
DoD announces industry day to facilitate implementation of new network penetration reporting clause

In response to a chorus of implementation questions raised by the contracting community, the US Department of Defense (DoD) has announced an industry information day, during which contractors who have questions or wish to provide feedback regarding DoD’s Network Penetration Reporting and Contracting for Cloud Services final rule can raise those questions. On April 5, 2017, DoD published a notice of meeting in the Federal Register announcing the “Industry Information Day” on June 23, 2017.

The public meeting will address the implementation of DFARS Case 2013-D018, and the associated DFARS clauses, including DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct. 2016). The final rule, published October 21, 2016, finalized an interim rule mandating that both prime and subcontractors safeguard covered defense information, report on network penetrations, and require adequate security from external cloud computing services. We have previously analyzed these new requirements.

The industry day announcement is an important reminder to contractors of the upcoming December 31, 2017, deadline for implementing the new security requirements under the final rule to qualify for new DoD awards. The event will be held on Friday, June 23, from 9 a.m. to 1 p.m. at the Mark Center Auditorium in Arlington, VA. Any contractors with questions or feedback about the rule’s requirements or implementation should attend. The registration deadline is June 12, 2017. Contractors may register via email at: OSD.DIBCSIAEvents@mail.mil. DoD will accept written questions until May 1 at the same address, and contractors grappling with various implementation questions are encouraged to submit questions in advance.

For additional details regarding the Industry Information Day, registration and process for submitting questions, please consult the meeting notice.


DoD Clarifies Covered Defense Information Definition in Final Cyber Reporting Rule

The Department of Defense (DoD) on October 4, 2016, issued a rule finalizing cyber reporting regulations applicable to DoD contractors and subcontractors set forth in 32 CFR Part 236. The rule finalizes an interim rule DoD issued on October 2, 2015, and addresses cyber incident reporting obligations for DoD prime contractors and subcontractors.

Notably, the final rule clarifies the by now well-known definition of the term ‘covered defense information’ (“CDI”).  This same term is used in DFARS 252.204-7012.  This DFARS clause defines CDI to include four different categories: (1) covered technical information (“CTI”); (2) operations security; (3) export controlled information; and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.

Given the similarities of this final category to the definition of controlled unclassified information (“CUI”) promulgated in connection with the National Archives and Records Administration’s (NARA) rule, we have understood this latter category to include CUI identified by NARA pursuant to its efforts under EO 13556. The DoD’s new final rule provides support for this understanding because it narrows the definition of CDI to only two categories: (1) CTI and (2) CUI. This modification accordingly appears to make clear that the “catch-all” category of CDI contained in DFARS 252.204-7012 was intended to align with NARA’s CUI efforts.

Importantly, this final rule makes no changes to the DFARS clause itself, and it is likely that conforming changes will be made to the DFARS clause in a future revision. The December 2015 version of the DFARS clause remains effective. Nevertheless, in light of the final rule, contractors and subcontractors seeking to understand the scope of CDI under the DFARS clause should include CUI in their review as they await further revision to the clause.


Cybersecurity and your supply chain: What you don’t know may hurt you

Recently revised cybersecurity regulations affecting US defense contractors and their subcontractors seek to address gaps in government contractor supply chains and expand the breadth of regulations in this area. In the February issue of Contract Management magazine, Dentons Partners Phillip Seckman and Erin Sheppard and Counsel Michael McGuinn provide guidance to contractors seeking to enhance subcontractor compliance under these regulations. In the attached article, entitled “Cybersecurity and your supply chain: What you don’t know may hurt you,” the authors provide a three-step approach to ensuring compliance with the updated Defense Federal Acquisition Regulation Supplement (DFARS) covered defense information regulations within a contractor’s supply chain. Please feel free to contact the authors with questions.


The gift of time: A second DOD interim rule grants contractors additional time to comply with cyber security requirements

The US Department of Defense (DOD) earlier today issued a second interim rule, effective immediately, that gives affected contractors until December 31, 2017, to implement fully compliant cyber security controls.

