
Cybersecurity and your supply chain: What you don’t know may hurt you

Recently revised cybersecurity regulations affecting US defense contractors and their subcontractors seek to address gaps in government contractor supply chains and expand the breadth of regulations in this area. In the February issue of Contract Management magazine, Dentons Partners Phillip Seckman and Erin Sheppard and Counsel Michael McGuinn provide guidance to contractors seeking to enhance subcontractor compliance under these regulations. In the attached article, entitled “Cybersecurity and your supply chain: What you don’t know may hurt you,” the authors provide a three-step approach to ensuring compliance with the updated Defense Federal Acquisition Regulation Supplement (DFARS) covered defense information regulations within a contractor’s supply chain. Please feel free to contact the authors with questions.


Jack Horan Testifies in Congress Regarding GSA’s Proposed “Transactional Data” Rule

On June 25, 2015, Partner John C. Horan testified in front of the U.S. House of Representatives Committee on Small Business, Subcommittee on Contracting and Workforce regarding GSA’s proposed rule that would require contractors to electronically report the price the federal government paid for an item or service bought through the GSA Federal Supply Schedule and other GSA government-wide contract vehicles. The controversial rule, which was published on March 4, 2015, has received a great deal of opposition not only from industry, but also from the GSA Inspector General. Mr. Horan testified that the proposed rule is problematic for contractors – particularly small business contractors – for the following reasons: (1) the rule creates a significant and unnecessary reporting burden on these contractors; and (2) the rule is subject to misuse that could result in considerable harm. Additionally, there is no evidence that the transactional data will improve GSA’s ability to purchase items on a more cost-effective basis. Read more from Mr. Horan’s testimony here: Horan Committee on Small Business Testimony


DOD Class Deviation Further Complicates FSS Ordering

On March 13, 2014, the Director of Defense Procurement and Acquisition Policy issued a Class Deviation that alters the way DOD will utilize Federal Supply Schedule contracts. Effective immediately, prior to awarding an order against an FSS contract, DOD ordering activity contracting officers must independently make a determination that the FSS order price is fair and reasonable. This requirement applies regardless of whether the order is for supplies, fixed-price services, or services requiring a statement of work. One might read the class deviation to signal DOD’s lack of confidence that GSA is securing fair and reasonable pricing when negotiating and awarding schedule contracts.

The class deviation comes on the heels of other changes to the FSS ordering requirements in FAR 8.4. Specifically, a final rule issued on March 2, 2012, increased competition requirements for certain schedule orders. Those changes were reminiscent of the DOD-specific changes required by the 2002 NDAA (Pub. L. 107-107 § 803). Thus, it is possible that the DOD deviation is a harbinger of broader changes to FSS ordering requirements in the FAR. The class deviation certainly further complicates FSS ordering for DOD COs and, so, runs contrary to one of the FSS Program’s fundamental tenets: namely, that the schedules are to provide federal agencies with a simplified process for acquiring commonly used supplies and services.

As a result, contractors that sell to DOD through FSS contracts should be prepared to repeatedly justify their FSS order prices as fair and reasonable. For example, FSS contractors frequently may be asked to respond to requests for other than cost or pricing data, all to support the CO’s price analysis under FAR 15.404-1. Time will tell how this class deviation, which may ultimately be issued as a change to the DFARS, will impact FSS contractors. As a practical matter, this deviation is likely to increase the administrative costs of holding a schedule contract, and those with substantial DOD sales should be considering strategies to minimize the likely increased administrative burden.


Final DFARS Rule Mandates New Security and Reporting Obligations to Protect Unclassified Controlled Technical Information

Earlier today, the DOD issued its final DFARS Rule imposing heightened security safeguards and mandatory reporting requirements on DOD contractors handling unclassified controlled technical information. 78 Fed. Reg. 69273 (Nov. 18, 2013). The rule specifically imposes two significant compliance obligations for contractors and subcontractors handling unclassified controlled technical information: (1) safeguarding information systems containing any unclassified controlled technical information; and (2) reporting and investigation of cyber incidents. These requirements are imposed through a new DFARS clause, DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, which is mandatory for all DOD prime contracts and subcontracts.

Given the breadth of this rule, contractors at all levels in the DOD supply chain must be prepared to comply with it. Specifically, DOD contractors should:

  • Determine where unclassified controlled technical information resides on (or transits through) contractor and subcontractor information systems.
  • Assess compliance of relevant information systems using the National Institute of Standards and Technology (“NIST”) security controls incorporated into the rule. If non-compliant with the rule’s standards, contractors should be prepared to explain why particular standards do not apply or why other protections provide adequate security. Contractors must also assess risks and vulnerabilities and, if warranted, ensure additional protections are in place to address those risks.
  • Immediately assess possible system compromise events to determine whether a cyber incident has occurred and whether it is reportable. Contractors should ensure policies are in place to address the timely and adequate reporting of cyber incidents to DOD and to preserve evidence of cyber incidents. Contractor investigations of possibly reportable incidents should be detailed and thorough, and, as with all other internal investigations, contractors should consider the use of outside counsel (with outside technical experts as necessary) to ensure that the investigation is independent, transparent, and protected by the attorney-client privilege.
  • Assess supply chain compliance with the rule’s requirements. Contractors should update terms and conditions to include the DFARS clause and to address the consequences of supplier noncompliance. Failure to properly flow down the DFARS clause and ensure supply chain compliance could result in purchasing system disapproval and payment withholding under the DOD business system rule.