On Nov. 19, 2015, OMB released the fall 2015 regulatory agenda of regulations currently under development, listing April 2016 as the target for publication of the final rule implementing the “Fair Pay and Safe Work Places” executive order. The final rule, which is likely to be challenged in court by contractors and industry trade groups, will impose significant compliance and reporting obligations on federal contractors (discussed here), causing some contractors to begin reviewing internal processes for identifying and reporting labor compliance information under the rule.
On Thursday, November 19, Crowell & Moring attorneys will discuss using contractor claims as a recovery mechanism under U.S. Government contracts on WFED radio. Listen in at 12:30 pm EST as these practitioners discuss how contractors can use claims as part of an overall strategy to ensure that both parties comply with contract terms and conditions when issues like government-directed changes and delays come up during the course of a project.
On October 20, the Armed Services Board of Contract Appeals published its FY 2015 Report of Transactions and Proceedings. The report provides statistics regarding the adjudication of appeals between contractors and the Army, Navy, Air Force, Corps of Engineers, DLA, DCMA, other Defense agencies, CIA, NASA, and the Washington Metropolitan Area Transit Authority. This year’s report reflects that the Appellant prevailed in just over half of the appeals decided on the merits (53%). It also indicates that, as usual, the Board had a high success rate in resolving matters via ADR. Of the cases that went through non-binding ADR, 93% were resolved successfully.
On October 1, the DoD IG released a report titled “Evaluation of Defense Contract Management Agency Actions on Reported DoD Contractor Business System Deficiencies,” asserting that DCMA contracting officers “repeatedly” failed to comply with DFARS requirements involving reported business system deficiencies. The report, which is similar to a report issued on June 29, 2015 regarding DCMA’s treatment of estimating system deficiencies (available here), focused its criticisms on DCMA, despite DCMA’s comments noting flaws in the IG’s logic (such as the IG’s suggestion that DCMA, rather than DCAA, is responsible for determining whether a “significant” business system deficiency exists).
On September 7, the Obama Administration issued a new executive order requiring that federal government contractors provide paid sick leave to employees, the latest in a series of EOs targeting federal contractors, which have to date resulted in 16 new regulations (previously discussed here, here and here). According to the White House, “[b]eginning with new contracts in 2017, workers will earn a minimum of one hour of paid sick leave for every 30 hours worked,” which will provide “approximately 300,000 people working on federal contracts the new ability to earn up to seven days of paid sick leave each year.”
In a recent interview with Bloomberg BNA’s Daily Labor Report, I discussed the recent deluge of Executive Orders targeting federal contractors, and the new regulations arising from those EOs (link to the article here).
While DoD’s August 26 white paper “Enhancing the Effectiveness of Independent Research and Development” explains that the intent of new requirements announced in the white paper is “not to reduce the independence of IR&D investment selection, nor to establish a bureaucratic requirement for government approval prior to initiating an IR&D project,” contractors have good reason to doubt that assertion. Most significantly for contractors, there will be a new DFARS rule under which “beginning in FY 2017, DoD will require contractors to record the name of the government party with whom, and date when, a technical interchange took place prior to IR&D project initiation and to provide this information as part of the required IR&D submissions made to [DTIC],” and DCMA and DCAA “will use these DTIC inputs when making allowability determinations for IR&D costs.”
On August 26, 2015, the DoD published an Interim Rule to implement DoD policy on the acquisition of cloud services. This Interim Rule provides a list of terms and conditions regarding cloud computing services to be used in DoD contracts for information technology services and introduces the requirement that offerors responding to DoD solicitations for information technology services must identify whether cloud computing services will be used in the resultant contract.
The Interim Rule adopts the policy that DoD’s cloud acquisitions should use commercial terms and conditions (such as those in End User License Agreements (EULAs) or Terms of Service (TOS)) to the extent that they are consistent with federal law and the agency’s needs. DoD’s embrace of commercial terms comes at an interesting time, given the General Services Administration’s recent class deviation that – at least in part – undermines the enforceability of certain terms in commercial supplier agreements.
