of these vaccine mandates have yet to be defined, the new measures appear to build on the administration’s recent mandate for vaccination or testing of contractor employees who work on-site at federal locations.  As a result of these new mandates, federal government contractors will soon be presented with complex and risk-laden decisions as employees seek exemptions, to the extent available, from the vaccine mandate. The Basics of the Executive Orders The first executive order is applicable to federal government employees, and requires the Safer Federal Workforce Task Force (Task Force) to issue guidance requiring a vaccine mandate for federal agency employees.  Federal agencies are then required to implement the Task Force’s guidance “with exceptions only as required by applicable law.”  The second executive order is applicable to federal government contractors, and provides that new government contracts and contract-like instruments must include a clause requiring the contractor and “any subcontractors (at any tier)” to comply with “all guidance” issued by the Task Force.  Pursuant to the terms of the contractor Executive Order, the clause’s requirements are applicable to “any workplace locations (as specified by the Task Force Guidance) in which an individual is working on or in connection with a Federal Government contract or contract-like instrument.”  The Executive Order applicable to federal contractors provides that the Task Force will issue its guidance by September 24, 2021, and outline “definitions of relevant terms,” “explanations of protocols required of contractors and subcontractors,” and “any exceptions” to the vaccination mandate. What Types of Federal Contracts Trigger the Vaccine Mandate? The vaccine mandate is applicable to any contract or contract-like instrument that is entered into, extended, renewed, or has an option exercised on or after October 15, 2021. However, the Executive Order is effective immediately and agencies are “strongly encouraged, to the extent permitted by law” to extend the vaccine mandate to existing contracts not otherwise subject to the Executive Order.  The Executive Order adopts the definition of “contract or contract-like instrument” from the Department of Labor’s minimum wage regulations, and thus presumably excludes procurement contracts excluded from the Davis-Bacon Act and service contracts excluded from the Service Contract Act.  The Executive Order explicitly excludes federal grants, contracts with Indian Tribes, employees who perform work outside of the United States, contracts equal or less than the simplified acquisition threshold (generally $250,000), and subcontracts solely for the provision of products. Which Employees are Covered By the Mandate? The new contract clause will “apply to any workplace locations (as specified by the Task Force Guidance) in which an individual is working on or in connection with a Federal Government contract or contract-like instrument.”  The “on or in connection with” standard is borrowed from the federal contractor minimum wage requirement.  Employees perform services “on” a contract when they perform the work required by the contract, and perform “in connection with” a federal contract when they perform services that are not required by the contract, but are necessary to the performance of the contract’s services, such as custodial, security, or maintenance services at facilities that perform both commercial and government work.  The executive order applies to “any workplace locations . . . in which an individual is working on or in connection” with a contract.  On its face, this would apply the vaccine mandate to full-time remote workers who do not interact in-person with any other co-workers. The Executive Order is ambiguous about several important issues, which will need to be fleshed out by the Task Force’s guidance.  First, in the context of the federal contractor minimum wage requirement, employees who work only “in connection with” a contact are not covered unless more than 20% of their work time is spent performing contract-related services.  Will the same 20% threshold apply to the vaccine mandate?  Second, the Executive Order is phrased to apply to “any workplace locations” where contract work is performed, rather than to employees performing the work.  Arguably, the mandate may cover workers performing only commercial work if there is also government contract work performed at the employee’s “workplace location,” which is itself a potentially ambiguous term pending further guidance from the Task Force. What Exemptions are Applicable? The Executive Order provides that the Task Force should permit only exceptions “required by applicable law.”  Presumably, this would include disability, religious, and pregnancy accommodations that are required by federal statutes. To date, many employers implementing vaccine mandates have struggled with these accommodation requirements, which present complex and nuanced legal issues.  To the extent the Task Force’s guidance regarding exemptions is different than generally-applicable federal law, it will only add to the complexity. Moreover, state law may impose different or additional requirements, including laws in some states protecting workers against mandatory vaccine mandates, which may conflict with the mandate required by the Executive Order.  To the extent there is ambiguity as to which employees are actually covered by the Executive Order, the potentially conflicting obligations under the Executive Order and state laws may pose challenging dilemmas for employers. COVID-19 vaccine mandates present complex legal issues for employers, especially when employees claim a right to religious, disability, pregnancy, or other accommodations. Federal contractors should begin working with counsel now to prepare for the new mandate required by the executive orders, including implementing procedures to communicate with employees regarding the mandate, ascertain employees’ vaccination statuses, and process and address requests for accommodations.

