Government Contracts Legal Forum

DoD White Paper Takes Aim at IR&D Costs

Posted in Cost Accounting
Terry L. AlbertsonSteve McBrady

While DOD’s August 26 white paper “Enhancing the Effectiveness of Independent Research and Development” explains that the intent of new requirements announced in the white paper is “not to reduce the independence of IR&D investment selection, nor to establish a bureaucratic requirement for government approval prior to initiating an IR&D project,” contactors have good reason to doubt that assertion.  Most significantly for contractors, there will be a new DFARS rule under which “beginning in FY 2017, DoD will require contractors to record the name of the government party with whom, and date when, a technical interchange took place prior to IR&D project initiation and to provide this information as part of the required IR&D submissions made to [DTIC],” and DCMA and DCAA “will use these DTIC inputs when making allowability determinations for IR&D costs.”

 

 

DoD Releases Interim Rule on Cloud Service Acquisitions

Posted in Commercial Items
Olivia LynchPeter J. Eyre

On August 26, 2015, the DoD published an Interim Rule to implement DoD policy on the acquisition of cloud services.  This Interim Rule provides a list of terms and conditions regarding cloud computing services to be used in DoD contracts for information technology services as well as introduces the requirement that offerors responding to DoD solicitations for information technology services must identify whether cloud computing services will be used in the resultant contract.

The Interim Rule adopts the policy that DoD’s cloud acquisitions should use commercial terms and conditions (such as those in End User License Agreements (EULAs) or Terms of Service (TOS)) to the extent that they are consistent with federal law and the agency’s needs.  DoD’s embrace of commercial terms comes at an interesting time, given the General Services Administration’s recent class deviation that – at least in part – undermines the enforceability of certain terms in commercial supplier agreements.

The Interim Rule establishes uniform terms and conditions to be included in solicitations and contracts for information technology services.  These terms and conditions cover:

  • Cloud computing security requirements (including the requirement that cloud computing services providers maintain all Government data within the 50 states, the District of Columbia, or outlying areas of the United States unless otherwise authorized);
  • Limitations on access to, and use and disclosure of Government data and Government-related data;
  • The contractor’s obligation in the case of a cyber incident to report the incident, preserve and protect media, allow DoD with access to additional information or equipment for purposes of a forensic analysis, and provide all damage assessment information;
  • Records management and facility access;
  • The contractor’s obligation to notify the Contracting Officer of third party requests for access to Government data or Government-related data;
  • The contractor’s obligations to address spillage in compliance with agency procedures; and
  • A flowdown requirement that the substance of the clause be included in all subcontracts that involve or may involve cloud services, including subcontractors for commercial items.

The Interim Rule impacts more than just cloud service providers seeking to sell their services to DoD.  The DoD has proposed that all solicitations for information technology services contain a clause that requires contractors to indicate whether the use of cloud computing is anticipated under the resulting contract or any subcontracts.  Should a contractor indicate that it does not anticipate using cloud computing services in the resultant contract, the contractor would have to obtain the Contracting Officer’s approval prior to using cloud computing services.

Both new provisions – 252.239-7009, Representation of Use of Cloud Computing, and 252.239-7010, Cloud Computing Services – will be used in procurements for information technology services, including commercial item acquisitions under FAR part 12.

A brief background on DoD’s cloud computing acquisition strategy is necessary in order to place the import of this Interim Rule into context.  In June 2012, the DoD Chief Information Officer (CIO) appointed the Defense Information Systems Agency (DISA) as DoD’s Enterprise Cloud Service Broker (ECSB) and required DoD components to acquire cloud services through the ECSB or obtain a waiver.  This brokerage system was created to enable DoD components to use commercial cloud services that met FedRAMP low and moderate control levels, and make them available to other DOD components through standardized contracts and leveraged authorization packages.  In a December 15, 2014 memo, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services,” the DoD CIO lifted the requirement that DoD components purchase through the ECSB.  DoD components are now allowed to acquire cloud services directly so long as it is done in accordance with the security requirements outlined in FedRAMP (the minimum security baseline for all DoD cloud services) and the DoD’s Cloud Computing Security Requirements Guide (SRG) (developed by DISA for more sensitive DoD unclassified data or missions and published in January 2015).  The Interim Rule implements the new policies developed within the DoD CIO’s December 15, 2014 memo as well as the SRG Version 1, Release 1 to ensure uniform application when contracting for cloud services across the DoD.

