Federal contractors may be subject to a slate of new regulations in 2018, including rules that increase cyber reporting burdens, expand small business competition, and change the procedures for competitively awarding IDIQ contracts.

Among the proposed rules, announced in the Semiannual Regulatory Agenda of the FAR Council and the General Services Administration (“GSA”), are changes that would affect nearly every segment of the government contracts industry.  Although some of the rules may simplify the burdens on contractors, most come with enhanced compliance obligations, particularly with respect to data security and cyber incidents.

Some of the key proposals are summarized below.

  • Data breaches.  Under a new proposal, contractors would be required to use a contractually-specified set of procedures when responding to data breaches involving personally identifiable information (“PII”).  The new contract clauses will implement the requirements in the Office of Management and Budget’s Memorandum M-17-12.  A proposed rule is expected in March.
  • Controlled Unclassified Information.  A new rule would implement standards for safeguarding, marking, disseminating, and disposing of Controlled Unclassified Information (“CUI”).  The rule would generally ensure uniform CUI requirements across all federal contracts by adopting the rules of the National Archives and Records Administration (“NARA”) codified at 32 C.F.R. § 2002.  A proposed rule is expected in April.
  • GSA-specific cybersecurity rules.  GSA is proposing new cybersecurity requirements for internal and external contractor systems, including cloud and mobile systems.  GSA contracting officers will be required to (1) incorporate applicable cybersecurity requirements within their statements of work and (2) create uniform reporting requirements for cyber incidents that potentially compromise GSA or government information or information systems.  In addition, contractors will be required to give customer agencies “access [to] contractor systems in the event of a cyber incident.”  Proposed rules are expected in April and August.
  • No cost or price evaluation for base IDIQ awards.  When awarding multiple indefinite-delivery indefinite-quantity (“IDIQ”) contracts, the Department of Defense, Coast Guard and the National Aeronautics and Space Administration would have the option of not evaluating the cost or price of a base IDIQ contract proposal.  Instead, cost or price would be evaluated during task order competitions.  A proposed rule is expected in April.
  • Extending small business rules to overseas contracts.  Small business regulations have generally applied only to work performed within the United States.  However, under the FAR Council’s proposal, agencies would be able to use small business set-asides for overseas opportunities.  Agencies also would be given “tools authorized for providing small business opportunities for contracts awarded outside of the United States.”  It is unclear to what extent this proposal would affect small business subcontracting requirements.  A proposed rule is expected in February.
  • Expanding small business access to IDIQ contracts.  The FAR Council is finalizing a rule that would provide small businesses “greater access to multiple award contracts[.]”  This rule was initially proposed in December 2016.  A final rule is expected in March.
  • Paid sick leave for contractor employees.  The FAR Council is also finalizing a rule requiring contractors to provide up to seven days or more of paid sick leave or family-care leave.  This rule permanently codifies an interim rule announced in December 2016.  The final rule is expected in February.
  • Pre-proposal exchanges with industry.  As required by Section 887 of the National Defense Authorization Act for Fiscal Year 2016, the FAR Council is proposing a rule that would encourage “responsible and constructive exchanges with industry.”  This rule is consistent with the Office of Federal Procurement Policy’s 2011 and 2012 “Mythbuster” memoranda, which encouraged agencies to communicate with industry informally, and which generally asserted that marketing efforts should not raise conflict of interest concerns.  As noted in the May 2012 memorandum, “simply providing suggestions and comments prior to formal requirements development will not trigger an organizational conflict of interest, as long as the vendor is not then hired to develop the requirements.”  A final rule is expected in April.
  • Enhanced whistleblower protections.  The FAR Council is proposing to permanently codify a temporary rule that protects contractor and subcontractor employees from retaliation for reporting gross mismanagement, abuses of authority, or other malfeasance on a federal contract.  The proposed rule also would ensure that the prohibition on reimbursement for legal fees accrued in defense against reprisal claims applies to subcontractors, as well as contractors.  A proposed rule is expected in March.
  • Fair and reasonable pricing determination for Federal Supply Schedule orders.  Under existing regulations, agencies are generally not required to make a determination of fair and reasonable pricing when placing Federal Supply Schedule orders.  But under the FAR Council’s proposal, such determinations would be required.  A proposed rule is expected in May.
  • New definition of Information Technology.  The FAR Council is proposing to broaden the definition of “information technology” to include services such as cloud computing and to remove an exemption for IT embedded in other systems.  A proposed definition is expected in June.

Contractors should carefully monitor these proposed rules.  To the extent these rules may affect contractors’ businesses, they should consider submitting comments to the FAR Council or GSA either directly or through third parties during the relevant notice-and-comment period.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Evan R. Sherwood

Evan Sherwood counsels federal contractors on Contract Disputes Act (CDA) claims, the cost accounting standards (CAS), cost allowability, requests for equitable adjustment (REAs), contract terminations for convenience/default, and related audits, litigations, and investigations. He also advises on contract compliance and formation issues, including TINA/defective pricing, data rights, mandatory disclosure rules, ethics, conflicts of interest, teaming arrangements, and other transaction agreements (OTAs). He has litigated matters before the Court of Federal Claims, the Armed Services Board of Contract Appeals, the Government Accountability Office, and the Federal District Courts.

In his work for defense and civilian agency contractors, Evan:

  • Prepares CDA claims and REAs;
  • Litigates matters involving CAS compliance, cost accounting practice changes, and cost allowability under the FAR and grant rules;
  • Defends contractors during audits and investigations involving the Defense Contract Audit Agency (DCAA), Defense Contract Management Agency (DCMA), and the Office of the Inspector General (OIG);
  • Advises on constructive changes, work delays, defective specifications, stop-work orders, government-furnished property, CPARS, warranty matters, data rights, and quality controls;
  • Counsels on disputes between primes and subcontractors, including teaming disputes; and
  • Conducts internal investigations and defends clients in federal investigations involving whistleblower allegations and retaliation claims.

Evan is a Vice Chair of the ABA Public Contract Law Section’s Contract Claims & Disputes Resolution Committee. He routinely writes and speaks about legal issues in federal contracting.