
Admitted in New York only; practicing under the supervision of DC Bar members

Adding to the Defense Contract Management Agency’s (DCMA) new cybersecurity responsibilities, the Department of Defense (DoD) Under Secretary of Defense for Acquisition and Sustainment (USDAS) recently issued a memorandum titled Strategically Implementing Cybersecurity Contract Clauses that increases DCMA’s role.  The memorandum tasks DCMA with implementing a process to perform company-wide assessments of contractors’ compliance with the DFARS Safeguarding Clause and the related solicitation provision, DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information, in lieu of the current contract-by-contract assessment of the Clause and Provision requirements.

Specifically, the memorandum addresses the inefficiencies caused by DFARS 252.204-7008, which requires contractors to self-certify, on a contract-specific basis, their implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as required by the Safeguarding Clause.  USDAS notes that this approach impedes the effective implementation of requirements to protect the DoD’s Controlled Unclassified Information (CUI).  To resolve these issues, the memorandum directs DCMA to develop a proposed path to issue no-cost bilateral block modifications to contracts administered by DCMA and to recommend to the USDAS a set of business strategies to:

  • obtain and assess contractor system security plans (SSPs) and associated plans of action and milestones (POAMs) at a strategic level as an alternative to the contract-by-contract review;
  • propose a methodology to determine contractors’ cybersecurity readiness at a strategic level and assign levels of confidence for contractors’ readiness assessment at the corporate, business sector or facility level; and
  • propose how to communicate contractors’ cybersecurity readiness and confidence level to DoD components.

Of note, DCMA is further instructed to engage industry to discuss methods to oversee the implementation of the DFARS Safeguarding Clause and NIST SP 800-171.  It is possible that this industry engagement may occur through another DoD Industry Day, since the last DFARS Safeguarding Clause-related Industry Day occurred almost two years ago.

Industry will once again take a “wait and see” approach to the DoD’s policy implementation since the DCMA is directed to take action after March 1, 2019.

On Monday, August 13, 2018, President Trump signed into law H.R. 5515, the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (FY 2019 NDAA), the earliest an NDAA has been signed in over a decade.  The FY 2019 NDAA includes several provisions relevant to contractors, including replacing the definition of “commercial item” with “commercial product” and “commercial services,” discouraging the use of lowest price technically acceptable contracting, and a clause designed to accelerate payments to small businesses.

Continue Reading FY 2019 NDAA

In AlliantCorps, LLC, B-415744.2, the Government Accountability Office (GAO) denied a protest by AlliantCorps, LLC (Alliant) alleging violations of the Procurement Integrity Act (PIA) by the Department of the Navy (Navy) following Alliant’s prior protest of a task order award to DKW Communications, Inc. (DKW).  Alliant asserted that DKW improperly received Alliant’s bid and proposal information when its proposed subcontractor’s labor rates were furnished to DKW “at the direction of the Navy.”  GAO found that the facts asserted could not form the basis of a PIA violation because the employees voluntarily disclosed their salary information to DKW.

The Navy initially awarded the task order seeking software maintenance services to DKW.  As part of its transition effort, DKW sent an email to Navy personnel providing a link to DKW’s employment application website.  After the Navy provided Alliant with its debriefing, Navy personnel forwarded DKW’s email soliciting employment applications to personnel working on the incumbent contract for Alliant’s proposed subcontractor.  Alliant subsequently protested the evaluation underlying the award challenging the Navy’s past performance evaluation and discussions, which prompted the Navy to take corrective action to clarify the solicitation and make a new source selection decision.

Continue Reading Incumbent Employees’ Self-Disclosure of Salaries is Not a Procurement Integrity Act Violation

The National Institute of Standards and Technology (NIST) recently published a draft special publication titled Systems Security Engineering: Resiliency Considerations for the Engineering of Trustworthy Secure Systems (Volume 2), which provides guidance to professionals responsible for the activities and tasks related to the system life cycle processes in NIST’s flagship publication, NIST Special Publication 800-160 Volume 1 (Volume 1).  Volume 2 is the first in a series of systems security engineering publications supplementing Volume 1, and describes how to apply cyber resiliency concepts, constructs, and engineering practices, as part of systems security engineering.

Volume 1 built upon well-established international standards for systems and software engineering to describe the actions necessary to develop more defensible and survivable systems.  Volume 2 describes cyber resiliency principles that organizations can select and apply to their own systems based on the organization’s threat environment.  These principles help organizations address certain types of advanced cyber-threats that have the capability to breach critical systems, establish a presence within those systems often undetected, and inflict immediate and long-term damage to economic and security interests.  Among other things, developers could look to the draft publication for guidance on how to increase the security of older legacy systems in order to limit potential hackers’ access in the event of a data breach.  NIST is accepting public comments until May 18, 2018.

On April 2, 2018, the Government Accountability Office (GAO) published Final Rule 83 FR 13817, amending its bid protest regulations to implement the Electronic Protest Docketing System, make administrative and clerical changes, and “streamline the bid protest process.”

This Final Rule goes into effect on May 1, 2018.  We detail below some key changes it implements to the protest process.

Continue Reading GAO Implements Changes to Bid Protest Process with New Regulations

In the face of an actual or potential organizational conflict of interest (OCI), the potential solutions are often limited. There are several options for contractors and the government that are broadly categorized as mitigation, avoidance, neutralization, limitations on future contracting, and exclusion. Although used sparingly, the FAR also provides that the government can “waive” actual or potential OCIs. Specifically, FAR 9.503 states: “The agency head or a designee may waive any general rule or procedure of this subpart by determining that its application in a particular situation would not be in the Government’s interest.”

A recent GAO decision sheds light on how contractors and agencies should think about OCI waivers. CACI, Inc.-Federal; General Dynamics One Source, LLC, B-413860.4, et al., Jan. 5, 2018.

Continue Reading GAO Lets Stand an Agency’s OCI Waivers in Face of a Multi-Prong Challenge