
Friday Flash, 03.28.14

FAR and Beyond Blog

GSA’s Office of Inspector General’s recent memorandum to the FAS Commissioner continues to confirm the impracticality of contract compliance under the current MAS pricing policies.  The memorandum is the third in a series of memoranda (March 25, 2014, March 8, 2013 and September 26, 2011) regarding recurring issues identified in the preaward contract audits done by the Inspector General’s Office of Audits.

Consistent across each of the memoranda is the IG’s finding that contractors “provided information that was not current, accurate, and/or complete to support proposed prices.”  Or, as stated in the March 25, 2014 memorandum, “[c]ontractors continue to provide commercial sales practices disclosures that are not current, accurate, and/or complete to support their proposed prices.”  The IG found that over the three years covered, close to 80 percent of the audited contracts had issues regarding the currency, accuracy and completeness of the commercial sales practices information submitted to support pricing.  The chart below highlights the prevalence of the CSP issues identified by the IG across the contracts.  The chart is taken from the March 25th memorandum:

CSP Chart

The chart is a powerful statement regarding the cumbersome, confusing and impractical nature of the CSP disclosure requirements for contractors and contracting officers.  It is evident from the high degree of non-conformance that even experienced contractors struggle with the disclosure requirements.  Moreover, the oversight community’s expansive, literal interpretation of the pricing disclosure requirement increases the compliance risk for MAS contractors beyond what was ever intended under the program.  When the GSA IG Office of Audits finds over a three-year period that 80 percent of contractors fail to submit current, accurate and complete CSP data, it is a compelling statement that the MAS pricing policies and procedures are impossible to comply with for contractors competing in the commercial marketplace.  This is not a new issue.  Over 20 years ago the United States Court of Appeals for the First Circuit found the Government’s reading and implementation of the MAS pricing disclosure requirements unreasonable.  As the overwhelming noncompliance noted by the IG demonstrates, the same issues are at play today.

In United States v. Data Translation Inc., 984 F.2d 1256 (1st Cir. 1992), the United States Court of Appeals addressed the practicality, or rather, the impracticality of compliance with an expansive or literal reading of the MAS pricing disclosure requirements.  In a 1992 decision authored by then Chief Judge Stephen Breyer (now Supreme Court Justice Breyer) the Court of Appeals affirmed the District Court’s verdict denying the Government’s claim that Data Translation violated the contract terms and the federal False Claims Act (31 U.S.C. 3729 et seq.) by failing to fully disclose the pricing discounts it gave to non-governmental customers as required by the terms.  In sum, the Government alleged that the pricing information it relied upon in negotiating the contract was not current, accurate or complete.

The Court concluded that a literal reading of the disclosure form that all pricing transactions were to be disclosed created ambiguity and incomprehensibility.  According to the Court, no reasonable person could have believed that the Government really wanted the complete and total disclosure for which the disclosure language appeared to ask. Rather, the Court concluded that a reasonable interpretation of the clause would require disclosure of similarly situated transaction pricing.  In reaching these conclusions the Court examined three sets of considerations:  (1) the business context of the compliance requirements; (2) the statutory context of the MAS program and the compliance requirements; and (3) the negotiation context addressing the facts and expectations of the parties during the contract negotiations.  This blog will address the business context and the statutory context.

With regard to the business context, the Court observed that an ordinary business person would not interpret the disclosure form literally as the form “asks a business to shoulder a compliance burden which will often seem inordinately difficult or impossible to carry out.”  The Court used as an example the burdens a commercial firm in a competitive industry would face in tracking each and every sale across thousands of different customers, through a host of sales personnel, facing shifting competitive pressures from market to market, time to time and from one customer to another.  Tracking that would not only include price points but price-related terms and conditions.

With regard to the statutory context, the Court highlighted the legislative intent behind the MAS program.  The overarching goal in creating the MAS program was “simplification” of the procurement process through reliance on competitive commercial markets.  The Court contrasted the simplification goal with the burdensome nature of the disclosure requirement articulated in the contract, stating “if the MAS properly selects its products from those sold in truly competitive commercial markets, elaborate paperwork, audits and inspections, then by significantly increasing competitive firms cost of doing federal government business, could result in the government’s being charged higher, not lower prices.”  In a statement regarding the Government’s MAS pricing policies, procedures and their interpretations that remains true today, the Court observed the following:

[A] system that lays down a literal rule with which compliance is inordinately difficult, turning nearly everyone into a rule violator, and then permits the agency to pick and choose when and where to enforce the rule, is obviously undesirable.  It destroys in practice the very hope of rationally cabining agency discretion that the rulemaking process promises in principle.

That the GSA IG has consistently found that the vast majority (four out of five) of MAS contractors have issues with the currency, accuracy and completeness of the CSP pricing disclosures is a powerful statement regarding the impracticality/incomprehensibility of the disclosure requirements.  Moreover, the new statutory and regulatory requirements for competition at the task and delivery order level drive pricing and value for customer agency requirements; not a pricing compliance scheme that increases costs to companies, limits their ability to compete in the private sector, and creates barriers to new, innovative solutions.

