The Coalition for Government Procurement

The Coalition is excited to announce the 2015 Excellence in Partnership (EIP) Award Winners! The EIP Awards were developed 16 years ago to honor individuals and organizations in the acquisition community that have made significant contributions to the procurement system while providing best value to the taxpayer.

The Coalition’s EIP Lifetime Acquisition Excellence Award recognizes individuals in the procurement community who have demonstrated a long-term commitment to improving the federal acquisition system.

The 2015 EIP Lifetime Acquisition Excellence Awardees are:

Lifetime Acquisition Excellence Award

  • Geraldine Watson, General Services Administration
  • Kay Ely, General Services Administration

The Coalition for Government Procurement also honors Excellence in Partnership in four additional distinguished categories—Myth-busters, Government Savings, Green Excellence, and Best Veteran Hiring. The EIP awards in these categories highlight outstanding acquisition initiatives that result in significant cost savings for the American taxpayer and highlight exceptional public and private sector programs that promote sustainability and support veterans.

The 2015 EIP government and industry awardees in these categories are:

Myth Busters Award

  • GSA Alliant 2 Unrestricted and the Alliant 2 Small Business team
  • Mike Pullen, CGI Federal

Government Savings Award

  • Randall Culpepper, United States Air Force
  • R10 FAS Professional Services Category Management Team

Green Excellence Award

  • Ricoh Americas Corporation

Best Veteran Hiring Award

  • Grainger – Promoting Opportunities
  • CACI International Inc – Continuing the Commitment
  • ManTech International Corporation – Continuing the Commitment


Finally, the Coalition’s highest honor is “The Common Sense in Government Procurement” Award. This year the Coalition is honored to present Carolyn Alston with “The Common Sense in Government Procurement” Award for a professional lifetime of outstanding work supporting common sense procurement policies, procedures and practices that drive best value for the American people.

Thank you to our 2015 EIP Award Judges, and congratulations to all of the winners as we look forward to seeing everyone at this year’s 2015 Excellence in Partnership Awards & Fall Training Conference!


Roger Waldron


A Government Shutdown . . . Again?

September 24th, 2015

As we approach the fiscal year deadline, the chances of another government shutdown have grown. The most recent federal government shutdown occurred in 2013. It lasted seventeen days, and not many people were happy with the end result. This approach to appropriations may not be the way to “run a railroad,” but FAR & Beyond will leave it to the philosophers to muse on that topic, as some already are doing. Rather, the Coalition will offer some advice to weather the potential storm.

At the outset, FAR & Beyond has one note of caution: don’t panic. Yes, there are heightened emotions over some very serious issues, and yes those emotions could play into the voting in Congress, as well as the Administration’s response to any funding legislation. Remember, however, that the dynamics now are different from those existing in 2013. For instance, controversial matters are being raised in separate bills, and so-called “clean CRs” reportedly are being drafted. Moreover, the popular backlash this time around is predictable and may not be worth any perceived benefit associated with disrupting government funding. In sum, at this point, a shutdown is not a fait accompli.

That said, over the years, the Coalition has provided members with timely information, guidance, and best practices to assist in managing contract and cost risks associated with a potential shutdown. Resources from the last shutdown in 2013 can be found here. Please review the guidance, along with this checklist of key practices and questions in preparing for the potential of a shutdown:

  • Review your contract-
    • What is the contract type? Under certain circumstances, contracting officers may require continued performance; fixed-price contracts may require continued performance if the contractor has already been paid or funds already have been obligated.
    • What is the funding profile? Is the contract fully or incrementally funded? Under certain circumstances funded contracts may continue.
    • Does the contract include FAR 52.242-15 which allows for the issuance of a stop-work order?
  • Reach out to your contracting officer and ask-
    • Is the work performed under the contract deemed an “essential” activity necessary to protecting life and property?
    • Should contract performance continue in the event of a shutdown?
    • Does the CO plan to issue a stop-work order?
    • Will the government facility where the work is to be performed be open to contractors, and what Federal employees are required to provide oversight for contractor performance during a shutdown?
  • Plan for additional costs-
    • Anticipate potential delays and have a plan in place for potential delays in payment
    • Determine whether payment to subcontractors may be delayed if payment from the government has not been received
    • Develop internal methods of tracking additional costs associated with shutdown and restart activities to potentially recoup these costs later
  • Communicate with your team-
    • Create a communication plan for employees and identify alternatives, if practical, for employees impacted by a client shutdown, e.g., if a stop-work order is issued
    • Reach out to your subcontractors—does the subcontract include a stop-work clause? Can delivery be deferred and what is the cost impact?
  • Meet with internal counsel beforehand to assure that your plans are sound and consistent with your obligations under the contract and the law

In homage to Yogi Berra who, sadly, passed away, although it may feel like deja vu all over again, the prudent contractor will be prepared to mitigate performance and cost risk. In the meantime, the Coalition will keep you apprised as the situation warrants.

I can’t believe we’re just over four weeks away from our 2015 Excellence in Partnership Awards & Fall Training Conference, taking place on the evening of October 21st and all day on October 22nd. This two-day event will be held at the Westin Tysons Corner in Falls Church, VA, and discounted room rates are available by calling the hotel and using code TJ21AA.

We are thrilled to have the GSA Administrator, Denise Turner Roth, as our keynote speaker for our EIP Awards dinner.  Additionally, we will be honoring Carolyn Alston, our dear friend and colleague who retired from the Coalition this past July.  Carolyn’s incredible dedication, commitment, and professionalism have defined her entire career and she truly stands as an embodiment of the “Excellence in Partnership” spirit.

Prior to the Administrator’s keynote, we will have a networking reception and silent auction, where last year we raised over $10,000 for our Coalition for Government Procurement Endowed Scholarship Fund.  This scholarship fund will financially support a deserving veteran who is concentrating their studies in the field of US Government procurement at The George Washington University.  If you have a silent auction donation, please let Matt Cahill know!