The cyber security requirements, contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) No. 800-171, were part of a prior interim rule issued in August 2015. Sometimes referred to as the Network Penetration Rule, DOD’s first interim rule had required immediate compliance with NIST SP 800-171 at both the prime and subcontract levels. Although DOD’s second interim rule gives contractors additional time to implement the requirements of NIST SP 800-171, the rule as revised still imposes certain near-term burdens on affected contractors and subcontractors. Read the full article.


DOD signals pivot away from proposed DFARS rule on evaluating price reasonableness for commercial items

The Department of Defense (DOD) published a report on the Open DFARS Cases as of December 7, 2015, which indicates that the controversial proposed rule on evaluating price reasonableness for commercial items (DFARS Case 2013-D034) was closed. As we previously reported, the proposed rule would have made significant substantive changes to what qualified as a commercial item under DOD-funded contracts and would have imposed significant data gathering burdens on prime contractors. In its place the DOD opened a new case, DFARS Case 2016-D006, Procurement of Commercial Items. The purpose of the new DFARS case is to implement the requirements of six sections of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2016, in addition to the requirements of section 831 of the NDAA for FY 2013. See National Defense Authorization Act for Fiscal Year 2016, Pub. L. No. 114-92; National Defense Authorization Act for Fiscal Year 2013, Pub. L. No. 112-239. A brief overview of some key requirements within the applicable sections of the NDAA for FY 2016 is provided below.

The DOD opened DFARS Case 2016-D006 on December 7, 2015, and has proposed a rule within the agency, which its staff is processing. We will continue to monitor the progress and will report back here with updates.

Section 851, “Procurement of Commercial Items.” This section requires the Secretary of Defense to establish a centralized capability to oversee the making of commercial item determinations for DOD procurements and to provide public access to these determinations. The section also permits contracting officers (CO) to rely on prior determinations made by a military department, Defense Agency or other component of the DOD. Notably, the section permits a CO to require a contractor to supply additional information to support the reasonableness of a price, irrespective of whether a contractor was required to provide such information in connection to a prior procurement.

Section 852, “Modification to Information Required to be Submitted by Offeror in Procurement of Major Weapon System as Commercial Item.” Under this section, an offeror must submit: (a) prices paid for the same or similar commercial items under comparable terms and conditions by both the government and commercial customers; and (b), if the information for (a) is not available, (i) prices for the same or similar items sold under different terms and conditions; (ii) prices for similar levels of work or effort on related products or services; (iii) prices for alternative solutions or approaches and (iv) other relevant information. The section also permits the CO to request additional information, such as labor costs, material costs and overhead rates.

Section 853, “Use of Recent Prices Paid by the Government in the Determination of Price Reasonableness.” This section provides that a CO, in determining whether a price is reasonable, must consider prior prices paid by the government for the same or similar commercial item if these prices are provided by an offeror and represent reasonable prices based upon the totality of the circumstances (i.e., the time elapsed, the quantities and the terms and conditions).

Section 855, “Market Research and Preference for Commercial Items.” This section requires the Under Secretary of Defense for Acquisition, Technology, and Logistics to issue guidance that: (a) prohibits an agency from contracting for noncommercial information technology products or services in excess of the simplified acquisition threshold, unless the agency determines in writing that commercial items cannot meet the agency’s needs; and (b) mandates that agencies conduct market research, where appropriate, prior to making a price reasonableness determination.

Section 856, “Limitation on Conversion of Procurements from Commercial Acquisition Procedures.” Under this section, for a CO to convert a procurement of commercial items or services valued over $1,000,000 from commercial acquisition procedures to noncommercial acquisition procedures, the CO must make a written determination that: (a) the commercial acquisition procedures were erroneously utilized or were utilized because of inadequate information; and (b) the conversion will result in cost savings. In making such a determination the CO must consider: (a) estimated research and development costs for improving future products or services; (b) transaction costs for both the DOD and contractor; (c) changes in purchase quantities and (d) potential delay costs resulting from the conversion. If the procurement is valued over $100,000,000, the head of the contracting authority must also approve the determination. The requirements in this section terminate in five years.