The need for reform of the MAS program remains clear as evidenced by the GSA IG’s memoranda.  Reform should reflect the current state of the commercial marketplace and the statutory and regulatory mandates for competition at the order level—competition for agency specific requirements should and does drive pricing in the MAS program. The Coalition has developed a white paper addressing the outdated pricing policies and procedures.  The Coalition looks forward to a positive dialogue addressing the current pricing framework.  Such a dialogue provides an opportunity to increase competition, value and innovation under the MAS program.  It is time to reform the pricing policy.

Roger Waldron

President

 

Join The Coalition’s 2014 Spring Training Conference!


 

Want to actively participate in discussions and hear directly from acquisition leaders at DoD, DHS, HHS, VA, and GSA? Now’s your chance!  Register for The Coalition for Government Procurement’s Spring Training Conference taking place on April 10th!

Featured Speakers include:

  • Harry Hallock, Deputy Assistant Secretary, United States Army
  • Jan Frye, Deputy Assistant Secretary, Office of Acquisition and Logistics
  • Cameron Leuthy, Senior Budget Analyst, Bloomberg Federal
  • Richard Levi, Counsel to the Inspector General, GSA
  • Maureen Regan,  Counsel to the Inspector General, VA
  • Richard Ginman, Director of Defense Procurement and Acquisition Policy, DoD
  • Jeffrey Koses, Senior Procurement Executive, GSA

Discussion Topics include:

  • The Future of Federal Acquisition – What’s on the Horizon
  • Selling in the Federal Market – Who’s Buying and Who’s Not
  • Oversight and Enforcement – The OIG Perspective
  • Maximizing the Benefits, Avoiding the Risks—The Latest in Contract Compliance and Regulatory Changes
  • Army Acquisition – Current and Future Initiatives
  • Government-wide Acquisition Summit

Breakout Sessions Include:

  • The GSA Acquisition Centers – Updates for 2014
  • The GSA Services Portfolio
  • Doing Business with DHS – New Guidelines for Acquiring Services; Eagles Update
  • Government-wide IT Acquisitions – Updates for 2014
  • Small Business Preferences – What’s Going Right and What Needs Improvement?
  • Air Force Strategic Sourcing – What’s the Current Status and What’s Next?
  • The GSA Schedule Crystal Ball – What to Expect for the Program and its Pricing Policy
  • The GSA Category Management – What Does it Mean to your Business?

View the Draft Agenda Here!

Register Here!

Interested in being a sponsor?  Check out our sponsorship opportunities here or contact Matt Cahill at mattcahill@thecgp.org.

 

Letter to GSA Administrator

The Coalition has submitted a letter to GSA Administrator Tangherlini concerning two key procurement initiatives—the pace of change in the MAS program and the implementation of strategic sourcing. The letter is posted on our website at https://thecgp.org/images/Letter-to-the-Administrator_The-Coalition-for-Government-Procurement.pdf.

 

Take the Strategic Sourcing Survey

The Coalition invites members to take the Strategic Sourcing Survey.  The results will be used as the basis for our Strategic Sourcing White Paper, which will provide feedback to the Government on the current approach to strategic sourcing and recommendations to achieve savings and increase transparency and efficiency.  We are especially interested in hearing from members impacted by current and future FSSI initiatives.

Strategic Sourcing Survey (members only)

www.surveymonkey.com/s/HPM5P8H

We sincerely appreciate your survey responses! If there is anything you think we should be asking that is not included in the survey, please let us know.  The contact is Roy Dicharry (rdicharry@thecgp.org).

 

RFI Released for Furniture FSSI

On Thursday, GSA released a Request for Information (RFI) for a potential government-wide Furniture Strategic Sourcing Initiative.  The RFI outlines a phased approach for the strategic sourcing of furniture that would involve the development of configuration standards and an acquisition solution through FY 2016.  It also includes a number of questions for industry to inform GSA’s market research.

There are two parts to the RFI: a White Paper response, and an opportunity for a One-on-One session with the Furniture Commodity Team.  There are only 25 slots for One-on-One sessions.  They are available on a first-come, first-served basis.  The deadline is April 25, 2014.

For more details, please read the RFI here.  Members are also encouraged to join the FSSI Furniture Community on GSA Interact at https://interact.gsa.gov/group/fssifurniture for future announcements from GSA.

 

Veteran and Disability Hiring Rules, Effective March 24

Two final rules from the U.S. Department of Labor Office of Federal Contract Compliance Programs (OFCCP) on the hiring of veterans and people with disabilities went into effect on March 24, 2014.  The two rules strengthen existing requirements for contractors and impose new recruitment and data reporting requirements.