The next morning we will jump right into our Fall Training Conference where we will be focused on Acquisition Reform.  We have a robust agenda that includes over 30 government speakers and numerous industry experts who will participate as keynotes, panelists, and breakout presenters.

Thank you to General Dynamics Information Technology for being this year’s Excellence in Partnership Title Sponsor and AvKARE for being this year’s Fall Training Conference Title Sponsor! There are still several sponsorship opportunities your company can take advantage of, both big and small, for the Excellence in Partnership Awards portion and the Fall Training Conference portion of this two-day event.

Please register as soon as possible so we can have an accurate head count.  For questions regarding sponsorships or assistance with registration, please contact Matt Cahill at 202-315-1054 or

Thanks for your continued support of the Coalition – we are looking forward to your participation at our Excellence in Partnership Awards and Fall Training Conference!



As students return to school and Congress returns to Capitol Hill, there is a feeling of anticipation in the air. Some might attribute this feeling to the autumnal equinox arriving in less than two weeks, and others might associate it with the expected flurry of legislative activity surrounding the end of the government fiscal year. To observers of the acquisition landscape, however, this feeling of anticipation signals something different, specifically, the potential for wholesale change in how the government conducts business.

Earlier this year, Senate Armed Services Committee Chairman, John McCain, introduced S. 1376, the National Defense Authorization Act (NDAA) for Fiscal Year 2016. That bill, along with H.R. 1375, introduced by House Armed Services Committee Chairman, Mac Thornberry, attempts to tackle the challenges raised by what has become a slow, bureaucratic, and costly Defense acquisition system. The House and Senate are in conference on the two bills; but one thing is clear: unlike in the past, these bills move beyond simply improving processes for the sake of efficiency.

Among other things, the bills seek to reduce paperwork and reporting requirements, streamline the acquisition process, increase accountability, and promote the professional development and growth of the Department of Defense (DOD) acquisition workforce. All are potentially positive steps for a beleaguered, inefficient defense acquisition system that is sinking under the weight of overregulation, burdensome reporting requirements, and an archaic cost-based oversight regime.

Of particular note are the Senate bill’s provisions enhancing commercial item contracting and reducing barriers to entry for nontraditional commercial technology firms seeking to do business with the Department. These provisions reflect the high priority the Senate has placed on gaining access to innovative technologies and cutting-edge commercial firms. This priority appears to be shared by Secretary of Defense Ashton Carter, who has voiced the Department’s strategic imperative of embracing the commercial marketplace and cutting-edge innovators. This position manifests a conviction that improving access to commercial innovation from the commercial market is vital to ensuring American military dominance over the long term. Thus, procurement reform is not only a priority for management improvement; it is a national security imperative.

That is why, as discussed in the August 13th FAR & Beyond blog, the Department’s proposed rule addressing access to cost and/or price data for commercial items is a curious step. The rule is a step back from commercial item contracting that is counter to the goal of gaining greater access to commercial innovation by reducing barriers to market entry.

In response to the proposed rule, Senator McCain sent a letter to Secretary Carter raising concerns regarding its negative impact on access to innovation and cutting-edge commercial firms. In part, that letter states,

This new regulation would likely deter privately held start-up companies from offering their products and services to DOD, because it would impose cumbersome and excessive bureaucratic requirements on these firms to provide detailed cost data for precisely the types of solutions that DOD needs. …

A copy of the letter can be found here.

The Armed Services Committee Chairman urged the Secretary to rescind the proposed rule “immediately.” The Coalition will continue to monitor the status of the proposed rule, and if necessary submit comments on behalf of our members. We also will continue to monitor and update you on the status of acquisition reform on the Hill.

Robert S. Metzger, Shareholder[1], Rogers Joseph O’Donnell, PC
Oliya S. Zamaray, Associate, Rogers Joseph O’Donnell, PC

On July 31, 2015, the GSA Senior Procurement Executive issued a class deviation intended to reconcile federal requirements with the terms of standard Commercial Supplier Agreements (CSAs).[2] An objective of the class deviation is to alleviate costs and delays of negotiating contract terms that federal purchasers can accept from commercial sources of information technology (IT). Although GSA published notice of a proposed class deviation on March 20, 2015 and invited comments, using a class deviation approach meant that GSA avoided rulemaking that would have included full notice-and-comment opportunity.

Now the class deviation is in effect.[3] It adds to the GSAM, at 502.101, a broad new definition of “commercial supplier agreement” that reaches “terms and conditions customarily offered to the public” by vendors of commercial supplies or services, “regardless of the format or style of the document.” This new definition identifies, as examples, Terms of Service (TOS) and End User License Agreements (EULA), and applies regardless of media or delivery mechanism used. The class deviation also creates a new GSAR clause, 552.212-4 (“Contract Terms and Conditions – Commercial Items”), reflecting the substance of the deviation, which GSA Contracting Officers are instructed to incorporate into all contracts. The deviation also advises that a “mass modification” will be issued to “ensure that all FSS contracts” contain the new clauses.

The new GSAR 552.212-4, among other features, changes the “Order of Precedence” of the underlying FAR clause (as further discussed below), revises subparagraph (u) to clarify that CSA terms that purport to cause the Government to indemnify a contractor are unenforceable where they create an Anti-Deficiency Act violation, and adds a new subparagraph (w) (“Commercial supplier agreements – unenforceable clauses”) that specifies that certain provisions often seen in CSAs will not be enforceable against or apply to the Government.

The intent of the deviation was to remove hurdles that have frustrated both Government and industry in contracting for commercial supplies and services where the vendor employs a CSA (in any form) with terms conflicting with federal law. As implemented, unfortunately, the class deviation solves some problems but creates others that may prove just as vexing. In the final deviation, GSA included a seemingly technical change, to the “Order of Precedence” clause, without any prior discussion with industry.[4] Though it has been below the radar, many contractors will find it has a painfully adverse consequence, because it will lead to just the kind of negotiations, over which CSA terms might conflict with the Commercial Items clause, that the deviation sought to avoid. GSA appears to have acted without awareness of the practical impact of the change to the Order of Precedence. GSA should be strongly encouraged to correct this error.

