Scrubbing the FAR

The Federal Register Publications requests comments on the following three proposed Federal Acquisition Regulation (FAR) rules:

  1. FAR Case 2015-002 – the rule proposes to amend the FAR to require electronic submission of DD Form 254, Contract Security Classification Specification. This form is used to communicate security requirements to contractors when the performance of contract requirements requires access to classified information and the form acts to automate processes and workflows. (This form is also used by prime contractors to communicate in the same manner to subcontractors.) Comments should be submitted by September 10, 2019, via the Federal eRulemaking portal. (Acquisition.gov)
  2. FAR Case 2018-007 – the rule proposes to amend the FAR  by revising thresholds subject to inflation adjustments so that the periodic inflation adjustments will apply to existing contracts and subcontracts that contain the revised clauses. The next rule raising thresholds for inflation is planned to go into effect, October 2020. Comments are due by August 23rd, via the Federal eRulemaking portal. (Acquisition.gov)
  3. FAR Case 2018-003 – the rule proposed by NASA, GSA, and DOD is to amend the FAR to implement section 1614 of the National Defense Authorization Act for the Fiscal year 2014 and regulatory changes made by the Small Business Administration (SBA). (Section 1614 addresses credit for lower-tier small business subcontracting.) (ibid) 

Additionally, the following are up for review.

  • Section 1614 of the NDAA for FY 2014 amended the Small Business Act when a prime contractor has an individual subcontracting plan for a contract with a single executive agency, the prime contractor receives credit towards its subcontracting goals for awards made to small business concerns at any tier by subcontractors with individual subcontracting plans. Additionally,  section 1614 provides new assurances for offerors relating to activities to be performed by the contractor to monitor the performance of subcontractors subcontracting plans, and by subcontractors to monitor the performance of their subcontractors subcontracting plans. Section 1614 requires the contractor to demonstrate procedures established to ensure subcontractors at all tiers comply with their subcontracting plans. Section 1614 also revised the definition of “subcontract” in the Small Business Act. (Acquisition.gov)
  • Per SBA’s final rule, the prime contractor’s performance under an individual subcontracting plan will be evaluated based on its combined performance under the first-tier and lower-tier goals. Additionally, the final rule implements the statutory requirements related to the new assurances and written statement to be included in subcontracting plans. Comments are due by August 26th via the Federal eRulemaking portal. (regulations.gov)

Working through how these FAR changes will affect your current contract, or future bidding/contracts? Give us a call and we can explain.

Are you practicing “safe cybersecurity”?

The Department of Defense (DoD) is working to extend its own cybersecurity expertise and infrastructure to small and medium-sized businesses. Their current plan is to build a “secure cloud” for company data instead of leaving it to the responsibility of the contractor. (Federal News Network, March 25, 2019)

DoD plans to use their 2020 research and development budget for the Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot. The project will start by making the cloud service available to a specified number of small and medium companies that support prioritized, critical DoD missions/programs. (ibid)

Ellen Lord, the undersecretary for acquisition and sustainment said, “In contract terms, the Department would treat the secure cloud as Government Furnished Equipment (GFE).” She believes larger companies are already quite savvy and have the funds to create a hardened environment. Ms. Lord is most concerned with small, innovative companies. She said, “we sit down and talk to them about cybersecurity, and sometimes we hear – no kidding, ‘my nephew does my cybersecurity.’ That gets us a little bit worried. And we know that we will either put these small companies out of business, or we will drive them away from the Department of Defense if we give them very, very onerous regulations to meet.” (ibid)

In 2017 DoD began inserting clauses into contracts that require firms to implement the security controls in NIST Special Publication 800-171. Prime contractors are required to impose the same requirements on their subcontractors as they are expected to meet when coming in contact with sensitive, unclassified information. (ibid)

It does not appear as though verification of a company’s compliance with the standards has been accomplished, thus far. However, going forward, spot checks are likely to take place with the hope of getting to a point where DoD certifies third-party cybersecurity examiners to help verify contractors systems meet the existing requirements and that their systems are adequately protected. Currently, about 800,000 systems should be regularly audited. (ibid)

We do know that information is being stolen; but classification levels make it hard to investigate in a reasonable time frame. The details of any individual data theft are classified, making specifics about nature and volume difficult to determine. We also know that sufficient cybersecurity capabilities to protect information must be in place sooner rather than later in order for small and medium-sized businesses to remain contractors to DoD.

Call us with any questions regarding this project at 301-913-5000.