1. Hiring Veterans

The Department of Labor has made changes to the Vietnam Era Veteran’s Readjustment Assistance Act (VEVRAA) at 41 CFR Part 60-300.  The final rule strengthens existing affirmative action provisions in VEVRAA and also requires that contractors:

  • Establish annual hiring benchmarks for protected veterans
  • Document the number of veterans who apply for jobs and the number of veterans hired
  • Invite applicants to self-identify as veterans
  • Incorporate the equal opportunity clause in subcontracts
  • Follow certain job listing requirements
  • Allow OFCCP access to documentation showing contractor compliance

2. Hiring Individuals with Disabilities

The Department of Labor has also updated regulations in Section 503 of the Rehabilitation Act of 1973, as amended at 41 CFR Part 60-741.  The final rule strengthens existing affirmative action requirements for contractors to improve the hiring and recruitment of individuals with disabilities.  Specifically, the rule requires contractors to:

  • Apply a 7% utilization goal for qualified individuals with disabilities to each of their job groups, or to their entire workforce if there are fewer than 100 employees
  • Document the number of people with disabilities who apply for jobs versus the number hired
  • Invite applicants to self-identify as having a disability
  • Incorporate the equal opportunity clause in subcontracts
  • Follow certain job listing requirements
  • Allow OFCCP access to documentation showing contractor compliance

While both rules go into effect March 24, 2014, the OFCCP has stated that current contractors with a written affirmative action program (AAP) already in place on the effective date have additional time to come into compliance with the AAP requirements. The compliance structure seeks to provide contractors the opportunity to maintain their current AAP cycle.

The Department of Labor’s OFCCP has materials available to assist contractors with complying with the two rules, including:

  1. Training Webinars
  2. Fact Sheets
    1. Veterans
    2. Individuals with Disabilities
  3. Side by Side Charts of New vs Previous Regulations
    1. Veterans
    2. Individuals with Disabilities
  4. Benchmarking Guidance for Veterans Hiring Compliance
  5. EEOC opinion on Disability Voluntary Self Identification
  6. Self Identification Form

 

Get Involved! GSA IAE Webcast and Focus Group

GSA has reached out to the Coalition to invite members to contribute to the future vision of the Integrated Award Environment (IAE).  There are two upcoming opportunities for members to participate.

1.  Join the IAE Target Technical Architecture Webcast

GSA will host a webcast on the new IAE target technical architecture on April 7th, intended for a technical audience considering possible implementations that may meet GSA’s future needs. This follows the December 2013 Industry Day on IAE’s architectural principles and overall high-level architecture, a key part of which is the establishment of a Common Services platform.  To view the invitation to industry, click here.

 2. Participate in the IAE Focus Group

GSA has asked the Coalition to nominate up to five members for the IAE Focus Group that will identify issues around subaward reporting. The information gathered will be used to increase the usability, function, and relevance of future IAE subaward reporting system capabilities. Each potential participant will be asked to contribute 8-12 hours starting April 2014 by participating in multiple sessions over the course of three months. If you are interested in this opportunity, please contact Aubrey Woolley at awoolley@thecgp.org by COB April 7th.

 

Compliance Lessons from the Office of Inspector General

By: Jack Horan, Partner, McKenna Long & Aldridge LLP

Effective and compliant contract administration should be a primary goal for all government contractors, including, of course, contractors with the Department of Veterans Affairs (VA).  As with any other business goal, compliance should be attained efficiently.  Within the web of statutory, regulatory, and contractual requirements, VA contractors should understand the areas where noncompliance creates the greatest risk and exposure, and spend their resources accordingly.

As with the Offices of Inspectors General throughout the government, the VA Office of Inspector General (OIG) is a central player in the oversight of contracts, enforcing compliance with all major VA statutory, regulatory, and contractual requirements, and redressing compliance failures.  As part of its responsibilities, the VA OIG reports to Congress twice annually on the audits, reviews, and investigations it conducts.[1]  Although intended for other purposes, these reports can assist VA contractors in identifying the requirements that are of the most importance to the VA, and should be most important to the contractor.  In short, VA OIG’s actions over the prior year serve as a lesson to contractors on where to spend their time and money (and the effect of noncompliance).

The VA OIG has “a nationwide staff of auditors, investigators, health care inspectors, and support personnel” in six major component “offices” that conduct “independent oversight reviews to improve the economy, efficiency, and effectiveness of VA programs, and to prevent and detect criminal activity, waste, abuse, and fraud.”  For a VA contractor, the three component offices that are of most importance are:  (1) the Immediate Office of the IG; (2) the Office of Counselor to the IG; and (3) Office of Investigations.[2]

The Immediate Office of the IG is top-tier management, with the Deputy Inspector General operating as the “Chief Operating Officer.”  In addition to “planning, directing and monitoring all [IG] operations,” the Immediate Office establishes investigative priorities for the Office, and identifies and promotes legislative initiatives to Congress.

The new year should bring a new IG to the VA.  On November 6, 2013, George Opfer announced his retirement as IG after more than 44 years of government service.  Mr. Opfer assumed responsibility as Inspector General on November 17, 2005, after being nominated by President George W. Bush.  Although President Obama has not nominated a replacement, Mr. Opfer’s long-time Deputy, Richard Griffin, is currently serving as Acting Inspector General.  Mr. Griffin has been a Deputy Inspector General since November 23, 2008, and previously served as Inspector General from November 1997 to June 2005.

