Counterfeit Parts & Cybersecurity Regulation Changes Continue to Impact Contractors
DOD Publishes Proposed Rule Regarding Detection of Counterfeit Parts.
In the last quarterly, we discussed the Department of Defense’s (“DOD”) first round of proposed rules on DFARS changes regarding counterfeit parts. On December 3, 2013, the FAR Councils published the second of three rounds of regulations laying out steps contractors must take to prevent the use of counterfeit parts in the supply chain. 78 Fed. Reg. 72,620. This regulation seeks to clarify when to use higher-level quality standards in both solicitations and contracts. This proposed regulation primarily revises FAR 44.303, adding these higher-level standards to the list of issues which should be considered during agency review of contractor purchasing systems. These standards must also be flowed down to subcontractors when appropriate, making this proposed rule of interest to subcontractors in the supply chain.

DOD Issues Final Rule on Cybersecurity Information Sharing.
On November 21, 2013, the final rule went into effect regarding the DOD Defense Industrial Base (“DIB”) Voluntary Cyber Security and Information Assurance (“CS/IA”) Activities. 78 Fed. Reg. 62,430. The program allows eligible DIB companies to receive cyber threat information from the government and share information about network intrusions that could compromise DOD programs and the government. DIB participants report cyber breaches to the Defense Cyber Crime Center's DOD-DIB Collaborative Information Sharing Environment (“DCISE”), which gathers data regarding cyber threats and develops countermeasures that the DCISE shares with participating companies.

False Claims Act Recoveries Total Nearly $4 Billion in 2013.
On December 20, 2013, the Department of Justice (“DOJ”) announced that for FY 2013 the federal government obtained $3.8 billion in settlements and judgments from cases involving fraud against the government. This year’s high dollar amount is surpassed only by last year’s historical $5 billion in recoveries.
This total was spurred by 752 qui tam whistleblower lawsuits, 100 more than the previous record from FY 2012. Of the total, $2.6 billion came from health care fraud, which has been a high priority under the Obama administration. Additionally, $887 million came from procurement false claims, with $664 million of that coming from a judgment against United Technical Corp., the largest judgment in the history of the False Claims Act (“FCA”). That judgment is currently under appeal.

US Chamber of Commerce Recommends False Claims Act Reforms.
Despite the DOJ’s staggering recoveries, a recent report issued by the U.S. Chamber of Commerce (“COC”) may give contractors reason for hope. The report, titled Fixing the False Claims Act: The Case for Compliance-Focused Reforms, released October 23, 2013, states that the FCA is “simply ineffective at preventing fraud as it is currently structured and enforced.” The COC proposed numerous reforms to improve the FCA that include:
(1) a reduction to a relator’s share in government recovery;
(2) a bar on qui tam actions brought by former or present government employees arising out of such person’s employment;
(3) a concrete definition of “false or fraudulent claim” to exclude the judicially-created concept of “implied false certification” liability;
(4) raising the standard for proving FCA liability to “clear and convincing evidence”;
(5) amending the FCA damages provision to better reflect actual government loss;
(6) capping statutory damages;
(7) amending the Wartime Suspension of Limitations Act to clarify that it only applies to criminal sanctions;
(8) requiring the DOJ, once it receives a qui tam complaint, to notify all relevant government agencies and employees to preserve documents and that failure to do so allows for an adverse inference to be drawn against the government; and
(9) a bar on qui tam suits if the company had previously reported the same allegations to appropriate government authorities.
The COC also recommended a voluntary compliance program in which participation would allow for lower damage multipliers.

www.bakerlaw.com
The Government Contracts Quarterly Update is published by BakerHostetler’s government contracts practice group to inform our clients of the latest developments in federal government contracting. This Quarterly Update is for informational purposes only and does not constitute specific legal advice or opinions. Such advice and opinions are provided by the firm only upon engagement with respect to specific factual situations. This communication is considered Attorney Advertising.

Whistleblower Rule Changes
Contractor Whistleblower Protection.
The FAR Councils issued an interim rule amending the FAR that will protect employees of contractors and subcontractors from whistleblowing retaliation. 78 Fed. Reg. 60,169. The changes, which are implemented in the new FAR 3.908, modify the existing rule by extending application to subcontractors and expanding the type of disclosures that can be made and to whom they can be disclosed. Whistleblowing protection includes disclosures of gross mismanagement of a contract, waste of funds, abuse of authority, danger to public safety, or violations of the law. The protection does not extend, however, to disclosures relating to the intelligence community.

Limiting Whistleblowing Legal Costs.
The FAR Councils issued an interim rule that makes legal proceedings costs unallowable if a proceeding results in a finding of contractor liability, the imposition of a monetary penalty, or the head of an agency orders corrective action. 78 Fed. Reg. 60,173.
This change, which is implemented through revisions to FAR 31.206-47, modifies an ambiguous area of the existing rule by clarifying that reimbursement of contractor legal costs is unallowable if any kind of corrective action is ordered. Subsequently, legal costs related to a whistleblowing complaint cannot be recovered if there is an order for corrective action.

