The shifting sands of cybersecurity: DOD’s interim rule further burdens contractors

By Phillip R. Seckman, Erin B. Sheppard, and Michael J. McGuinn, Dentons US LLP

The Department of Defense (DOD) earlier today issued an interim rule, effective immediately, that significantly increases existing cybersecurity requirements for DOD contractors. The requirements in the interim rule, available here, have broad applicability to DOD contractors at both the prime and subcontract levels, including commercial item and small business contractors. Contractors can expect these requirements to begin showing up in new DOD contracts immediately and should begin taking steps to ensure compliance.

The interim rule contains a number of new and revised DOD cybersecurity requirements. The key issues are summarized in Dentons’ advisory on this topic, available here.

Comments on the interim rule are due by October 26, 2015. Dentons lawyers will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons lawyers will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity. More information about the series can be found here or by contacting the authors of this client alert.

Adding a short-order cook to a crowded kitchen: OMB guidance creates a sense of urgency for cybersecurity in federal acquisitions

By Phillip R. Seckman, Erin B. Sheppard, and Michael J. McGuinn, Dentons US LLP

The Office of Management and Budget (OMB) on August 11, 2015 released proposed guidance, available here, that takes “major steps” towards – and likely accelerates – the implementation of standard cybersecurity requirements in all federal acquisitions. OMB in its guidance provides some fairly clear direction for contractors seeking to understand their future cybersecurity compliance obligations. OMB’s guidance, however, also leaves open certain key questions for contractors in this area, particularly with regard to how OMB’s requirements will be applied and harmonized with existing agency-specific cybersecurity requirements.

OMB is seeking industry feedback on its proposed guidance by September 10, 2015, in anticipation of issuing final guidance by the fall of 2015. OMB is seeking comments through the GitHub platform, and contractors should strongly consider submitting comments either independently or through industry trade associations.

Dentons attorneys will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons attorneys will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity. More information about the series can be found here or by contacting the authors of this article.

For more information, see our advisory here.

Kevin Lombardo to Present Export Control Reform Updates and FCPA & OFAC Lessons at the AZTC Export Controls, Compliance and Enforcement Programs

This September, our colleague Kevin Lombardo will present a series of discussions on Export Control Reform. On September 15 in Tucson, and September 17 in Phoenix, Kevin will present details and updates on export control reform as part of the Arizona Technology Council (AZTC) Export Controls, Compliance and Enforcement program. He will focus on what businesses should be doing, lessons to be learned from real world case studies and enforcement actions, their practical application, and the consequences of compliance or non-compliance. He will also co-present need-to-know information on the Foreign Corrupt Practices Act and the US Department of the Treasury’s Office of Foreign Assets Control with Margrette Francisco, Export Counsel and Executive Officer of the Marvin Group. Register for the Tucson event or the Phoenix event by September 11. Download full agendas for the Tucson event and Phoenix event.

Additionally, in conjunction with the AZTC events, Kevin will co-present a free, educational discussion on export control compliance for academics, students, and researchers with John Priecko, President and Managing Partner of Trade Compliance Solutions, on September 16. This two-hour, interactive discussion will focus on the costs and consequences of non-compliance with export control reforms using real world case studies and settlements. Register for this program by emailing david.fitzgerald@phoenix.edu with your full name, title, organization, phone number, mailing address, and email address by September 14.

Jim Williams, Former Manager of the FAA Unmanned Aircraft Integration Office, Joins Dentons’ Premiere Aviation Team

James “Jim” H. Williams has joined Dentons as a Principal in the Firm’s Public Policy and Regulation Practice. Mr. Williams brings to Dentons more than 25 years of experience in the Federal Aviation Administration (“FAA”), where he most recently served as the Manager of the FAA Unmanned Aircraft Systems (“UAS”) Integration Office. Mr. Williams was instrumental in expanding unmanned military and commercial aircraft access to US airspace and served as the FAA’s spokesperson on all UAS-related issues.

During his distinguished career at the FAA, Mr. Williams led the agency’s lifecycle management of all FAA communications systems, oversaw the implementation of the Safety Management System, and managed the team that developed, procured, and installed air/ground communications systems. Before moving to the FAA, Mr. Williams began his career at NASA’s Johnson Space Center after earning his BA in Aerospace Engineering from the Georgia Institute of Technology.

The addition of Mr. Williams bolsters Dentons’ highly-regarded aviation and transportation practice as it expands capabilities in the US to serve global aviation and aerospace clients. Under the leadership of Partner Mark A. Dombroff, the aviation and transportation practice advises clients in litigation, regulatory, administrative and enforcement matters, security, employee-related issues, National Transportation Safety Board investigation, as well as emergency preparedness and response.

