The GovCon Bulletin™

Amadeo Law Firm

With CMMC Looming Now Is The Time For DoD Contractors To Examine Compliance With Existing Cybersecurity Rules

March 9, 2023

As we wait for CMMC 2.0 regulations to be published possibly in May or June, this period of relative tranquility gives Department of Defense (DoD) contractors an opportunity to examine where they stand with respect to cybersecurity requirements already in place.  This is especially important for small businesses that either have not focused on cybersecurity issues or have assumed that cybersecurity requirements do not apply to their information systems, when in fact they might.  As we discuss below, the cybersecurity safeguarding rules apply to a broad array of contract information and DoD contractors that fail to meet them risk becoming ineligible for contract awards.
 
DoD’s cybersecurity regulations under the Defense Federal Acquisition Regulation Supplement (DFARS) were substantially revised in 2016, and those revisions are reflected in DFARS clauses 252.204-7008 and 252.204-7012.  As revised, the DFARS cybersecurity safeguarding requirements include damage assessment, mandatory reporting, and media preservation requirements that come into play when DoD contractors become aware of a cyber incident.  They also require DoD contractors that use cloud-based services to store information to comply with FedRAMP security requirements.
 
Perhaps the most significant change that DoD made to its cybersecurity safeguarding regulations in 2016 was to require DoD contractors to implement the 110 security requirements that are contained in NIST SP 800-171.  A fuller explanation of NIST SP 800-171 implementation is beyond the scope of this article, but briefly, DoD has explained that contractors can demonstrate implementation by developing (i) a periodically updated system security plan that identifies which security requirements have been implemented, and (ii) plans of action for those requirements that have not been met.
 
A Number of DoD Contractors May Not Be In Compliance
 
Since DFARS clauses 252.204-7008 and 252.204-7012 are required to be incorporated in all DoD solicitations and contracts except those for commercially available off-the-shelf (COTS) items, compliance with NIST SP 800-171 seemingly should be nearly universal among DoD contractors. In fact, however, there appears to be a distinct perception at DoD that a significant number of DoD contractors are still not in compliance with the NIST SP 800-171 implementation requirements.
 
Indeed, in 2020, DoD issued new DFARS clauses (at 252.204-7019 and 252.204-7020) to be included in all DoD contracts and solicitations (other than those for COTS items) that require contractors to perform at least a basic self-assessment of their compliance with those NIST SP 800-171 safeguards and then to post an assessment score with DoD.  DoD’s reason for the assessment requirement was based, in part, on a DoD Inspector General’s finding that contractors were not implementing the safeguards consistently.  More recently, in June 2022, DoD issued a memorandum reminding contracting officers of the contract remedies that are available to them if contractors do not have an implementation plan in place or fail to make progress on their plans.
 
DoD’s anticipated CMMC certification requirements take verification one step further by requiring contractors to undergo a certification process to demonstrate compliance with DoD’s cybersecurity standards. 
 
Setting aside the CMMC requirements that may apply in the near future, with respect to the cybersecurity requirements already on the books it may very well be that some DoD contractors have simply not heard of them.  It seems more likely, however, that noncompliant DoD contractors, particularly small businesses without staff dedicated to compliance issues, may be aware of the rules but mistakenly believe they do not apply to their contracts.  In fact, as we discuss below, the net cast by the DFARS safeguarding requirement is much wider than it may at first glance seem.
 
Information Triggering Cybersecurity Requirements May Be Broader Than Contractors Realize
 
One reason why some DoD contractors may not be complying with the cybersecurity regulations is that they may be under the impression that the safeguarding requirements apply only to critical military technology or only to information generated by the government that is provided to the contractor.  
 
Under DoD’s cybersecurity regulations, the safeguarding requirements apply to contractors that in the course of contract performance not only use or store, but also develop, “covered defense information.”  Covered defense information, in turn, generally includes unclassified information that falls into one of two sometimes overlapping categories – controlled technical information (CTI) or covered unclassified information (CUI).
 