The Federal Government fills many of its needs through purchases from commercial suppliers. A source of tension has been that both federal purchasers and commercial sellers want to use their CSAs rather than federally-dictated contract terms, but the CSAs often contain some provisions that conflict with federal mandates and objectives. The class deviation tries to resolve recurring areas of contention in “one fell swoop,” by declaring that fifteen terms regularly seen in CSAs are deemed unenforceable against the Federal Government even if they are stated in a CSA that is incorporated by reference in a federal purchase agreement.

This issue has broad importance to commercial sellers of supplies and services to the Federal Government. CSAs cover a wide range of transactions, including IT procurements, travel, telecommunications, financial services, building maintenance systems, and even purchases below the simplified acquisition threshold. CSAs may take a variety of forms, though EULAs and TOS are particularly important for information technology services and supplies – and have proved regular sources of contention between commercial sources and GSA buyers.

Part of the problem is inherent to federal purchases from commercial sources using multiple award schedule (MAS) contracts. Following the 1994 enactment of the Federal Acquisition Streamlining Act (FASA), there has been a statutory preference for acquisition of commercial items. FAR Part 12 implements the Federal Government’s preference for the acquisition of commercial items. Nonetheless, Contracting Officers (COs) are instructed by the FAR to proceed with caution when a commercial seller wants to use its standard commercial terms. FAR 27.405-3(b), for example, advises COs purchasing commercial computer software to “exercise caution in accepting a vendor’s terms and conditions, since they may be directed to commercial sales and may not be appropriate for Government contracts.” Similarly, FAR 12.212(a) provides that commercial computer software and documentation shall be acquired under licenses customarily provided to the public but only “to the extent such licenses are consistent with federal law and otherwise satisfy the Government’s needs.”

This tension produced chronic complaints by federal schedule buyers that CSAs offered through GSA’s IT Schedule 70 were noncompliant with federal law, and persistent objections by contractors that COs were diverting from commercial norms by insisting on different terms. GSA responded by requiring review and approval of each EULA, TOS and similar agreements for all new Schedule 70 contracts. Because this legal review proved to be costly, lengthy, and frustrating, it worked against another premise of commercial source contracting – namely that purchase from commercial sources would be faster and cheaper.

Over time, both sides came to recognize a “fail list” of provisions that GSA legal consistently found to be objectionable.[5] Through the July 31 class deviation, GSA sought to resolve for all commercial purchases many of these chronic issues. The deviation deals specifically with every one of the fifteen “fail list” provisions. Conceptually, the class deviation is straightforward – but looks prove deceiving, as one appreciates upon examination of the details.

The Order of Precedence clause has been changed to establish that, should there be any inconsistencies, terms of the new commercial item clause at GSAR 552.212-4 control over terms of a CSA (including any license agreement for computer software).

All parties can agree, presumably, that the Federal Government should resort to its own required provisions where a CSA term is in actual conflict. And the added subparagraph (w) to GSAR 552.212-4 identifies and explains more than a dozen specific instances where there is such a conflict.

Unfortunately, the seemingly minor change to the hierarchy of the Order of Precedence clause goes beyond these identified clauses where actual conflict is present to put in doubt the effectivity or enforceability of many other CSA clauses – thus re-opening the door to uncertainty if not dispute that the new GSAR sought to close.

GSAR 552.212‑4 revises the Order of Precedence clause in FAR 52.212-4 to move from 4th to 6th (of nine items) the ranking of CSAs, i.e., “Addenda to this solicitation or contract, including any license agreements for computer software.” Before this change, the Order of Precedence read:

(s) Order of precedence. Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order: (1) the schedule of supplies/services; (2) the Assignments, Disputes, Payments, Invoice, Other Compliances, and Compliance with Laws Unique to Government Contracts paragraphs of this clause; (3) the clause at 52.212-5; (4) addenda to this solicitation or contract, including any license agreements for computer software; (5) solicitation provisions if this is a solicitation; (6) other paragraphs of this clause; (7) the Standard Form 1449; (8) other documents, exhibits, and attachments; and (9) the specification.

After the class deviation, the clause now reads:

(s) Order of precedence. Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order:
(1) The schedule of supplies/services.
(2) The Assignments, Disputes, Payments, Invoice, Other Compliances, Compliance with Laws Unique to Government Contracts, Unauthorized Obligations, and Commercial Supplier Agreements – Unenforceable Clauses paragraphs of this clause.
(3) The clause at 52.212-5.
(4) Solicitation provisions if this is a solicitation.
(5) Other paragraphs of this clause.
(6) Addenda to this solicitation or contract, including any license agreements for computer software.
(7) The Standard Form 1449.
(8) Other documents, exhibits and attachments.
(9) The specification.

(Emphasis added.)

As revised, five categories are more important than and control over CSAs (“Addenda,” including “any license agreements”). This is important because many commercial companies, especially those who sell information technology hardware, services and software, include in such “Addenda” and “license agreements” crucial terms intended to protect their commercially competitive position and to align their performance obligations to commercial norms. Far from being low-ranking appendages, standard commercial EULAs and TOS are routinely included as “Addenda” and/or “license agreements” accompanying federal sales orders. They are often highly nuanced, very carefully crafted and represent key business decisions on allocation of responsibility, cost and risk. Relegating these to the proverbial “back of the bus” changes transaction economics for many commercial sources and will cause some to retreat from federal markets, some to raise prices, and some to push back by insisting upon further negotiations (the avoidance of which was a central purpose of the class deviation).

How can it be that “demotion” of such “Addenda” and “license agreements” has such adverse consequences? It is because these now are behind in precedence both “solicitation provisions if this is a solicitation” and “other provisions of this clause” – where “this clause” refers to FAR 52.212-4, the lengthy “Contract Terms and Conditions – Commercial Items” clause which contains no fewer than twenty-four (24) separate categories of subjects – ranging from “Assignment” through “Unauthorized Obligations.” Apart from and in addition to the specified terms that are trumped by the new subparagraph (w) of GSAR 552.212-4, a given Contracting Officer can assert that any and all of the 24 items in FAR 52.212-4 now prevail over counterpart terms if included in a contractor’s EULA, TOS or other CSA form that is one of those lowly “Addenda” or other “license agreements.”

