On January 31, 2018, the Department of Defense (“DoD” or the “Department”) published a final rule regarding commercial item purchasing requirements.  Among other key amendments, the final rule modifies the Defense Federal Acquisition Regulation Supplement (“DFARS”) by:  (i) formalizing a presumption of commerciality for items that DoD previously treated as commercial; (ii) providing commercial item treatment to goods and services offered by nontraditional defense contractors; and (iii) prioritizing the types of information that the contracting officer (“CO”) can consider when determining price reasonableness in the absence of adequate competition.

The final rule adopts much of DoD’s August 2016 proposed rule, which itself was a revised version of a retracted August 2015 proposed version.  We discussed the August 2016 proposed rule on this subject (and linked to an article regarding the August 2015 version) in a prior post.  Despite receiving repeated input from industry and Congress, DoD’s final rule still provides little concrete guidance, and although these changes were made with the stated purpose of promoting consistency across purchasing components, it appears likely that inconsistencies will persist.  In particular, the final rule continues to leave the door open for individual contracting officers to make potentially burdensome requests for information to support the proposed pricing of commercial items.
Continue Reading Third Time Around: Inconsistencies Persist with Final DFARS Commercial Items Rule

[The referenced article was originally published in Law360.]

Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been

Federal contractors who require employees to sign confidentiality agreements—including those selling only commercial products or in small quantities—need to examine their agreements closely. For the last two years, the government has sought to prohibit confidentiality agreements that restrict employees’ ability to report fraud, waste, or abuse to “designated investigative or law enforcement representative[s]” for federal agencies authorized to receive that information.[1]  Most recently, the Department of Defense issued a new class deviation on November 14, 2016 prohibiting DoD from using funds from recent appropriations to contract with companies using overbroad confidentiality agreements.[2]  While these restrictions may not be new, the deviation’s broad application and significant consequences mean that contractors should give close scrutiny to ensure any agreements with employees comply with the prohibition.

Continue Reading Confidentiality Agreements Continue To Pose Potential Compliance Trap for Contractors

On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November 2013, two interim rules published in August 2015 and December 2015, and years of comments and experience by DoD and its contractors.  The new Rule materially alters the predecessor rule in a number of respects and clarifies several important issues relating to contracting for cloud computing services.

Continue Reading Cybersecurity Update: DoD Releases Long-Awaited Final Rule

On June 16, 2016, the Department of Defense (DoD) issued a proposed rule to implement Section 815 of the National Defense Authorization Act for Fiscal Year 2012, which was originally enacted in December 2011.  Under the proposed rule, DoD would be given additional flexibility to release technical data or computer software to third parties (including competitors) if the data qualify as “segregation or reintegration” data.  Although the data would include limited-rights data or restricted-rights software, the recipient would be permitted to use the data or software only for segregation or reintegration, and must destroy the data or software at the “completion of authorized activities.”  The rule also permits, among other changes, DoD to require delivery, without any time limits, of various technical data and software that either have been generated or merely “utilized” in the performance of a contract.  Four years in the making, this proposed rule attempts to implement and clarify statutory changes introduced in section 815 of the National Defense Authorization Act for Fiscal Year 2012 (the “2012 NDAA”).  Despite the attempt to clarify, the proposed regulations still leave open significant questions for contractors with respect to technical data rights.

Continue Reading DoD Finally Issues Proposed Rule Addressing 2012 NDAA Changes to Technical Data Rights

The Department of Defense (DoD) will require contractors to disclose more information about their Independent Research & Development (IR&D) projects before the Government will reimburse IR&D costs, the Pentagon said in a proposed rule issued earlier this week.  The proposed rule, which was previewed in an August 2015 white paper, is the latest sign that DoD is poised to overhaul the regulatory framework that applies to IR&D performed by defense contractors.  Indeed, just last week, DoD issued yet another proposed rule that would change the way proposed IR&D projects are evaluated in DoD procurements.
Continue Reading Defense Contractors Must Share (Even More) Information About Their IR&D Projects Before DoD Will Reimburse IR&D Costs

On February 25, 2015, the Office of the Secretary of Defense (AT&L) issued a memorandum containing an agency “Scorecard” for the implementation of the DFARS clause on safeguarding Unclassified Controlled Technical Information (“UCTI”).  The final UCTI rule was published on November 18, 2013 and required the new DFARS clause 252.204-7012, which imposes requirements for (1) safeguarding UCTI that is “resident on or transiting through contractor unclassified information systems,” and (2) reporting cyber incidents and UCTI compromises, to be included in all solicitations and contracts, including those for commercial items.  The Defense Procurement and Acquisition Policy (“DPAP”) office reviewed contract clause compliance data for the first quarter of 2015 and found that DFARS clause 252.204-7012 was included in only 65% of new awards.
Continue Reading DoD Memo Reveals Poor Scorecard for Agency’s Inclusion of the UCTI DFARS Clause in New Contracts

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish, within 90 days, procedures for designating “operationally critical contractors” and for the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of their networks or information systems.  For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.

Continue Reading DoD to Impose Yet Another Form of Rapid Reporting Requirements