Section 857, “Treatment of Goods and Services Provided by Nontraditional Defense Contractors as Commercial Items.” This section permits the head of an agency to treat the items and services provided by nontraditional defense contractors as commercial items.

As previously stated, DFARS Case 2015-D006 will also implement section 831 of NDAA for FY 2013, which directed DOD to, among other things, issue guidance including “standards for determining whether information on the prices at which the same or similar items have previously been sold is adequate for evaluating the reasonableness of prices.” National Defense Authorization Act for Fiscal Year 2013, Pub. L. No. 112-239.


Department of Defense seeks to clarify contractor cybersecurity obligations

Earlier this year, we reported on the Department of Defense’s (DOD) imposition of new and revised cybersecurity requirements on DOD prime and subcontractors. The new requirements reflected in DOD’s interim rule, among other things, expanded the clause governing unclassified controlled technical information to cover all “covered defense information,” replaced old safeguarding requirements, and expanded contractors’ reporting obligations in the event of a cyber incident. Since DOD released these new and revised requirements, which took effect immediately, contractors have been hustling to understand the requirements and to ensure full compliance.

Just last week, likely in an attempt to address some of the confusion surrounding the new and revised requirements in the interim rule, DOD released (1) updated Defense Federal Acquisition Regulation Supplement (DFARS) Procedures, Guidance and Information (PGI), and (2) Frequently Asked Questions (FAQs) covering network penetration reporting, safeguarding covered defense information, and cloud services. These two documents shed light on the manner in which DOD is implementing the cybersecurity requirements. For example, together the FAQs and the PGI:

• Explain why DOD replaced the security protections from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 with the NIST SP 800-171;

• Provide DOD’s interpretation of the security controls outlined in NIST SP 800-171;

• Describe how covered defense information and operationally critical support will be identified;

• Provide examples of operationally critical support;

• Clarify that the DOD Cyber Crime Center is the “operational focal point” for receiving reports of cyber threats and cyber incidents; and

• Dictate the roles and responsibilities of the Contracting Officer and/or the requiring activity in, among other things, identifying and marking unclassified controlled technical information, handling a reported cyber incident, and conducting damage assessment activities.

Contractors struggling with how, precisely, to implement DOD’s cybersecurity requirements should look to this issued guidance to see if it addresses the questions they have and use it in formulating their own compliance plans. Additionally, contractors should consider attending DOD’s recently-announced “Industry Implementation Information Day” on December 14, 2015, wherein the department will present a briefing regarding DOD’s new and revised cybersecurity requirements. Information on the industry day, including registration information, can be found here.

Dentons lawyers will continue to monitor key developments in this area and will be providing more information about contractors’ compliance obligations and best practices as part of the Public Contracting Institute’s series on government contracts cybersecurity. More information on the series can be found here.


Extension of comment period and public meeting announced for proposed DFARS rule on counterfeit electronic parts

The Department Acquisition Regulation Systems, Department of Defense (DOD), announced today that it has extended the public comment period for the proposed rule Detection and Avoidance of Counterfeit Electronic Parts–Further Implementation, 80 Fed. Reg. 56,939 (Sept. 21, 2015) (Proposed Rule). The Proposed Rule, which was published in the Federal Register on September 21, 2015, amends the Department of Defense FAR Supplement (DFARS) to further implement Section 818 of the National Defense Authorization Act for Fiscal Year 2012 regarding counterfeit electronic parts. The public may now submit comments on the Proposed Rule until December 11, 2015.

Additionally, DOD announced that it will host a public meeting on November 13, 2015 to obtain feedback from experts and other interested parties in the public and private sector on the contents of the Proposed Rule. Registration for the public meeting must be completed by November 9, 2015, and more information about the meeting is available here.