We mentioned previously that the class deviation focused on the fifteen “fail items” that Contracting Officers regularly concluded the Federal Government could not accept because the approach of representative commercial terms would violate federal statute or regulation. Indeed, as implemented through subparagraph (w) of GSAR 552.212-4, the class deviation requires that each of these fifteen “fail items” be treated as unenforceable in any instance of a conflict with federal law, and the deviation helpfully explains the nature of the conflict and the reasons that GSA has found the term to violate federal law. For illustration, one such term is “automatic renewals of term-limited agreements.” The class deviation treats provisions that make renewal charges due unless the customer takes action to opt out or terminate as an obligation ahead of appropriation which, in the past, were treated as a violation of the Anti-Deficiency Act. Under the class deviation, every subsequent term of term-limited products or services must be purchased separately. Contracting Officers are free to enter into agreements that incorporate CSAs knowing that such “automatic renewal” terms are rejected ab initio (for each contract) and en masse (for every contract).

The treatment is similar for the fifteen “fail items,” where such CSA provisions conflict with federal law, namely (1) definition of contracting parties; (2) contract formation; (3) vendor indemnification; (4) automatic renewals of term-limited agreements; (5) future fees or penalties; (6) taxes; (7) payment terms or invoicing; (8) automatic incorporation/deemed acceptance of third-party terms; (9) state/foreign law governed contracts; (10) equitable remedies, injunctions, binding arbitration; (11) supplier’s unilateral termination of agreement; (12) supplier’s unilateral modification of supplier agreement; (13) assignment of supplier agreement or government contract by supplier; (14) confidentiality of supplier agreement terms and conditions; and (15) audits (automatic liability for payment).

These 15 “fail items” are not the problem. Rather, the sweep of issues encompassed within the FAR “Commercial Items” clause is a veritable recipe for unilateral actions by individual Contracting Officers to decide that other clauses conflict with the “Addenda” or “license agreements” and therefore should be ignored. Commercial companies cannot do business with the Government if they are at risk that Contracting Officers, on individual orders, will simply choose to treat key provisions of their EULAs or TOS as mere “surplusage” that any given CO can disregard if she or he decides that a term conflicts with some other provision of the Commercial Items clause. In the best case, the Contracting Officer will inform the seller of this position and negotiations (and delays) will follow. In the worst and all too plausible case, disputes will arise during performance, or after, when the CO chooses to ignore inconvenient or disadvantageous provisions in a EULA or TOS simply because they were contained in such “Addenda” or “License Agreements.” Proven companies may decide not to take this “wildcard” business risk.

The class deviation and the new GSAR were on track in focusing on the fifteen explicit “fail items” and resolving their status clearly. The Order of Precedence change, apparently unwittingly, exposes many other terms in CSAs to uncertainty if not controversy.

The downgrading of CSA terms is difficult to reconcile with cardinal principles governing federal procurement of commercial items. The Federal Government, as expressed at FAR 12.101(c), is to “[r]equire prime contractors and subcontractors at all tiers to incorporate, to the maximum extent practicable, commercial items or nondevelopmental items as components of items supplied to the agency.” (Emphasis added.) As concerns solicitation provisions and contract clauses for the acquisition of commercial items, FAR 12.301 again insists that, “to the maximum extent practicable,” the Federal Government shall include “only those clauses … [r]equired to implement provisions of law or executive orders applicable to the acquisition of commercial items” or those “[d]etermined to be consistent with customary commercial practice.” (Emphasis added.) The cited change to the Order of Precedence clause subverts these principles.

Compounding the problem is the interplay between the changed Order of Precedence clause and the new subparagraph (w), “Commercial supplier agreements – unenforceable clauses,” which now rates 2nd in the Order of Precedence hierarchy, four positions above the deference given to a vendor’s “Addenda” or “license agreements.” Through this subparagraph (w), GSA excludes specific commercial terms that it has found to violate federal law. The class deviation as implemented was accompanied by instructions in the form of “questions and answers.” One question GSA answered in its July 31st memorandum was whether Contracting Officers still need to review CSAs since the class deviation provides protection against inappropriate or illegal terms being incorporated to contracts.[6] The response was: “Absolutely.” It continued: “Contracting Officers should always thoroughly review CSAs (and all documents that are incorporated into any GSA contract).”[7] This is more than just a “license” for COs to review EULAs, TOS and other terms incorporated as “Addenda” or “license agreements.” It is positive encouragement that they do so. The instruction practically invites Contracting Officers to find some, a few or even many aspects of potentially complex commercial EULAs, TOS or other “Addenda” or “license agreements” that they will consider or claim are “inappropriate” or “illegal.” While Contracting Officers may seek guidance from the office of General Counsel of GSA, they are not obligated to do so. In any event the opportunity for uncertainty, disagreement or dispute certainly will restore costs, delays, and frustration that the class deviation sought to eliminate.

No law or regulation mandated this change in the Order of Precedence. GSA need not conduct rulemaking to restore the proper sequence, a proposition virtually proven by GSA’s decision that it could use the class deviation process rather than rulemaking to implement the many changes to commercial item terms effected by the deviation. The class deviation should be revised to restore “addenda in this solicitation or contract, including any license agreements or computer software” to the fourth position in the Order of Precedence.

[1] Robert S. Metzger is a shareholder and heads the D.C. office of Rogers Joseph O’Donnell, P.C. Oliya S. Zamaray is an associate in that office.