In an attempt to contain the continuing COVID-19 pandemic, President Biden issued two Executive Orders on September 9, 2021 that mandate COVID-19 vaccines for federal government employees and employees of federal government contractors. Although key details of these vaccine mandates have yet to be defined, the new measures appear to build on the administration’s recent mandate for vaccination or testing of contractor employees who work on-site at federal locations.  As a result of these new mandates, federal government contractors will soon be presented with complex and risk-laden decisions as employees seek exemptions, to the extent available, from the vaccine mandate. The Basics of the Executive Orders The first executive order is applicable to federal government employees, and requires the Safer Federal Workforce Task Force (Task Force) to issue guidance requiring a vaccine mandate for federal agency employees.  Federal agencies are then required to implement the Task Force’s guidance “with exceptions only as required by applicable law.”  The second executive order is applicable to federal government contractors, and provides that new government contracts and contract-like instruments must include a clause requiring the contractor and “any subcontractors (at any tier)” to comply with “all guidance” issued by the Task Force.  Pursuant to the terms of the contractor Executive Order, the clause’s requirements are applicable to “any workplace locations (as specified by the Task Force Guidance) in which an individual is working on or in connection with a Federal Government contract or contract-like instrument.”  The Executive Order applicable to federal contractors provides that the Task Force will issue its guidance by September 24, 2021, and outline “definitions of relevant terms,” “explanations of protocols required of contractors and subcontractors,” and “any exceptions” to the vaccination mandate. What Types of Federal Contracts Trigger the Vaccine Mandate? The vaccine mandate is applicable to any contract or contract-like instrument that is entered into, extended, renewed, or has an option exercised on or after October 15, 2021. However, the Executive Order is effective immediately and agencies are “strongly encouraged, to the extent permitted by law” to extend the vaccine mandate to existing contracts not otherwise subject to the Executive Order.  The Executive Order adopts the definition of “contract or contract-like instrument” from the Department of Labor’s minimum wage regulations, and thus presumably excludes procurement contracts excluded from the Davis-Bacon Act and service contracts excluded from the Service Contract Act.  The Executive Order explicitly excludes federal grants, contracts with Indian Tribes, employees who perform work outside of the United States, contracts equal or less than the simplified acquisition threshold (generally $250,000), and subcontracts solely for the provision of products. Which Employees are Covered By the Mandate? The new contract clause will “apply to any workplace locations (as specified by the Task Force Guidance) in which an individual is working on or in connection with a Federal Government contract or contract-like instrument.”  The “on or in connection with” standard is borrowed from the federal contractor minimum wage requirement.  Employees perform services “on” a contract when they perform the work required by the contract, and perform “in connection with” a federal contract when they perform services that are not required by the contract, but are necessary to the performance of the contract’s services, such as custodial, security, or maintenance services at facilities that perform both commercial and government work.  The executive order applies to “any workplace locations . . . in which an individual is working on or in connection” with a contract.  On its face, this would apply the vaccine mandate to full-time remote workers who do not interact in-person with any other co-workers. The Executive Order is ambiguous about several important issues, which will need to be fleshed out by the Task Force’s guidance.  First, in the context of the federal contractor minimum wage requirement, employees who work only “in connection with” a contact are not covered unless more than 20% of their work time is spent performing contract-related services.  Will the same 20% threshold apply to the vaccine mandate?  Second, the Executive Order is phrased to apply to “any workplace locations” where contract work is performed, rather than to employees performing the work.  Arguably, the mandate may cover workers performing only commercial work if there is also government contract work performed at the employee’s “workplace location,” which is itself a potentially ambiguous term pending further guidance from the Task Force. What Exemptions are Applicable? The Executive Order provides that the Task Force should permit only exceptions “required by applicable law.”  Presumably, this would include disability, religious, and pregnancy accommodations that are required by federal statutes. To date, many employers implementing vaccine mandates have struggled with these accommodation requirements, which present complex and nuanced legal issues.  To the extent the Task Force’s guidance regarding exemptions is different than generally-applicable federal law, it will only add to the complexity. Moreover, state law may impose different or additional requirements, including laws in some states protecting workers against mandatory vaccine mandates, which may conflict with the mandate required by the Executive Order.  To the extent there is ambiguity as to which employees are actually covered by the Executive Order, the potentially conflicting obligations under the Executive Order and state laws may pose challenging dilemmas for employers. COVID-19 vaccine mandates present complex legal issues for employers, especially when employees claim a right to religious, disability, pregnancy, or other accommodations. Federal contractors should begin working with counsel now to prepare for the new mandate required by the executive orders, including implementing procedures to communicate with employees regarding the mandate, ascertain employees’ vaccination statuses, and process and address requests for accommodations.