A change in Inspector General can have a significant effect on the priorities, policies, and procedures of an office – as demonstrated by the GSA’s OIG under the direction of the current IG, Brian Miller.  Given his status as Acting Inspector General and his long service under Mr. Opfer, it would be surprising if Mr. Griffin made dramatic changes to the VA OIG’s policies or procedures.  Significant changes will likely come, if at all, under the next IG.

The Office of Counselor provides counsel to the OIG on False Claims Act cases affecting the VA and serves as liaison to the Department of Justice on False Claims Act cases.  The Office of Counselor also manages the Office of Contract Review, which provides pre-award and post-award audits of contractors’ proposals and contracts under an agreement with VA’s Office of Acquisition, Logistics and Construction (OALC).[3]  The majority of pre-award audits are of proposals for contracts or modifications under the VA’s Federal Supply Schedule (FSS) program.  The Office automatically reviews the pricing for all proposals when the estimated contract or modification exceeds $5,000,000 under Schedule 65IB, Drugs, Pharmaceuticals, and Hematology Related Products, and $3,000,000 for the other VA Schedules.  The Office of Contract Review also reviews pharmaceutical manufacturers’ compliance with the pricing requirements of the Veterans Health Care Act.  Thus, the Office of Contract Review reviews pricing for major VA contracts and ensures the pricing is compliant with contractual, regulatory, and statutory requirements, and provides a recommendation to the contracting officer on the prices the VA should pay for items on large FSS contracts.

So how did the pricing proposed by potential contractors fare with Office of Contract Review?  During fiscal year 2013, the Office conducted 83 pre-award audits of proposals of all types, and identified $655,056,285 in cost savings, or an average of $7.9 million in cost savings per audit.[4]  It’s safe to say that the Office did not routinely accept pricing as proposed by the contractors.

How about proposals for FSS awards, renewals or modifications?  Forty-six of the 83 pre-award audits were of proposals for awards, renewals or modifications under the FSS program[5] – 32 for initial award, ten for renewals, and four for modifications to add products.[6]  The Office recommended a price reduction for 72% (23 of 32) of the audited proposals for initial award.  The Office recommended a total of $470,428,110 in price reductions, with an average of $14.7 million per audit (including all 32 audits).  Thus, offerors submitting proposals for an initial award of an FSS contract fared worse than the average contractor subject to pre-award audits.

With pricing established by the existing contracts, one would expect that the contractor would fare better in pre-award audits for contract renewals.  Contractors did fare better, but the Office frequently challenged the proposed pricing.  The Office recommended a total of $18,577,827 in price reductions, with an average of $1,857,783 per audit.  The OIG recommended a price reduction for 60% (six of ten) of the renewal proposals.

Contractors seeking product additions fared the best over the past year with the OIG recommending price reductions in only 25% (one of four) of its audits.  The one price reduction was a significant one though — $8,615,256.

So, here are the lessons learned from the pre-award audits:

  • Most obviously, the OIG takes a hard look at proposed pricing, in the past year rejecting 72% of pricing proposed for initial award, 60% for renewals, and 25% for modifications.
  • A contractor needs to be prepared to support its pricing not only when it is seeking the initial FSS contract, but also at renewal and for each modification.

Now let’s look at post award audits – audits conducted to determine whether a contractor is complying with its pricing obligations.  The Office reported 33 post-award audits in fiscal year 2013, which resulted in the VA recovering contract overcharges totaling over $17.6 million.  According to the OIG, approximately $11.7 million of that recovery resulted from Veterans Health Care Act compliance with pricing requirements, recalculation of Federal ceiling prices, and appropriate classification of pharmaceutical products.

Fourteen of the post-award audits were of voluntary disclosures.  The Office claimed more than offered by the contractor in nine of 14 voluntary disclosures.  The average recovery to the VA from voluntary disclosures was $1,157,117.[7]

The VA recovered 100 percent of recommended recoveries for post-award audits.

Lessons learned from post-award audits:

  • Pay close attention to your Veterans Health Care Act pricing – it is a major compliance area for the OIG, comprising the largest recovery area.
  • Be prepared to support your accounting and rationale for any voluntary disclosures.  The disclosure is likely to be audited and the proposed repayment amount is likely to be challenged.
  • Your opportunity to affect the government’s view of your liability is through negotiations with the OIG.  The Office has an excellent record – 100% of the time – of recovering what it determines the VA is due.

Now, a look at the focus of the Office of Investigations over the past fiscal year.  The Office of Investigations (OI) investigates crimes committed against programs and operations of the VA.  Within the OI, the Criminal Investigations division investigates all types of crimes (including criminal fraud as well as rape and murder) and civil fraud.  For fiscal year 2013, the OI reported opening 45 cases, making 11 arrests, and obtaining more than $564.1 million[8] in fines, restitution, penalties, and civil judgments “in the area of procurement practices.”

