The Coalition for Government Procurement

By Phillip R. Seckman, Erin B. Sheppard, and Michael J. McGuinn

Dentons US LLP

The Department of Defense (DOD) on August 26, 2015 issued an interim rule, effective immediately, that significantly increases existing cybersecurity requirements for DOD contractors. The requirements in the interim rule, available here have broad applicability to DOD contractors at both the prime and subcontract level, including commercial item and small business contractors. Contractors can expect these requirements to begin showing up in new DOD contracts immediately and should begin taking steps to ensure compliance.

The interim rule contains a number of new and revised DOD cybersecurity requirements. The key issues are summarized below.

Scope of the DOD Requirements

The interim rule significantly expands the scope of the prior UCTI clause’s safeguarding and reporting requirements. Whereas the prior UCTI clause applied only to unclassified controlled technical information, the new clause—now titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”—applies more broadly to all “covered defense information.”

“Covered defense information” includes controlled technical information as well as export controlled information, critical information related to operations security, and any other information marked or otherwise identified in the contract that requires safeguarding under relevant law and policy, including private and proprietary business information. The interim rule further clarifies that the definition of “controlled technical information” does not depend, as it did under the prior UCTI definition, on whether the information “is to be marked” with applicable DOD distribution statements.

This expanded definition, coupled with the clause’s broad flowdown requirement, means that the revised clause requirements likely will apply to virtually all DOD contractors at the prime and subcontract level. The interim rule also revises DFARS Part 212 to clarify that the rule’s requirements are applicable to commercial item contracts and subcontracts.

Security Controls

Additionally, internal contractor information systems that contain covered defense information are subject to new safeguarding requirements. The interim rule removes the clause’s previously-required security controls from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. DOD replaces those requirements with the controls from the recently-issued NIST SP 800-171, issued on June 18, 2015 and previously discussed here.

The National Archives and Records Administration (NARA) in May 2015 issued a proposed rule, discussed here that would establish a government-wide policy related to the identification and safeguarding of controlled unclassified information. NARA stated in connection with that rule that it intended to promulgate a FAR clause that would apply the requirements of NIST SP 800-171 to contractors. The Office of Management and Budget likewise recently proposed guidance seeking to require the use of these same NIST SP 800-171 controls on a government-wide basis for internal contractor information systems, discussed here. DOD’s decision to use the same NIST standards proposed by OMB and NARA is a welcome step to achieve consistency in cybersecurity standards across the federal government.

DOD in the interim rule also creates a new clause, DFARS 252.204-7008, which states that a contractor prior to contract award can provide a written explanation to the government justifying deviations from the NIST SP 800-171 controls. The prior DFARS UCTI clause had a similar provision, although not required pre-award, allowing contractors to provide this written explanation related to the NIST 800-53 controls. Under the interim rule, if seeking a deviation, a contractor must explain: (i) how the company has in place alternative security controls that “compensate for the inability to satisfy a particular requirement” of the NIST SP 800-171 standards or (ii) that a particular control is inapplicable. The new clause likewise clarifies that the contractor may either comply with the NIST SP 800-171 requirements or provide for alternative but equally effective security measures, a determination which must be approved by DOD prior to contract award.

 

Reporting Requirements

 

The interim rule also expands reporting obligations. The rule requires contractors that discover a cyber incident that affects a covered contractor information system or information contained therein to investigate and report that incident to DOD. As part of its implementation of Section 1632 of the 2015 National Defense Authorization Act, DOD also requires contractors to investigate and report a cyber incident that affects the contractor’s ability to perform “operationally critical support” functions of a contract. Subcontractors are required to report cyber incidents to both the prime contractor and the government, with lower-tier subcontractors required to report cyber incidents up the chain of privity until the prime contractor is reached.

In addition, the rule modifies DFARS 252.204-7012 to permit DOD to release certain contractor information in a number of circumstances, including “to entities with missions that may be affected by such information” and “for national security purposes.” This expands the permissible reasons for sharing included in the prior version of the clause, which had limited the government’s use of contractor information only to “authorized persons for purposes and activities consistent with [the prior UCTI] clause.” Because contractor information now may be disclosed outside the government, contractors should clearly mark information provided to DOD and carefully consider whether particular information should be disclosed in connection with a cyber incident.

The interim rule further establishes DFARS 252.204-7009, Limitation on the Use and Disclosure of Third-Party Contractor Reporting Cyber Incident Information. This clause is required in contracts that involve contractor support for government activities related to safeguarding covered defense information and cyber incident reporting. It imposes non-disclosure obligations on contractors handling reporting information and provides that a contractor’s breach of its non-disclosure obligations may be subject to criminal, civil, administrative, and contractual actions brought by the government, or, importantly, by the impacted reporting party.

Cloud Computing Requirements

And if the foregoing was not enough, the interim rule also contains a number of new requirements relating to the acquisition of cloud computing services. The interim rule adds a new DFARS subpart, 239.76, which formalizes DOD guidance in this area and mandates that DOD may only award contracts for cloud computing services to contractors that have obtained a provisional authority to operate from the Defense Information Systems Agency (DISA). The new subpart requires the inclusion of specifically enumerated government protections in any DoD cloud services purchase order.