[2] The class deviation is explained in a memorandum authored by Jeffrey A. Koses, GSA Sr. Procurement Executive, Acquisition Letter MV-15-03, “Memorandum for the Acquisition Workforce: Class Deviation Addressing Commercial Supplier Agreement Terms that Conflict or Are Incompatible with Federal Law” (July 31, 2015) available at

[3] The new GSAM provisions are at

[4] We acknowledge Roger Waldron’s CGP Blog of Sept. 3, 2015, “FAR and Beyond,” which addresses this subject in less detail at

[5] GSA legal created a “Fail Chart” as part of an internal guideline for identifying “unacceptable” provisions and standards in End User License Agreements. Contractors could request a copy from their GSA Contracting Officers. See “Q1 2013 Quarterly Industry Meeting: Center for IT Schedule Program” at slide 15 (Nov. 1, 2012) available at

[6] Koses, supra note 2, at 3.

[7] Id. (emphasis added).

By Phillip R. Seckman, Erin B. Sheppard, and Michael J. McGuinn

Dentons US LLP

The Department of Defense (DOD) on August 26, 2015 issued an interim rule, effective immediately, that significantly increases existing cybersecurity requirements for DOD contractors. The requirements in the interim rule, available here, have broad applicability to DOD contractors at both the prime and subcontract level, including commercial item and small business contractors. Contractors can expect these requirements to begin showing up in new DOD contracts immediately and should begin taking steps to ensure compliance.

The interim rule contains a number of new and revised DOD cybersecurity requirements. The key issues are summarized below.

Scope of the DOD Requirements

The interim rule significantly expands the scope of the prior UCTI clause’s safeguarding and reporting requirements. Whereas the prior UCTI clause applied only to unclassified controlled technical information, the new clause—now titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”—applies more broadly to all “covered defense information.”

“Covered defense information” includes controlled technical information as well as export controlled information, critical information related to operations security, and any other information marked or otherwise identified in the contract that requires safeguarding under relevant law and policy, including private and proprietary business information. The interim rule further clarifies that the definition of “controlled technical information” does not depend, as it did under the prior UCTI definition, on whether the information “is to be marked” with applicable DOD distribution statements.

This expanded definition, coupled with the clause’s broad flowdown requirement, means that the revised clause requirements likely will apply to virtually all DOD contractors at the prime and subcontract level. The interim rule also revises DFARS Part 212 to clarify that the rule’s requirements are applicable to commercial item contracts and subcontracts.

Security Controls

Additionally, internal contractor information systems that contain covered defense information are subject to new safeguarding requirements. The interim rule removes the clause’s previously-required security controls from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. DOD replaces those requirements with the controls from the recently-issued NIST SP 800-171, issued on June 18, 2015 and previously discussed here.

The National Archives and Records Administration (NARA) in May 2015 issued a proposed rule, discussed here, that would establish a government-wide policy related to the identification and safeguarding of controlled unclassified information. NARA stated in connection with that rule that it intended to promulgate a FAR clause that would apply the requirements of NIST SP 800-171 to contractors. The Office of Management and Budget likewise recently proposed guidance seeking to require the use of these same NIST SP 800-171 controls on a government-wide basis for internal contractor information systems, discussed here. DOD’s decision to use the same NIST standards proposed by OMB and NARA is a welcome step to achieve consistency in cybersecurity standards across the federal government.

DOD in the interim rule also creates a new clause, DFARS 252.204-7008, which states that a contractor prior to contract award can provide a written explanation to the government justifying deviations from the NIST SP 800-171 controls. The prior DFARS UCTI clause had a similar provision, although not required pre-award, allowing contractors to provide this written explanation related to the NIST 800-53 controls. Under the interim rule, if seeking a deviation, a contractor must explain: (i) how the company has in place alternative security controls that “compensate for the inability to satisfy a particular requirement” of the NIST SP 800-171 standards or (ii) that a particular control is inapplicable. The new clause likewise clarifies that the contractor may either comply with the NIST SP 800-171 requirements or provide for alternative but equally effective security measures, a determination which must be approved by DOD prior to contract award.


Reporting Requirements


The interim rule also expands reporting obligations. The rule requires contractors that discover a cyber incident that affects a covered contractor information system or information contained therein to investigate and report that incident to DOD. As part of its implementation of Section 1632 of the 2015 National Defense Authorization Act, DOD also requires contractors to investigate and report a cyber incident that affects the contractor’s ability to perform “operationally critical support” functions of a contract. Subcontractors are required to report cyber incidents to both the prime contractor and the government, with lower-tier subcontractors required to report cyber incidents up the chain of privity until the prime contractor is reached.

In addition, the rule modifies DFARS 252.204-7012 to permit DOD to release certain contractor information in a number of circumstances, including “to entities with missions that may be affected by such information” and “for national security purposes.” This expands the permissible reasons for sharing included in the prior version of the clause, which had limited the government’s use of contractor information only to “authorized persons for purposes and activities consistent with [the prior UCTI] clause.” Because contractor information now may be disclosed outside the government, contractors should clearly mark information provided to DOD and carefully consider whether particular information should be disclosed in connection with a cyber incident.

The interim rule further establishes DFARS 252.204-7009, Limitation on the Use and Disclosure of Third-Party Contractor Reporting Cyber Incident Information. This clause is required in contracts that involve contractor support for government activities related to safeguarding covered defense information and cyber incident reporting. It imposes non-disclosure obligations on contractors handling reporting information and provides that a contractor’s breach of its non-disclosure obligations may be subject to criminal, civil, administrative, and contractual actions brought by the government, or, importantly, by the impacted reporting party.

Cloud Computing Requirements

And if the foregoing was not enough, the interim rule also contains a number of new requirements relating to the acquisition of cloud computing services. The interim rule adds a new DFARS subpart, 239.76, which formalizes DOD guidance in this area and mandates that DOD may only award contracts for cloud computing services to contractors that have obtained a provisional authority to operate from the Defense Information Systems Agency (DISA). The new subpart requires the inclusion of specifically enumerated government protections in any DoD cloud services purchase order.

