BLOG POST

Morgan Lewis Government Contractor Guidebook

YOUR GUIDE TO THE ISSUES THAT MATTER TO GOVERNMENT CONTRACTORS

GovCon Update: GAO Jurisdiction, DOJ Declination, CUI Rule

Recent developments in government contracting highlight important updates in bid protest jurisdiction, national security enforcement, and cybersecurity compliance. This includes a Government Accountability Office decision clarifying the limits of its protest jurisdiction, the US Department of Justice’s first National Security Division declination under its revised corporate enforcement policy, and a proposed Federal Acquisition Regulation rule that would establish governmentwide requirements for safeguarding and reporting Controlled Unclassified Information.

GAO Dismisses Protest Challenging DHS Border Barrier Task Order

The Government Accountability Office recently dismissed a protest challenging the Department of Homeland Security’s issuance of a sole-source task order for border barrier construction, concluding that it lacked jurisdiction considering the procurement was conducted pursuant to a waiver issued under the Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA).

The protester argued that the waiver did not authorize the acquisition and also raised conflict-of-interest concerns based on the awardee’s employment of a former government official. GAO rejected both arguments, holding that challenges arising from actions taken under the Secretary’s IIRIRA waiver authority fall within the exclusive jurisdiction of federal district courts. GAO also concluded that the protester’s conflict allegations were based largely on speculation rather than the “hard facts” necessary to support an organizational conflict-of-interest or bias claim.

For contractors, the decision serves as a reminder that jurisdictional issues can be just as important as the merits of a protest. Certain procurements conducted under specialized statutory authorities may fall outside GAO’s traditional bid protest jurisdiction, requiring contractors to pursue relief in different forums under different standards.

The decision also reinforces GAO’s continued insistence on concrete factual support for conflict-of-interest allegations rather than generalized concerns regarding former government employees or agency favoritism.

DOJ’s First National Security Declination Highlights Benefits of Early Self-Disclosure

The Department of Justice’s National Security Division recently issued its first declination under the department’s revised corporate enforcement policy, declining to criminally prosecute a multinational engineering and technology company for export control violations involving sales to another multinational technology company after the former voluntarily self-disclosed the conduct, cooperated extensively with the investigation, and implemented significant compliance enhancements.

While the multinational engineering and technology company did agree to pay approximately $36 million through a combination of profit disgorgement and regulatory penalties, DOJ’s decision not to pursue criminal charges is notable given the seriousness of the underlying allegations and the more than 100 alleged export control violations identified by the Bureau of Industry and Security.

The declination provides an early indication of how DOJ intends to apply its revised corporate enforcement framework in the national security and export control context. While voluntary disclosure decisions remain highly fact-specific, the resolution suggests that companies identifying potential export control or other national security compliance issues may receive meaningful credit for prompt self-disclosure, extensive cooperation, and substantial investments in compliance improvements.

For government contractors and companies operating in national security–sensitive industries, the matter reinforces DOJ’s continued emphasis on proactive compliance and early engagement with enforcement authorities.

Proposed FAR Rule Would Establish Governmentwide CUI Requirements

The Federal Acquisition Regulation Council recently issued a proposed rule as part of the latest phase of the Revolutionary FAR Overhaul that would establish standardized governmentwide requirements governing the safeguarding of Controlled Unclassified Information (CUI) and reporting of CUI incidents.

Among other changes, the proposal would:

  • Establish standardized governmentwide definitions for CUI and CUI incidents
  • Require reporting of most CUI incidents within 72 hours
  • Require subcontractors to report covered incidents directly to the government
  • Incorporate National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 3 and, where applicable, NIST Special Publication 800-172 requirements into covered contracts
  • Require cloud service providers handling CUI to meet security requirements equivalent to FedRAMP Moderate

The proposal is significant because it would create a more consistent governmentwide framework for CUI compliance while arriving against the backdrop of continued DOJ cybersecurity enforcement. It also demonstrates that, even as the administration pursues broader efforts to streamline acquisition regulations through the Revolutionary FAR Overhaul, cybersecurity and protection of sensitive information remain areas where more prescriptive contractor requirements are expected.

Contractors that handle CUI should consider using the comment period and the time before any final rule is issued to evaluate current security controls, incident response procedures, subcontractor flowdown provisions, and documentation supporting compliance with applicable NIST requirements.

Looking Ahead

These latest developments underscore continued government focus on procurement integrity, national security enforcement, and cybersecurity compliance.

Contractors should continue monitoring evolving jurisdictional issues in bid protests, evaluate voluntary disclosure considerations as national security enforcement evolves, and prepare for potentially significant changes to governmentwide CUI safeguarding and reporting requirements.