
The GovCon Bulletin™


DoD Pre-Releases 2018 SBIR & STTR BAA Topics!

December 1, 2017

On November 29, 2017, the U.S. Department of Defense (DoD) issued its STTR 18.A Program Broad Agency Announcement and its SBIR 18.1 Program Broad Agency Announcement, beginning the 30-day pre-release window during which small businesses can communicate directly and privately with the Technical Points of Contact who authored the BAA topics. Discussions with topic authors during the pre-release period often can be invaluable opportunities to obtain not only useful information about a particular topic, but also technical clarifications that can help companies assess how well their technologies align with technology needs reflected in the DoD topics.

Once the pre-release period is over, small businesses can obtain technical clarifications only by posting questions publicly and anonymously on the SBIR/STTR Interactive Topic Information System. Responses to questions will likewise be posted publicly. 

DoD will begin accepting proposals on January 8, 2018, which must be received by 8:00 pm on February 7, 2018.

To download the BAAs, go to DoD's SBIR & STTR website here.

To learn more about the unique opportunities for small firms to develop technologies with funds awarded by the federal government under the SBIR and STTR programs, check out our GovCon webinar giving an overview of the programs, our GovCon Video Blog discussing SBIR data rights, and our podcast featuring a discussion between Mike Pansky, at InterKn, and Mark Amadeo about the SBIR and STTR programs and how small businesses can leverage SBIR and STTR data rights to protect their valuable technologies.

To read other articles from The GovCon Bulletin™ go here.

Cybersecurity Safeguards: Ongoing Assessments & NIST's Draft SP 800-171A

December 14, 2017

As many contractors by now are aware, and as we explained in our 5-part GovCon Video Blog™ series (here) on federal government contract cybersecurity requirements, contractors that bid on and are awarded contracts with Department of Defense (DoD) agencies that are not solely for the acquisition of commercial off-the-shelf items have two cybersecurity obligations under DFARS clause 252.204-7012 and its implementing rule, DFARS 204.7304(c).  First, defense contractors have to provide "adequate security" for all covered contractor information systems - i.e., information systems that process, store, or transmit covered defense information.  Second, they have to submit timely cyber incident reports to DoD upon discovery of a cyber incident.

As we explained in part one and part three of our vlog series, in order to provide "adequate security" for covered contractor information systems that are part of a defense contractor’s IT system (as opposed to a federal government IT system), defense contractors generally must implement the security requirements contained in the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 by December 31, 2017.  As the deadline looms large, compliance with SP 800-171’s security requirements – 110 in all, spread out among 14 different categories – may at first glance seem daunting and overwhelming. However, the security requirements for the most part are stated in general terms, and many, if not most of them, are likely already in place for defense contractors that follow commercial best practices. In addition, as we explained in part three and part four, DoD has instructed that implementation of SP 800-171, for the purpose of the December 31 deadline, can be demonstrated by the development of (i) a system security plan explaining which of the security requirements have been met, and (ii) a plan of action for any unmet security requirements.

The system security plan, as we explained in part four, is required under SP 800-171 to be periodically updated.  SP 800-171 in fact requires defense contractors to monitor security controls on an ongoing basis and to make periodic assessments to determine if the security controls are effective.

In order to assist contractors in making these assessments, late last month NIST published a draft of Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information.  NIST’s draft SP 800-171A lays out a table for each security requirement under SP 800-171 that sets forth the security requirement, followed by an “assessment objective” section.  The "assessment objective" section essentially breaks down each security requirement into separate components and may serve as a check list for determining if a security requirement has been met.  Each “assessment objective” section, in turn, is followed by a "potential assessment methods and objects" section that proposes methods or procedures that contractors can use to make their determinations for whether assessment objective components or requirements have been met.

Although compliance with SP 800-171A is voluntary, once the draft is final, defense contractors should find that SP 800-171A will serve as a useful tool for maintaining compliance with SP 800-171 on an ongoing basis.  Public comments on the draft may be submitted to NIST through January 15, 2018. 

To download draft SP 800-171A go here.  To read other articles from The GovCon Bulletin™ go here.

