Government Contracts Legal Forum

IG Report Whacks DCMA’s Oversight of Contractors’ Business Systems

Posted in Government Contracting
Steve McBradyTerry L. AlbertsonSkye Mathieson

On October 1, the DoD IG released a report titled “Evaluation of Defense Contract Management Agency Actions on Reported DoD Contractor Business System Deficiencies,” asserting that DCMA contracting officers “repeatedly” failed to comply with DFARS requirements involving reported business system deficiencies.  The report, which is similar to a report issued on June 29, 2015 regarding DCMA’s treatment of estimating system deficiencies (available here), focused its criticisms on DCMA, despite DCMA’s comments noting flaws in the IG’s logic (such as the IG’s suggestion that DCMA, rather than DCAA, is responsible for determining whether a “significant” business system deficiency exists).


Nothing to Sneeze at: Obama Administration Issues 13th EO Targeting Federal Contractors

Posted in Employment, Government Contracting, Labor
Angela B. StylesKris D. MeadeSteve McBradyJason M. Crawford

On September 7, the Obama Administration issued a new executive order requiring that federal government contractors provide paid sick leave to employees, the latest in a series of EOs targeting federal contractors, which have to date resulted in 16 new regulations (previously discussed here, here and here).  According to the White House, “[b]eginning with new contracts in 2017, workers will earn a minimum of one hour of paid sick leave for every 30 hours worked,” which will provide “approximately 300,000 people working on federal contracts the new ability to earn up to seven days of paid sick leave each year.”

DoD White Paper Takes Aim at IR&D Costs

Posted in Cost Accounting
Terry L. AlbertsonSteve McBrady

While DOD’s August 26 white paper “Enhancing the Effectiveness of Independent Research and Development” explains that the intent of new requirements announced in the white paper is “not to reduce the independence of IR&D investment selection, nor to establish a bureaucratic requirement for government approval prior to initiating an IR&D project,” contactors have good reason to doubt that assertion.  Most significantly for contractors, there will be a new DFARS rule under which “beginning in FY 2017, DoD will require contractors to record the name of the government party with whom, and date when, a technical interchange took place prior to IR&D project initiation and to provide this information as part of the required IR&D submissions made to [DTIC],” and DCMA and DCAA “will use these DTIC inputs when making allowability determinations for IR&D costs.”



DoD Releases Interim Rule on Cloud Service Acquisitions

Posted in Commercial Items
Olivia LynchPeter J. Eyre

On August 26, 2015, the DoD published an Interim Rule to implement DoD policy on the acquisition of cloud services.  This Interim Rule provides a list of terms and conditions regarding cloud computing services to be used in DoD contracts for information technology services as well as introduces the requirement that offerors responding to DoD solicitations for information technology services must identify whether cloud computing services will be used in the resultant contract.

The Interim Rule adopts the policy that DoD’s cloud acquisitions should use commercial terms and conditions (such as those in End User License Agreements (EULAs) or Terms of Service (TOS)) to the extent that they are consistent with federal law and the agency’s needs.  DoD’s embrace of commercial terms comes at an interesting time, given the General Services Administration’s recent class deviation that – at least in part – undermines the enforceability of certain terms in commercial supplier agreements.

The Interim Rule establishes uniform terms and conditions to be included in solicitations and contracts for information technology services.  These terms and conditions cover:

  • Cloud computing security requirements (including the requirement that cloud computing services providers maintain all Government data within the 50 states, the District of Columbia, or outlying areas of the United States unless otherwise authorized);
  • Limitations on access to, and use and disclosure of Government data and Government-related data;
  • The contractor’s obligation in the case of a cyber incident to report the incident, preserve and protect media, allow DoD with access to additional information or equipment for purposes of a forensic analysis, and provide all damage assessment information;
  • Records management and facility access;
  • The contractor’s obligation to notify the Contracting Officer of third party requests for access to Government data or Government-related data;
  • The contractor’s obligations to address spillage in compliance with agency procedures; and
  • A flowdown requirement that the substance of the clause be included in all subcontracts that involve or may involve cloud services, including subcontractors for commercial items.

The Interim Rule impacts more than just cloud service providers seeking to sell their services to DoD.  The DoD has proposed that all solicitations for information technology services contain a clause that requires contractors to indicate whether the use of cloud computing is anticipated under the resulting contract or any subcontracts.  Should a contractor indicate that it does not anticipate using cloud computing services in the resultant contract, the contractor would have to obtain the Contracting Officer’s approval prior to using cloud computing services.

Both new provisions – 252.239-7009, Representation of Use of Cloud Computing, and 252.239-7010, Cloud Computing Services – will be used in procurements for information technology services, including commercial item acquisitions under FAR part 12.