 

Comments on the Interim Rule, which separately addresses possible expansion of the DFARS Safeguarding Rule, are due on or before October 26, 2015.

 

 

Interim Rule Could Expand Already Onerous DFARS Cyber Requirements

Posted in Cybersecurity
Kate M. GrowleyMaida Oringher LernerEvan D. Wolff

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts. 

It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information,  marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 2525.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.” 

Another notable point of expansion would affect subcontractors.  Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD.  Subcontractors do not report directly to the DoD under the current rule.  The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.

Other key provisions of the DFARS Safeguarding Clause, however, would remain same.  For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items.  The government would also remain required to protect any proprietary information that contractor reports pursuant to the Interim Rule.  The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.”  Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident.  That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.

The Interim Rule likely does not come as a surprise to many.  Congress passed provisions to the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement.  The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate.  The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities.  Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).  

 

Comments on the Interim Rule, which separately addresses cloud computer services and is discussed here, are due on or before October 26, 2015.

 

 

Partner David Bodenheimer Recognized as Co-Chair of ABA PCL “Committee of the Year”

Posted in Uncategorized
Kate M. Growley

Crowell & Moring is proud to announce that the ABA Public Contract Law Section has recognized Partner David Bodenheimer, along with Maureen Kelly of Northrop Grumman and Annejanette Pickens of General Dynamics, for their exceptional efforts as co-chairs of the Section’s Committee on Cybersecurity, Privacy, and Data Protection.  The Section recently presented the Committee with the prestigious “Committee of the Year Award” and praised the co-chairs’ “significant contributions to attorney development, Section programming, and the practice of public contract law.”  Congratulations on a well-deserved honor!

 

New Zealand Companies Out of the “Chillybin”

Posted in GSA Schedule, International Contracting
Steve McBradyLorraine M. CamposAlan W. H. GourleyAdelicia R. Cliffe

By notice published in the Federal Register, the U.S. Trade Representative has confirmed that New Zealand has acceded to the WTO Agreement on Government Procurement and thereby, effective August 12, 2015, has become a “designated country” under the Trade Agreements Act.  Accordingly, products and services from New Zealand are now eligible to be procured under all contracts subject to the TAA, including GSA Schedule contracts.

Under Siege: Trade Associations Rap White House for Flood of EOs Targeting Contractors

Posted in Compliance, Government Contracting, Labor
Steve McBradyMark RiesAngela B. Styles

In an August 3 letter to the White House, four trade associations (the AIA, PSC, NDIA, and ITIC) requested “on behalf of the thousands of companies … that no further presidential directives primarily focused on government contractors be issued for the foreseeable future.”  The letter (linked here) cited a dozen recent executive orders related to procurement that have resulted in a significant increase in the cost of doing business with the government, including the recent one on “Fair Pay and Safe Workplaces” (discussed here), and urged the Administration to address the “impacts, inefficiencies, and in many cases, unintended consequences” created by the recent deluge of EOs directed at government contractors.

VIDEO: FCA Litigation — Determining Damages, Whistleblower Employees, and Tricky Issues

Posted in Employment, False Claims, Labor
Mark R. Troy

Partner Mark Troy, in this three-part video series, provides an overview of the trends in False Claims Act litigation that are likely to affect companies in the coming year, including the proper measure of damages and how to deal with whistleblower employees and enforce contractual releases.

All three videos are embedded below for viewing. For a complete transcript, please click here to visit Crowell.com.

Additional video alerts from Crowell & Moring on a range of topics affecting the legal industry can be found on our YouTube channel.

 

Hiring a Former Government Official? Obtain and Hold On to the Ethics Letter

Posted in Employment, Ethics & Compliance
Peter J. EyreJames G. PeysterRob Sneckenberg

The Department of Defense (DoD) Office of Inspector General (IG) recently released a July 6, 2015 Memorandum announcing that it will “immediately” begin the field work for its assessment of DoD compliance with Section 847 of the 2008 National Defense Authorization Act (NDAA), “Requirements for Senior Defense Officials Seeking Employment with Defense Contractors.”