The interim rule also establishes two new contract clauses, DFARS 252.239-7009, Representation of the Use of Cloud Computing, and DFARS 252.239-7010, Cloud Computing Services, for use in any acquisition for information technology services. These clauses require contractors to: (i) implement administrative, technical, and physical safeguards and controls outlined in DISA’s Cloud Computing Security Requirements guide; (ii) maintain all government data in the United States unless authorized otherwise in writing; and (iii) restrict access to government data. DFARS 252.239-7010 also mandates that contractors report all cyber incidents related to the cloud services provided under the contract and imposes reporting and compliance obligations that parallel the access and investigation cooperation requirements included in the new UCTI clause.

Comments on the interim rule are due by October 26, 2015. Dentons attorneys will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons attorneys will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity.  More information about the series can be found here or by contacting the authors of this article.

 On July 31st, GSA issued a Class Deviation to “mitigate the legal risk of incorporating into GSA contracts common Commercial Supplier Agreement (CSA) terms and conditions that conflict with or are incompatible with Federal law.” As I explain below, the impacts of this deviation cannot be understated. The deviation establishes a new GSAR Clause 552.212-4, Contract Terms and Conditions—Commercial Items in lieu of standard FAR Clause 52.212-4. The class deviation is the end result of GSA’ s efforts to address the long-standing challenges surrounding the negotiation of “End User License Agreements” (EULAs) (aka Software Licenses and/or CSAs) under IT Schedule 70. As GSA has noted, however, CSAs are often used in other contexts, from travel to telecommunications, to financial services, and to building maintenance systems.

The focus of GSA’s efforts to address EULAs under IT Schedule 70 was to ensure that the contract language clearly provided that, in the event of a conflict between federal law and a commercial term, the federal law takes precedence (controls). According to GSA, without such language in the contract, each and every EULA under IT Schedule 70 would have to be reviewed in its entirety to ensure there were no conflicts with federal law. The deviation is intended to streamline the license review and negotiation process by specifically addressing potential areas of conflict.

The Coalition appreciates GSA’s open, transparent dialogue regarding the deviation. The Federal Register notice and subsequent open conversations demonstrate GSA’s commitment to engaging its industry partners on key procurement issues of common concern. Moreover, the Coalition and its members appreciate that, in cases where a license term conflicts with federal law, the federal law controls, and it welcomes the opportunity to work with GSA on developing terms and conditions that would streamline the process for all. The Coalition, however, is very concerned that the scope of the deviation goes well beyond addressing specific conflicts between federal law and commercial terms.

Specifically, the deviation changes the order of precedence, dropping commercial terms below the other paragraphs of 552.212-4 and solicitation terms, leaving it just above the SF1449. In contrast, under the standard FAR Clause 52.212-4, commercial terms are above the other paragraphs of 52.212-4 and the solicitation provisions. Here is a chart that highlights the change:

flash september pic

Though it may be minor in appearance, the potential impact of this change could be significant. For instance, as a result of this change, all commercial software terms, like title and ownership, warranties, and remedies, are subordinated to the government’s terms and conditions in the solicitation. So, rather than addressing the specific areas of conflict, as GSA intended, the deviation undoes any preference for commercial software license terms and conditions under GSA contracts. As a result, prudent contractors will be compelled to seek negotiations on each and every term in an attempt to ensure its commercial terms apply. At an operational level, this means that, rather than streamlining the negotiation process, the deviation likely will complicate and delay processing times for contracts and modifications for new software products.

More fundamentally, the scope of the deviation raises questions regarding its legality. FAR 1.402 authorizes deviations “[u]nless precluded by law, executive order or regulation… .“ The Federal Acquisition Streamlining Act of 1994 (FASA) requires the head of the agency to ensure, to the maximum extent practicable, that commercial items may be procured to fulfill agency requirements, that requirements be modified so they can be met by commercial items, that specifications be stated to enable offerors to supply commercial items, and that policies be revised to reduce the impediments to acquiring commercial items. See 41 U.S.C. 3077.

In a recent Friday Flash discussing a DoD proposed rule seeking to change the definition of “commercial item” for the purpose of gaining access to price and/or cost data, the Coalition pointed out that narrowing the definition of a commercial item

 

…could have far reaching implications for the procurement system. It risks reducing the government’s access to innovative services and solutions by creating a new, significant barrier to entry for firms already offering those services and solutions in the commercial marketplace.

 

The same is true here. The deviation essentially turns the preference for commercial items on its head, creating a significant impediment to offering and acquiring commercial items with CSAs. As a consequence, it risks foreclosing access to cutting edge technologies needed by GSA and the agencies that rely on its contract vehicles. At a time when the government is seeking greater access to innovative technologies and capabilities from the commercial market, it just does not make sense, and thus, it needs to be changed.

 

Could yesterday’s weather have been any better?  Joe Caggiano was certainly smiling down on us as we enjoyed a perfect day and the beautiful Whiskey Creek golf course at this week’s Third Annual Joseph P. Caggiano Memorial Golf Tournament.  As a veteran himself, Joe would have been proud that this year’s proceeds are once again going to fund a scholarship for a veteran.   We were honored to have Joe’s wife, father, and brother (Kathleen, Paul, and Mike) all join us in this year’s tournament.  Paul and Mike’s team impressively finished the day in 2nd place!