FAR Amended To Remove Fair Pay And Safe Workplaces Provisions

November 6, 2017

Over the weekend, the Department of Defense, General Services Administration and National Aeronautics and Space Administration (the “FAR Agencies”), issued a final rule (here) putting the last nail in the coffin for the Fair Pay and Safe Workplaces provisions contained in the Federal Acquisition Regulation (FAR).

As we noted in a prior bulletin (here), President Obama signed Executive Order 13673 (EO 13673), Fair Pay and Safe Workplaces, which imposed a number of requirements on federal government contractors including that they disclose their own labor law violations (referred to as the "Blacklisting" rule) and, for contracts over $500,000, that they provide wage statements to workers covered under certain federal or state wage payment laws (referred to as the "Paycheck Transparency" rule) and documents informing independent contractors of their independent contractor status.  A final FAR rule implementing EO 13673 (the FAR EO 13673 Rule) was issued on August 25, 2016 (here).

Subsequently, however, a federal court decision enjoined enforcement of EO 13673 except for the Paycheck Transparency rule.  As we wrote about here, more recently Congress passed a joint resolution signed by President Trump on March 27, 2017 making the FAR EO 13673 Rule unenforceable.  On that day, President Trump also issued an executive order revoking EO 13673 (here).

The Final Rule, which was issued over the weekend and takes effect November 6, 2017, now removes the FAR EO 13673 Rule entirely from the FAR, declares that all of the provisions of the FAR that implemented EO 13673, including the Paycheck Transparency rule, are unenforceable, and states that the FAR EO 13673 Rule shall be treated as if it had never taken effect.  Accordingly, the preamble to the latest Final Rule directs contracting officers to modify, to the maximum extent practicable, existing contracts to remove any solicitation provisions and contract clauses related to the Fair Pay and Safe Workplaces rule because they are unenforceable by law.

To read other articles from The GovCon Bulletin™ go here.

Taking A Closer Look At The Senate's 2018 NDAA Bill

October 27, 2017

Last week, on October 17, 2017, the U.S. Senate voted to appoint members to join with House members on a conference committee to work out differences between Senate and House NDAA 2018 bills.  The Senate passed its bill on September 18, while the U.S. House of Representatives passed its bill in July.  As we stated during our closer look at the House’s bill (here), examining the defense authorization bills gives government contractors an early glimpse of, and insight into, the spending priorities supported by influential constituencies.  There is some overlap between the bills, including appropriations for military housing and construction, a prohibition against another round of base realignment activities, and heavy investments in the missile defense system, which in the Senate version includes appropriations for the Iron-Dome Short Range Rocket Defense Program, the Israeli Cooperative Missile Defense Program, development of space-based sensor architecture, and improved ground-based interceptor capability and reliability.

The differences between the bills, however, are far greater and more significant, and the Senate bill is every bit the complete re-write it appears to be on a side-by-side comparison.  While it remains to be seen which of the Senate's proposals will ultimately be included in a final bill that is worked out by conference committee members, below are highlights of the Senate bill that government contractors may wish to take note of now.

Changes To Procurement Process

The Senate bill includes reforms to the procurement process including provisions requiring amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would implement procedures aimed at making “should-cost” reviews transparent and objective.  The reforms also prohibit the U.S. Department of Defense (DoD) from entering into contracts for services over $10 million based on specific personnel or labor hour requirements without first submitting a justification on why outcome-based or performance-based requirements were not used instead, and mandate a pilot program under which DoD would enter into extended multi-year contracts of up to ten years.

Some of the most significant reforms, however, are proposed changes to debriefing and bid protest rules.  Specifically, the bill requires changes to DFARS that would mandate that all required post-award debriefings must provide detailed and comprehensive statements of the agency’s rating for each evaluation criterion, as well as of the agency’s award decision. The revisions would also encourage agencies to release as part of the debriefing all information that would be releasable during a bid protest, including the agency’s written source selection award determination.  The changes would also provide an opportunity for a round of follow-up questions and answers.

As for bid protests, the Senate bill requires a losing protester with revenues over $100,000,000 to pay for DoD's costs incurred for processing the protest.  In addition, incumbent contractors who file protests are required to have all payments over the incurred costs withheld on any bridge or temporary contract extension awarded to the contractor as a result of any delay in the award that results from the protest filing. The withheld funds are, depending on the protest outcome, released to the awarded contractor, DoD, or the incumbent.