Controlled technical information is defined under the DFARS cybersecurity regulations as technical data or software with a military or scientific application that is subject to controls on its access, use, modification, reproduction and disclosure.  The DFARS definition of CTI refers to DoD Instruction 5230.24, which sets out several categories of information subject to disclosure restrictions within the government, including export-controlled information, product testing and evaluation information, patentable information, and proprietary information.  As revised in January 2023, the most recent version of that DoD Instruction also identifies SBIR/STTR data as information with disclosure controls.  Moreover, any DoD contract that contains DFARS clause 252.204-7000, which generally prohibits a contractor from releasing information about the contract without DoD’s consent, likely places any information used or stored by a contractor during contract performance with a scientific or military application within the scope of what is considered CTI.
 
Covered unclassified information covers a much broader group of information.  Like CTI, CUI is information that is subject to controls on dissemination, but unlike CTI, CUI is not limited to technical data and software and does not have to relate to scientific or military applications.  More specifically, the DFARS regulation points to the CUI Registry maintained by the National Archives that identifies 20 groups and, within those groups, 125 categories of information that is CUI.  For example, the CUI Registry lists subcategories for information related to patents, inventions, proprietary business information, and small business research and technology.  It also lists subcategories that cover information about federal buildings, grounds or property, as well as government contract information like cost or pricing data and indirect costs and direct labor rates.
 
Contractors Should Review The CTI & CUI Categories To See If They Apply
 
Given the scope of the information that triggers the DFARS safeguarding requirements, DoD contractors should carefully examine the CTI and CUI categories described in the DoD Instruction and the CUI Registry before assuming that the DoD safeguarding rules do not apply to the information they generate, store or have access to.  Moreover, in light of the significant obligations that are triggered by CTI or CUI - including implementing the NIST SP 800-171 security requirements, performing an assessment of compliance with those requirements, and posting a score of that assessment with DoD - DoD contractors should avoid delaying this examination.  Even taking into account DoD’s explanation for what constitutes implementation of NIST SP 800-171, preparing or updating a system security plan and related plans of action that address each of the 110 security requirements is no small task and likely not something that can be left to the eve of a proposal or to the negotiation period before contract award. 
 
The Amadeo Law Firm anticipates providing more information covering DoD's cybersecurity regulations in the near future.
 

Court Decision A Reminder To Government Contractors: Register Joint Venture In SAM Before Submitting Bids

February 28, 2023

Now, what was that thing again?
 
I know it’s something I said I need to get done at some point.
 
But what was THAT THING??
 
What was that…ahh, I can't remember now but I’m sure it will come back to me at some point.
 
Who hasn’t said or thought this at one time or another?  And in the mad dash to get a proposal submitted under the deadline, there can be a number of “that things” that need to get done.
 
The number of “that things,” both big and little, can be compounded even further when multiple companies are scrambling together in order to submit a proposal as a joint venture.  For example, for mentor-protégé joint venturers in the SBA's Mentor-Protégé program, one of the big things they may have to do is obtain approval of their mentor-protégé agreements by the SBA before they submit their offers if they want to avoid affiliation rules. 
 
And one of the seemingly little things that all joint venture partners have to do is register the joint venture separately in the System for Award Management (SAM).  As two companies recently learned, however, it’s a little thing…until it isn’t.
 
Thalle/Nicholson Joint Venture v U.S.
 
In Thalle/Nicholson Joint Venture v U.S., the U.S. Army Corps of Engineers (USACE) ultimately excluded from consideration a proposal by the Thalle/Nicholson Joint Venture because the joint venture failed to comply with FAR clause 52.204-7(b)(1), which states that an offeror is required to be registered in SAM when submitting an offer. 
 
USACE apparently didn’t catch the omission until after it had completed its discussions with all of the offerors, including the Thalle/Nicholson Joint Venture, over the deficiencies in their proposals.  In fact, the Thalle/Nicholson Joint Venture was permitted to submit a final revised proposal that was subsequently reviewed by the USACE evaluation board.  However, USACE eventually discovered and received confirmation that, although the joint venture partners were registered, the joint venture itself was not registered with SAM by the time it submitted its bid.  The agency, thus, went on to award its contract to another bidder. 
 