Due to our generous sponsors and participants in Joe’s tournament, I am proud to announce we will be contributing more than $25,000 to our Coalition for Government Procurement Endowed Scholarship Fund at The George Washington University, where financial support will be provided to a deserving veteran who is concentrating their studies in the field of US Government procurement and pursuing the JD or LLM degree in Government Procurement Law or the Masters of Science in Government Contracting degree (MSGC).

I would especially like to thank our two title sponsors – Integrity Consulting and CohnReznick. Your generous support means a great deal to the Coalition and we can’t thank you enough.

Additionally, thank you to our luncheon sponsor, AvKARE; our reception sponsor, The Gormley Group; and our Beverage Cart Sponsor, EY.

Thank you also to our many hole sponsors: Allen Federal Business Partners, Baker Tilly, Bloomberg, Booz Allen Hamilton, BRG, Brocade, CACI, General Dynamics Information Technology, The George Washington University, HON, Judge Group, Koniag, Raytheon, Northrop Grumman, the Rendely Family, Ricoh, SAP, Toro, and Wells Fargo!  Every hole at Whiskey Creek was fantastic and their staff once again did an excellent job in assisting with the day’s events – from the scoreboard and golf cart arrangements to the food prep and beverage services.

Thank you, the government contracting community, for coming together and raising awareness and funds for charitable and educational causes such as this one – it’s truly remarkable.  If you would like to make further donations to our scholarship fund, you may do so by visiting http://lawgwu.imodules.com/cgp.

 

Lastly, thank you to the Coalition team for a job well done.  You guys are the best!

Congratulations to all the players and companies involved – we are already looking forward to seeing you again at next year’s tournament!

Before we start planning for next year’s tournament though, I want to encourage you to attend our 2015 Excellence in Partnership Awards on the evening of October 21st and our Fall Training Conference the following morning on October 22nd.  Registration is now open and we are seeking additional sponsors to join our Title Sponsor at the EIPs – General Dynamics Information Technology – and our Title Sponsor at the Fall Conference – AvKARE.  For questions regarding sponsorships or assistance with registration, please contact Matt Cahill at 202-315-1054 or mcahill@thecgp.org.

 

Roger Waldron

President

IMG_8639

Dentons US LLP

The Office of Management and Budget (OMB) on August 11, 2015 released proposed guidance, available here, that takes “major steps” towards – and likely accelerates – the implementation of standard cybersecurity requirements in all federal acquisitions. OMB in its guidance provides some fairly clear direction for contractors seeking to understand their future cybersecurity compliance obligations. OMB’s guidance, however, also leaves open certain key questions for contractors in this area, particularly with regard to how OMB’s requirements will be applied and harmonized with existing agency-specific cybersecurity requirements.

OMB indicates its guidance will be finalized in the fall of 2015. In light of the high profile breach of the Office of Personnel Management and the National Archives and Records Administration’s (NARA) related efforts to address the identification and safeguarding of controlled unclassified information (CUI), contractors should expect OMB’s proposed guidance to be adopted in short order, with applicable cyber requirements appearing in government contracts shortly thereafter.

  1. Applicability

OMB’s proposed guidance would apply to federal acquisitions of products or services that involve creation, collection, or access to CUI. Although not directly addressed in the OMB guidance, the identification of CUI likely would be governed by NARA’s CUI registry and NARA’s proposed rule, issued on May 8, 2015, that seeks to establish a government-wide policy for designating and controlling CUI. OMB’s guidance suggests that its requirements would be broadly applicable to both prime contractor and subcontractor information systems containing CUI in connection with federal acquisitions. Contractors accordingly should expect OMB’s guidance to have broad applicability to virtually any federal contract involving CUI.

  1. Security Controls and Reporting Requirements

OMB’s guidance would impose different security controls and cyber incident reporting requirements on contractors depending on whether a contractor’s information system is: (1) a system operated on behalf of the government; or (2) an internal system used to provide a product or service for the government that processes CUI “incidental” to the product or service being provided. OMB’s guidance generally would apply more stringent requirements to contractor information systems operated on behalf of the government. It is accordingly important for contractors to understand what type of system they are operating in connection with particular contracts to avoid the over-imposition of cybersecurity requirements.

With respect to security controls, a company operating an information system involving CUI on behalf of the government would be required to comply with the security controls contained in NIST Special Publication (SP) 800-53, generally at the “moderate” baseline but subject to agency tailoring. Conversely, a company operating internal information systems involving CUI would not be subject to the NIST 800-53 controls. Instead, the contractor would be expected to comply with the recently promulgated security controls contained in NIST SP 800-171, issued in final on June 18, 2015 and previously discussed here.

Although overlap exists between the security controls contained in these two NIST standards, contractors operating internal information systems on which CUI may be present should seek to ensure the appropriate NIST SP 800-171 controls are included in contracts, and be prepared to push back on government attempts to impose additional security controls based on NIST SP 800-53. The notable exception to this would be DOD’s Unclassified Controlled Technical Information (UCTI) requirements, DFARS 252.204-7012, which were adopted in November 2013 and require compliance with more than fifty controls from NIST SP 800-53.