DOD Issues Final Rule Mandating Higher Security and Reporting Requirements for Unclassified Technical Information
On November 18, 2013, DOD issued a final DFARS regulation which enacted intensified safeguards and reporting requirements for DOD contractors who work with unclassified controlled technical information. 78 Fed. Reg. 69,273. The new rule will be implemented through DFARS 204.73 and a new clause, 252.204-7012. The new clause is mandatory, with no exceptions for small businesses. The clause imposes two requirements: (1) providing adequate security for information systems that contain unclassified controlled technical information; and (2) reporting cyber incidents or any compromising of information systems.

Contractors should consider taking steps to comply with this new requirement. First, in any system containing unclassified controlled technical information, the contractor should identify what data needs to be protected, and follow the information systems safety protocols outlined in the National Institute of Standards and Technology (“NIST”) publication identified in the DFARS clause. Otherwise, the contractor should speak to the contracting officer about how to provide adequate security. Second, the contractor should track, investigate, and report any potentially compromising cyber incidents, and conduct a damage assessment as required by the new clause.

Consultant and Professional Costs are Increasingly Questioned by Auditors
On December 19, 2013, the Defense Contract Audit Agency (“DCAA”) issued an audit alert regarding consulting and professional service cost audits of cost reimbursable contracts submitted with incurred cost proposals. FAR 31.205-33(e) and (f) leave the door open for inquiry by auditors by requiring vaguely described levels of evidence and documentation that is then viewed in the auditor’s potentially subjective judgment. FAR 31.205-33(e), which addresses the documentation for retainer fees, requires that retainer fees be supported by evidence that the services are necessary and customary, justified by the level of past services and “reasonable in comparison with maintaining an in-house capability to perform the covered services.” The DCAA audit alert explained that while FAR 31.205-33(f) requires there to be an agreement between contractor and consultant, copies of invoices, and an explanation of what the consultant accomplished, the audit team should not focus on a specific set of documents. Rather, the audit team should evaluate all evidence, including contemporaneous evidence supporting an earlier claim. While the new guidance will help contractors resist auditors that claim specific types of documents are necessary, auditors still possess great discretion in determining what level of detail is sufficient to be rendered acceptable. These provisions may be especially onerous to new contractors who have not been previously audited and do not know what level of detail to maintain in their billing during the course of their contract with an agency.

OMB Sets Maximum Executive Compensation
On December 4, 2013, the OMB gave notice that $952,308 is the “benchmark compensation amount” for FY 2012 government contracts, an increase of nearly $190,000 over FY 2011. 78 Fed. Reg. 72,930. The amount was raised pursuant to Section 29 of the Office of Federal Procurement Policy Act, as amended (41 U.S.C.
§ 1127), despite disapproval by the White House. This new benchmark applies to both civilian and defense agencies. This benchmark caps the total annual amount the government will reimburse contractors for the compensation a contractor provides to each of its employees for work done on government contracts. The contractor is, of course, free to pay their employees more than the cap amount, but they will not be reimbursed for any amount over the benchmark. The cap is set by finding the median compensation level from a data field containing the five most highly paid employees in management positions at all publicly owned U.S. companies with annual sales over $50 million.

DCAA Is Changing Its Audit Focus: Are You Ready?
Guest authors Kellye Jennings, Bill Keating*
Recently-published data on Defense Contract Audit Agency (“DCAA”) audits has identified a major shift in the focus of the agency. From FY 2011 to FY 2012, the number of DCAA audits for forward pricing, special audits and other audits decreased. However, the number of incurred cost proposal audits from 2011 to 2012 is up from 349 to 1,795. In addition, for the first five months of FY 2013, an additional 2,197 incurred cost proposal audit reports have been issued. At this rate, over 5,000 incurred cost proposal audits will be issued in FY 2013. However, this only puts a minor dent into the backlog as approximately 26,000 incurred cost proposals remained unaudited as of the end of FY 2012.

An incurred cost proposal (“ICP”) is a claim by a contractor for costs reimbursable under flexibly-priced contracts. The incurred cost audit determines if costs chargeable to auditable government contracts are allowable, allocable and reasonable in accordance with contract terms and applicable government acquisition regulations. The audit process generally involves gaining an understanding related to the basis of the costs and from where the numbers/amounts are derived.
In addition, a walk-through of the submission is generally performed whereby the auditor obtains documentation of the key controls for preventing or detecting material noncompliance. The auditor will then determine if the company is high or low risk. Low risk contractors are audited every three years while high risk contractors are audited every year. The DCAA auditor may audit multiple years at one time.