The OI specifically identified twelve criminal cases involving procurement violations by contractors – all twelve involved service-disabled, veteran-owned small business fraud.  In those cases, the SDVOSB business either misrepresented the eligibility of its owner, or the true ownership of the business.

Lessons learned from the OI:

  • Exposure under the False Claims Act for VA contracts can be very significant – reaching over $500 million in 2013.
  • People get arrested and go to jail for defrauding the VA.
  • If you tell the VA that you are a service-disabled veteran and own and operate a SDVOSB, you better be a service-disabled veteran and own and operate the SDVOSB.

Finally, one other lesson learned – this one from the structure of the VA OIG.  Contact by the Office of Contract Review and the Office of Investigations can both lead to civil or even criminal liability, but there is a significant difference.  If the contact comes from the Office of Investigations, the issue has already likely been determined to be a potential civil fraud or criminal violation.  There is no doubt that it is time to call your lawyer.


[1] See Semiannual Report to Congress, Issue 69 (October 1, 2012 – March 31, 2013), VA OIG; Semiannual Report to Congress, Issue 70 (April 1 – September 30, 2013), VA OIG.

[2] The three other component offices are the following: (1) the Office of Audits and Evaluations, which audits and evaluates the effectiveness of the Veterans Health Administration programs and Veterans Benefits Administration programs; (2) the Office of Healthcare Inspections, which monitors the healthcare provided to the veterans; and (3) the Office of Management and Administration, which provides comprehensive support services to the VA OIG, and administers the VA OIG Hotline.

[3] The Office of Counselor also supervises the Release of Information Office, which primarily processes Freedom of Information Act and Privacy Act requests for OIG records, as well as other requests for information.

[4] The reports describe the pre-award audits results as “potential cost savings” and “savings and cost avoidance” so it is not clear whether these amounts include audit recommendations ultimately rejected by the contractors.

[5] To provide some perspective, the VA estimates that there are currently 1900 contract holders under its FSS program.

[6] The categorization of the pre-award and post-award audits in this article is based on the description of the audits in Appendix A of the reports.

[7] The OIG’s reports labeled eleven post-award reviews as involving voluntary disclosures with a total recovery to the VA of $12,728,288.

[8] This amount includes a $500 million fine resulting from a False Claims Act case against a large pharmaceutical company.

 

Legal Corner 

Cybersecurity Takes The Pole Position in 2014 In Federal Acquisitions 

By: Tom Barletta, Partner, Steptoe & Johnson LLP; Andy Irwin, Partner, Steptoe & Johnson LLP; & George Leris, Associate, Steptoe & Johnson LLP [1]

The Obama Administration has been placing greater emphasis on cybersecurity, including enhancing cybersecurity in the acquisition process.  Three of the Administration’s more recent acquisition related cybersecurity initiatives are discussed below.

Background

On November 18, 2013, the DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements on contractors for safeguarding unclassified controlled technical information and reporting cyber incidents.  On the same day, the DoD also issued an interim rule amending the DFARS to address supply chain security in defense contracts.

More recently, DoD and GSA issued a DoD/GSA Final Report on Improving Cybersecurity through Acquisition (“Final Report”) on January 23, 2014, containing recommendations for incorporating cybersecurity standards into the acquisition planning and contract administration process.  Those recommendations include instituting baseline cybersecurity requirements; improving cybersecurity training; developing common cybersecurity definitions; instituting a federal cyber risk management strategy; purchasing from trusted sources; and increasing government accountability for cyber risk management.

Safeguarding Unclassified Controlled Technical Information and Cyber-Reporting

The DoD final rule and implementing contract clause require a contractor who has access to or stores specific types of unclassified “controlled technical information” (UCTI) to implement certain security standards on its computer network and to report certain “cyber incidents” to DoD.  See DFARS 304.734 & 252.204-7012; see also DFARS 204.703 & 212.301 (regarding solicitations and contracts for commercial items).

The final rule focuses on “controlled technical information” — technical data or computer software, as defined in DFARS 252.227-7013, with a “military or space application” that is subject to restrictions on access, release, and disclosure.  In that regard, the final rule references DoD Directive 5230.24, Distribution Statements on Technical Documents, and (in the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.  Those Directives generally deal with sensitive but unclassified information that is subject to marking or release restrictions under U.S. government programs.  Much of this information is likely to be subject to US export control laws and regulations, such as the International Traffic in Arms Regulations (ITAR).  

The final rule imposes three requirements on covered contractors.  First, the contractor must implement certain National Institute of Standards and Technology (NIST) information systems security procedures in its project, enterprise, or company-wide unclassified information technology (IT) systems to safeguard any UCTI transiting through or residing in its systems.  These procedures, drawn from NIST Special Publication 800-53, Revision 4, cover fourteen areas of information security: access control; awareness and training; accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity.  Alternate methods of protection may be proposed to the contracting officer, and additional security measures beyond the NIST procedures may be required if warranted by risk/vulnerability assessments.  (In assessing the security of their information systems, contractors may also want to consult NIST’s more recent, February 12, 2014 Framework for Improving Infrastructure Cybersecurity, which sets out guidelines and processes for cybersecurity activities.)