The interim rule also establishes two new contract clauses, DFARS 252.239-7009, Representation of the Use of Cloud Computing, and DFARS 252.239-7010, Cloud Computing Services, for use in any acquisition for information technology services. These clauses require contractors to: (i) implement administrative, technical, and physical safeguards and controls outlined in DISA’s Cloud Computing Security Requirements guide; (ii) maintain all government data in the United States unless authorized otherwise in writing; and (iii) restrict access to government data. DFARS 252.239-7010 also mandates that contractors report all cyber incidents related to the cloud services provided under the contract and imposes reporting and compliance obligations that parallel the access and investigation cooperation requirements included in the new UCTI clause.

Comments on the interim rule are due by October 26, 2015. Dentons attorneys will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons attorneys will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity.  More information about the series can be found here or by contacting the authors of this article.

On July 31st, GSA issued a Class Deviation to “mitigate the legal risk of incorporating into GSA contracts common Commercial Supplier Agreement (CSA) terms and conditions that conflict with or are incompatible with Federal law.” As I explain below, the impacts of this deviation cannot be understated. The deviation establishes a new GSAR Clause 552.212-4, Contract Terms and Conditions—Commercial Items, in lieu of standard FAR Clause 52.212-4. The class deviation is the end result of GSA’s efforts to address the long-standing challenges surrounding the negotiation of “End User License Agreements” (EULAs) (aka Software Licenses and/or CSAs) under IT Schedule 70. As GSA has noted, however, CSAs are often used in other contexts, from travel to telecommunications, to financial services, and to building maintenance systems.

The focus of GSA’s efforts to address EULAs under IT Schedule 70 was to ensure that the contract language clearly provided that, in the event of a conflict between federal law and a commercial term, the federal law takes precedence (controls). According to GSA, without such language in the contract, each and every EULA under IT Schedule 70 would have to be reviewed in its entirety to ensure there were no conflicts with federal law. The deviation is intended to streamline the license review and negotiation process by specifically addressing potential areas of conflict.

The Coalition appreciates GSA’s open, transparent dialogue regarding the deviation. The Federal Register notice and subsequent open conversations demonstrate GSA’s commitment to engaging its industry partners on key procurement issues of common concern. Moreover, the Coalition and its members appreciate that, in cases where a license term conflicts with federal law, the federal law controls, and it welcomes the opportunity to work with GSA on developing terms and conditions that would streamline the process for all. The Coalition, however, is very concerned that the scope of the deviation goes well beyond addressing specific conflicts between federal law and commercial terms.

Specifically, the deviation changes the order of precedence, dropping commercial terms below the other paragraphs of 552.212-4 and solicitation terms, leaving it just above the SF1449. In contrast, under the standard FAR Clause 52.212-4, commercial terms are above the other paragraphs of 52.212-4 and the solicitation provisions. Here is a chart that highlights the change:

[Chart: order of precedence under standard FAR Clause 52.212-4 versus GSAR Clause 552.212-4]

Though it may be minor in appearance, the potential impact of this change could be significant. For instance, as a result of this change, all commercial software terms, like title and ownership, warranties, and remedies, are subordinated to the government’s terms and conditions in the solicitation. So, rather than addressing the specific areas of conflict, as GSA intended, the deviation undoes any preference for commercial software license terms and conditions under GSA contracts. As a result, prudent contractors will be compelled to seek negotiations on each and every term in an attempt to ensure its commercial terms apply. At an operational level, this means that, rather than streamlining the negotiation process, the deviation likely will complicate and delay processing times for contracts and modifications for new software products.

More fundamentally, the scope of the deviation raises questions regarding its legality. FAR 1.402 authorizes deviations “[u]nless precluded by law, executive order or regulation….” The Federal Acquisition Streamlining Act of 1994 (FASA) requires the head of the agency to ensure, to the maximum extent practicable, that commercial items may be procured to fulfill agency requirements, that requirements be modified so they can be met by commercial items, that specifications be stated to enable offerors to supply commercial items, and that policies be revised to reduce the impediments to acquiring commercial items. See 41 U.S.C. 3077.

In a recent Friday Flash discussing a DoD proposed rule seeking to change the definition of “commercial item” for the purpose of gaining access to price and/or cost data, the Coalition pointed out that narrowing the definition of a commercial item


…could have far reaching implications for the procurement system. It risks reducing the government’s access to innovative services and solutions by creating a new, significant barrier to entry for firms already offering those services and solutions in the commercial marketplace.


The same is true here. The deviation essentially turns the preference for commercial items on its head, creating a significant impediment to offering and acquiring commercial items with CSAs. As a consequence, it risks foreclosing access to cutting edge technologies needed by GSA and the agencies that rely on its contract vehicles. At a time when the government is seeking greater access to innovative technologies and capabilities from the commercial market, it just does not make sense, and thus, it needs to be changed.


Could yesterday’s weather have been any better?  Joe Caggiano was certainly smiling down on us as we enjoyed a perfect day and the beautiful Whiskey Creek golf course at this week’s Third Annual Joseph P. Caggiano Memorial Golf Tournament.  As a veteran himself, Joe would have been proud that this year’s proceeds are once again going to fund a scholarship for a veteran.   We were honored to have Joe’s wife, father, and brother (Kathleen, Paul, and Mike) all join us in this year’s tournament.  Paul and Mike’s team impressively finished the day in 2nd place!

Due to our generous sponsors and participants in Joe’s tournament, I am proud to announce we will be contributing more than $25,000 to our Coalition for Government Procurement Endowed Scholarship Fund at The George Washington University, where financial support will be provided to a deserving veteran who is concentrating their studies in the field of US Government procurement and pursuing the JD or LLM degree in Government Procurement Law or the Masters of Science in Government Contracting degree (MSGC).

I would especially like to thank our two title sponsors – Integrity Consulting and CohnReznick. Your generous support means a great deal to the Coalition and we can’t thank you enough.

Additionally, thank you to our luncheon sponsor, AvKARE; our reception sponsor, The Gormley Group; and our Beverage Cart Sponsor, EY.

