FEDERAL CONTRACTS PERSPECTIVE
Federal Acquisition Developments, Guidance, and Opinions
Copyright 2021 by Panoptic Enterprises. All Rights Reserved.
Vol. XXII, No. 6
Executive Order Seeks to Improve Cybersecurity and Protect Federal Networks
New, Improved SAM.gov Unveiled
DOD Addresses Contract Closeouts, Debriefings
Increased Size Standards Proposed for Trade Industries
Executive Order Seeks to Improve Cybersecurity and Protect Federal Networks
In response to recent incidents like those that occurred to SolarWinds (a software firm that was a victim of a cyberattack by alleged Russian hackers that allowed the hackers to spy on its clients – private firms and government agencies) and the Colonial Pipeline (a fuel pipeline firm that was the victim of a ransomware attack that crippled the southeast of the United States and cost the firm $5 million in ransom), President Biden has issued Executive Order 14028, Improving the Nation’s Cybersecurity. “The federal government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors,” asserts President Biden. “It is the policy of my administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
A substantial portion of the 14-page EO requires actions to be taken through federal procurement. Specifically, the EO will:
- Remove barriers to threat information sharing between government and the private sector. The Office of Management and Budget (OMB), in consultation with the Departments of Defense, Justice, and Homeland Security, and the Director of National Intelligence, is to review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with information technology (IT – systems that process information) and operational technology (OT – machinery that ensures our safety) service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommendations are to include descriptions of contractors to be covered by the proposed contract language.
The recommended contract language and requirements are to be crafted to ensure that:
- Service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements.
- Service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the OMB and the other consulted agencies deem appropriate, consistent with applicable privacy laws, regulations, and policies.
- Service providers collaborate with federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on federal information systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed.
- Service providers share cyber threat and incident information with agencies, doing so in industry-recognized formats for incident response and remediation.
The proposed FAR rule is to prescribe contract language that identifies:
- The nature of cyber incidents that require reporting;
- The types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation;
- Appropriate and effective protections for privacy and civil liberties;
- The time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection;
- National Security Systems reporting requirements (the term “National Security Systems” means information systems that involve intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions); and
- The type of contractors and associated service providers to be covered by the proposed contract language.
- Improve software supply chain security. The EO will use the purchasing power of the federal government to drive the market to build security into all software from the ground up. The Director of the National Institute of Standards and Technology (NIST) is directed to solicit information on identifying existing or developing new standards, tools, and best practices for complying with appropriate standards, procedures, and criteria. After receiving the recommendations, contract language will be recommended to the FAR Council that requires suppliers of software available for purchase by agencies to comply with, and attest to complying with, the adopted standards, procedures, and criteria. The FAR Council will review the recommendations and amend the FAR as appropriate. After the issuance of the final rule by the FAR Council, agencies will be required to remove software products that do not meet the requirements of the FAR from all indefinite-delivery/indefinite-quantity (IDIQ) contracts, Federal Supply Schedules (FSS), government-wide acquisition contracts (GWACs), blanket purchase agreements (BPAs), and multiple award contracts (MACs).
In addition, the EO will:
- Modernize and implement stronger cybersecurity standards in the federal government. The federal government will increase its adoption of security best practices, including employing a zero-trust security model (that is, do not trust any devices trying to access the system, and limit access to only what is needed and monitor for anomalous or malicious activity), accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.
- Establish a Cybersecurity Safety Review Board. The Board may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
- Create a standard playbook for responding to cyber incidents. The federal government is to develop a standard set of operational procedures (“playbook”) to be used in planning and conducting cybersecurity vulnerability and incident response activities.
- Improve detection of cybersecurity incidents on federal government networks. To maximize the early detection of cybersecurity vulnerabilities and incidents on its networks, the EO directs that agencies deploy a government-wide endpoint detection and response system and improved information sharing within the federal government.
- Improve investigative and remediation capabilities. The EO creates cybersecurity event log requirements for federal departments and agencies.
New, Improved SAM.gov Unveiled
On May 24, the General Services Administration (GSA) completed its years-long merger of the beta.SAM.gov with the SAM.gov (System for Award Management) – no more “beta.” The new SAM.gov is now the system used to register to do business with the federal government, search for contract opportunities, find wage determinations, generate reports based on data in the system, and more. (NOTE: Those searching for data on a specific contract must do so at the Federal Procurement Data System [https://www.fpds.gov], which remains the authoritative source for contract data.)
SAM.gov users can expect these changes:
- The design looks different, but the data and the search filters remain the same.
- There is a single login for all functions (must log in through https://www.login.gov/).
