This week’s episode covers DFARS and SBA Mentor Protégé Program news and is hosted by partner Peter Eyre. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without.
With 2017 firmly in the rear-view, it’s time to take stock of recent and anticipated bid protest developments. Today, we’ll look back and highlight five of the most significant trends in 2017 bid protests. In the near future, we’ll turn our gaze forward and predict the five most important protest developments to keep an eye on in 2018.
As defense contractors continue to push towards their end-of-year implementation deadline for NIST SP 800-171 under DFARS 252.204-7012, the National Institute of Standards & Technology (NIST) has given the contracting community some extra time to respond to a draft publication that outlines how they and their customers alike can assess compliance with the security standard. Initially published on November 28, NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is now open for comment until January 15, 2018 – several weeks longer than the initial deadline of December 27.
Companies of all sizes are increasingly subject to the practical and legal implications of today’s cybersecurity environment, and contractors are no exception. On May 26, 2016, at 11:00 AM Eastern, Crowell & Moring attorneys David Bodenheimer, Evan Wolff, and Kate Growley will lead a discussion highlighting some of the past year’s most significant cyber contracting developments, what trends are worth watching for the future, and how contractors can craft a comprehensive approach to get ahead of it all. Specific topics include:
- Revisions to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Publication of FAR 52.204-21, Basic Safeguarding of Contractor Information Systems
- Managing the “Internet of Things”
- Approaches to cyber lifecycle management, including compliance, supply chain risk, and information sharing
Check back in the coming days for more updates as we count down to OOPS on May 25th (in DC)! You can also check for updates on Twitter using the hashtag #cm2016oops, and at crowell.com/OOPS.
In a notice published in the Federal Register on February 8 that will almost certainly be unpopular with contractors and their customers, DoD asked for comments on its consideration of adding a requirement to the DFARS that would “require offerors to describe in detail the nature and value of prospective IR&D projects on which the offeror would rely to perform the resultant contract.” As described in the notice, that information would be used by DoD to “evaluate proposals in a manner that would take into account that reliance by adjusting the total evaluated price to the Government, for evaluation purposes only, to include the value of related future IR&D projects,” presumably by increasing the evaluated price of that offeror’s proposal to include the full value of the IR&D project.
While DoD’s August 26 white paper “Enhancing the Effectiveness of Independent Research and Development” explains that the intent of new requirements announced in the white paper is “not to reduce the independence of IR&D investment selection, nor to establish a bureaucratic requirement for government approval prior to initiating an IR&D project,” contractors have good reason to doubt that assertion. Most significantly for contractors, there will be a new DFARS rule under which “beginning in FY 2017, DoD will require contractors to record the name of the government party with whom, and date when, a technical interchange took place prior to IR&D project initiation and to provide this information as part of the required IR&D submissions made to [DTIC],” and DCMA and DCAA “will use these DTIC inputs when making allowability determinations for IR&D costs.”
On August 26, 2015, the DoD published an Interim Rule to implement DoD policy on the acquisition of cloud services. This Interim Rule provides a list of terms and conditions regarding cloud computing services to be used in DoD contracts for information technology services, and it introduces the requirement that offerors responding to DoD solicitations for information technology services must identify whether cloud computing services will be used in the resultant contract.
The Interim Rule adopts the policy that DoD’s cloud acquisitions should use commercial terms and conditions (such as those in End User License Agreements (EULAs) or Terms of Service (TOS)) to the extent that they are consistent with federal law and the agency’s needs. DoD’s embrace of commercial terms comes at an interesting time, given the General Services Administration’s recent class deviation that – at least in part – undermines the enforceability of certain terms in commercial supplier agreements.
The Interim Rule establishes uniform terms and conditions to be included in solicitations and contracts for information technology services. These terms and conditions cover:
- Cloud computing security requirements (including the requirement that cloud computing services providers maintain all Government data within the 50 states, the District of Columbia, or outlying areas of the United States unless otherwise authorized);
- Limitations on access to, and use and disclosure of Government data and Government-related data;
- The contractor’s obligation in the case of a cyber incident to report the incident, preserve and protect media, allow DoD access to additional information or equipment for purposes of a forensic analysis, and provide all damage assessment information;
- Records management and facility access;
- The contractor’s obligation to notify the Contracting Officer of third party requests for access to Government data or Government-related data;
- The contractor’s obligations to address spillage in compliance with agency procedures; and
- A flowdown requirement that the substance of the clause be included in all subcontracts that involve or may involve cloud services, including subcontractors for commercial items.
The Interim Rule impacts more than just cloud service providers seeking to sell their services to DoD. The DoD has proposed that all solicitations for information technology services contain a clause that requires contractors to indicate whether the use of cloud computing is anticipated under the resulting contract or any subcontracts. Should a contractor indicate that it does not anticipate using cloud computing services in the resultant contract, the contractor would have to obtain the Contracting Officer’s approval prior to using cloud computing services.
Both new provisions – 252.239-7009, Representation of Use of Cloud Computing, and 252.239-7010, Cloud Computing Services – will be used in procurements for information technology services, including commercial item acquisitions under FAR part 12.