Click here for a complete article discussing the Proposed Rule.


Updated NASA Grant and Cooperative Agreement Regulations Become Final

Last week, the National Aeronautics and Space Administration (NASA) adopted as final its new regulatory framework implementing the “Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards,” referred to by many as the “Super” or “Omni” Circular. The Office of Management and Budget (OMB) issued the Super Circular in late December 2013 – in its own words, “[t]o deliver on the promise of a 21st-Century government that is more efficient, effective and transparent” – and shook up the world of grants and cooperative agreements by replacing the cobweb of cross-referencing OMB Circulars that governed grant management. NASA, along with many other federal agencies, issued its updated regulations implementing the Super Circular in December 2014 as an interim rule and requested comments from the public. It received none, and last Friday, after undergoing some internal clerical revisions, NASA’s new regulatory framework became final. Below are some brief takeaways:

The regulatory framework governing grants and cooperative agreements now more closely mirrors the structure of federal contract regulations under the Federal Acquisition Regulation (FAR) and FAR supplements. Emulating the federal contracts regulatory framework, under which agencies generally follow the FAR and supplement where necessary with agency specific regulations (e.g., NASA FAR Supplement (NFS)), the Super Circular consolidates generally applicable grant and cooperative agreement regulations into Title 2, Part 200, of the Code of Federal Regulations, which agencies then supplement in their respective Parts under Title 2 (e.g., Part 1800, for NASA).

Grantees and cooperative agreement awardees must carefully review the certifications that are now required at award. In another similarity to the federal contracts framework, the new NASA grants regulations require grant and cooperative agreement recipients to make a number of certifications and assurances on award. Awardees must certify compliance with federal nondiscrimination laws, agree to report lobbying activities, and certify that neither they nor their principals are debarred, suspended, or recently convicted of civil fraud in connection with public funds or antitrust violations. Awardees must further certify on award that they have not, within the last three years, had a federal, state or local transaction terminated for cause or default.

Grants and cooperative agreements are now audited for cost accounting compliance, much like federal contracts. Subparts E and F of the Super Circular provide a cost accounting and auditing framework that will be familiar to those who have performed federal contracts in the past. For example, under the cost principles laid out in Subpart E, costs are allowable under federal grant awards if they are: (1) reasonable, (2) allocable, (3) consistent with generally accepted accounting principles and the awardee’s uniform accounting policies and procedures, (4) consistent with any other limitations in the regulations, and (5) adequately documented. Subpart F mandates audits for Awardees expending $750,000 or more in federal grant or cooperative agreement awards in a year. For-profit organizations, who may have previously established practices to comply with federal cost accounting requirements, are not required to establish a new system for grants and cooperative agreements; instead, awards received by these commercial organizations are still governed by FAR Parts 30 and 31 and the Cost Accounting Standards in 48 C.F.R. part 99. However, non-profit organizations seeking grants or cooperative agreements with NASA must familiarize themselves with the full extent of the new cost accounting requirements and establish appropriate accounting procedures.

Patent rights for small businesses that develop intellectual property under NASA grants or cooperative agreements are still governed by existing Bayh-Dole Act regulations, while other commercial firms are subject to a complex, NASA-specific “New Technology” clause. Over six columns in the federal register publication of the new NASA grant regulations are devoted to the “New Technology” clause, which is to be inserted into all awards with commercial firms that are not classified as small businesses. Such awardees must establish procedures to identify inventions and discoveries made through performance of the grant or cooperative agreement, and they must report these inventions and discoveries at regular intervals throughout performance. NASA presumptively takes title to any reported patentable invention, though the awardee may submit a written statement providing evidence supporting its claim to title instead.