- Users will have a centralized workspace to manage work.
- The system will have improved security.
- The system will have a stronger search functionality.
DOD Addresses Contract Closeouts, Debriefings
In May, the Department of Defense (DOD) issued two final rules that amended the Defense FAR Supplement (DFARS), two proposed rules to amend the DFARS, and one DFARS deviation, primarily to implement sections of various National Defense Authorization Acts (NDAAs).
- Expediting Contract Closeout: This finalizes, with changes, the rule that proposed adding a new contract clause, DFARS 252.204-7022, Expediting Contract Closeout, to implement an expedited contract closeout process that provides “both the government and the contractor agree to waive any entitlement that otherwise might accrue to either party in any residual dollar amount of $1,000 or less at the time of final contract closeout.”
Four respondents submitted comments on the proposed rule, and some requested clarification on how the residual amount will be determined. In response to those comments, paragraph (a) of DFARS 252.204-7022 is revised. Paragraph (a) was originally proposed to state, “Both the government and the contractor agree to waive any entitlement that otherwise might accrue to either party in any residual dollar amount of $1,000 or less at the time of final contract closeout.” The final version of paragraph (a) now states, “At the conclusion of all applicable closeout requirements of Federal Acquisition Regulation 4.804 [Closeout of Contract Files], the government and contractor shall mutually agree on the residual dollar amount remaining on the contract. Both the government and contractor agree to waive payment of any residual dollar amount of $1,000 or less to which either party may be entitled at the time of contract closeout.”
EDITOR’S NOTE: The prescription for DFARS 252.204-7022 is included in new DFARS 204.804-70, Contract Clause.
For more on the proposed rule, see “Expediting Contract Closeout” in the May 2020 Federal Contracts Perspective article “DOD Cranks Up the Non-COVID-19 Rules, Too!”
- Authorities for Minimizing the Use of Materials Containing Hexavalent Chromium: This finalizes, without changes, the rule that proposed to amend DFARS subpart 223.73, Minimizing the Use of Materials Containing Hexavalent Chromium, to remove references to revoked executive orders (EO) related to minimizing the use of materials containing hexavalent chromium. (EDITOR’S NOTE: Hexavalent chromium is used as a pigment in dyes, paints, inks, and plastics, and as an anticorrosive agent added to paints, primers, and other surface coatings. It is toxic and carcinogenic.)
DFARS 223.7301, Policy, and DFARS 223.7302, Authorities, cited two EOs as authority for DFARS subpart 223.73: EO 13423, Strengthening Federal Environmental, Energy, and Transportation Management, and EO 13514, Federal Leadership in Environmental, Energy, and Economic Performance. Both EOs were revoked by EO 13693, Planning for Federal Sustainability in the Next Decade, which itself was subsequently revoked by EO 13834, Efficient Federal Operations.
The proposed rule would remove DFARS 223.7302 and revise DFARS 223.7301 to read as follows: “In accordance with the DOD policy memorandum of April 8, 2009, Minimizing the Use of Hexavalent Chromium, it is DOD policy to minimize hexavalent chromium (an anti-corrosive) in items acquired by DOD (deliverables and construction material), due to the serious human health and environmental risks related to its use.” (EDITOR’S NOTE: The April 8, 2009, DOD policy memorandum is currently cited in DFARS 223.7305, Authorization and Approval.)
One respondent submitted a comment that was outside the scope of the rule, so the rule is finalized without change. For more on the proposed rule, see “Authorities for Minimizing the Use of Materials Containing Hexavalent Chromium” in the December 2020 Federal Contracts Perspective article “DOD Tidies Things Up a Bit.”
- Postaward Debriefings: This rule proposes to implement the NDAA for Fiscal Year (FY) 2018 (Public Law 115-91), Section 818, Enhanced Post-Award Debriefing Rights, which enhances postaward debriefing rights for competitive negotiated contracts, task orders, and delivery orders that exceed $10,000,000, and provides offerors the opportunity to submit follow-up questions related to the postaward debriefing and to receive agency responses.
The following are the DFARS changes being proposed to implement Section 818:
- To DFARS 215.506, Postaward Debriefing of Offerors, would be added the following paragraphs:
- Paragraph (b) would state that “Notwithstanding FAR 15.506(b) [“Debriefings of successful and unsuccessful offerors may be done orally, in writing, or by any other method acceptable to the contracting officer”], when requested, a written or oral debriefing is required when awarding a contract valued at $10 million or more...”