Increased Threshold Limits

The Senate bill also proposes to raise several threshold limits. For example, the bill raises the simplified acquisition threshold for DoD acquisitions to $250,000.  In addition, the threshold for requiring contractors to submit cost or pricing data – when such submission is required – is raised from $500,000 to $1,000,000, while the micro-purchase threshold has been raised from $3,000 to $10,000.

Space Based Initiatives

While the Senate bill does not take up the House’s proposed Space Corps, it does make several proposals targeting the nation’s space-based defense systems.  First, the Senate bill repeatedly pronounces that space is a “warfighting,” “contested,” or “combat” domain, and places the National Space Defense Center at the center of efforts to protect U.S. assets in space and to detect, assess and react to evolving space threats.  It also requires the Commander of the Air Force Space and Missile Systems Center to maintain a watch list of contractors with a history of poor performance on space-related contracts.  And, although not grouped in with, or categorized as, space defense weapons, hypersonic weapons (featured in this Popular Mechanics article) receive significant support in the Senate bill, which points specifically to technological breakthroughs that have made the pursuit of hypersonic glide weapons feasible from a budgetary standpoint.  According to the bill, although hypersonic weapons “present a radical change in warfare,” other countries (including Russia and China) “are aggressively pursuing hypersonic weapons at an alarming rate that threatens to outpace the United States if the United States does not more aggressively pursue development.”


Another area that received significant, if not the most, attention is, not surprisingly, cybersecurity. The Senate bill declares a U.S. policy to use “all instruments of power” to deter, and respond to, any and all cyber attacks that target U.S. interests.  The bill includes numerous DoD mandates, a few of which include:

  • Requiring DoD to conduct a comprehensive review of U.S. cyber posture for the next 5 to 10 years and submit a report to Congress;
  • Requiring DoD to incorporate cybersecurity of election systems as a component of its Cyber Guard Exercise;
  • Requiring DoD to submit to Congress a plan to meet the increased demand for cyberspace careers in the armed reserves;
  • Mandating the establishment of the DoD Cybersecurity Scholarship Program;
  • Requiring an annual assessment of “cyber resiliency” of the nuclear command and control system, including its ability to operate through a cyber attack from Russia and China;
  • Requiring DoD to submit a congressional report on the training infrastructure of cyber forces;
  • Requiring Army to report on the cyber capability and readiness shortfalls of its Army Combat Training Centers;
  • Requiring DoD to report on significant security risks to defense-critical electric infrastructure posed by significant malicious cyber-enabled activity;
  • Requiring the Comptroller General of the United States to submit a report to congressional committees of any critical telecommunications equipment, technologies or services obtained by DoD, or its contractors or subcontractors, manufactured directly or indirectly by a foreign supplier closely linked to a leading cyber-threat actor;
  • Requiring DoD to submit to appropriate congressional committees a report on the potential offensive and defensive applications of “blockchain” technology and other distributed database technologies;
  • Requiring DoD to establish a cross-functional task force that will integrate across organizations that are responsible for information operations, military deception, public affairs, electronic warfare, and cyber operations;
  • Requiring DoD to establish a “Strategic Cybersecurity Program” that will continuously assess information assurance and overall effectiveness of offensive cyber systems, long-range strike systems, nuclear deterrent systems, national security systems, and DoD’s critical infrastructure; and
  • Requiring an evaluation by the Commander of U.S. Cyber Command of alternative methods for developing, acquiring, and maintaining software-based cyber tools and applications that must include agile software development, agile acquisition, and other best practices of commercial industry. 

On this last point, the Senate bill expressly requires the Commander to consult with commercial software companies, but it seems likely that many of the other evaluations and reports mandated under the bill will require commercial or contractor consultation.

In addition, in order to make secure work spaces available to small and nontraditional businesses, the bill also requires DoD to establish procedures to build and maintain certifications for multi-use sensitive compartmented information facilities where multiple companies can work on multiple projects at different security levels and not tied to any single contract.

Lastly, the bill also prohibits any U.S. government department, agency or organization from using, directly or indirectly, any hardware, software or services developed by Kaspersky Lab or any entity in which Kaspersky Lab has majority ownership.

