On October 30, 2015, the Department of Defense (“DoD” or the “Department”) issued a Final Rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) and clarifying the scope of the DoD’s ability to evaluate and exclude contractors that represent “supply chain risks” in solicitations and contracts involving the development or delivery of IT products and services related to National Security Systems (“NSS”). The Final Rule clarifies that the DoD’s exclusion authority is limited to procurement of NSS, explains that decisions apply on a procurement-by-procurement basis, and removes the flow down requirement that was present in the Interim Rule. The Final Rule also encourages contracting officers to consider imposing a Government consent requirement for all subcontracts.  Our in-depth analysis of the Final Rule is available here.

As we previously discussed when the DoD issued its Interim Rule, these amendments are significant because they provide the DoD with authority to undertake a Section 806 Action to exclude IT contractors from contract participation or withhold consent to subcontract if the Department determines that a contractor or subcontractor presents a supply chain risk.  Notably, the DoD may implement this tool without providing pre- or post-exclusion notice to or engaging in dialogue with contractors.  Further, the Final Rule states that Section 806 Actions are not reviewable in a bid protest before the Government Accountability Office or in any Federal court.  The lack of procedural protections led commentators to the Interim Rule to suggest that contractors could be effectively excluded from DoD procurements without advance notice or an opportunity to object.  The DoD attempted to address this de facto debarment concern by clarifying that each Section 806 decision to exclude is done on a procurement-by-procurement basis. Nevertheless, multiple exclusions without an opportunity to object or address the Government’s concerns could effectively result in a blanket exclusion.

In addition to outlining the DoD’s authority under Section 806 Actions, the Final Rule allows the Department to use an evaluation factor to assess supply chain risk when making procurement decisions and imposes on contractors an ongoing obligation to “mitigate supply chain risk.”  However, the DoD declined to provide guidance in the Final Rule regarding the manner in which the evaluation factor will be applied or the appropriate means of mitigating supply chain risk.

In short, under the Final Rule, contractors may be excluded from certain DoD IT procurements without (1) notice or an opportunity to be heard, (2) an impartial review of the DoD’s decision, or (3) an opportunity to take corrective action.  In addition, contractors must address a new supply chain risk evaluation factor and satisfy an ongoing obligation to “mitigate supply chain risk.”  Given the potentially significant impact of the Final Rule, contractors would be well advised to closely monitor the DoD’s implementation of these amendments.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.