The Thalle/Nicholson Joint Venture protested the award to the Court of Federal Claims, which upheld USACE’s award to the competitor. 
 
In its ruling, published on February 15, 2023, the Court gives no indication why the joint venture partners did not register the joint venture in SAM.  Perhaps it was an oversight.  Or perhaps they believed only joint venture partners were required to register.
 
But as the Court noted, both FAR clause 52.204-7(b) and FAR 4.1102 require offerors to be registered in SAM when submitting offers, and neither excludes joint ventures from this requirement.  Indeed, when the FAR Council last updated FAR 52.204-7 in 2018, it rejected the idea of creating an exception to the SAM registration requirement for joint ventures in which the JV partners were registered.
 
Earlier Decisions And The SBA's Instructions
 
The Thalle/Nicholson decision is no less than the fourth since January 2022 in which the Court of Federal Claims has found that the SAM registration requirement in 52.204-7(b) applies separately to joint ventures and not just the joint venture partners.  In two separate cases decided in 2022 - Top Guard, Inc. and CGS-ASP Security JV LLC - GAO, similarly, rejected protests that were filed after a government agency excluded proposals from consideration because the bidding joint ventures were not registered in SAM by the time their proposals were submitted.  Moreover, the SBA, for its part, has posted online guidance informing contractors that a joint venture wishing to submit an offer as a small business must be separately identified in SAM under its own name with its own CAGE code and Unique Entity Identifier, with individual partners listed as the immediate owners.
 
Thalle/Nicholson, therefore, is just the latest reminder to government contractors that they should register their joint ventures separately in SAM before they submit their bids.  Contractors should consider seriously submitting all of their registration information as early as possible, well in advance of any proposal deadlines, because under FAR 52.204-7(b) a business is not considered to be registered in SAM until its taxpayer identification number is validated with the IRS and the SAM registration is marked “active” - all of which may take at least five weeks to be completed.
 
Why Remembering The Little Things Matters
 
As we noted in our white paper on joint ventures, Using Joint Ventures To Capture Federal Government Contracting Opportunities,  joint ventures offer government contractors an array of benefits, including opportunities to (i) bid on set-aside contracts they might not otherwise qualify for on their own; (ii) avoid affiliation rules, and (iii) leverage the past performance, capacity, financial resources and expertise of their joint venture partners.  But in order to give themselves the best chance of obtaining these benefits, government contractors need to make sure they get the big and little things done that will enable them to be eligible to submit their bids on behalf of their joint venture.
 
Indeed, as we see in Thalle/Nicholson, the cost of not getting a seemingly little thing done like getting a joint venture registered in SAM is not limited simply to the time, resources and energy spent on a lost bid.  As the Court observed in that case, the administrative record showed that the agency, in fact, was prepared to award what turned out to be a $76 million contract to the Thalle/Nicholson Joint Venture…until it discovered that the joint venture was not registered in SAM.
 

Commercial Solutions Opening (CSO) - Four Things Government Contractors Should Know About DoD's Streamlined Acquisition Process

February 24, 2023

Last month, on January 31, 2023, the Department of Defense (DoD) issued a Proposed Rule that takes a further step in making the Commercial Solutions Opening a permanent contracting option for DoD agencies.  A Commercial Solutions Opening (CSO) is a streamlined acquisition process that enables DoD agencies to quickly acquire “innovative” commercial products, technologies and services through fixed-price contracts (including fixed-price incentive contracts).  DoD anticipates that the simplified solicitation, evaluation, and award procedures will encourage small businesses to contract with DoD.
 
A lack of familiarity with CSO’s, therefore, might cause contractors that have never heard of them to ignore or pass on CSO opportunities.  So below are four things government contractors should know about CSO’s.
 
Thing One - CSO’s Are Already Being Utilized By DoD
 
The first thing government contractors should know is that CSO’s are already being utilized by DoD.  The Proposed Rule simply codifies in DFARS existing procedures that DoD agencies currently use when they issue and contract under CSO’s.  Contractors, therefore, should not wait until the Proposed Rule becomes final to familiarize themselves with CSO’s or they risk missing opportunities under CSO’s that may continue to be issued by DoD while the DFARS regulations are being finalized. 
 