With regard to cyber incident reporting, the OMB guidance recognizes that reporting requirements for the two types of contractor information systems would be “similar.” The primary difference would be that a contractor’s reporting obligation for internal contractor information systems would be limited to incidents in which CUI is impacted, rather than to every cyber incident involving systems operated on behalf of the government.

The OMB guidance also notes that agency contract language should include “specific government remedies” if a contractor fails to report cyber incidents as required by its contract. Although OMB’s guidance does not provide insight into or specify these remedies, potential remedies may include payment withholding, award fee reductions, or negative past performance evaluations. Prescribing specific remedies would give the government an enforcement tool to ensure cyber compliance in addition to the more drastic termination, debarment, or fraud remedies.

  1. System Security Assessments and Continuous Monitoring

OMB in its guidance also states that contractor information systems will be subject to information system security assessments. OMB’s guidance suggests that agencies would have discretion to establish security assessment requirements based on the government’s risk assessment and the security categorization of the information system under Federal Information Processing Standard Publication (FIPS) 199. Contractors also would be required to explain in proposals how they would meet the requirements of NIST SP 800-171, including the NIST SP 800-171 security assessment requirements. And contractors would be required to provide the government with access to the contractor’s facilities, personnel, and systems for the purpose of conducting system assessments or to conduct investigations or audits.

OMB’s guidance does not clearly address whether the same security assessment requirements would apply to both contractor information systems operated on behalf of the government and internal contractor information systems. OMB’s guidance, moreover, does not appear to recognize the prospect of sensitive information being swept up in the course of such investigations or audits and the reasonable expectation of contractors that such information must generally be protected from disclosure. This information includes, for example, attorney-client privileged communications, trade secrets, or other confidential business information. Contractors are, understandably, very keen to ensure there are appropriate boundaries on the government’s right of access.

OMB also states that contractors will be subject to continuous monitoring requirements, a fairly significant and expensive compliance obligation for contractors. Contractors operating information systems on behalf of the government would be required to have continuous monitoring requirements in place that meet or exceed the monitoring requirements contained in OMB Memorandum M-14-03. Additionally, for those contractor systems not operated on behalf of the government, OMB notes that continuous monitoring is required under the controls contained in NIST SP 800-171. The guidance does not specifically address the administrative burdens of such requirements—an area that is ripe for comment by contractors.

  1. Due Diligence Requirements

OMB’s guidance also suggests that agencies should utilize due diligence research to assess program cyber risk. Specifically, GSA would be directed to create an information sharing service for government agencies that would include information collected from public records, publically available information, and commercial data, as well as data voluntarily reported by contractors in connection with information sharing programs. Contractors should expect that the government will utilize this due diligence information as part of acquisition planning and source selection efforts, as well as to monitor contractor security throughout contract performance.

  1. Open Questions

Finally, OMB’s proposed guidance suggests that key stakeholders would “immediately” begin working to apply the OMB guidance and that agencies also would “continuously review contract activities” to ensure compliance with OMB’s guidance. Yet OMB also states, consistent with NARA’s proposed rule, that the FAR Council will be amending the FAR to include contract clauses that implement requirements related to CUI. Accordingly, it remains an open question whether OMB’s guidance would be adopted by agencies individually on a contract-by-contract basis, or whether the guidance requirements would be implemented only after promulgation of a FAR rule. In the interim, contractors should carefully review their upcoming contract awards to assess whether the government has sought to include any new or changed obligations relating to security controls and cyber incident reporting.

It also is unclear how or if the OMB guidance requirements would be harmonized with the recommendations and implementation efforts of the DOD/GSA Joint Working Group, which issued its report in January 2014 containing six recommendations aimed at improving cybersecurity in federal acquisitions. It is similarly unclear whether or how OMB’s guidance would be reconciled with the DOD UCTI requirements, or other agency-specific cyber requirements. Absent such harmonization efforts, contractors may continue to find themselves subject to a patchwork of sometimes conflicting cyber compliance obligations in this area.

  1. What’s Next?

OMB is seeking industry feedback on its proposed guidance by September 10, 2015, in anticipation of issuing final guidance by the fall of 2015. OMB is seeking comments through the GitHub platform, and contractors should strongly consider submitting comments either independently or through industry trade associations.

Dentons attorneys will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons attorneys will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity. More information about the series can be found here or by contacting the authors of this article.

On August 10, 2015, the Government Accountability Office (GAO) released Report No. GAO-15-590, FEDERAL SUPPLY SCHEDULES: More Attention Needed to Competition and Prices. The report examines (1) how and to what extent the government is using the FSS program; (2) factors influencing the degree of competition for FSS orders, and (3) the extent to which agencies examine prices to be paid for FSS orders. The language of the GAO report is both thought provoking and, in some places, perplexing.