2019 has been a year of pivotal developments for defense contractors in the realm of cybersecurity compliance. The Department of Defense (DoD) issued six guidance memoranda to assist its acquisition personnel in developing “effective cybersecurity strategies to enhance existing protection requirements,” including a mandate for the Defense Contract Management Agency to include cybersecurity compliance as a part of a contractor’s purchasing system audit and approval. 2019 also saw the first False Claims Act whistleblower litigation related to contractors’ compliance with DoD cybersecurity contracting provisions. Beyond merely focusing on enforcement of existing compliance obligations, the DoD upped the ante in June 2019 with its announcement of its forthcoming Cybersecurity Maturity Model Certification (CMMC). CMMC is the next step in the DoD’s efforts to protect the government’s sensitive, unclassified information against data exfiltration, and once it goes into effect CMMC will be a mandatory, third-party certification for allDoD contractors and subcontractors. While there remain many unanswered questions surrounding the details and implementation of CMMC, the DoD has made clear that CMMC is coming and the defense contracting community must be ready to implement these requirements in order to continue receiving defense contracts, subcontracts and other DoD-funded agreements. What Will CMMC Require? As currently drafted, CMMC will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards. This assessment will result in certification at one of five levels – 1 being the lowest and 5 the highest – or no certification. Each subsequent level is cumulative, meaning a company must meet the requirements of all lower levels to qualify for a higher level of certification. In addition, an organization must satisfy boththe defined practices and process maturity criteria within a given level across all areas of the model to achieve certification at that level (e.g., having a Level 3 assessment on technical practices and Level 2 on process maturity results in an overall Level 2 certification). The DoD expects contractor CMMC assessments to begin in early June 2020. CMMC requirements will start appearing in DoD Requests for Information around this same time, and they become mandatory in all DoD solicitations beginning fall 2020. Once implemented, each DoD solicitation will identify the minimum required CMMC level a company must have to be eligible for that contract award. On December 6, 2019, the DoD released Version 0.7 of the draft CMMC framework. This update refines the technical practice requirements for Levels 1-5 and provides further guidance regarding process maturity expectations. Level 1 identifies 17 basic requirements, mostly consistent with existing general government contractor cybersecurity requirements, while Level 3 aligns with full NIST SP 800-171 Rev 1 compliance. Levels 4 and 5 require “proactive” and “progressive” cybersecurity programs, respectively, and impose additional practices derived from Draft NIST SP 800-171B and other heightened cyber standards. These top two levels are expected to be reserved for companies handling information related to critical technologies. The CMMC model will not be static, however: it will be adapted and revised whenever and however needed as the DoD identifies new threat vectors. While a company’s certification is generally expected to last for  three years, including interim spot checks, model revisions could necessitate earlier reassessment. Who Is Affected by the Upcoming CMMC Requirements? The DoD states that all contractors and subcontractors – including commercial item subcontractors – at any level of the defense supply chain will need to be certified at a minimum of Level 1 in order to be eligible to receive DoD-funded contracts and agreements. The DoD has also left open the possibility that the CMMC qualification requirements may apply to other types of contractual agreements, including DoD-funded grants, cooperative agreements, and other transactions. A company may meet a specific CMMC level across its entire enterprise network or particular segment(s) or enclave(s). At the subcontractor level, the DoD anticipates limiting CMMC application to companies providing products and services in direct support of a defense program, thereby excluding ‘back office’ products and personnel supporting general corporate overhead functions from these requirements. If performance of a contract or subcontract necessitates access to any Controlled Unclassified Information (CUI), a Level 3 minimum certification will be required. CUI includes export controlled information, “For Official Use Only” information, and other information created or possessed by a contractor that is subject to government-mandated safeguarding or dissemination controls. The DoD is still drafting a formal CUI baseline definition to clarify the specific types of information that must be protected, as well as guidance regarding how the government will assign CMMC levels to individual procurement. How Does This Differ from Today’s DoD Cybersecurity Requirements? DoD contractors and subcontractors are currently required in every procurement contract to self-certify their compliance with DFARS 252.204-7012. This DFARS clause mandates that contractors provide “adequate security” – generally equivalent to full compliance with NIST SP 800-171 Rev 1 – on all of its unclassified information systems that process, store or transmit