A brief background on DoD’s cloud computing acquisition strategy is necessary in order to place the import of this Interim Rule into context.  In June 2012, the DoD Chief Information Officer (CIO) appointed the Defense Information Systems Agency (DISA) as DoD’s Enterprise Cloud Service Broker (ECSB) and required DoD components to acquire cloud services through the ECSB or obtain a waiver.  This brokerage system was created to enable DoD components to use commercial cloud services that met FedRAMP low and moderate control levels, and make them available to other DOD components through standardized contracts and leveraged authorization packages.  In a December 15, 2014 memo, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services,” the DoD CIO lifted the requirement that DoD components purchase through the ECSB.  DoD components are now allowed to acquire cloud services directly so long as it is done in accordance with the security requirements outlined in FedRAMP (the minimum security baseline for all DoD cloud services) and the DoD’s Cloud Computing Security Requirements Guide (SRG) (developed by DISA for more sensitive DoD unclassified data or missions and published in January 2015).  The Interim Rule implements the new policies developed within the DoD CIO’s December 15, 2014 memo as well as the SRG Version 1, Release 1 to ensure uniform application when contracting for cloud services across the DoD.


Comments on the Interim Rule, which separately addresses possible expansion of the DFARS Safeguarding Rule, are due on or before October 26, 2015.



Interim Rule Could Expand Already Onerous DFARS Cyber Requirements

Posted in Cybersecurity
Kate M. GrowleyMaida Oringher LernerEvan D. Wolff

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts. 

It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information,  marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.” 

Another notable point of expansion would affect subcontractors.  Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD.  Subcontractors do not report directly to the DoD under the current rule.  The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.

Other key provisions of the DFARS Safeguarding Clause, however, would remain same.  For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items.  The government would also remain required to protect any proprietary information that contractor reports pursuant to the Interim Rule.  The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.”  Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident.  That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.

The Interim Rule likely does not come as a surprise to many.  Congress passed provisions to the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement.  The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate.  The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities.  Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).  


Comments on the Interim Rule, which separately addresses cloud computer services and is discussed here, are due on or before October 26, 2015.



Partner David Bodenheimer Recognized as Co-Chair of ABA PCL “Committee of the Year”

Posted in Uncategorized
Kate M. Growley

Crowell & Moring is proud to announce that the ABA Public Contract Law Section has recognized Partner David Bodenheimer, along with Maureen Kelly of Northrop Grumman and Annejanette Pickens of General Dynamics, for their exceptional efforts as co-chairs of the Section’s Committee on Cybersecurity, Privacy, and Data Protection.  The Section recently presented the Committee with the prestigious “Committee of the Year Award” and praised the co-chairs’ “significant contributions to attorney development, Section programming, and the practice of public contract law.”  Congratulations on a well-deserved honor!


New Zealand Companies Out of the “Chillybin”

Posted in GSA Schedule, International Contracting
Steve McBradyLorraine M. CamposAlan W. H. GourleyAdelicia R. Cliffe

By notice published in the Federal Register, the U.S. Trade Representative has confirmed that New Zealand has acceded to the WTO Agreement on Government Procurement and thereby, effective August 12, 2015, has become a “designated country” under the Trade Agreements Act.  Accordingly, products and services from New Zealand are now eligible to be procured under all contracts subject to the TAA, including GSA Schedule contracts.

Under Siege: Trade Associations Rap White House for Flood of EOs Targeting Contractors

Posted in Compliance, Government Contracting, Labor
Steve McBradyMark RiesAngela B. Styles

In an August 3 letter to the White House, four trade associations (the AIA, PSC, NDIA, and ITIC) requested “on behalf of the thousands of companies … that no further presidential directives primarily focused on government contractors be issued for the foreseeable future.”  The letter (linked here) cited a dozen recent executive orders related to procurement that have resulted in a significant increase in the cost of doing business with the government, including the recent one on “Fair Pay and Safe Workplaces” (discussed here), and urged the Administration to address the “impacts, inefficiencies, and in many cases, unintended consequences” created by the recent deluge of EOs directed at government contractors.

VIDEO: FCA Litigation — Determining Damages, Whistleblower Employees, and Tricky Issues

Posted in Employment, False Claims, Labor
Mark R. Troy

Partner Mark Troy, in this three-part video series, provides an overview of the trends in False Claims Act litigation that are likely to affect companies in the coming year, including the proper measure of damages and how to deal with whistleblower employees and enforce contractual releases.

All three videos are embedded below for viewing. For a complete transcript, please click here to visit

Additional video alerts from Crowell & Moring on a range of topics affecting the legal industry can be found on our YouTube channel.