Although not highlighted by GAO, the report actually contains some good news regarding competition rates for orders under the Federal Supply Schedule (FSS) program. According to GAO, significant competition was achieved for orders under the FSS program; in fact, based on another GAO report issued earlier this year, FSS program competition rates appear to have exceeded the competition rates under the contract vehicles of other agencies. Specifically, GAO found that 75 percent of the FSS task orders were competitive. This finding is a tremendous good news story for government-wide procurement, the FSS program, and GSA. To its credit, over the years GSA has made significant investments in training and electronic tools to enhance competition at the task order level. In particular, GSA’s electronic quote tool, eBuy, has increased competition and transparency for customer agencies and FSS contractors. The GAO Report notes the effective use of eBuy to achieve competition for agency tasks.

At the same time it highlights this good news regarding overall FSS competition rates, however, the GAO report states that “[m]ost FSS obligations were competed in fiscal year 2014, but only 40 percent of obligations were on orders for which the government received three or more quotes—a number frequently mentioned in the Federal Acquisition Regulations (FAR).” This statement is where the report is perplexing. It appears to establish or imply a new standard for competition, namely the receipt of three offers. Such a purported standard is inconsistent with statute and regulation.

Under the statutory and regulatory requirement for competition for orders exceeding the simplified acquisition threshold (SAT), a contracting activity must provide notice to all FSS contractors capable of meeting the requirement or, alternatively, provide notice to as many FSS contractors as practicable to reasonably ensure receipt of three offers. When notice is provided to all of those contractors, there is no requirement for receipt of three offers. When notice is provided to less than all of those contractors, there still is no requirement for receipt of three offers. Rather, contracting officers must document the file addressing their efforts to obtain three quotes and that no additional contractors capable of meeting the requirement could be identified despite reasonable efforts to do so.

In light of these requirements, then, it is difficult to understand the point of the GAO’s observation about obligations involving three or more quotes. As the report states, “three or more quotes” is “a number frequently mentioned in the … FAR.” It is not a statutory or regulatory mandate, nor should it be necessarily, as the decision not to offer, itself, may be a competitive decision. In any case, the key finding is that, overall, competition was achieved on 75%of the FSS task orders.

With regard to pricing, the GAO report also states that contracting officers did not consistently seek discounts (i.e., price reductions) from schedule prices, even in situations where they were required. The most perceptive assessment of this issue in the GAO report, however, came from certain contracting officials, who noted that by competing the order, they met the requirement to seek a discount. The fundamental goal of competition, including task order competition under the FSS program, is to obtain the best deal (e.g. lower price, better terms, or increased performance/value).  Thus, by seeking/soliciting competition from all FSS contractors through the issuance of a Request for Quotes (RFQ) or other communication, those contracting official effectively did seek a price discount. It stands to reason, then, because the GAO report identified an overall competition rate of 75 percent for the FSS program, at least 75 percent of the time contracting officers sought price reductions. In drawing its conclusion, GAO appears to be focusing on the failure to include the words “price reduction or discount” in an RFQ.

In sum, GSA should feel good about GAO’s identification of strong competition rates for the FSS program. Although GAO identified some points of contention, GSA should stay focused on the 75% of the glass that remains full.

 

By: Phil Seckman, Partner, Dentons

On Monday, August 3, 2015, the Department of Defense (DOD) issued a long-awaited proposed rule that could have a significant impact on how the DOD and prime contractors procure commercial items.  80 Fed. Reg. 45918 (Aug. 3, 2015) (amending 48 CFR Parts 202, 212, 215, and 252) (the “Proposed Rule”).  The Proposed Rule is said to merely implement Section 831(a) of the Fiscal Year 2013 National Defense Authorization Act (NDAA), but goes much further, proposing significant substantive changes to what qualifies as a commercial item under DOD-funded contracts and imposing significant burdens on prime contractors to gather data from their commercial item subcontractors.

Section 831 directed DOD to, among other things, issue guidance including “standards for determining whether information on the prices at which the same or similar items have previously been sold is adequate for evaluating the reasonableness of prices.”  10 U.S.C. § 2306; National Defense Authorization Act for Fiscal Year 2013, Pub. L. No. 112-239; FAR § 52.215-20.  Section 831 was, in part, a response to DOD’s recent efforts to narrow the broad commercial item paradigm created by Congress in the 1990s, including a 2012 DOD legislative proposal to change the statutory and regulatory definition of “commercial item.”  S. Rep. No. 112-73, at 143-44 (2012).  Specifically, DOD requested legislation to grant DOD greater access to cost or pricing data associated with commercial items and sought to change the definition of commercial items to exclude items that are merely “offered for sale” or “of a type” offered for sale in the marketplace.  Congress declined to make those changes, recognizing the Federal Acquisition Streamlining Act (FASA) purposefully includes a broad definition of commercial items in order to ensure that the federal government has access to products available in the commercial marketplace.

Undeterred, DOD issued the Proposed Rule which would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to add new definitions, instructions, solicitation provisions and clauses.  If issued as a final rule, these changes will:  (1) commonly require the submission of certified cost or pricing data or pricing data other than certified cost or pricing data; (2) add new clauses in place of FAR § 52.215-20 when “it is reasonably certain” that certified (or uncertified) cost or pricing data may be required to be submitted; and (3) require offerors to “obtain from subcontractors whatever information is necessary to support a determination of price reasonableness,” including “cost data to support a commerciality determination, cost realism analysis, should-cost review, or any other type of analysis addressed by FAR part 15 and DFARS part 215.”