- Paragraph (d) would require that (1) debriefings for awards in excess of $10 million and not in excess of $100 million with a small business or nontraditional defense contractor must permit the small business or nontraditional defense contractor to request disclosure of the agency’s written source selection decision document, redacted to protect the confidential and proprietary information of other offerors for the contract award; and (2) debriefings for awards in excess of $100 million must disclose the agency’s written source selection decision document, redacted to protect the confidential and proprietary information of other offerors for the contract award.
- Paragraph (S-70) would require that contracting officers provide an opportunity to submit additional written questions related to the required debriefing within two business days after receiving the debriefing. The agency must respond in writing within five business days after receipt of the questions.
- DFARS 215.570, Solicitation Provision, would be added to require the use of new DFARS 252.215-70XX, Notification to Offerors – Postaward Debriefings, in competitive negotiated solicitations, including solicitations using the procedures in FAR part 12, Acquisition of Commercial Items. (EDITOR’S NOTE: The provision would also be listed in DFARS 212.301, Solicitation Provisions and Contract Clauses for the Acquisition of Commercial Items, for use in the acquisition of commercial items.)
- Paragraph (b)(6) of DFARS 216.505, Ordering, would be amended to require contracting officers to follow the debriefing procedures in DFARS 215.506 when placing task orders and delivery orders valued at $10 million or higher.
- Paragraph (S-71) would be added to DFARS 216.506, Solicitation Provisions and Contract Clauses, to require the use of new DFARS 252.215-70YY, Postaward Debriefings for Task Orders and Delivery Orders, in solicitations and contracts using the procedures in FAR part 12, Acquisition of Commercial Items, when a multiple-award contract is contemplated. (EDITOR’S NOTE: The provision would also be listed in DFARS 212.301, Solicitation Provisions and Contract Clauses for the Acquisition of Commercial Items, for use in the acquisition of commercial items.)
- DFARS 252.215-70XX, Notification to Offerors – Postaward Debriefings, would be added for use in competitive negotiated solicitations, including solicitations using FAR part 12 procedures. It would inform offerors of the new postaward debriefing requirements for contracts valued at $10 million or higher. The prescription for the provision would be added to DFARS 212.301 and included in new DFARS 215.570.
- DFARS 252.216-70YY, Postaward Debriefings for Task Orders and Delivery Orders, would be added for use in multiple-award contracts. The clause informs multiple-award contractors of the new enhanced postaward debriefing requirements for task orders and delivery orders. The prescription for the clause would be added to DFARS 212.301 and DFARS 216.506.
Comments on this proposed rule must be submitted by July 19, 2021, identified as “DFARS Case 2018-D009,” by any of the following methods: (1) through the Federal eRulemaking portal at https://www.regulations.gov; (2) by email to: firstname.lastname@example.org; or (3) by mail to: Defense Acquisition Regulations System, Attn: Kimberly Ziegler, OUSD(A&S)DPC/DARS, Room 3B938, 3060 Defense Pentagon, Washington, DC 20301-3060.
- Past Performance of Subcontractors and Joint Venture Partners: This rule proposes to amend DFARS subpart 242.15, Contractor Performance Information, to implement the NDAA for FY 2019 (Public Law 115-232), Section 823, Inclusion of Best Available Information Regarding Past Performance of Subcontractors and Joint Venture Partners, which requires performance evaluations for individual partners of joint ventures for construction and architect-engineer (A&E) services contracts with an estimated value in excess of $750,000, and for first-tier subcontractors performing a portion of a construction or A&E services contract exceeding $750,000 or 20% of the value of the prime contract, whichever is higher.
The following are the DFARS changes being proposed to implement Section 823:
- DFARS 242.1501-70, Definitions, would be added. It would include definitions for “first-tier subcontractor” [“a subcontractor awarded a contract directly by the prime contractor for the purpose of acquiring supplies or services (including construction) for performance of a prime contract. It does not include the contractor’s supplier agreements with vendors...”] and “subcontractor” [taken directly from FAR 44.101, Definitions: “any supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime contractor or another subcontractor”].
- To DFARS 242.1502, Policy, would be added paragraph (e) and paragraph (f). Paragraph (e) would require past performance evaluations to be performed for first-tier subcontractors and partners of a joint venture for construction contracts, and paragraph (f) would require past performance evaluations to be performed for first-tier subcontractors and partners of a joint venture for A&E services contracts. Specifically, past performance evaluations would be required for first-tier subcontractors performing a portion of construction or A&E services contracts or orders that are valued at or above the threshold specified in paragraph (e) of FAR 42.1502, Policy, (currently $750,000) or 20% of the value of the prime contract, whichever is higher. Past performance evaluations would be required for individual partners of a joint venture awarded a construction or A&E services contract or order valued at or above the threshold specified in FAR 42.1502(e).
