National Defense Authorization Act

As part of an ongoing Department of Defense (“DoD”) effort to increase its energy efficiency, late last month the U.S. Army committed to develop its largest renewable energy project to date — a 65 MW wind and solar project at Fort Hood.  This ambitious project will need to comply with the latest DoD rules regarding sourcing requirements for photovoltaic (“PV”) devices.  We previously analyzed the proposed rule issued by DoD in May 2015 that placed stricter sourcing requirements on PV devices.  Toward the end of last year, DoD issued a final rule implementing the requirements of the proposed rule with relatively minimal, but still notable, changes.  The solicitation for the Fort Hood project was amended to add the updated DFARS clause implementing this final rule.  The final rule tightens the sourcing restrictions for PV devices and may raise some compliance challenges for contractors.
Continue Reading Strict DoD Sourcing Requirements for PV Devices

On October 22, 2015, President Obama vetoed the National Defense Authorization Act (“NDAA”) for Fiscal Year 2016.  In so doing, the President cited concerns over provisions keeping in place the sequester, preventing reforms to modernize the military, and making it more difficult to close Guantanamo Bay.  As a result, the acquisition provisions of the 2016 NDAA are likely to remain unchanged in the version of the bill that is ultimately passed.  Those provisions will have a significant impact on government contractors.  This post addresses some of the key cybersecurity aspects of the bill.
Continue Reading NDAA — Vetoed for Now — Includes New Cybersecurity Provisions for Contractors

There are currently three major cybersecurity-related bills pending in the 114th Congress that address information sharing among private entities and between private entities and the federal government: the Protecting Cyber Networks Act (PCNA), H.R. 1560, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), H.R. 1731, and the Cyber Security Information Act of 2015 (CISA), S. 754. Some of the key issues that need to be resolved across these bills include: which agency will be designated as the lead clearinghouse for cyber threat information, what liability protections will be granted to those companies that do share information, and whether the structures established under any of these bills will also facilitate greater sharing of government threat information with the private sector. Although the bills all provide that existing reporting requirements will not be disturbed, such as those for Department of Defense (“DOD”) contractors, it remains unclear how these different reporting schemes will interact. Similarly, these bills do not address a provision in the House version of the 2016 National Defense Authorization Act that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems.

Restrictions on the sharing of cyber threat and vulnerability information are often raised as significant barriers to effective cybersecurity. But the sharing of such information is not without risk. In particular, private entities have raised concerns about how the government would use this information and whether such disclosures could result in antitrust, privacy or other legal complications. These bills look to increase incentives for cooperation between the government and the private sector in fending off cyber-attacks by encouraging private companies to voluntarily share information about the particular traits of cyber-attacks—what the bills refer to as “cyber threat indicators”—that they have previously encountered. In response to some of the concerns previously voiced by industry, these bills provide civil suit immunity for private entities that elect to share their information with each other and with the government. The bills also contain liability protection for contractors who monitor government computer systems. What follows is a brief comparison of all three major bills and why their different approaches may or may not benefit government contractors.
Continue Reading Competing Bills Focus on Cybersecurity Information Sharing But Final Language and Ultimate Passage Remain Unknown

Over the past decade, Congress has focused on eliminating excessive “pass-through” charges—charges defined as overhead costs or profits passed to the Government by contractors adding negligible value over work done by lower-tier contractors.  The efforts began with the Post-Katrina Emergency Management Reform Act of 2006, which introduced limitations on tiered subcontracts after allegations that the Government grossly overpaid for goods and services provided largely by lower-tier subcontractors in the reconstruction following Hurricane Katrina.  However, until the passage of the instant rule to be implemented in FAR 15.404-1(h) effective June 8, 2015, such efforts have had little impact on agencies’ procurement processes.  This latest rule has the potential to significantly reduce the appetite for such contracts, and impact proposal and bid protest strategies.
Continue Reading Contracting Officers Must Soon Separately Justify Awards to Offerors Proposing High-Percentage or “Pass-Through” Subcontracting

During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems.

This amendment relates back to two legislative efforts to impose data breach notification requirements on DoD contractors:

  • NDAA FY 2013 Section 941, which requires “cleared contractors” (private entities granted clearance by DoD to “access, receive, or store classified information” for contractual purposes) to report “successful penetrations” of their networks or information systems.
  • NDAA FY 2015 Section 1632 (10 U.S.C. § 391), which requires DoD-designated “operationally critical contractors” (those contractors determined to be critical sources of supply or support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation) to “rapidly” report each cyber incident on any of their networks or information systems.

Continue Reading Potential Relief for Contractors Subject to Rapid Reporting Requirements

On April 30, 2015, the House Armed Services Committee passed H.R. 1735, the National Defense Authorization Act for Fiscal Year (“FY”) 2016, with an amendment (Log #325rl) that could shape how the Department of Defense (“DoD”) acquires audit and audit readiness services for its Financial Improvement and Audit Readiness (“FIAR”) Plan. Under the FIAR Plan, DoD must validate the audit readiness of its financial statements by September 30, 2017, and it must submit to Congress an audit of its FY 2018 financial books by March 31, 2019. The amendment states that, for DoD to meet these deadlines, “it is imperative that [DoD] not sacrifice contracts with firms who have the proper credentials and expertise” to provide DoD with audit and audit readiness services. Hence, the amendment bars the use of a lowest-price, technically-acceptable (“LPTA”) evaluation method to procure such services unless DoD (1) establishes “the values and metrics for the services being procured, including domain expertise and experience, size and scope of [an] offeror’s team, personnel qualifications and certifications, technology, and tools”; and (2) considers offerors’ past performance history.
Continue Reading An Acceptable Proposal: Set Appropriately High, Clear Standards for DoD’s Auditors and LPTA Competitions

A major piece of IT acquisition reform legislation called the Federal Information Technology Acquisition Reform Act (“FITARA”), on which we have previously reported, was included in the version of the National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) passed by the House on December 4, 2014, along with other significant IT reform provisions related to open systems requirements for the Department of Defense (“DoD”).

The FITARA portion of the bill includes provisions that would require the federal government to:

  • empower Chief Information Officers (“CIOs”) and prevent the CIO from delegating the duty of reviewing IT contracts before the agency enters into the contract;
  • provide a publicly available list for each major information technology investment, both new and existing, that lists information specified in forthcoming investment evaluation guidance;
  • engage in a detailed review of high-risk information technology investments to identify problems;
  • inventory all information technology;
  • implement a federal data center consolidation initiative, which will include publicized goals regarding cost savings and optimization improvements to be achieved as a result of the initiative, and must be performed consistent with federal guidelines on cloud computing and cybersecurity such as FedRAMP and NIST guidelines;
  • expand the use of specialized IT acquisition experts;
  • develop a federal strategic sourcing initiative to be developed by GSA, which will allow for the use of governmentwide user license agreements.

Additional provisions require the use of open and modular strategies by the DoD, including the following requirements
Continue Reading Federal Information Technology Reform Act Included in the House-Passed NDAA FY 15

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of their networks or information systems.  For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.
Continue Reading DoD to Impose Yet Another Form of Rapid Reporting Requirements

The Department of Defense (“DOD”) has once again delayed the promulgation of regulations requiring DOD contractors to rapidly report data breaches and allowing DOD to access the contractor’s equipment to conduct a forensic analysis.  The National Defense Authorization Act for Fiscal Year 2013 originally required an ad hoc committee to provide a report to the