Thank you also to our many hole sponsors: Allen Federal Business Partners, Baker Tilly, Bloomberg, Booz Allen Hamilton, BRG, Brocade, CACI, General Dynamics Information Technology, The George Washington University, HON, Judge Group, Koniag, Raytheon, Northrop Grumman, the Rendely Family, Ricoh, SAP, Toro, and Wells Fargo!  Every hole at Whiskey Creek was fantastic and their staff once again did an excellent job in assisting with the day’s events – from the scoreboard and golf cart arrangements to the food prep and beverage services.

Thank you, the government contracting community, for coming together and raising awareness and funds for charitable and educational causes such as this one – it’s truly remarkable.  If you would like to make further donations to our scholarship fund, you may do so by visiting


Lastly, thank you to the Coalition team for a job well done.  You guys are the best!

Congratulations to all the players and companies involved – we are already looking forward to seeing you again at next year’s tournament!

Before we start planning for next year’s tournament though, I want to encourage you to attend our 2015 Excellence in Partnership Awards on the evening of October 21st and our Fall Training Conference the following morning on October 22nd.  Registration is now open and we are seeking additional sponsors to join our Title Sponsor at the EIPs – General Dynamics Information Technology – and our Title Sponsor at the Fall Conference – AvKARE.  For questions regarding sponsorships or assistance with registration, please contact Matt Cahill at 202-315-1054 or


Roger Waldron



Dentons US LLP

The Office of Management and Budget (OMB) on August 11, 2015 released proposed guidance, available here, that takes “major steps” towards – and likely accelerates – the implementation of standard cybersecurity requirements in all federal acquisitions. OMB in its guidance provides some fairly clear direction for contractors seeking to understand their future cybersecurity compliance obligations. OMB’s guidance, however, also leaves open certain key questions for contractors in this area, particularly with regard to how OMB’s requirements will be applied and harmonized with existing agency-specific cybersecurity requirements.

OMB indicates its guidance will be finalized in the fall of 2015. In light of the high profile breach of the Office of Personnel Management and the National Archives and Records Administration’s (NARA) related efforts to address the identification and safeguarding of controlled unclassified information (CUI), contractors should expect OMB’s proposed guidance to be adopted in short order, with applicable cyber requirements appearing in government contracts shortly thereafter.

  1. Applicability

OMB’s proposed guidance would apply to federal acquisitions of products or services that involve creation, collection, or access to CUI. Although not directly addressed in the OMB guidance, the identification of CUI likely would be governed by NARA’s CUI registry and NARA’s proposed rule, issued on May 8, 2015, that seeks to establish a government-wide policy for designating and controlling CUI. OMB’s guidance suggests that its requirements would be broadly applicable to both prime contractor and subcontractor information systems containing CUI in connection with federal acquisitions. Contractors accordingly should expect OMB’s guidance to have broad applicability to virtually any federal contract involving CUI.

  2. Security Controls and Reporting Requirements

OMB’s guidance would impose different security controls and cyber incident reporting requirements on contractors depending on whether a contractor’s information system is: (1) a system operated on behalf of the government; or (2) an internal system used to provide a product or service for the government that processes CUI “incidental” to the product or service being provided. OMB’s guidance generally would apply more stringent requirements to contractor information systems operated on behalf of the government. It is accordingly important for contractors to understand what type of system they are operating in connection with particular contracts to avoid the over-imposition of cybersecurity requirements.

With respect to security controls, a company operating an information system involving CUI on behalf of the government would be required to comply with the security controls contained in NIST Special Publication (SP) 800-53, generally at the “moderate” baseline but subject to agency tailoring. Conversely, a company operating internal information systems involving CUI would not be subject to the NIST 800-53 controls. Instead, the contractor would be expected to comply with the recently promulgated security controls contained in NIST SP 800-171, issued in final on June 18, 2015 and previously discussed here.

Although overlap exists between the security controls contained in these two NIST standards, contractors operating internal information systems on which CUI may be present should seek to ensure the appropriate NIST SP 800-171 controls are included in contracts, and be prepared to push back on government attempts to impose additional security controls based on NIST SP 800-53. The notable exception to this would be DOD’s Unclassified Controlled Technical Information (UCTI) requirements, DFARS 252.204-7012, which were adopted in November 2013 and require compliance with more than fifty controls from NIST SP 800-53.

With regard to cyber incident reporting, the OMB guidance recognizes that reporting requirements for the two types of contractor information systems would be “similar.” The primary difference would be that a contractor’s reporting obligation for internal contractor information systems would be limited to incidents in which CUI is impacted, rather than to every cyber incident involving systems operated on behalf of the government.

The OMB guidance also notes that agency contract language should include “specific government remedies” if a contractor fails to report cyber incidents as required by its contract. Although OMB’s guidance does not provide insight into or specify these remedies, potential remedies may include payment withholding, award fee reductions, or negative past performance evaluations. Prescribing specific remedies would give the government an enforcement tool to ensure cyber compliance in addition to the more drastic termination, debarment, or fraud remedies.

  3. System Security Assessments and Continuous Monitoring

OMB in its guidance also states that contractor information systems will be subject to information system security assessments. OMB’s guidance suggests that agencies would have discretion to establish security assessment requirements based on the government’s risk assessment and the security categorization of the information system under Federal Information Processing Standard Publication (FIPS) 199. Contractors also would be required to explain in proposals how they would meet the requirements of NIST SP 800-171, including the NIST SP 800-171 security assessment requirements. And contractors would be required to provide the government with access to the contractor’s facilities, personnel, and systems for the purpose of conducting system assessments or to conduct investigations or audits.

OMB’s guidance does not clearly address whether the same security assessment requirements would apply to both contractor information systems operated on behalf of the government and internal contractor information systems. OMB’s guidance, moreover, does not appear to recognize the prospect of sensitive information being swept up in the course of such investigations or audits and the reasonable expectation of contractors that such information must generally be protected from disclosure. This information includes, for example, attorney-client privileged communications, trade secrets, or other confidential business information. Contractors are, understandably, very keen to ensure there are appropriate boundaries on the government’s right of access.