For more information on Mr. Williams and the Dentons Aviation team, please see the Firm’s July 27 Press Release. On August 20, Dentons will host a webinar, “A conversation with Jim Williams.” Media are invited to attend and should contact Lisa Sachdev for more details.

Katherine Veeder to Present Legislative and Regulatory Developments at the SAME San Antonio Post Small Business Market Research Fair

On July 21, 2015, our colleague Katherine Veeder will present at the 2015 Society of American Military Engineers (SAME) San Antonio Post Small Business Market Research Fair. Katherine and her co-presenter, Mary Urey, Director, AFICA/SB Air Force Installation Contracting Agency, Small Business Programs Office, will discuss the federal rulemaking process and how legislation and executive orders, and their implementing regulations, will affect small business contractors. Their presentation will address, among other things, proposed changes to: the Small Business Administration’s (SBA) Mentor Protégé Program; the SBA’s limitations on subcontracting; and small business subcontracting requirements. It also will cover contractors’ recent anti-human trafficking obligations and the FAR Council’s proposed Fair Pay and Safe Workplaces rule.

Jack Horan Testifies in Congress Regarding GSA’s Proposed “Transactional Data” Rule

On June 25, 2015, Partner John C. Horan testified in front of the U.S. House of Representatives Committee on Small Business, Subcommittee on Contracting and Workforce regarding GSA’s proposed rule that would require contractors to electronically report the price the federal government paid for an item or service bought through the GSA Federal Supply Schedule and other GSA government-wide contract vehicles. The controversial rule, which was published on March 4, 2015, has received a great deal of opposition not only from industry, but also from the GSA Inspector General. Mr. Horan testified that the proposed rule is problematic for contractors – particularly small business contractors – for the following reasons: (1) the rule creates a significant and unnecessary reporting burden on these contractors; and (2) the rule is subject to misuse that could result in considerable harm. Additionally, there is no evidence that the transactional data will improve GSA’s ability to purchase items on a more cost-effective basis. Read more from Mr. Horan’s testimony here: Horan Committee on Small Business Testimony

Supreme Court to Hear Veterans’ Preference Government Contracts Case

On Monday, June 22, the United States Supreme Court decided it would hear arguments in the dispute over whether the Department of Veterans Affairs’ set-aside restricting competition to veteran-owned small businesses is mandatory.  The case is Kingdomware Technologies, Inc. v. United States.

The case was filed by a service-disabled veteran-owned small business (SDVOSB). The business, Kingdomware, originally filed multiple bid protests with the Government Accountability Office (GAO) over the Department of Veteran Affairs’ (VA) failure to apply the so-called “Rule of Two” on Federal Supply Schedule (FSS) procurements. The GAO sustained Kingdomware’s protests but the VA refused to comply with GAO’s recommendation.[1]

Following the VA’s refusal, Kingdomware brought an action in the Court of Federal Claims.  The Court of Federal Claims granted summary judgment to the VA.  Kingdomware then appealed to the Court of Appeals for the Federal Circuit (Federal Circuit).  The Federal Circuit affirmed the Court of Federal Claims’ decision, taking up the VA’s position over a vigorous dissent.

The principal dispute is over the meaning of the word “shall” in Congress’ legislative mandate that the VA use a “rule of two” in procurements when it decides whether to award contracts to veteran-owned small businesses.  The law—the Veterans Benefits, Health Care, and Information Technology Act of 2006—provides that VA contracting officers “shall award” contracts on the basis of competition restricted to small businesses owned by veterans whenever there is a “reasonable expectation” that two or more such businesses will bid for the contract at “a fair and reasonable price that offers best value to the United States.”  38 U.S.C. § 8127(d).

Kingdomware’s argument is that the law gives the VA no discretion and that the VA must conduct market research, and if there are at least two eligible firms, then it must pick the firm that can perform the contract at a fair and reasonable price.  The VA’s interpretation of the law is that the word “shall” only applies to the achievement of goals set regarding levels of awards to veteran-owned small businesses and argues that the VA has regularly met these goals.

The case will be argued in the Supreme Court’s October 2015 Term, which commences on September 28, 2015. This is the only government contracts case currently scheduled during this term. We will continue to monitor these developments and will report back here with updates.

[1] Matter of Kingdomware Techs., 2012 WL 1942256, at *2 (Comp. Gen. May 30, 2012).

COMMERCIAL ITEMS – Changes on the Horizon

Since the acquisition reforms of the 1990s—i.e., the Federal Acquisition Streamlining Act, the Federal Acquisition Reform Act, and Clinger-Cohen—the federal government’s oversight and audit communities have periodically criticized the perceived manipulation and abuse of commercial item status. The claim is that contracting officers too often incorrectly determine that something is a commercial item, or fail to adequately justify that the prices paid are fair and reasonable; the latter criticism is most recently reflected in a series of DODIG reports on certain spare parts acquisitions.