The new definitions will be located in DFARS §§ 202.1 and 215.401 and include definitions for “nongovernment sales,” “relevant sales data,” and “uncertified cost data.”  The two most notable definitions are “market-based pricing” and “sufficient government sales to establish reasonableness of price.”  “Market-based pricing” is defined as “pricing that results when nongovernmental buyers drive the price in a commercial marketplace” and there is a “strong likelihood the pricing is market based” when nongovernmental buyers account for at least 50% of sales by volume of a particular item.  “Sufficient government sales to establish reasonableness of price” are found when the data reflect “market-based pricing” and “are made available to the contracting officer to review and contains enough information to make adjustments covered by FAR 15.404 1(b)(2)(ii)(B).”

As a consequence of the definition of market-based pricing being pegged to actual sales, the term “offered for sale” is arguably read out of the statutory and regulatory definition of commercial item.  “Offered for sale” is an important concept that occurs frequently in services sales because customized offerings are frequently made and it is impracticable, if not impossible in some cases, for offerors to show that at least 50 percent of sales of that particular service are to nongovernment buyers.  Again, this isn’t the first time that DOD has tried to remove “offered for sale” from the commercial item definition.  In essence, DOD is attempting to unilaterally accomplish through a rule change what Congress declined to do through legislation.  There are also inconsistencies between DOD’s Proposed Rule and other legislative proposals currently in conference for the 2016 NDAA.  It remains to be seen how or if Congress will react as DOD continues working to narrow Congress’ commercial item definition.

In addition to the substantive narrowing of the commercial item definition, the Proposed Rule would impact how prime contractors procure commercial items from subcontractors.  Specifically, the Proposed Rule would require primes to obtain “whatever information is necessary” from subcontractors to support price reasonableness determinations.  Such information would include “cost data to support a commerciality determination, cost realism analysis, should-cost review, or any other type” of FAR Part 15 or DFARS Part 215 analysis.  Because DOD’s view that cost data is somehow relevant to whether a commercial market exists for a particular item is nonsensical and wrong, this requirement is likely to create disputes between primes and subs regarding the types of information necessary to support a subcontractor’s commercial item assertion.  These requirements would affect subcontractors at all tiers.  Importantly, this broad and poorly defined data collection requirement would give the government greater ability to effectively challenge the prime contractor’s costs incurred under cost-type contracts for commercial item subcontracts and provide fodder for challenging the adequacy of a prime contractor’s purchasing system.

As we previously discussed, the federal government, and DOD in particular, is continuing to add requirements—and their associated costs—to what is said to be a streamlined acquisition process that was, originally, intended to move away from detailed cost insight and analysis.  Contractors should keep abreast of these changes and ensure they are prepared to comply with the new requirements should they become effective.  Comments on the Proposed Rule are due by October 2, 2015 and we fully anticipate there will be strong interest and reaction to this rule from industry and other organizations.  Stay tuned!

 

In policy pronouncements and public statements over the last year, the Department of Defense (DoD) emphasized, as a strategic imperative, gaining access to, and leveraging, innovative commercial technologies. For instance, on April 9th of this year, DoD issued Better Buying Power 3.0 – Achieving Dominant Capabilities through Technical Excellence and Innovation, and among the new focus areas it identified were cybersecurity, commercial technology, and global technology. Further, in a recent speech in California, DoD Secretary Ash Carter highlighted DoD’s desire and need to gain access to Silicon Valley’s innovative technology companies.

Fundamental to DoD’s efforts to gain access to innovative, cutting edge technologies are streamlining the processes and reducing the risks for firms producing those technologies to participate in the government market. Streamlining and risk reduction is achieved by eliminating, to the maximum extent practicable, government unique requirements that are inconsistent with the commercial practices that those firms encounter in the normal course of their business. Unfortunately, over the last decade, the procurement community has seen the erosion of commercial item contracting, not in law, but in practice. Specifically, the government has re-layered onto the commercial item contracting process government unique requirements that have increased costs and raised barriers to entry into the federal marketplace.

Now comes the latest assault on commercial item contracting. On August 3rd, DoD issued a proposed rule addressing the procurement of commercial items. The proposed rule essentially makes significant changes in the definition of “commercial item” for purposes of gaining access to price and/or cost data. This week’s Friday Flash includes a Legal Corner article highlighting the proposed rule’s fundamental changes in the definition of commercial item, and I recommend it to you for serious study.

The proposed rule includes a new definition that will be used as the standard for determining whether additional price or cost data can/may be requested for commercial items. It identifies this new standard as Market-based pricing and defines it as follows:

Market-based pricing means pricing that results when nongovernmental buyers drive the price in a commercial marketplace. When nongovernmental buyers in a commercial marketplace account for a preponderance (50 percent or more) of sales volume of a particular item, there is a strong likelihood the pricing is market-based pricing.

This definition, as well as other language in the rule, essentially seeks to revise the underlying statutory definition of “commercial item” by eliminating the statutory language “offered for sale” and “of a type.”