The Interim Rule establishes uniform terms and conditions to be included in solicitations and contracts for information technology services. These terms and conditions cover:
- Cloud computing security requirements (including the requirement that cloud computing services providers maintain all Government data within the 50 states, the District of Columbia, or outlying areas of the United States unless otherwise authorized);
- Limitations on access to, and use and disclosure of Government data and Government-related data;
- The contractor’s obligation in the case of a cyber incident to report the incident, preserve and protect media, provide DoD with access to additional information or equipment for purposes of a forensic analysis, and provide all damage assessment information;
- Records management and facility access;
- The contractor’s obligation to notify the Contracting Officer of third party requests for access to Government data or Government-related data;
- The contractor’s obligations to address spillage in compliance with agency procedures; and
- A flowdown requirement that the substance of the clause be included in all subcontracts that involve or may involve cloud services, including subcontractors for commercial items.
The Interim Rule impacts more than just cloud service providers seeking to sell their services to DoD. The DoD has proposed that all solicitations for information technology services contain a clause that requires contractors to indicate whether the use of cloud computing is anticipated under the resulting contract or any subcontracts. Should a contractor indicate that it does not anticipate using cloud computing services in the resultant contract, the contractor would have to obtain the Contracting Officer’s approval prior to using cloud computing services.
Both new provisions – 252.239-7009, Representation of Use of Cloud Computing, and 252.239-7010, Cloud Computing Services – will be used in procurements for information technology services, including commercial item acquisitions under FAR part 12.
A brief background on DoD’s cloud computing acquisition strategy is necessary in order to place the import of this Interim Rule into context. In June 2012, the DoD Chief Information Officer (CIO) appointed the Defense Information Systems Agency (DISA) as DoD’s Enterprise Cloud Service Broker (ECSB) and required DoD components to acquire cloud services through the ECSB or obtain a waiver. This brokerage system was created to enable DoD components to use commercial cloud services that met FedRAMP low and moderate control levels, and make them available to other DoD components through standardized contracts and leveraged authorization packages. In a December 15, 2014 memo, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services,” the DoD CIO lifted the requirement that DoD components purchase through the ECSB. DoD components are now allowed to acquire cloud services directly so long as it is done in accordance with the security requirements outlined in FedRAMP (the minimum security baseline for all DoD cloud services) and the DoD’s Cloud Computing Security Requirements Guide (SRG) (developed by DISA for more sensitive DoD unclassified data or missions and published in January 2015). The Interim Rule implements the new policies developed within the DoD CIO’s December 15, 2014 memo as well as the SRG Version 1, Release 1 to ensure uniform application when contracting for cloud services across the DoD.
Comments on the Interim Rule, which separately addresses possible expansion of the DFARS Safeguarding Rule, are due on or before October 26, 2015.
Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.
It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate. Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors. First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls. Second, they must report various cyber incidents to the DoD within 72 hours of their discovery. These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application.
The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI). CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule. But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.” Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes. To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Another notable point of expansion would affect subcontractors. Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD. Subcontractors do not report directly to the DoD under the current rule. The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.
Other key provisions of the DFARS Safeguarding Clause, however, would remain the same. For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items. The government would also remain required to protect any proprietary information that a contractor reports pursuant to the Interim Rule. The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.” Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident. That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.
The Interim Rule likely does not come as a surprise to many. Congress passed provisions in the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement. The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate. The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities. Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).
Comments on the Interim Rule, which separately addresses cloud computing services and is discussed here, are due on or before October 26, 2015.
Crowell & Moring is proud to announce that the ABA Public Contract Law Section has recognized Partner David Bodenheimer, along with Maureen Kelly of Northrop Grumman and Annejanette Pickens of General Dynamics, for their exceptional efforts as co-chairs of the Section’s Committee on Cybersecurity, Privacy, and Data Protection. The Section recently presented the Committee with the prestigious “Committee of the Year Award” and praised the co-chairs’ “significant contributions to attorney development, Section programming, and the practice of public contract law.” Congratulations on a well-deserved honor!