The streamlined CSO procedures were first implemented under a DoD pilot program that was authorized by the National Defense Authorization Act for Fiscal Year 2017 (NDAA 2017).  NDAA 2017 had a sunset provision that ended the DoD pilot program on September 30, 2022, but the National Defense Authorization Act for Fiscal Year 2022 (NDAA 2022) extended the DoD program indefinitely by giving DoD permanent authority to use CSO’s to acquire innovative commercial products and services.
 
Interestingly, NDAA 2017 also gave the Department of Homeland Security (DHS) and the General Services Administration (GSA) authority for their own pilot programs to acquire innovative commercial items as well.  NDAA 2017 also included a September 2022 sunset for those programs, but the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (NDAA 2023) extended authorization for the programs until September 2027.
 
Thing Two - The Acquisition Process Is Intended To Be Streamlined
 
The second thing government contractors should know is that the CSO acquisition process is intended to be streamlined, with solicitations that are similar to broad agency announcements (BAA’s).
 
To be clear, the instructions by Congress to DoD in NDAA 2017 and again in NDAA 2022 were not particularly detailed.  They simply said that DoD could acquire innovative commercial items, technologies, and services using a process with two requirements.  The acquisition must include (1) a competitive selection of proposals in response to a general solicitation, and (2) a peer review of the proposals. 
 
NDAA 2017 required DoD to issue guidance to implement this acquisition process.  In a memorandum, first issued in the wake of NDAA 2017 and then updated after NDAA 2022 was passed, DoD provided a class deviation which supplements the NDAA procedural requirements by providing a basic framework that DoD contracting officers should use to acquire innovative commercial items, technologies or services.  As with the NDAA’s that authorized them, the actual requirements under DoD’s basic framework are minimal and include the following:
 
  • DoD contracting officers must use a general solicitation and call it a Commercial Solutions Opening.
  • The CSO should be similar to a broad agency announcement and must include basic information like the agency’s area of interest, the selection criteria and method of evaluation, the dates of the proposal submission period, and instructions for proposal preparation and submissions.
  • Acquisitions for research and development must also use procedures under FAR part 35 for R&D contracting.
  • Once proposals are received, DoD must make its selection based on a review by scientific, technological or subject matter expert peers.

To date, DoD agencies have been flexible in how they have implemented CSO’s.  Some, like the Department of the Air Force, have issued SBIR/STTR solicitations as CSO’s, and often CSO’s incorporate only a handful of FAR provisions.  However, that may change to some degree in the future if the Proposed Rule is finalized.
 
Although the Proposed Rule simply incorporates into DFARS the basic framework that DoD sets forth in its class deviation memorandum, the preamble to the Proposed Rule explains that DoD expects all contracts awarded under CSO’s to be FAR Part 12 contracts.  FAR Part 12 describes the policies and procedures that contracting officers must use to acquire commercial products and commercial services.  Other than explaining that CSO’s should be used in conjunction with a FAR Part 12 contract, the preamble does not explicitly state that all of the FAR Part 12 procedures are expected to apply to CSO’s.  Even if they are expected to apply, the procedures under FAR Part 12 are themselves simplified from procedures that apply to the federal government’s acquisitions of non-commercial items.
 
Thing Three - Price Is Not A Primary Evaluation Factor
 
A third thing government contractors should know is that price should not be used by a DoD contracting officer as a primary evaluation factor.  Under DoD’s class deviation memorandum, the primary evaluation factors for award selection must be (i) technical; (ii) importance to agency programs, and (iii) funds availability.  The Proposed Rule shortens the list of primary evaluation factors to (i) technical and (ii) importance to agency programs.
 
Under the DoD’s memorandum and the Proposed Rule, price should be considered to the extent appropriate but, at a minimum, to determine if price is fair and reasonable.  Moreover, although DoD contracting officers are required to prepare written evaluation reports, they are instructed that proposals do not need to be evaluated against each other since they are not submitted in response to a common performance of work statement or statement of work. 
 