In reaction to this type of criticism, commercial item acquisitions are facing increasing scrutiny and the potential for regulatory and legislative changes.  Presently, these changes come in the form of policy initiatives and guidance out of DOD as well as certain proposals being exchanged between the United States Senate and House of Representatives relating to the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2016.

Developments to watch for in the coming months include DFARS Case No. 2013-D034.  When issued, this DFARS rule will implement Section 831 from the 2013 NDAA, which directed the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics to issue guidance on DOD pricing policy regarding evaluating price reasonableness for commercial items.

In the meantime, on February 4, 2015, the Office of Defense Pricing issued a memorandum partially addressing Section 831.  In that memorandum, the Director of Defense Pricing stated the commercial item determinations (“CIDs”), generally, should be completed within 10 business days.  Regardless of that determination, however, the key question that contracting officers must answer is, “Am I paying a fair and reasonable price?”  To aid contracting officers in that inquiry, DOD is establishing centers of excellence and a cadre of personnel with a particular focus on these issues.

Additionally, under Better Buying Power (BBP) 3.0, the Office of Defense Pricing has further indicated that it will issue a legislative proposal to revise the definition of the term “commercial item,” potentially eliminating items and services which are merely offered for sale, lease, or license.  This change could narrow the current definition of “commercial item” in ways similar to a 2012 DOD legislative proposal that was, at that time, unsuccessful.  While such a change is specifically called for in BBP 3.0, it is seemingly at odds with one of the overall goals of BBP 3.0:  removing barriers to commercial technology utilization.  These changes are expected by September 2015.

Moving from regulatory and policy changes, there are potential legislative changes relating to commercial items that appear to run contrary to the trend coming out of DOD.  Specifically, both the Senate and House bills would confirm the ability of contracting officers and contractors to look to and rely upon prior CIDs.  In our experience, contracting officers have recently been reluctant to utilize prior CIDs, preferring to revisit the threshold question of commercial item status.

Below we briefly identify the current Senate and House sections in the 2016 NDAA relating to commercial items that are under consideration.

Senate Provisions:

  • Section 863 would permit contracting officers to presume that prior commercial item determinations are valid for subsequent procurements of the same commercial item, paralleling H.R. 1735 Section 804, discussed below.
  • Section 862 would require that DoD issue guidance to ensure full compliance with 10 U.S.C. § 2377.  At a minimum, the guidance must:  (1) provide that the head of an agency may not enter into a contract in excess of the simplified acquisition threshold for information technology products or services that are not commercial items unless the head of the agency determines in writing that no commercial items are suitable to meet the agency’s needs based on market research as provided in 10 U.S.C. § 2377(c)(2); and (2) ensure that such market research is used, where appropriate, to inform price reasonableness determinations.

House Provision (Section 804 would):

  • Require that DOD establish and maintain a centralized capability with the requisite expertise and resources to oversee the making of commercial item determinations.
  • Permit contracting officers to presume that prior commercial item determinations, made by a military department or DoD agency, are valid for subsequent procurements of the same commercial item.
  • Provide public access to DoD commercial item determinations for the purposes of DoD procurements.

Despite the passage of 20 years since the commercial item reforms of the mid-1990s, the federal government is not yet satisfied with the balance between streamlined acquisition that ensures access to cutting-edge technologies on the one hand, and detailed cost insight and analysis and all the regulatory burden that comes with it on the other.  We will continue to monitor these developments and will report back here with updates.

FMS — A DoD interim rule would alter indirect offset cost reasonableness evaluations

The Department of Defense (DoD) issued an interim rule Tuesday amending DFARS 225.7303-2 to instruct contracting officers to accept all indirect offset costs imposed in Foreign Military Sales (FMS) acquisitions as reasonable without performing a cost reasonableness analysis. This new rule should reduce transaction costs for contractors, as it removes some DoD oversight from FMS offset agreements and, therefore, obviates the need for data calls and other effort that contractors provide as support for the contracting officer’s reasonableness evaluation.

Many governments require foreign defense contractors to “offset” the value of a procurement through any number of transactions intended to turn at least some of that value back around to benefit domestic economic activity. These transactions may directly support the overall defense project, or they may be “indirect offsets” wholly unrelated to the underlying procurement. Though the United States does not impose offset requirements in its own contracts, it allows foreign nations to request through the FMS program both direct and indirect offset requirements by including them in the FMS Letter of Offer and Acceptance (LOA) and related DoD contract.

