Skip to content Skip to left sidebar Skip to right sidebar Skip to footer

Tag: supply chain risk management

BAA TAA SBA Huh?

It appears the Buy American Act (BAA) and the Trade Agreements Act (TAA) may, under certain instances, actually reduce the federal market accessibility for US manufacturers. (Federal News Network, October 28, 2019)

In order to be considered for a small-business set-aside, end-items must be manufactured in the U.S. Or the company can qualify as a non-manufacturer (13 CFR 121.406) if:

  • The company is principally engaged in the retail or wholesale  of the product and normally sells the type of product being supplied
  • The company takes ownership of the item with its personnel, equipment or facilities consistent with industry practice and
  • The company supplies the end item of a small business manufacturer, processor or producer made in the U.S. or obtains a waiver of the requirement. (ibid)

Non-manufacturers may receive an individual waiver if the Small Business Administration (SBA) accepts the contracting officer’s determination that no small business manufacturer “reasonably can be expected to offer a product meeting the solicitation specifications.” Additionally, the SBA Administrator may provide a class waiver if she determines that no small business manufacturer “product or class of products is available to participate in the Federal procurement market.”

Of course, TAA restricts product acquisition to manufacturers in the U.S. and certain “designated countries,” (those companies that have a Free Trade Agreement with the U.S. or participate in the World Trade Organization Government Procurement Agreement (WTO GPA)). Therefore, products from non-signatory countries such as China are ineligible for award.  Per FAR 25.101(a), BAA restricts the purchase of non-domestic end-products as well. Some exceptions provide more access to foreign end-products than under the TAA; for instance, BAA makes exceptions where the domestic offer is not the low offer (FAR 25.103) as well as in certain instances of public interest for non-availability in the U.S., and at an unreasonable cost. (ibid)

TAA does not apply to small business set-asides, FAR 25.401, leaving the BAA in place. The waiver of the non-manufacturer rule for a set-aside gives a somewhat illogical result. This makes the TAA inapplicable to set-asides, and the BAA applicable to set-asides where the non-manufacturer rule has been waived. This might result in the Government purchasing an item, such as a medical/surgical product, manufactured in a non-designated country that has subsidized its price to assure the product’s selection. Therefore, the intended law restricting non-domestic products actually facilitates more access to those products. This includes products of manufacturers from non-designated countries, rather than providing controlled access over non-domestic end-products. (ibid)

Ultimately, this could harm small and non-small manufacturers producing domestically. This may also open up small business set-asides to products made in China that would otherwise be ineligible for purchase if the TAA applied. A good deal more statutory guidance and analysis are warranted. (ibid)

Do you have questions about your compliance obligations under an upcoming proposal or current contract? Give us a call.

Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.