Covered Defense Information (“CDI,” the current DoD-equivalent of CUI). The clause also imposes reporting and cooperation requirements in the event of defined “cyber incidents.” Importantly, the DFARS clause, while mandatory in all contracts, does not apply if no processing, storing, or transmitting of CDI occurs within a contractor’s information system. In addition, in practice, the DoD has allowed companies that have not yet but are working to achieve full compliance with the NIST standards to receive contracts and subcontracts, so long as the contractor can demonstrate it has an acceptable System Security Plan and Plan of Action and Milestones (POAM) in place to achieve full compliance. While NIST SP 800-171 Rev 1 continues to form the substantial baseline for CMMC compliance up to Level 3, the above three key hallmarks of DFARS 252.204-7012 – self-certification, applicability caveats, and flexibility for in-process compliance – are effectively eliminated under CMMC. An independent third party assessment and certification process will replace self-certification, allDoD contractors and subcontractors must be certified at least at Level 1 in order to qualify for award, and the CMMC approach as currently drafted does not include a waiver or deviation process for individual control gaps. In addition, as previously noted, CMMC imposes additional requirements over and above those mandated by NIST SP 800-171 for Level 4 and 5 critical technology contracts, and certification may also become mandatory for research, prototype, and other non-procurement instruments. What Are My Recommended Next Steps to Prepare for CMMC? The DoD has not yet published draft regulations implementing CMMC and many details remain unclear.  Despite this, the agency continues to state that the final CMMC framework (version 1.0) will be published in late January 2020, and its requirements will begin to appear in Requests for Information beginning in June. The DoD has also indicated that it expects to issue an interim rule to accelerate implementation. Companies should begin preparing for the new accreditation system by ensuring compliance with the appropriate NIST SP 800-171 Rev 1 requirements, depending on the level of CUI they expect to handle: Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements.  If so, you should be prepared to obtain at least a Level 1 or 2 certification. Determine whether your company currently or in the future expects to electronically process, store, or transmit Controlled Unclassified Information in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification. If you are a subcontractor, consider reaching out to your major higher-tier contractor customers to understand how they are preparing to implement CMMC across their supply base. Review your company’s current NIST SP 800-171 Rev 1 compliance level against your expected certification level requirements. If you currently have a POAM in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible. CLICK HERE to subscribe to receive new blogs, event information and industry updates directly to your email inbox.

Companies that bid on government contracts should take note of a new federal enforcement initiative. Earlier this month, the Department of Justice’s Antitrust Division announced the formation of an interagency “Strike Force” dedicated to detecting and prosecuting “bid rigging” and other antitrust crimes involving public procurement—an area of the economy that DOJ has described as “particularly vulnerable to collusion.” The Strike Force will combine the resources of the Antitrust Division and 13 U.S. Attorneys’ Offices, as well as investigators from the FBI, Department of Defense Office of Inspector General, the U.S. Postal Service Office of Inspector General and the General Services Administration Office of Inspector General. The Strike Force will focus on prosecuting procurement crimes at all levels of government, including federal, state and local. In a speech last month, Deputy Assistant Attorney General Richard A. Powers explained that the public procurement space is “uniquely” and “particularly” vulnerable to collusion because of the “sheer monetary value of government projects.” Enforcers have also faced monitoring challenges as a result of the rapid growth of government spending in recent years, which has made it difficult for enforcers to catch up, he explained. The new Strike Force will build upon DOJ’s already active antitrust enforcement in the public procurement space. The Antitrust Division has led numerous bid-rigging prosecutions involving public procurement in recent years, including prosecutions in the construction and defense industries, among others. At present, “more than one third of the Antitrust Division’s 100-plus open investigations relate to public procurement or otherwise involve the government being victimized by criminal conduct,” said Assistant Attorney General Makan Delrahim, who heads the Antitrust Division. Outreach and training to “key constituencies” will be a core part of the Strike Force’s work. To facilitate the detection of antitrust violations, the Strike Force “will conduct outreach to federal, state and local government procurement officials to educate them on how to identify potential indicators, or ‘red flags,’ of collusion.” There will also be outreach to government contractors, their trade associations and public contract lawyers to deter violations going forward. To improve detection, the Strike Force will work on using “data analytics” technology to identify possible collusion based on pricing data and other market information. “Many investigative agencies individually have made great strides on this front, and the [Strike Force] will serve to facilitate collaboration and the sharing of best practices between these agencies,” said Delrahim. Takeaways for Companies in the Public Procurement Space The new enforcement initiative presents new risks to companies in the public procurement space. To minimize these risks, companies in the public procurement space should take a fresh look at their antitrust compliance efforts. Having a robust antitrust compliance program in place can prevent violations from happening in the first place and may give companies the opportunity to minimize or even avoid criminal sanctions, if a violation occurs. According to DOJ’s recent guidance on antitrust compliance programs, an “effective” compliance program should be tailored to each company’s risk profile. Antitrust counsel can help conduct a risk assessment to allocate compliance resources to each company’s highest-risk activities. DOJ has urged companies to include regular antitrust compliance training for employees in high-risk positions, such as those responsible for setting the terms of competitive bids. Companies should also consider setting up a mechanism that allows employees to report antitrust concerns to the company. The new initiative is also notable for its planned use of technology to monitor public procurement markets for evidence of antitrust violations. Some companies may benefit from proactively monitoring procurement markets in which they are involved for bidding and pricing trends that are suggestive of antitrust problems.

On January 22, 2019, a new rule went into effect providing much-needed guidance on the definition of “recruitment fees” under the FAR human trafficking prohibition.  Many government contractors may be surprised to learn that a wide range of seemingly-innocent policies requiring employees or applicants to pay (whether upfront, through deduction, or in any other way) the employer for costs relating to hiring, recruitment, or training may now qualify as impermissible “human trafficking” and subject the contractor to potentially rigorous penalties under the FAR. Since March 2015, all federal government contracts and solicitations have included a clause prohibiting human trafficking pursuant to FAR 22.1705 and 52.222-50.  One of the proscribed forms of trafficking-related conduct is charging “recruitment fees” to employees or potential employees.  While “recruitment fees” were previously undefined in the FAR, the new rule makes clear that the term has a sweeping definition, encompassing “fees of any type” that are “associated with the recruiting process.” The rule takes a functional approach and makes clear that the manner, form, or timing of the payment is not relevant.  Charges can be recruitment fees if they are paid up front by the employee or potential employee, deducted from the person’s wages, or even if they are collected by a third-party such as a labor broker, recruiter, staffing firm, or agent.  The rule and its agency commentary are clear, however, that contractors may require employees or applicants to incur charges themselves in connection with the recruiting process, so long as the payment is not made to the contractor or any of its agents. The new rule lists several categories of exemplary recruitment fees, including fees for: Soliciting, identifying, considering, interviewing, referring, retaining, transferring, selecting, training, providing orientation to, skills testing, recommending, or placing employees or potential employees; Advertising; Obtaining labor certifications, visas, or processing applications or petitions; Acquiring photographs and identity or immigration documents, such as passports; Medical examinations and immunizations; Background, reference, and security clearance checks and examinations; The employer’s recruiters, agents, or attorneys; Language interpretation or translation; Government-mandated fees such as border crossing fees, levies, or worker welfare funds; Transportation and subsistence costs; Security deposits, bonds, and insurance; and Equipment charges. Contractors should note that the listed categories are only examples, and other charges “associated with the recruiting process” qualify even if the specific type of charge is not listed. Because every federal government contract prohibits contractors from charging these fees and some require annual certifications and compliance plans, contractors should review their hiring processes to ensure that no such fees are being charged to employees or potential employees, including applicants.  The penalties for non-compliance with the human trafficking clause can range from the suspension of contract payments to contract or subcontract termination or even debarment. Because contractors are responsible under the rule for fees charged by agents like recruiters (or even sub-recruiters), contractors should ensure that their contracts with recruiters, staffing agencies, or others prohibit passing along any recruitment costs to employees or applicants. The need to audit the recruitment process is only the tip of the iceberg of new issues created by the new rule.  In a subsequent blog, Polsinelli will analyze some potential contractor responses to the new, broad definition of “recruitment fees” and other, less obvious implications of the rule.