Contracting officers would be required to consider an offeror’s past performance as a first-tier subcontractor or individual partner of a joint venture under construction and/or A&E services contracts. In reviewing first-tier subcontractor and joint venture partner past performance evaluations, contracting officers would strive to ensure the following: consistency between prime and first-tier subcontractor rating information; successful completion of applicable contracts; the same opportunity for each joint venture partner to submit comments, rebutting statements, or additional information; and clear identification, in the rating, of the responsibilities of each partner for discrete elements of the work where the partners are not jointly and severally responsible for the project.
Finally, paragraphs (e) and (f) would provide guidance to contracting officers for providing an exception when the submission of annual past performance ratings would not provide the best representation of the performance of a prime contractor, subcontractor, or joint venture partners.
- DFARS 242.1504-70, Solicitation Provision and Contract Clauses, would be added. It would provide prescriptions for one new provision and two new clauses: (1) DFARS 252.242-70XX, Identification of Joint Venture Partners for Past Performance – Construction and Architect-Engineer Services, which would require offerors to identify, as part of an offer, all partners in the joint venture, and that they all be registered in the System for Award Management (SAM – http://www.sam.gov [see previous article]); (2) DFARS 252.242-70YY, Past Performance of Joint Venture Partners – Construction and Architect-Engineer Services, which would inform the contractor that past performance evaluations are required for joint ventures awarded a construction or A&E services contract at or exceeding the threshold in FAR 42.1502(e) (currently $750,000); and (3) DFARS 252.242-70ZZ, Past Performance of Subcontractors – Construction and Architect-Engineer Services, which would instruct contractors to prepare past performance evaluations for first-tier subcontractors performing a portion of a construction or an A&E services contract with an estimated value at or exceeding the threshold in FAR 42.1502(e) or 20% of the value of the prime contract, whichever is higher.
Comments on this proposed rule must be submitted by July 19, 2021, identified as “DFARS Case 2018-D055,” by any of the following methods: (1) through the Federal eRulemaking portal at https://www.regulations.gov; (2) by email to: email@example.com; or (3) by mail to: Defense Acquisition Regulations System, Attn: Barbara Trujillo, OUSD(A&S)DPC/DARS, Room 3B938, 3060 Defense Pentagon, Washington, DC 20301-3060.
- Deviation Repealing Requirement to Use Firm-Fixed-Price Contracts for Foreign Military Sales (FMS): This deviation repeals the requirement to use firm-fixed-price contracts for foreign military sales as specified in paragraph (a) of DFARS 225.7301-1, Requirement to Use Firm-Fixed-Price Contracts [for FMS]. The NDAA for FY 2017 (Public Law 114-328), Section 830, Requirement to Use Firm-Fixed-Price Contracts for Foreign Military Sales, instituted this requirement, and DFARS 225.7301-1 implemented Section 830 (see “Use of Fixed-Price Contracts” in the December 2019 Federal Contracts Perspective article “DOD Takes It Easy”). The NDAA for FY 2021 (Public Law 116-283), Section 888, Revision to Requirement to Use Firm-Fixed-Price Contracts for Foreign Military Sales, repealed Section 830, so this deviation repeals DFARS 225.7301-1(a).
In addition, Section 830 provided a waiver to the FMS firm-fixed price contract requirement if the chief of the contracting office determined that a different contract type was in the best interest of the United States. Because the DFARS 225.7301-1(a) requirement is repealed, there is no need for a waiver, so DFARS 225.7301-1(b), which contains the waiver procedure, is also repealed.
Increased Size Standards Proposed for Trade Industries
The Small Business Administration (SBA) is proposing to increase its receipts-based and employee-based small business size definitions (commonly referred to as “size standards”) for North American Industry Classification System (NAICS) sectors related to wholesale trade (14 of 71 industries in NAICS Sector 42) and retail trade (35 of 66 industries in NAICS Sector 44-45). The SBA’s size standards are in Title 13 of the Code of Federal Regulations (CFR), Part 121, Section 121.201, What size standards has SBA identified by North American Industry Classification System codes? (13 CFR 121.201).
SBA is seeking comments on its proposed changes to these size standards and the data sources it evaluated to develop the proposed size standards. Comments on this proposed rule must be submitted by July 26, 2021, identified as “RIN 3245-AH10” and submitted by either of the following methods: (1) Federal eRulemaking Portal: https://www.regulations.gov; or (2) mail/hand delivery/courier to: Khem R. Sharma, Ph.D., Chief, Office of Size Standards, 409 Third Street SW, Mail Code 6530, Washington, DC 20416.