Second, the final rule requires a contractor to report to DoD any cyber incident affecting UCTI information within 72 hours of the incident.  The definition of “cyber incident” in the final rule suggests that the term refers to a deliberate use of a computer network (e.g., “hacking”) that has an adverse effect on a contractor’s IT system or the controlled information residing therein.  However, the final rule may have a broader reach, as a “cyber incident” potentially includes “an adverse release” of controlled information (as set forth in DFARS 252.304-7012(d)(1)(xi)), or “any other activities … that allow unauthorized access to the Contractor’s unclassified information system” (as set forth in DFARS 252.204-7012(d)(2)(ii)).  The final rule also requires contractors to further investigate any cyber incidents after making the initial report and to cooperate in any DoD damage assessment activities, including responding to requests for information.  The reporting requirement also presents difficult parallel export control considerations for contractors, as they may need to consider whether they should file parallel self-disclosures with the export control regulatory agencies.

Third, the final rule’s implementing contract clause includes a mandatory flow down to all tiers of subcontractors, including to subcontracts for commercial items.  The final rule does not have a separate definition of “subcontractor” and vendors that may not consider themselves subcontractors may therefore be subject to the new rule.  For example, the preamble to the final rule states that the requirements can apply to Internet service providers (ISPs) and cloud computing vendors.  Furthermore, if a subcontractor experiences a cyber incident, the final rule requires reporting to the Government through the prime contractor.

Interim Rule on Supply Chain Security

This interim DFARS rule grants “pilot” authority to the DoD (to expire on September 30, 2018) to place certain restrictions on IT supply chains in procurements related to “national security systems” (NSS) (as defined in 44 U.S.C. § 3542(b) and including contractor NSS) in order to address supply chain risks.  Specifically, the interim rule authorizes certain DoD officials to exclude a source for IT, whether acquired as a service or a supply, based on certain qualification standards and evaluation procedures.  It also authorizes them to withhold consent to a subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.

The interim rule includes a new solicitation provision and a new contract clause to be included in all solicitations and contracts for the development or delivery of information technology that are subject to the DFARS (i.e. not just for contracts for NSS).  Those provisions give notice that DoD may use its exclusionary authority to manage supply chain risk.  Contractors are required to flow the clause down to “all subcontracts involving the development or delivery of any information technology, whether acquired as a service or supply.”  (Emphasis supplied).

The interim rule includes required procedures for taking exclusion actions and indicates that those actions should only be taken where there is a significant supply chain risk to a particular NSS.  However, the interim rule does not define what qualification standards or evaluation factors DoD officials will use in considering supply chain risks and excluding supply sources.  Furthermore, the interim rule gives DoD authority to limit disclosure of information relating to exclusion decisions and provides that exclusion actions are not reviewable in a bid protest.

DoD/GSA Final Report on Improving Cybersecurity through Acquisition

The Final Report aims to establish a unified framework to address federal cyber risk management and acquisition processes, and, in particular, cyber risk in the acquisition of commercial information and communications technology.  (The report essentially indicates that it does not apply to acquisition practices applicable to NSS.)

The Final Report identifies several important cyber risk related issues affecting federal acquisitions, and provides joint DoD/GSA recommendations on mitigating them at the federal level.  At the top of the list are intentional or unintentional vulnerabilities that may come from inside or outside the supply chain, but which increase acquisition risk.  The risk of counterfeit, “grey market,” or other nonconforming information and communications technology (ICT) components entering the supply chain also adds to the risk in supply chain management.  Finally, the operations, maintenance, and disposal stages of ICT present significant risks when supervised and/or implemented improperly.  The Final Report indicates that a well-functioning and unified federal acquisition approach to such issues is likely to reduce cybersecurity threats to the supply chain.

To that end, the Final Report lays out six recommendations which aim to reduce exposure to cyber risks in commercial ICT federal acquisition.  First, it recommends establishing “baseline cybersecurity requirements” as a condition to awarding a contract.  These requirements encompass basic protections (e.g., up-to-date virus protection and software patches; multiple-factor logical access; and methods ensuring data confidentiality).  These elements should be expressed as technical requirements, and include performance measures and be clearly described in the relevant contract language.  Importantly, the Final Report recommends that these requirements should be harmonized with other FAR/DFARS rule making actions, including the final rule discussed above on safeguarding UCTI in contractor IT systems.

Second, the Final Report recommends increasing the cybersecurity awareness of employees and entities working in federal acquisitions.  It suggests that additional education and training opportunities for employees involved with procurements will lead to improved cyber risk management, including avoiding over-specifying and under-specifying cybersecurity requirements.  It also proposes a government-sponsored cybersecurity outreach campaign targeting stakeholders to familiarize them with the government’s changing approach to cybersecurity.