Until now, U.S. contracting officers were required by FAR parts 15 and 31 to determine price reasonableness regarding all aspects of FMS contracts, including indirect offset costs. Recognizing that these contracting officers have little or no insight into the pricing of indirect offsets – which are negotiated directly between the contractor and the foreign government – the interim rule eliminates this price reasonableness determination. Now, contracting officers are to deem reasonable “all offset costs that involve benefits provided by the U.S. defense contractor to the FMS customer that are unrelated to the item being purchased under the LOA,” so long as the contractor submits a signed offset agreement or other documentation showing that an indirect offset of a certain dollar value is a condition of the FMS acquisition. Contractors must remember that the interim rule applies only to indirect offsets, and contracting officers will continue to scrutinize direct offset costs for reasonableness in accordance with FAR part 31.

Sparked by a “recent and foreseeable trend” of increasingly complex indirect offsets desired by FMS customers, this rule will go into effect immediately to “allow DoD contracting officers to finalize pending negotiations for FMS contracts to support U.S. allies and partners, and maintain bilateral relationships.” However, the Defense Acquisition Regulations System is accepting comments until August 3, 2015 before issuing a final rule.

BIS Issues New Proposed Rule on Cybersecurity Items

Proposed Measure Would Add New Categories and Licensing Requirements; Move Some Items From Encryption Controls to New ECCNs

Amid a flurry of reports about someone claiming to have hacked a passenger plane through its entertainment system, BIS has issued an uncannily well-timed proposed rule (available here) that would control certain cybersecurity items.  The new rule implements certain 2013 changes to the Wassenaar Arrangement.  There is a comment period ending July 20.  Companies whose products and services may be affected by this proposed rule should review it carefully and consider whether comments would be appropriate.

Broadly speaking, the proposed rule would do the following:

  • Create new ECCNs (4A005, 4D004) and amend others (4D001 and 4E001) to control several items, software and technology relating to “intrusion software” (a new defined term – see below).  Specifically, the new ECCNs would control items and software specially designed for the generation, operation or delivery of, or communication with, “intrusion software.”  The revised ECCNs would control software and technology related to the newly added ECCNs.
  • Create new ECCN 5A001.j, which would control IP network communications surveillance systems (and certain related items) that intercept and analyze messages to produce “personal, human and social information from the communications traffic.”  Associated test equipment, software and technology for such items would become controlled under 5B001, 5D001, and 5E001, respectively.  This proposed category is intended to control systems that perform the indicated functions in connection with security and would exclude items used for marketing, quality of service, or quality of experience purposes.
  • Subject cybersecurity items to control for Regional Stability (RS) reasons, but establish a favorable licensing policy for several types of recipients, including foreign subsidiaries not located in Country Groups D:1 and E:1, certain foreign commercial partners, and certain favored government end-users.
  • Define “intrusion software” as software specially designed or modified to avoid detection by ‘monitoring tools’ (such as antivirus/intrusion detection products and firewalls) or to defeat ‘protective countermeasures’ (such as sandboxing or execution prevention) of a computer or network-capable device that also extracts or modifies data, or modifies the standard execution path of a program or process to allow execution of externally provided instructions.  This new definition expressly excludes hypervisors, debuggers, reverse engineering tools, digital rights management software, or certain software designed for asset tracking and recovery.
  • Clarify that “cybersecurity items,” including those defined in the new ECCNs, are not controlled under encryption ECCNs (and hence are ineligible for exception ENC) even if they use encryption.  However, if they do use encryption, they must also satisfy the registration, review and reporting requirements applicable to encryption items.  Furthermore, license applications for such items will also be subjected to a “focused” EI control review.
  • Remove certain license exceptions from eligibility for use for these ECCNs and items (e.g., STA, TSU).
  • Require certain information to be submitted with license applications for cybersecurity items.  This would take the form of a letter of explanation addressing, among other subjects, a detailed technical description of the cybersecurity functionality of the item.

BIS seeks comment specifically on the additional compliance burdens the proposed rule would create, as well as on the extent to which it would affect companies’ legitimate cybersecurity efforts. The proposed rule appears to have at least the potential to significantly impact both areas. Others have noted that the Wassenaar definition of “intrusion software,” on which the new EAR definition is based, is so broad that it includes “the primary known means through which research and engineering progress has been made” in security software.[1] In addition, BIS states that it has attempted to offset the impact of additional controls with a favorable licensing policy for certain items. However, the continuing application of certain encryption control requirements and the requirement to provide a detailed letter of explanation in support of licensing requests for cybersecurity items could present significant compliance burdens. In light of these potentially important changes, industry attention and engagement with BIS is critical at this juncture.

[1] Sergey Bratus, Michael Locasto, and Anna Shubina, “Why Wassenaar Arrangement’s Definitions of ‘Intrusion Software’ and ‘Controlled Items’ Put Security Research and Defense At Risk,” July 23, 2014.