A brief background on DoD’s cloud computing acquisition strategy is necessary in order to place the import of this Interim Rule into context. In June 2012, the DoD Chief Information Officer (CIO) appointed the Defense Information Systems Agency (DISA) as DoD’s Enterprise Cloud Service Broker (ECSB) and required DoD components to acquire cloud services through the ECSB or obtain a waiver. This brokerage system was created to enable DoD components to use commercial cloud services that met FedRAMP low and moderate control levels, and to make them available to other DoD components through standardized contracts and leveraged authorization packages. In a December 15, 2014 memo, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services,” the DoD CIO lifted the requirement that DoD components purchase through the ECSB. DoD components are now allowed to acquire cloud services directly so long as it is done in accordance with the security requirements outlined in FedRAMP (the minimum security baseline for all DoD cloud services) and the DoD’s Cloud Computing Security Requirements Guide (SRG) (developed by DISA for more sensitive DoD unclassified data or missions and published in January 2015). The Interim Rule implements the new policies developed within the DoD CIO’s December 15, 2014 memo as well as the SRG Version 1, Release 1 to ensure uniform application when contracting for cloud services across the DoD.
Comments on the Interim Rule, which separately addresses possible expansion of the DFARS Safeguarding Rule, are due on or before October 26, 2015.
Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.
It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate. Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors. First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls. Second, they must report various cyber incidents to the DoD within 72 hours of their discovery. These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application.
The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI). CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule. But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.” Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes. To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Another notable point of expansion would affect subcontractors. Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD. Subcontractors do not report directly to the DoD under the current rule. The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.
Other key provisions of the DFARS Safeguarding Clause, however, would remain the same. For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items. The government would also remain required to protect any proprietary information that a contractor reports pursuant to the Interim Rule. The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.” Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident. That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.
The Interim Rule likely does not come as a surprise to many. Congress passed provisions to the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement. The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate. The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities. Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).
Comments on the Interim Rule, which separately addresses cloud computing services and is discussed here, are due on or before October 26, 2015.
Following the release of GAO and Congressional reports detailing counterfeit electronic parts in the Department of Defense (“DoD”) supply chain, Congress and the executive branch have made DoD supply chain security a priority. As part of the Government’s comprehensive approach to improving supply chain security for DoD, previously blogged about here and here, Congress passed legislation containing new reporting requirements for contractors who discover counterfeit or suspected counterfeit parts. The Government-Industry Data Exchange Program, or “GIDEP,” a joint U.S.-Canadian program funded by both governments, is currently DoD’s designated reporting organization for counterfeit parts.
On Monday, DoD issued a final rule in a continuing effort to reduce the potentially inappropriate use of commercial item contracts. DFARS: Commercial Determination Approval, 77 Fed. Reg. 14,480 (Mar. 12, 2012) (to be codified at 48 C.F.R. pt. 212). The rule, most notably, modifies DFARS subpart 212.102 to require approval at the level above the contracting officer (CO) for many commercial item purchases exceeding $1 million.
The final rule responds to the Panel on Contracting Integrity’s 2009 Report to Congress recommendation for superior compliance with commercial item documentation requirements as found in PGI 212.102, a companion resource to the DFARS. Because of limited documentation, the Panel expressed concern regarding the CO’s establishment of “fair and reasonable” pricing for “of a type” and “offered for sale” commercial items. 2009 Report to Cong., Panel on Contracting Integrity, DoD Office of the Under Sec. of Def. (AT&L), at 20-1. The Panel did not discuss commercial services.
With Monday’s final rule, however, DoD may have impacted the future purchase of commercial services in an unintended way. Targeting “of a type” and “offered for sale” commercial items (as recommended by the Panel’s 2009 Report), DoD now requires higher-level approval of commercial item determinations that rely on subsections (1)(ii), (3), (4), or (6) of the commercial item definition at FAR 2.101. DFARS pt. 212.102(a)(i)(C). Subsection (6) concerns services “of a type offered and sold competitively in substantial quantities in the commercial marketplace” that have established prices for specific tasks or outcomes and are provided under standard commercial terms and conditions. The final rule also arguably reaches “ancillary” commercial services (such as installation, maintenance, repair, and training) through subsection (4), which identifies commercial items purchased in combinations. Most “ancillary” commercial services are likely to be purchased alongside another commercial item. Requiring higher-level approval for most commercial services over $1 million is an increased burden that may cause COs to avoid identifying service contracts as commercial item contracts.
Increased rigor regarding the appropriate use of commercial item contracts for “of a type” and “offered for sale” items is not surprising – the Panel on Contracting Integrity specifically recommended targeting such items. However, increased scrutiny over most commercial services does not appear to have been a clear target of the Panel or DoD, and results in a significant change to commercial item contracting procedures without opportunity for comment. Indeed, DoD appears to have failed to recognize the potential impact on commercial services as it proceeded directly to final rulemaking, stating “this rule does not have a significant effect beyond the internal operating procedures of DoD and does not have a significant cost or administrative impact on contractors or offerors.” Whether the effect of the final rule on commercial services proves significant will be seen.