Rights in data developed under grants and cooperative agreements may be specifically tailored by the parties to fit the circumstances and the awardee’s need to protect proprietary information. The new NASA grant regulations provide a “Rights in Data” clause that is to be included in all awards, including those with large commercial organizations. However, the language prescribing this clause states that the grant officer may revise the language to fit the particular circumstances of the program and the recipient, so long as the relevant NASA Center’s Patent Counsel concurs. If left unaltered, the clause provides the government a royalty-free, nonexclusive and irrevocable license to use, reproduce, and distribute the data to the public.

These are just a sample of the many provisions included in the new NASA grant regulations codified in 2 C.F.R. part 1800. With the federal government providing over $600 billion annually in federal grants, cooperative agreements, and other assistance payments, administrative and cost management regulations have become a focal point of recent attempts to rein in excess spending. The Super Circular and supplemental regulations place federal grantees under the microscope of award oversight, and organizations pursuing or performing federal grants with NASA and other agencies must carefully review the new regulations to fully understand their obligations and rights under federal awards.


Senator John McCain Calls for the Rescission of Proposed DFARS Rule on Commercial Item Procurements

In a letter to Secretary of Defense Ashton Carter on September 8, 2015, Senator John McCain called for the immediate rescission of the Department of Defense’s (DOD) proposed rule on evaluating price reasonableness for commercial items (DFARS Case 2013-D034). The proposed rule, which was published on August 3, 2015, would result in significant, substantive changes to commercial item acquisitions under DOD-funded contracts, including requiring the use of market-based pricing that is based on actual, nongovernmental sales in the absence of adequate price competition. Prime contractors would also be required under the proposed rule to obtain cost data to support commerciality determinations for subcontractors. Other key elements of the proposed rule are summarized in Dentons’ advisory, available here.

In the letter, Senator McCain stated that the proposed rule’s “cumbersome and excessively bureaucratic requirements” to provide cost data for commercial item procurements “could effectively preclude any significant participation by commercial firms in defense programs.” Senator McCain recognized that the requirements in the proposed rule would, in effect, require commercial item contractors to create new accounting systems before conducting business with the DOD. He further stressed that commercial item contractors are likely to exit the government procurement market rather than undertake these significant regulatory obligations, depriving the DOD of the opportunity to procure vital, cutting-edge technologies.

Moreover, the increased regulatory burdens for commercial item procurements in the proposed rule, according to Senator McCain, are directly contrary to the DOD’s ongoing efforts to engage more high-tech commercial firms in the government procurement market and serve as “a signal that DOD has little interest in realistic commercial acquisition practices.”

Comments on the proposed rule must be submitted to DOD on or before October 2, 2015. Dentons will continue to monitor developments associated with the proposed rule and provide updates here.


Kevin Lombardo to Present Export Control Reform Updates and FCPA & OFAC Lessons at the AZTC Export Controls, Compliance and Enforcement Programs

This September, our colleague Kevin Lombardo will present a series of discussions on Export Control Reform. On September 15 in Tucson, and September 17 in Phoenix, Kevin will present details and updates on export control reform as part of the Arizona Technology Council (AZTC) Export Controls, Compliance and Enforcement program. He will focus on what businesses should be doing, lessons to be learned from real world case studies and enforcement actions, their practical application, and the consequences of compliance or non-compliance. He will also co-present need-to-know information on the Foreign Corrupt Practices Act and the US Department of the Treasury’s Office of Foreign Assets Control with Margrette Francisco, Export Counsel and Executive Officer of the Marvin Group. Register for the Tucson event or the Phoenix event by September 11. Download full agendas for the Tucson event and Phoenix event.

Additionally, in conjunction with the AZTC events, Kevin will co-present a free, educational discussion on export control compliance for academics, students, and researchers with John Priecko, President and Managing Partner of Trade Compliance Solutions, on September 16. This two-hour, interactive discussion will focus on the costs and consequences of non-compliance with export control reforms using real world case studies and settlements. Register for this program by emailing david.fitzgerald@phoenix.edu with your full name, title, organization, phone number, mailing address, and email address by September 14.