Other Integration of Agile Methods

The Senate bill contemplates a much broader integration of agile software and methods that goes far beyond the application to cyber threats described above.  For example, the bill requires DoD to identify one major program per military service and one defense-wide program for tailoring into a smaller increment.  Each program must be either a major defense acquisition or formerly a major automated information system.  In addition, DoD is required to conduct a comprehensive assessment of investments in between four and eight defense business systems and priorities for realignment and restructuring into smaller increments and incorporation of agile acquisition methods.  DoD is also required to identify between four and eight software development activities to be developed using modern agile acquisition methods and without incorporating requirements that typically may otherwise apply such as (1) earned value management or EVM-like reporting; (2) development of integrated master schedule; (3) development of integrated master plan; (4) development of a technical requirement document; (5) development of systems requirement documents; (6) use of information technology infrastructure library agreements; or (7) use of software development life cycle (methodology).

Open Source Requirement and Changes to Technical Data Rights

Perhaps more controversially, the bill requires all unclassified custom-developed software and related technical data that is not a defense article regulated by the Arms Export Control Act but that is developed under a DoD contract award to be managed as open source software unless specifically waived by a service acquisition executive.  Thus, DoD must require contractors to release source code and related technical data in a DoD approved public repository subject to a license through which the copyright holder provides the rights to use, study, reuse, modify, enhance, and distribute the software to anyone and for any purpose.  Moreover, with regard to existing custom-developed computer software, DoD must, where appropriate, seek to negotiate open source licenses with contractors that developed it, and release related source code and technical data in a DoD approved repository.  Lastly, DoD must task the Defense Advanced Research Program Agency with a project to identify and reverse engineer custom-developed computer software and related technical data for which source code is unavailable.

As we have noted in our white paper on computer software and data rights (here) and in our GovCon Video Blog™ series on software and data rights (see here), the government’s rights that are designated as “unlimited” are broad and expansive, but it is clear that the Senate’s bill intends for the government to aggressively make full use of those unlimited rights.

Indeed, the bill requires changes to the definition of “technical data,” which currently is simply and broadly defined under 10 U.S.C. 2302 as “recorded information (regardless of the form or method of the recording) of a scientific or technical nature (including computer software documentation) relating to supplies procured by an agency.”  Under the bill, the definition now explicitly includes "everything required to reproduce, build/recompile, test, and deploy working system binaries on system hardware, including all source code, revision histories, build scripts, build/compilation/modification instructions/procedures, documentation, test cases, expected test results, compilers, interpreters, test harnesses, specialized build and test hardware, connectors, cables, and library dependencies."

Moreover, the bill amends the data rights provisions in 10 U.S.C. 2320 to require, with respect to any software delivered to the government, (i) delivery in native format; (ii) builds that are not dependent on predefined build directories; and (iii) in the case of licensing restrictions that do not allow library dependent inclusion, documentation and verified accessible repositories and revision history.

If the Senate proposals are adopted, therefore, government contractors developing custom software or integrating proprietary software into custom solutions will have to pay particular attention to their data rights assertions to ensure that unlimited rights are properly confined to the particular software or data to which they apply.


The bill also proposes several important changes to the SBIR and STTR Programs. First, the bill amends the portion of the Small Business Act relating to Phase III awards. In particular, Section 9(r)(4) of the Small Business Act (10 U.S.C. 638(r)(4)) currently states that to “the greatest extent practicable” government agencies and prime contractors must issue Phase III awards related to technology to the SBIR and STTR award recipients that developed the technology.  Although the Senate bill does not eliminate the wiggle room requiring Phase III awards to the technology developers only to the “greatest extent practicable,” it does now add a provision that explicitly states that agencies and prime contractors must construe any prior Phase I or Phase II award as satisfying any “full and open” or other competition requirements, and that a Phase III award can be made without further justification.  In addition, the Senate bill proposes to implement a pilot program under which DoD shall award multiple award contracts to small businesses in order to purchase technologies, supplies or services that were developed under the STTR and SBIR programs.  Similarly here, DoD is authorized to establish procedures to waive the competition in contracting requirements for any such purchases.

To download a copy of the Senate bill go here, and to read other articles from The GovCon Bulletin™ go here.