Third, the Final Report recommends adopting common cybersecurity definitions for federal acquisitions.  It acknowledges that use of unclear and inconsistently defined terms in the acquisition process (e.g., “cyber incident”) can lead to “suboptimal outcomes for both cybersecurity and efficiency” (e.g., changes, terminations, and disputes).  The Final Report suggests that having common definitions will reduce problems with, inter alia, cost estimates, solicitations, and award and performance of contracts.

Fourth, the Final Report recommends the creation of an interagency “federal acquisition cyber risk management strategy,” which would identify a unified hierarchy of cyber risks. It would also develop “overlays” – i.e., sets of flexible, risk-based security requirements and supplemental guidance – that an agency would tailor to its specific needs for specific products.  These overlays would, for example, identify different security controls depending on the type of acquisition.  As the Final Report highlights, different acquisitions present different risks and warrant different cybersecurity responses.  Applying standardized but flexible overlays across market segments and similar types of procurement will, according to the report, reduce the costs and duration associated with an acquisition.

Fifth, the Final Report emphasizes that federal agencies must ensure that the goods they acquire are authentic, as any sub-par goods drastically increase cyber risks (e.g., they may arrive with outdated security updates, or built to different specifications).  Accordingly, it recommends identifying “trusted sources” – manufacturers, suppliers, or resellers, and taking other steps, appropriate to the particular acquisition, to qualify vendors as a means of reducing cyber risks. Further, the Final Report indicates that in cases involving the greatest risk, it may be appropriate for government personnel to determine whether a vendor is a “trusted source,” while in other less risky cases, attestation of company conformance to external standards may be appropriate.

Finally, the Final Report recommends increasing government accountability for cyber risk management.  It details a four-step process for holding key personnel accountable for upholding cyber standards.  Specifically, such personnel should: 1) address cyber risks when a requirement is being defined and a solution is being analyzed; 2) certify that the solicitation includes the appropriate cybersecurity requirements; 3) participate in the proposal evaluation process and provide for consideration of cybersecurity in best value decisions; and 4) continue to monitor post-award performance to the extent relevant to cybersecurity.

Conclusion

The three actions discussed above reflect the increased emphasis on cybersecurity in the acquisition process and indicate that cybersecurity will be an important issue for the acquisition community going forward.


[1] Tom Barletta is a partner in the Washington D.C. office of Steptoe & Johnson LLP and head of the Government Contracts group.   Andy Irwin is a partner in its International Regulation & Compliance and Government Contracts group. George Leris is an attorney in Steptoe’s Privacy and Cybersecurity practice.

 

Army Takes Steps to Streamline IT

According to an article in C4ISR & Networks, the Army has initiated efforts to better understand its hardware and software investments in order to centralize and streamline the way it uses IT worldwide. According to Army CIO Robert Ferrell, the first step in this effort is to consolidate, virtualize and put everyone on one platform when it comes to hardware. The second step is to look at how the Army standardizes the software required for the services provided to soldiers. These steps are part of a broader IT effort across the Defense Department, including the move to the Joint Information Environment and access to various technologies through a single source. According to Ferrell, the Army must move toward an environment where different types of hardware and software could be bought by components under a uniform standard. The goal is “the same capabilities available to all soldiers when it comes to a common baseline for hardware and software,” he said.  The Army is currently working with the Defense Information Systems Agency (DISA) to identify what that service entails.

 

Webinar Recap – GSA on Changes Ahead for Contractor Assistance Visits

This Wednesday the Coalition hosted a webinar featuring the Director of GSA’s Supplier Management Division, Tom Brady. He spoke to webinar attendees on proposed changes to the Contractor Assistance Visit (CAV) program executed by Industrial Operations Analysts (IOAs). The Coalition would like to thank Tom Brady for providing attendees with important information about the proposed changes and a lengthy question and answer session that offered an engaging dialogue! Some of the information that Tom provided can be found in the Spring 2014 edition of GSA’s STEPS publication, available here. The Coalition looks forward to engaging with Tom Brady and the Supplier Management Division as updates are made to the CAV program in the coming months.

 

Upcoming CIO-CS Contract

The Office of Management and Budget (OMB) is in the process of approving the National Institutes of Health (NIH) Information Technology Acquisition and Assessment Center’s (NITAAC) Chief Information Officer – Commodity Solutions (CIO-CS) contract, a new GWAC valued at up to $10 billion. A blog in Federal Times describes the new vehicle as a GWAC that will replace the Electronic Commodity Store (ECS III) contract, which has recently-extended contracts that are anticipated to expire in November 2014. With the addition of a range of cloud offerings, CIO-CS will provide IT commodities and solutions government-wide that support health and life sciences and IT operations like security, infrastructure, telecommunications and desktop applications. There are nine commodity and solution categories identified in the draft RFP.

Industry expects that there will be 10 to 15 awards under NAICS code 334111, and 30 to 40 awards under NAICS 541519. Market intelligence on the vehicle also suggests that approximately half of the awards will go to small businesses.