Section 847 mandated that, before a defense contractor may hire a “covered” current or former government official (generally, an official who has participated “personally and substantially” in the procurement or management of a DoD contract or program valued in excess of $10 million), the official must seek, and the contractor must review, “a written opinion from the appropriate ethics counselor regarding the applicability of post-employment restrictions to the activities that the former official is expected to undertake on behalf of the contractor.”  See 2008 NDAA § 847(a); see also DFARS § 203.171 (implementing § 847).  Section 847 also tasked the DoD IG with conducting periodic reviews to ensure that these written opinions (commonly known as “Designated Agency Ethics Official (DAEO) Letters” or simply “Ethics Letters”) are being provided and retained by DoD in a “central database or repository.”  See, e.g., Report No. DODIG-2014-050 (Mar. 31, 2014).

Although the recent Memorandum addresses only the Government’s responsibilities under Section 847 (specifically the DoD IG’s objectives for its upcoming assessment), it is a good reminder that contractors, as well, should make the collection and retention of Ethics Letters a priority.  Hiring a former government official is often an effective way for a contractor to gain insight into a particular government program, or to simply bring a fresh perspective to the contractor’s operations.  However, such hiring decisions implicate a wide variety of statutory and regulatory provisions, and can expose contractors to substantial risk.  For example:

  • DFARS § 252.203-7000, which is included in DoD solicitations and contracts, prohibits a contractor from providing compensation to a covered current or former DoD official without first determining that the official has sought and received the appropriate Ethics Letter. Subsection (c) of that regulation provides that a contractor’s failure to abide by this prohibition may subject the contractor to rescission of its contract, suspension, or debarment in accordance with the Procurement Integrity Act (which also contains its own prohibitions on the compensation of specified current or former government officials, as well as civil, administrative, and even criminal penalties for “knowing” violations—see 41 U.S.C. §§ 2104, 2105).
  • Similarly, DFARS § 252.203-7005, which is included in DoD solicitations, requires a contractor to certify that: “all covered DoD officials employed by or otherwise receiving compensation from the [contractor], and who are expected to undertake activities on behalf of the [contractor] for any resulting contract, are presently in compliance with [a variety of post-employment restrictions].” This certification should not be taken lightly, as qui tam relators and some courts increasingly have taken an expansive approach to assessing False Claims Act liability based on theories of fraudulent inducement and false implied certifications.
  • Also, the Government Accountability Office has held that when a former government official participates in a contractor’s effort to obtain a contract, he/she is presumed to use any competitively useful non-public information to which he/she had access as a government employee. See, e.g., Health Net Fed. Servs., LLC, B-401652.3, Nov. 4, 2009, 2009 CPD ¶ 220 (sustaining protest based on awardee’s unfair competitive advantage stemming from employment of former government official).

These are just a few of the many potential risks when a contractor hires a former government official. However, in each case, the contractor may be able to avoid potential problems up front, or to defend against particular challenges on the back end, where it obtains and keeps handy a well-reasoned and supported Ethics Letter. While the Ethics Letter will not always be dispositive (and does not cover non-statutory issues, such as unfair competitive advantage and organizational conflicts of interest), and should be but one element among many in a contractor’s due diligence review in any hiring process, it is an element that should not be overlooked.

Comment Period for “Fair Pay and Safe Workplaces” Extended Again

Posted in Employment, Labor
Angela B. StylesSteve McBradyKris D. MeadeJason M. Crawford

In an August 3 letter to eight committee and subcommittee chairs, the FAR Council and the Department of Labor indicated that the comment period for the “Fair Pay Safe Workplaces” proposed FAR Rule and related DOL Guidance would be extended to August 26 (from the current date of August 11, 2015).  On July 15, as previously discussed here, the chairs of the House committees of jurisdiction sent a letter to Labor Secretary Perez and OFPP Administrator Rung citing procedural and substantive flaws with the rulemaking (explained in more detail on our government contracts blog) and requesting that the agencies withdraw it, or, at a minimum, extend the public comment period an additional 90 days.