In sum, a proposal submitted in response to a CSO is evaluated on its own merits with a primary focus on how closely it meets the agency’s need and technical requirements.
 
Thing Four - The Commercial Products, Technologies, or Services Must Be New
 
The fourth thing government contractors should know is that CSO’s are reserved for the acquisition of commercial products, technologies or services that are new.
 
Specifically, CSO’s can be used to acquire “innovative” commercial products and services.  Both the DoD class deviation memorandum and the Proposed DFARS Rule define “innovative” as:

  • Any technology, process, or method, including research and development, that is new as of the date of submission of a proposal; or
  • Any application that is new as of the date of submission of a proposal of a technology, process, or method existing as of such date.

Comments to the Proposed Rule are due by April 3, 2023, and government contractors - particularly small businesses and technology companies - should take the opportunity to submit comments and request clarifications.
 
The Amadeo Law Firm anticipates providing additional information on CSO's in the near future. 
 

Final FAR Rule Requires Accelerated Payments To Small Businesses And Their Prime Contractors

February 16, 2023

On February 14, 2023, the Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), published a Final Rule requiring federal agencies to make accelerated payments to small businesses and prime contractors that subcontract to small businesses.  As we wrote about in a prior GovCon Bulletin article, the rule change accelerating government contractor payments was first proposed in September 2021.  The Final Rule now becomes effective on March 16, 2023, and government contractors should prepare themselves to take advantage of the accelerated payment requirement.
 
Fast Payments
 
Under the Final Rule, as long as a specific payment date is not established under a government contract, civilian agencies (agencies other than DoD), must provide accelerated payments with a goal of 15 days after receipt of a proper invoice and all other required documents to the following contractors:

  • Small business contractors; and
  • Prime contractors that subcontract with a small business if the prime contractor agrees to make payments to the small business subcontractor within 15 days of receiving the accelerated payment from the government without any further consideration from, or fees charged to, the subcontractor.

As for DoD, the Final Rule imposes the same accelerated payment requirement as it imposes on civilian agencies, except DoD agencies are bound by the requirement regardless of whether a payment date is specified under the contract.
 
Things Contractors Should Do
 
Any rule changes that result in faster payments from federal agencies to contractors should be welcomed.  But small businesses and prime contractors should keep a few points in mind.
 
The Final Rule only sets a 15-day payment turnaround from federal agencies as a "goal" and does not impose a hard deadline that agencies have to meet.  The Final Rule does not even make any changes to existing FAR or DFARS clauses that govern agency payments, such as the Prompt Payment clause at FAR 52.232-25, in order to reflect the soft 15-day deadline.
 
In fact, the only FAR clause that is changed to reflect an accelerated payment deadline is the subcontractor flow-down clause at FAR 52.232-40, Providing Accelerated Payments to Small Business Subcontractors.  As amended by the Final Rule, that FAR clause now requires a prime contractor, to the maximum extent practicable, to make payments to its small business subcontractors within 15 days after receipt of “accelerated payments” from the government.
 
Contractors that use FAR and DFARS clauses to frame their negotiations with federal agencies or to set up payment schedules should, therefore, familiarize themselves with the Final Rule and take note of the accelerated payment obligations imposed on federal agencies as of March 16, 2023, since the soft 15-day accelerated payment goal will not be specified in any FAR or DFARS clause.
 
Small business contractors and their prime contractors should also make it a point to address accelerated payments during contract negotiations, particularly negotiations with civilian agencies since under the Final Rule civilian agencies are not required to meet the accelerated payment goal if the contract specifies payment dates.
 
Small businesses and prime contractors that subcontract with small businesses that are already under contract also may wish to circle back with their agencies to request modifications to contract payment terms that might be required for them to become eligible for accelerated payments under the Final Rule.

Lastly, prime contractors - including small businesses that are, themselves, prime contractors - should examine their subcontractor payment systems to determine if they are capable of making accelerated payments to their small business subcontractors so that they are both eligible to receive accelerated payments from the government and able to fulfill subcontractor payment requirements under the revised FAR clause 52.232-40.