 

GAO Report: More Oversight of Noncompetitive Contracts

According to a Government Accountability Office (GAO) report released this week, additional oversight of noncompetitive contracts is needed to ensure data accuracy and regulatory compliance. In accordance with the conference report for the National Defense Authorization Act of Fiscal Year 2013, GAO examined the use of the urgency exception to justify the award of noncompetitive contracts for the Department of Defense (DoD), the Department of State, and USAID. The exception is used when requirements are of such an unusual and compelling urgency that the government would suffer serious financial or other injury. Concerning the use of this exception, GAO assessed the pattern of use, the reasons agencies awarded urgent noncompetitive contracts and the extent to which justifications met FAR requirements.

GAO analyzed federal procurement data, interviewed contracting officials, and analyzed a sample of 62 contracts with a mix of obligation levels and types of goods and services procured across the three agencies. During the review, the GAO found that some relevant documents lacked necessary signatures, included ambiguous explanations regarding risk management, or were not signed in time to meet the Federal Acquisition Regulation (FAR) requirement to make them publicly available within 30 days of award.

GAO recommends that DoD, State and USAID provide guidance to improve data reliability and oversight for contracts awarded using the urgency exception. GAO also recommends that the Office of Federal Procurement Policy (OFPP) provide clarifying guidance to ensure more consistent implementation of the regulations governing noncompetitive contracts.

 

DPAP Class Deviation Issued

Defense Procurement and Acquisition Policy Director Richard Ginman issued a class deviation on March 20 prohibiting the use of FY 2014 appropriated funds to contract with entities that have been listed in the Excluded Parties List System (EPLS) or System for Award Management (SAM) as having been convicted of fraud against the Federal Government. The contracting officer shall review the exclusion information in SAM and note the application of the Cause and Treatment (CT) Code associated with the exclusion. To view the class deviation, visit www.acq.osd.mil/dpap/policy/policyvault/USA001543-14-DPAP.pdf.

 

Bloomberg and the Coalition MACs Webinar

How are multiple award contracts (MACs) changing the government acquisition landscape?

Join Bloomberg Government, in partnership with The Coalition for Government Procurement, for a webinar on Wednesday, April 9 at 2:00pm EDT. Industry experts will be on hand to offer their exclusive analysis of major contracting trends and discuss how MACs will impact the way companies do business with the government.

IN THIS WEBINAR, YOU WILL LEARN:

  • The top MAC opportunities broken down by industry
  • Major contracting trends including vehicle consolidation and a shift away from single awards to multiple award contracts
  • The competitive landscape for contracting including task order and bidding details and incumbency trends
  • How small businesses have been performing on MACs
  • The top MACs to watch over the next year

SPEAKERS:

  • Roger Waldron, President, The Coalition for Government Procurement
  • Miguel Garrido, Quantitative Analyst, Bloomberg Government
  • Brian Friel, Government Spending Analyst, Bloomberg Industries

 

Cyber Forum Coming in May!

Myth-Busters Forum on Cyber:  “The New Guidance on Cybersecurity Acquisition—What Contracting Professionals Must Know”

This half-day forum and workshop will provide an overview and update on:

  • The Status of Proposed and Pending legislation
  • The President’s Executive Order, EO 13636 (February 12, 2013)
  • Improving Cybersecurity and Resilience through Acquisition—Final Report of the Department of Defense and General Services Administration (January 23, 2014)—where do we go from here?
  • Framework for Improving Critical Infrastructure Cybersecurity, the National Institute of Standards and Technology (NIST) (February 12, 2014)
  • The DFARS Final Rule on enhanced safeguards for unclassified CTI (controlled technical information) (November 18, 2013)

Subject matter experts from across government and industry will participate in panel discussions addressing these topics and more.  The event will be held the third week of May at the Tower Club in Tysons. Keep your eyes on the Friday Flash for more information in the coming weeks.

 

Feedback Requested: PSCs for Alliant II and Alliant II SB

Last week, the Alliant II and Alliant II Small Business team posted a new question to GSA Interact concerning Product Service Codes (PSC). According to the post, PSCs are used by the United States government to record the products, services, and research and development purchased by the government. The codes indicate what was bought for each contract action reported in the Federal Procurement Data System (FPDS). GSA is interested in feedback from industry on the following questions regarding PSCs:

  • Does this list of Product Service Codes adequately represent the work experience you have seen through the current Alliant and Alliant Small Business GWACs and other agency information technology contracts?
  • Are we missing any other Product Service Codes aligned to Information Technology (IT) services?
  • Are there Product Service Codes listed that should not be listed?
  • What advantages do you see in a contract that provides a list of Product Service Codes that would help in the market research and procurement of IT services?
  • What types of innovative solutions (i.e. PSC dashboard, apps, research tools, etc.) could be derived by collecting and sharing Product Service Codes?

To respond, please visit the Alliant II and Alliant II SB community on GSA Interact at https://interact.gsa.gov/group/alliant-ii-alliant-small-business-ii-gwacs.
