As 2017 winds down, we revisit some of the most significant developments in government contracting this year. Among the highlights are an increased focus on cybersecurity and privacy protections, the NDAA for FY18, and the repeal of the controversial Fair Pay and Safe Workplaces rule.
December 31, 2017 Deadline for Defense Contractors to Comply with Cybersecurity Rules
The December 31, 2017 deadline for compliance with NIST SP 800-171 is fast approaching, and despite some recent reports, DoD has confirmed that the deadline has not been delayed. Here are ten insights that Defense contractors need to know about compliance with NIST SP 800-171.
- NIST requires continuous monitoring and updating of controls – not “one and done.”
- System Security Plans (SSPs) have no required format or minimum content, but should include a customized self-assessment.
- There is no general requirement to submit an SSP to DoD or to provide it to the prime contractor.
- But DCMA may check that an SSP was prepared, and the SSP may be scrutinized for adequacy in the event of a cyber incident.
- And requiring activities can request, evaluate and even “score” SSPs in a competitive acquisition process.
- Outsourcing to the cloud (or to a managed security service provider) does not relieve contractors of their obligations: any third party given access to Covered Defense Information must meet NIST SP 800-171, and the DFARS as well.
- Cloud Service Providers (CSPs) must meet controls “equivalent” to the FedRAMP Moderate baseline, which is more rigorous than the on-premises controls. The contractor must still meet NIST SP 800-171 for its on-premises systems.
- The contractor must also ensure that the CSP agrees to the incident reporting and audit rules.
- Neither the DFARS nor SP 800-171 requires third-party review or certification.
- DoD expects you to already have your Medium Assurance Certification for incident reporting.
2018 National Defense Authorization Act
On December 12, 2017, President Trump signed into law the 2018 National Defense Authorization Act (NDAA). There are several provisions in the 2018 NDAA that affect Defense contractors, including two that are aimed at reducing the number of “frivolous” and speculative protests against Defense procurements filed at the U.S. Government Accountability Office (GAO).
To provide offerors with more information about the procurement process, the NDAA provides for an enhanced post-award debriefing process that would require Defense agencies to provide substantially more information to offerors in procurements for awards exceeding $100 million than what is currently required under the FAR.
Specifically, this information would include:
- the agency’s written source selection award determination, redacted if necessary to protect other offerors’ confidential and proprietary information;
- an opportunity to submit additional follow-up questions related to the debriefing within two days of the debriefing, and the debriefing would be held open until the agency responded in writing to those questions;
- access for small businesses to redacted source selection determinations for all contract awards valued at $10,000,000 or higher.
The NDAA also includes a pilot program aimed at reducing the number of “frivolous” protests that are filed at GAO. Under this program, a contractor with revenues in excess of $250 million during the previous year is required to pay DoD the costs incurred in processing a GAO protest when all elements of the protest are denied by GAO in a written opinion. The pilot program will apply to protests filed between October 1, 2019 and September 30, 2022.
Removal of Fair Pay and Safe Workplaces Rule from the FAR
The Fair Pay and Safe Workplaces rule, which implemented a 2014 Executive Order issued by President Obama, was the subject of much discussion in the government contracting world in the last few years. The rule required contractors to disclose labor law violations as part of the bidding process, and was largely regarded by industry as costly, excessive, unnecessary, and potentially excluding companies from government contracting without appropriate due process.
A lawsuit was filed challenging the rule and the majority of its provisions were stayed by a U.S. District Court beginning in October 2016. Congress passed a resolution to repeal the rule in March 2017, and in November 2017, the FAR Council rescinded the rule.
FAR Council Issued Mandatory Privacy Training Requirements
In January 2017, the FAR Council issued a new FAR clause that makes Privacy Act training mandatory and warns contractors handling Privacy Act records that their employees are subject to criminal penalties for violating the Act. Read our previous write-up of these training requirements here.
FAR Targeted Company Confidentiality Agreements Covering Up Fraud Reporting
On January 13, 2017, FAR was amended to prohibit awarding a contract to a company that requires employees or subcontractors to sign an internal confidentiality agreement that restricts such employees or subcontractors from lawfully reporting waste, fraud, or abuse to the Government. This final rule clarified its applicability in two ways. First, it applies to future internal confidentiality agreements or statements that restrict reporting of waste, fraud, or abuse related to the performance of a Government contract. Second, a contractor is required to give notice only to current employees and subcontractors that any prohibitions and restrictions of any preexisting confidentiality agreements or statements covered by the clause are no longer in effect, to the extent that such prohibitions and restrictions are in conflict with the prohibitions of the clause. See FAR Subpart 3.900, FAR 52.203-18 and 52.203-19.
SBA Regulations Facilitate 8(a) Follow-On Contracts
In January 2017, the SBA revised its 8(a) regulations. One change revised the language at FAR 19.815 regarding the release of requirements from the 8(a) program. The SBA added language to clarify that any follow-on 8(a) requirement must remain in the 8(a) program unless there is a mandatory source for the requirement pursuant to FAR 8.002 or 8.003, or unless the SBA agrees to release the requirement for procurement outside the 8(a) program.
In its comments, the SBA also made an important clarification about the language of FAR 19.800(e), which was moved to FAR 19.800(d). The FAR language seemed to indicate a preference for the 8(a) program over all other small business programs: “the contracting officer shall consider 8(a) set-asides or sole source awards before considering small business set-asides . . . .” In its comments, the SBA said there was no such preference: “The intent of the language at FAR 19.800(d) of the proposed rule is to further convey the policy established at FAR 19.203(c), i.e., for acquisitions above the simplified acquisition threshold (SAT), the contracting officer shall first consider small business socioeconomic contracting programs, such as the HUBZone program, the service-disabled veteran-owned small business (SDVOSB) program, the women-owned small business program (WOSB), and the 8(a) program, before considering a small business set-aside, thus allowing agencies to independently tailor acquisition strategies based on their small business and small business socioeconomic goaling achievements. Similar language appears in FAR subparts 19.13, 19.14, and 19.15, though it is adapted to suit the specific socioeconomic program under discussion, i.e., HUBZone, SDVOSB program, or the WOSB program.”
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the December 2017 Monthly Insights newsletter.
Stephanie Wilson and Terry O’Connor lead the Government Contracts practice at Berenzweig Leonard, LLP, and Steve Britt leads the firm’s Cybersecurity Law practice. Stephanie can be reached at [email protected], Terry can be reached at [email protected], and Steve can be reached at [email protected].