Indeed, the definition appears to use as an analog for price analysis the government-nongovernment distinction used in defining a commercial item. That approach, however, is flawed. For a commercial item, the government-nongovernment distinction addresses the features, use, and ubiquity that distinguish an item’s commercial character. All things being equal, price equilibrium in the commercial marketplace is driven by supply and demand and thus is virtually customer agnostic.

This attempt to narrow the definition of a commercial item could have far reaching implications for the procurement system. It risks reducing the government’s access to innovative services and solutions by creating a new, significant barrier to entry for firms already offering those services and solutions in the commercial marketplace. In essence, the proposed rule is an “anti-innovation” approach arising at a time when DoD has expressed a critical need to access innovation to “achieve dominant capabilities through technical excellence and innovation.” It begs the question: Can DoD have it both ways?

Alliant 2 RFI

August 6th, 2015

On July 14th GSA issued an Request for Information (RFI) seeking feedback on a revised list of Leading Edge Technologies (LETS) for the Alliant 2 Unrestricted and Small Business Set-Aside procurements. The RFI indicated that GSA is considering reducing the 17 LETS identified in the original draft Request for Proposal (RFP) to ten. The RFI asked the public for comments, suggestions or questions concerning the definitions of the revised LETS. The due date for responses was July 28th.

The Coalition applauds GSA’s Alliant acquisition team for their proactive engagement with industry on Alliant 2. Throughout the pre-solicitation planning process GSA has been open, transparent and engaging with regard to its acquisition strategy and efforts to seek input from all stakeholders. The LETS RFI is just another positive example.

The RFI also serves a very useful purpose in highlighting the fundamental role LETS appear to be playing in Alliant 2. The change from 17 to ten LETS highlights the difficulty in identifying and defining leading technologies in the commercial marketplace. Moreover, the change in number of LETS and the RFI’s focus on definitions reflect the objective nature of the LETS evaluation. Points are awarded purely on the basis of whether an offeror has an LETS example or not. The quality of the LETS work and importance to the customer agency mission are not considered or scored.

Moreover, given the current evaluation methodology and overall point values for each evaluation category, the weight given to LETS will make them the key discriminator in determining awardees. This raises some key questions that GSA should consider as it moves forward with Alliant 2:

  • What role should the quality of LET performance play in the evaluation?
  • Is it important to assess the LET’s performance as it relates to the customer agency mission?
  • How do the current LETS relate to customer requirements and contract scope under Alliant and what is anticipated under Alliant 2?
  • Is the relative importance (12,000 points) of LETS overstated?
  • How does the evaluation of LETS further the core mission of Alliant?

The Coalition encourages GSA to continue the dialogue on LETS and the entire Alliant 2 approach through the issuance of a second draft RFP for comment. The use of a second draft RFP would provide both customer agencies and contractors with an opportunity to assess changes and provide feedback in a thoughtful, fulsome exchange. Everyone shares the goal of executing a high value, efficient and effective Alliant 2 that meets customer agency needs! The use of a second draft RFP also will allow further dialogue around LETS. It will provide a Myth-Busters opportunity for collective refinement and continued improvement in the overall RFP to ensure best value solutions across the spectrum of customer information technology needs. A further return on investment (ROI) to GSA in issuing the second draft RFP is a reduction in proposal submission and evaluation times. We are all in this together!

Golf, Excellence in Partnership Awards, and Fall Training Conference

The heat and humidity are here, but the good news is that also means we are gearing up for our 3rd Annual Joseph P. Caggiano Memorial Golf Tournament!  This year’s tournament will once again be taking place at the beautiful Whiskey Creek Golf Club in Ijamsville, MD on August 26th and will be played as a four-man scramble (best ball on each shot).  This charity tournament is to honor our good friend and colleague, Joe Caggiano, who was a 23-year veteran of the federal contracting marketplace and a naval veteran as well.  Last year, in honor of the Coalition’s 35th anniversary, and in conjunction with The George Washington University, we created a scholarship/fellowship to provide financial support to a deserving veteran concentrating their studies in the field of US Government procurement and pursuing their JD or Masters at GWU.  Once again, 100% of this year’s tournament proceeds will be applied towards the Coalition for Government Procurement Endowed Government Procurement Scholarship/Fellowship Fund!  To add additional excitement, Lockheed Martin has generously donated an entire suite to a Washington Caps game that will be auctioned off!

I want to thank our two title sponsors – Integrity Consulting and CohnReznick – for your early support of this fun and meaningful event.  We still have several sponsorships still available including beverage cart sponsors and hole sponsors, and we of course want to ensure all 144 spots are filled for an enthusiastic shot gun start at 11:00.  If you haven’t already, start organizing your foursome (individual golfers are great, too!) and get registered or contact Matt Cahill at mcahill@thecgp.org.

Want to support this great cause, but golf isn’t your game?  Join us at our 16th Annual Excellence in Partnership Awards on the evening of October 21st at The Westin Tysons Corner, where we will be holding a silent auction to raise funds for the same endowment while we honor acquisition officials who have made significant strides in promoting and utilizing multiple award contracting vehicles.  Awards are given to individuals, organizations, and contractors involved in procurement with GSA, VA, DoD, DHS, and other government agencies.  Nominations will be accepted until September 18th.