The following are the items that we see as being most frequently challenged:
- Subcontractor costs on time-and-materials (“T&M”) contracts: Billing at cost versus labor category billing rates.
- Excessive pass-through costs: Contracts on Schedule H of the ICP with subcontracts exceeding 70% of costs would likely be scrutinized.
- Labor category conformance issues: Determine if employee qualifications (i.e., education and experience) comply with contract provisions.
- Reasonableness of executive compensation: An area of on-going scrutiny as a high level of judgment is often involved.
- Directly associated costs: Costs that would otherwise be allowable that are associated with unallowable costs (e.g., payroll taxes on unallowable compensation costs).
- Inadequate documentation: Another judgment call in many cases.
- Missing records: If items cannot be substantiated with records, then they are going to be disallowed.

In addition, DCAA is actively enforcing the provision for penalties on expressly unallowable costs. Such penalties are equal to the amount of the disallowed cost.

As several years of ICPs are open for many government contractors, the ICP audit process may raise practical issues for many companies. For example, many companies may encounter difficulties related to accessibility to systems reports. If the systems records have been archived or the system has been replaced or updated, it may be difficult to run reports that would be needed to provide information to DCAA.
Access to source documents may also pose an issue, as many companies have retention policies that might result in records being archived or disposed of before the ICP audit occurs. Finally, turnover in accounting or finance personnel could lead to a loss of continuity in the audit process. If there are judgmental areas involved in the ICP, the new team may not have the historical information to respond to any questions that might arise regarding these areas.

When DCAA does contact you, it is a good idea to keep in mind the following “best practices” in dealing with a DCAA audit:

Understand what is being audited. The notification letter should clearly indicate what type of audit is being conducted. It could be an incurred cost audit, a pre-award audit, a post-award audit or some other type of special audit.

Be prepared. Understand the programs that the auditor will be using. It is much easier to respond to questions and requests when you understand the context and objective of the questions and have time to think through them before responding to them. The DCAA programs are public information and can be found at www.dcaa.mil/cam.html. Note that the DCAA audit guidance for incurred cost audits is located in Chapter 6.

Establish an audit liaison. It is important to assign a “point person” to coordinate the information flow between the company and the DCAA auditor to help control and track the information that is being requested and reviewed.

Insist on an entrance and an exit conference. It is easier to manage the audit process if you understand how long DCAA will be on site, how many people will be on site as well as the length of time the audit is expected to take. This information is normally communicated in an entrance conference. Once DCAA is wrapping up and is in the process of leaving your site, an exit conference is important as it gives you the opportunity to respond to the remaining questions by having a face-to-face dialogue.
Once the auditor leaves the field, it is difficult to make sure that he or she has the correct information and facts.

Request periodic status meetings for extended audits. Such meetings enable the contractor to monitor the government auditor’s activities and provide a forum for responding to ongoing questions and issues that the government auditor has preliminarily identified.

Be prompt in your responses and diligent about meeting deadlines. Once auditors have drafted their reports, they are under pressure to have the reports finalized. If you do not respond within the requested period or within a reasonable period of time, the draft report could become finalized. At this point, it is very difficult to deal with factually incorrect or incomplete findings.

Understand that not all government auditors are the same. As with every profession, each auditor has a different level of expertise and tenure. It is in the best interest of your company to be patient with them and explain things clearly based on their level of experience and proficiency.

While DCAA’s renewed push to clear out its backlog of ICP audits may pose a new challenge for your company, there is still time to prepare. Putting in the time up front to understand what the audit entails and ensure there are systems in place to handle it will save time and headaches down the road.

* Guest Authors: Ms. Jennings is a partner and Mr. Keating is a managing director with BDO USA, LLP, a professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies.

| Code Number | Agency | Regulation Description | Last Action | Effective Date |
| --- | --- | --- | --- | --- |
| 48 CFR Parts 212, 215, 225, and 252 | DoD | To amend the DFARS to further implement DOD policy relating to competitive acquisitions in which only one offer is received, providing additional exceptions, and further addressing requests for data other than certified cost or pricing data from the Canadian Commercial Corporation | Final Rule | 10/31/13 |
| 48 CFR Parts 204, 208, 212 | DoD | To amend the DFARS to allow the DOD to consider the impact of supply chain risk in specified types of procurements related to national security systems | Interim Rule | 11/18/13 |
| 48 CFR Parts 204, 212, and 252 | DoD | To amend the DFARS to add a new subpart and associated contract clause to address requirements for safeguarding unclassified controlled technical information | Final Rule | 11/18/13 |
| 48 CFR Parts 44, 46, and 52 | DoD, GSA, NASA | To amend the FAR to clarify when to use higher-level quality standards in solicitations and contracts, and to update the examples of higher-level quality standards by revising obsolete standards and adding two new industry standards that pertain to quality assurance for avoidance of counterfeit items | Proposed Rule | 12/3/13 |
| 48 CFR Parts 211, 212, 218, 246, 252 | DoD | To amend the DFARS to update and clarify requirements for unique identification and valuation of items delivered under DOD contracts | Final Rule | 12/16/13 |