Our March edition of “Government Contracts Legislative and Regulatory Update” offers a summary of the relevant changes that took place during the month of February.

Highlights this month include:

  • GSA issues final rule addressing common commercial supplier items that are unenforceable against the government
  • Cost Accounting Standards Board publishes final rule clarifying exemption
  • GSA plans to update cybersecurity requirements for contractors

This update will also be available in Contract Management Magazine, which is published monthly by the National Contract Management Association (NCMA).

Regulations

GSA issues final rule addressing common commercial supplier terms that are unenforceable against the government

On February 22, 2018, the General Services Administration (GSA) issued a final rule that addresses commercial supplier terms that are inconsistent with, or create ambiguity in relation to, federal law. The new rule states that “[s]tandard commercial supplier agreements contain terms and conditions that make sense when the purchaser is a private party but are inappropriate when the purchaser is the Federal Government.” Accordingly, the rule makes changes to avoid conflict with common commercial terms.

The GSA pursued this rule because commonly recurring conflicting or ambiguous terms and conditions found in commercial agreements require the GSA to negotiate individual agreements to address the conflicts, often at significant delays and cost to the GSA and contractors. This rule should reduce proposal and administrative costs for the GSA and contractors, and improve time efficiency for the contracting process.

Notably, the rule adds a paragraph to GSAR 552.212-4 identifying 15 common commercial terms that are unenforceable against the government. This includes a prohibition against automatic renewals and provisions conflicting with the Anti-Deficiency Act, 31 USC section 1341. The rule clarifies that federal law controls, that the government is not bound by commercial supplier terms and that the contract is subject to the Contract Disputes Act (GSAR 552.212-4(w)). (83 Fed. Reg. 7,631, 02/22/2018).

Cost Accounting Standards Board publishes final rule clarifying exemption

On February 28, 2018, the Cost Accounting Standards (CAS) Board published a final rule revising the exemption from CAS for firm-fixed-price contracts and subcontracts awarded on the basis of adequate price competition without submission of cost and pricing data. The rule clarifies that this exemption applies to firm-fixed-price agreements awarded on the basis of adequate price competition without submission of certified cost or pricing data.

When the exception was originally passed in 2000, the term “cost or pricing data” indicated certified cost or pricing data. However in 2010, a change was made to the FAR that defined the term to include cost or pricing data without certification. This new rule clarifies the intent of the exception. (83 Fed. Reg. 8,634, 02/28/2018).

Government proposes new rules in FAR Council and GSA'S Semiannual Regulatory Agenda

The government proposed new regulations regarding data breaches, cost evaluation for IDIQ contract proposals, overseas small business contracting and other areas of government contracting that will affect nearly every area of the industry. Some of the key proposed changes are as follows:

  1. The Department of Defense (DoD), GSA and National and Aeronautics and Space Administration (NASA) are proposing to amend the FAR to create contract clauses that address contractor requirements for data breach responses. The proposed rule would require contractors to use a contractually required procedure in responding to data breaches that compromise personally identifiable information. This FAR change would implement the requirements outlined in Office of Management and Budget (OMB) Memorandum, M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information. The proposed rule is expected in March 2018.
  2. The DoD, GSA and NASA are proposing to amend FAR to change the requirement to consider cost or price as a factor in evaluating proposals for IDIQ contracts. This change would provide the government discretion to evaluate cost/price during task order competition rather than evaluating the cost/price of a base IDIQ contract proposal. The proposed rule is expected in April 2018.
  3. The DoD, GSA and NASA are proposing an amendment to FAR to clarify that overseas contracting is not excluded from agency responsibilities to foster small business participation. The government would be able to use small business set-asides for overseas opportunities, rather than only work performed in the US. The proposed rule is currently in comment period.
  4. The DoD, GSA and NASA are issuing a final rule amending the FAR to require federal government contractors to provide seven days or more of paid sick leave annually for employees. The change codifies interim rule, Executive Order 13706, “Establishing Paid Sick Leave for Federal Contractors,” announced in December 2016.
  5. The DoD, GSA, and NASA are proposing to amend the FAR to implement 41 USC section 4712, Enhancement of contractor protection from reprisal for disclosure of certain information (whistleblowing). This was a pilot program enacted in 2013, and the change would make the program permanent. As such, contractor employees would be permanently protected from retaliation for whistleblowing. The proposed rule is expected in March 2018.

Many of the above proposed rules are currently in the public comment period, and contractors may submit relevant comments.