OMB also states that contractors will be subject to continuous monitoring requirements, a fairly significant and expensive compliance obligation for contractors. Contractors operating information systems on behalf of the government would be required to have continuous monitoring requirements in place that meet or exceed the monitoring requirements contained in OMB Memorandum M-14-03. Additionally, for those contractor systems not operated on behalf of the government, OMB notes that continuous monitoring is required under the controls contained in NIST SP 800-171. The guidance does not specifically address the administrative burdens of such requirements—an area that is ripe for comment by contractors.

  4. Due Diligence Requirements

OMB’s guidance also suggests that agencies should utilize due diligence research to assess program cyber risk. Specifically, GSA would be directed to create an information sharing service for government agencies that would include information collected from public records, publicly available information, and commercial data, as well as data voluntarily reported by contractors in connection with information sharing programs. Contractors should expect that the government will utilize this due diligence information as part of acquisition planning and source selection efforts, as well as to monitor contractor security throughout contract performance.

  5. Open Questions

Finally, OMB’s proposed guidance suggests that key stakeholders would “immediately” begin working to apply the OMB guidance and that agencies also would “continuously review contract activities” to ensure compliance with OMB’s guidance. Yet OMB also states, consistent with NARA’s proposed rule, that the FAR Council will be amending the FAR to include contract clauses that implement requirements related to CUI. Accordingly, it remains an open question whether OMB’s guidance would be adopted by agencies individually on a contract-by-contract basis, or whether the guidance requirements would be implemented only after promulgation of a FAR rule. In the interim, contractors should carefully review their upcoming contract awards to assess whether the government has sought to include any new or changed obligations relating to security controls and cyber incident reporting.

It also is unclear how or if the OMB guidance requirements would be harmonized with the recommendations and implementation efforts of the DOD/GSA Joint Working Group, which issued its report in January 2014 containing six recommendations aimed at improving cybersecurity in federal acquisitions. It is similarly unclear whether or how OMB’s guidance would be reconciled with the DOD UCTI requirements, or other agency-specific cyber requirements. Absent such harmonization efforts, contractors may continue to find themselves subject to a patchwork of sometimes conflicting cyber compliance obligations in this area.

  6. What’s Next?

OMB is seeking industry feedback on its proposed guidance by September 10, 2015, in anticipation of issuing final guidance by the fall of 2015. OMB is seeking comments through the GitHub platform, and contractors should strongly consider submitting comments either independently or through industry trade associations.

Dentons attorneys will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons attorneys will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity. More information about the series can be found here or by contacting the authors of this article.

On August 10, 2015, the Government Accountability Office (GAO) released Report No. GAO-15-590, FEDERAL SUPPLY SCHEDULES: More Attention Needed to Competition and Prices. The report examines (1) how and to what extent the government is using the FSS program; (2) factors influencing the degree of competition for FSS orders, and (3) the extent to which agencies examine prices to be paid for FSS orders. The language of the GAO report is both thought provoking and, in some places, perplexing.

Although not highlighted by GAO, the report actually contains some good news regarding competition rates for orders under the Federal Supply Schedule (FSS) program. According to GAO, significant competition was achieved for orders under the FSS program; in fact, based on another GAO report issued earlier this year, FSS program competition rates appear to have exceeded the competition rates under the contract vehicles of other agencies. Specifically, GAO found that 75 percent of the FSS task orders were competitive. This finding is a tremendous good news story for government-wide procurement, the FSS program, and GSA. To its credit, over the years GSA has made significant investments in training and electronic tools to enhance competition at the task order level. In particular, GSA’s electronic quote tool, eBuy, has increased competition and transparency for customer agencies and FSS contractors. The GAO Report notes the effective use of eBuy to achieve competition for agency tasks.

At the same time it highlights this good news regarding overall FSS competition rates, however, the GAO report states that “[m]ost FSS obligations were competed in fiscal year 2014, but only 40 percent of obligations were on orders for which the government received three or more quotes—a number frequently mentioned in the Federal Acquisition Regulations (FAR).” This statement is where the report is perplexing. It appears to establish or imply a new standard for competition, namely the receipt of three offers. Such a purported standard is inconsistent with statute and regulation.

Under the statutory and regulatory requirement for competition for orders exceeding the simplified acquisition threshold (SAT), a contracting activity must provide notice to all FSS contractors capable of meeting the requirement or, alternatively, provide notice to as many FSS contractors as practicable to reasonably ensure receipt of three offers. When notice is provided to all of those contractors, there is no requirement for receipt of three offers. When notice is provided to less than all of those contractors, there still is no requirement for receipt of three offers. Rather, contracting officers must document the file addressing their efforts to obtain three quotes and that no additional contractors capable of meeting the requirement could be identified despite reasonable efforts to do so.

In light of these requirements, then, it is difficult to understand the point of the GAO’s observation about obligations involving three or more quotes. As the report states, “three or more quotes” is “a number frequently mentioned in the … FAR.” It is not a statutory or regulatory mandate, nor should it be necessarily, as the decision not to offer, itself, may be a competitive decision. In any case, the key finding is that, overall, competition was achieved on 75% of the FSS task orders.

With regard to pricing, the GAO report also states that contracting officers did not consistently seek discounts (i.e., price reductions) from schedule prices, even in situations where they were required. The most perceptive assessment of this issue in the GAO report, however, came from certain contracting officials, who noted that by competing the order, they met the requirement to seek a discount. The fundamental goal of competition, including task order competition under the FSS program, is to obtain the best deal (e.g., lower price, better terms, or increased performance/value). Thus, by seeking/soliciting competition from all FSS contractors through the issuance of a Request for Quotes (RFQ) or other communication, those contracting officials effectively did seek a price discount. It stands to reason, then, because the GAO report identified an overall competition rate of 75 percent for the FSS program, at least 75 percent of the time contracting officers sought price reductions. In drawing its conclusion, GAO appears to be focusing on the failure to include the words “price reduction or discount” in an RFQ.

In sum, GSA should feel good about GAO’s identification of strong competition rates for the FSS program. Although GAO identified some points of contention, GSA should stay focused on the 75% of the glass that remains full.