 

carolyn

Also important to this year’s EIP Awards, we invite you to come share your appreciation and offer best wishes as Carolyn Alston, our dear friend and colleague, begins her retirement!  We’ve been lucky enough to have her with us at the Coalition for Government Procurement as our Executive Vice President & General Counsel for the past three years.  Carolyn has had a distinguished career in industry and with GSA where she was a senior attorney in the Office of General Counsel and was the acquisition official leading the development of GSA’s MAS policy. She also served as GSA’s Assistant Commissioner for Acquisition, responsible for the MAS program.  Carolyn’s incredible dedication, commitment, and professionalism have defined her entire career. She truly stands as an embodiment of the “Excellence in Partnership” spirit, working patiently and respectfully with all parties to deliver common sense acquisition policies and procedures to the federal marketplace. The ultimate professional, but also a friend, Carolyn will be deeply missed by all and we wish her well!   We look forward to honoring Carolyn and all of EIP Awardees and tables will fill up quickly, so please don’t delay and register today!  A big thank you to our title sponsor –  General Dynamics Information Technology!

The following day (October 22nd) at the same location, we will be having our 2015 Fall Training Conference titled Acquisition Reform: Assessing the Impact on Business Opportunities and Liabilities.  Thank you to this year’s Fall Training Conference title sponsor – AvKARE!  Speakers will be discussing the status of legislation, acquisition reform, business outlooks, and more.  During lunch, Francis Rose from WTOP will be facilitating a rousing discussion and brainstorming on Generating an Industry Response.  Afterwards, we will be holding our much anticipated afternoon breakout sessions, which will offer a unique opportunity to get the latest information on the most significant contracts in federal government.  These Myth-buster sessions will include:

 

  • Doing Business with the VA
  • Doing Business with DHS
  • DOD Update
  • Alliant Update
  • GSA Schedules Modernization
  • The GSA Acquisition Centers
  • Update on Government-wide IT Acquisitions

 

Check out our incredible lineup of panelist and the entire day’s agenda and don’t forget to register!

 

If your company is interested in being a sponsor for any of the events listed above, please contact Matt Cahill at mcahill@thecgp.org or 202-315-1054.

 

Last week the Coalition hosted a Regulatory Compliance Training Forum, Labor Contract Compliances: The world according the Department of Labor. The training event covered the Service Contract Act, the Davis Bacon Act, Equal Employment Opportunity and Affirmative Action Plans and the latest information regarding the proposed Fair Pay and Safe Workplaces Executive Order and implementing regulations. The content, presentation and overall instruction were outstanding!! The Coalition thanks Jennifer Flickinger and Jeff Clayton, Principals at Baker Tilly and Trina Fairley Barlow, Partner at Crowell & Moring LLP, who served as our instructors.   I would also like to thank Baker Tilly for hosting the event at the Fairfax Chamber of Commerce offices in Tysons.

Given the positive reaction from the attendees and the highly complex nature of the topic, the Coalition is making this training part of our regular training series joining our MAS Basic Training and GSA Schedule Contracting for In-House Counsel courses. These training events reflect a key component of the Coalition’s mission: our commitment to provide member firms with the latest information, and highest quality training on procurement programs, policies and initiatives.  Much of this work is done through our committees where we focus on operational initiatives and issues as well as key procurement programs. Over the last year alone committee meetings have addressed strategic sourcing, Evergreen contracting, MAS pricing policy cycle times for mods and offers, Professional Services Schedule Consolidation, OASIS and Alliant 2. In addition, member working groups have developed white papers on MAS pricing and are currently finalizing a paper on VA MAS pricing.

The new Pricing and Regulatory Compliance Oversight (PRCO) Committee is designed to address cross-cutting pricing, audit and regulatory compliance issues that have arisen throughout our committees. The PRCO will be a forum to address compliance best practices, update members on changes in compliance requirements and pricing regulations and audits. It is also not limited to purely commercial item contracting. We look forward to expanding our of member services to include guidance and information, as appropriate, on cost-reimbursement contracting related issues.   We also look forward to reaching out to the oversight community to engage in a Myth-Busters dialogue on key compliance challenges across the procurement system. The PRCO will meet quarterly, with the first regular meeting tentatively scheduled for November 2015. Over the next month the Coalition will be reaching out to you with a survey seeking your input on the PRCO including issues, topics and speakers. Respondents to the survey will be added to the email list for committee communications.

In addition, members can contact Jason Baccus at (202) 331-0975 or jasonbaccus@thecgp.org to be added to the PRCO list. All are welcome! Especially in-house counsel, compliance officers, financial officers, and, of course, contract managers!   We look forward to serving your compliance needs through the PRCO!

Subscribe to Our Blog

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Recent Posts

Categories

Archives

© Copyright 2005-2011| 1990 M Street NW, Ste 450 | Washington, DC 20036 | 202.331.0975
Site by Web Weaving.
Linked InFollow Us on FacebookJoin Us on TwitterView Our Flickr Pics!Subscribe to Our RSS Feed