Industry Developments

GSA plans to update cybersecurity requirements for contractors

The GSA Semiannual Regulatory Agenda includes plans to formalize requirements in the General Services Administration Acquisition Regulation (GSAR) concerning reporting cyber incidents that potentially affect GSA or its contractors.

The GSA plans to update cybersecurity requirements in the GSAR by requiring contractors to (i) protect the confidentiality, integrity and availability of unclassified GSA information and information systems from cybersecurity threats and vulnerabilities; and (ii) report cyber incidents that could potentially affect the GSA or its customer agencies.

First, the GSA intends to propose a rule regarding Information Systems Security that updates GSAR 552-239-70, Information Technology Security Plan and Security Authorization, and GSAR 552.239-71, Security Requirements for Unclassified Information Technology Resources. As previously noted, this rule will “mandate contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats.” To ensure compliance, the GSA has stated that this new rule will require contracting officers (COs) to include the applicable GSA cybersecurity requirements in statements of work. In addition, the GSA also intends to expand cybersecurity requirements to a contractor’s internal systems, external systems, mobile systems and cloud systems.

Second, the GSA intends to propose a rule regarding Cyber Incident Reporting to update GSA Order CIO 9297.2 and to incorporate the order into the GSAR. The order requires contractors to report all “suspected or confirmed breaches” of personally identifiable information (PII) whether in electronic or physical form. However, this proposed rule will likely expand cyber incident reporting to situations beyond breaches involving PII. For example, this proposed rule will require contractors to report any cyber incident where the confidentiality, integrity or availability of GSA information or information systems are potentially compromised, or where the confidentiality, integrity or availability of information or information systems owned or managed by or on behalf of the US government is potentially compromised. In turn, this proposed rule would greatly expand the scope of cyber incidents requiring notification by GSA contractors. Notably, the proposed Cyber Incident Reporting rule will also likely include authority for the government to access a contractor’s information systems after an incident. Other expected requirements include:

  • That contractors preserve images of infected or breached systems.
  • The contractors train employee regarding cybersecurity.
  • A delineation of the roles and responsibilities regarding cyber incident reporting among GSA contracting officers, contractors, and the agencies ordering from a GSA contract.
  • A cyber incident reporting clause in all GSA contracts and in those orders placed against GSA multiple-award contracts.

GSA contractors should pay attention to developments on these proposed rules because they potentially will contain a number of new compliance requirements.

Senate leaders reached a bipartisan spending agreement to increase federal spending by nearly $300 billion over two years

On February 7, 2018, congressional leadership reached a bipartisan spending agreement that sets top-line funding levels for all federal agencies for the next two years, and increases spending at defense and non-defense agencies by a total of $300 billion.

Lawmakers combined the two-year spending deal with a short-term measure to keep the government operating when funding ran out on February 8. The measure was designed to keep the government open through March 23 to give lawmakers time to write longer-term spending bills.

Notably, this spending agreement suspends the federal debt ceiling until March 2019. In addition, defense spending would increase by $80 billion over current law in this fiscal year and $85 billion in the fiscal year that begins on October 1. Further, non-defense spending would rise by $63 billion this year and by $68 billion next year. Finally, the spending agreement provides disaster assistance for hurricanes and wildfires of between $80 billion and $90 billion, including funds to rebuild Puerto Rico’s hurricane-damaged electrical system.

DOJ memo eliminates reliance on agency guidance

The Department of Justice (DOJ) under the Trump administration issued a new memo limiting the use of agency guidance documents in affirmative civil enforcement cases. The memo aligns with the administration’s movement to limit agency guidance documents under its broader goal of decreasing regulation.

The memo, issued on January 25, 2018, by the Office of the Associate Attorney General, instructs the DOJ to cease its reliance on agency guidance documents to establish violations of regulations or statutes in civil enforcement cases. The memo specifically states “[g]uidance documents cannot create binding requirements that do not already exist.” While agencies under the DOJ may continue to use agency guidance documents “for proper purposes,” such as explaining or paraphrasing legal mandates from existing states/regulations, the DOJ may not “treat a party’s noncompliance with an agency guidance document as presumptively or conclusively establishing that the party violated the applicable statute or regulation.”

The effect on contractors is that they will no longer be automatically liable for noncompliance with agency guidance, reducing liability in civil enforcement cases. For example, agency guidance is sometimes used in False Claims Act suits to support the government’s argument that a contractor’s claims were false because they did not comply with agency guidance. This change will limit the government’s ability to use agency guidance in support of False Claims Act suits.