Federal contractors may be subject to a slate of new regulations in 2018, including rules that increase cyber reporting burdens, expand small business competition, and change the procedures for competitively awarding IDIQ contracts.

Among the proposed rules, announced in the Semiannual Regulatory Agenda of the FAR Council and the General Services Administration (“GSA”), are changes that would affect nearly every segment of the government contracts industry.  Although some of the rules may simplify the burdens on contractors, most come with enhanced compliance obligations, particularly with respect to data security and cyber incidents.

Some of the key proposals are summarized below.

  • Data breaches.  Under a new proposal, contractors would be required to use a contractually specified set of procedures when responding to data breaches involving personally identifiable information (“PII”).  The new contract clauses will implement the requirements in the Office of Management and Budget’s Memorandum M-17-12.  A proposed rule is expected in March.
  • Controlled Unclassified Information.  A new rule would implement standards for safeguarding, marking, disseminating, and disposing of Controlled Unclassified Information (“CUI”).  The rule would generally ensure uniform CUI requirements across all federal contracts by adopting the rules of the National Archives and Records Administration (“NARA”) codified at 32 C.F.R. § 2002.  A proposed rule is expected in April.
  • GSA-specific cybersecurity rules.  GSA is proposing new cybersecurity requirements for internal and external contractor systems, including cloud and mobile systems.  GSA contracting officers will be required to (1) incorporate applicable cybersecurity requirements within their statements of work and (2) create uniform reporting requirements for cyber incidents that potentially compromise GSA or government information or information systems.  In addition, contractors will be required to give customer agencies “access [to] contractor systems in the event of a cyber incident.”  Proposed rules are expected in April and August.
  • No cost or price evaluation for base IDIQ awards.  When awarding multiple indefinite-delivery indefinite-quantity (“IDIQ”) contracts, the Department of Defense, Coast Guard and the National Aeronautics and Space Administration would have the option of not evaluating the cost or price of a base IDIQ contract proposal.  Instead, cost or price would be evaluated during task order competitions.  A proposed rule is expected in April.
  • Extending small business rules to overseas contracts.  Small business regulations have generally applied only to work performed within the United States.  However, under the FAR Council’s proposal, agencies would be able to use small business set-asides for overseas opportunities.  Agencies also would be given “tools authorized for providing small business opportunities for contracts awarded outside of the United States.”  It is unclear to what extent this proposal would affect small business subcontracting requirements.  A proposed rule is expected in February.
  • Expanding small business access to IDIQ contracts.  The FAR Council is finalizing a rule that would provide small businesses “greater access to multiple award contracts[.]”  This rule was initially proposed in December 2016.  A final rule is expected in March.
  • Paid sick leave for contractor employees.  The FAR Council is also finalizing a rule requiring contractors to provide up to seven days or more of paid sick leave or family-care leave.  This rule permanently codifies an interim rule announced in December 2016.  The final rule is expected in February.
  • Pre-proposal exchanges with industry.  As required by Section 887 of the National Defense Authorization Act for Fiscal Year 2016, the FAR Council is proposing a rule that would encourage “responsible and constructive exchanges with industry.”  This rule is consistent with the Office of Federal Procurement Policy’s 2011 and 2012 “Mythbuster” memoranda, which encouraged agencies to communicate with industry informally, and which generally asserted that marketing efforts should not raise conflict of interest concerns.  As noted in the May 2012 memorandum, “simply providing suggestions and comments prior to formal requirements development will not trigger an organizational conflict of interest, as long as the vendor is not then hired to develop the requirements.”  A final rule is expected in April.
  • Enhanced whistleblower protections.  The FAR Council is proposing to permanently codify a temporary rule that protects contractor and subcontractor employees from retaliation for reporting gross mismanagement, abuses of authority, or other malfeasance on a federal contract.  The proposed rule also would ensure that the prohibition on reimbursement for legal fees accrued in defense against reprisal claims applies to subcontractors, as well as contractors.  A proposed rule is expected in March.
  • Fair and reasonable pricing determination for Federal Supply Schedule orders.  Under existing regulations, agencies are generally not required to make a determination of fair and reasonable pricing when placing Federal Supply Schedule orders.  But under the FAR Council’s proposal, such determinations would be required.  A proposed rule is expected in May.
  • New definition of Information Technology.  The FAR Council is proposing to broaden the definition of “information technology” to include services such as cloud computing and to remove an exemption for IT embedded in other systems.  A proposed definition is expected in June.

Contractors should carefully monitor these proposed rules.  Contractors whose businesses may be affected should consider submitting comments to the FAR Council or GSA, either directly or through third parties, during the relevant notice-and-comment period.