
Several years ago, the head of the State Department’s Directorate of Defense Trade Controls (DDTC) explained that, when a company engaged in substantial exporting makes no voluntary disclosures of export control violations, something is wrong. He reasoned that every company is made up of human beings, and human beings make mistakes, so every company doing a lot of exporting must have at least some violations. A lack of disclosures therefore means either that the exporter is not catching its violations or that it is choosing not to disclose them. Last month, the U.S. Department of Justice (DOJ) released a revised Export Control and Sanctions Enforcement Policy for Business Organizations designed to increase voluntary self-disclosures of export controls and sanctions violations (the Voluntary Self-Disclosure Policy or VSD Policy).

On December 13, 2019, the DOJ announced its updated Voluntary Self-Disclosure Policy, which builds on the guidance its National Security Division (NSD) issued in October 2016, and will be formally incorporated into the Justice Manual. According to the DOJ, “[t]his revised VSD Policy signals the Department’s continued emphasis on corporate voluntary self-disclosure, rewarding cooperating companies with a presumption in favor of a non-prosecution agreement and significant reductions in penalties.”

The DOJ’s press release emphasizes both the Department’s focus on protecting sensitive technologies and preventing transactions with sanctioned entities and the importance of private sector cooperation with these efforts. In the DOJ’s ideal scenario, companies would voluntarily self-disclose all potentially willful violations of the statutes implementing the U.S. government’s primary export control and sanctions regimes (the Arms Export Control Act (AECA), 22 U.S.C. § 2778; the Export Control Reform Act (ECRA), 50 U.S.C. § 4801 et seq.; and the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1705) directly to the DOJ’s NSD.

The Department’s revised VSD Policy is intended to reassure companies that the benefits of reporting violations directly to DOJ “will be concrete and significant.” To that end, the new VSD Policy makes several key changes to the 2016 policy that provide further incentives for corporations to voluntarily self-disclose violations to the DOJ.

  • The VSD Policy clarifies the benefits of voluntarily disclosing a violation, fully cooperating with NSD, and timely and appropriately remediating identified problems. More particularly, the VSD Policy establishes a new presumption that the company will receive a non-prosecution agreement and will not be assessed a fine so long as there are no aggravating factors. Further, if aggravating circumstances warrant an enforcement action but the company satisfies all other criteria, the VSD Policy states that DOJ will recommend a fine at least 50 percent lower than what would otherwise be available under the alternative fine provision and will not require the imposition of a monitor. The prior guidance provided no presumption of any kind and no concrete benefits to companies that met the criteria.
  • The VSD Policy also makes clear that disclosures of potentially willful conduct made to regulatory agencies instead of to DOJ will not qualify for the benefits provided in the VSD Policy.
  • Finally, in an attempt to standardize DOJ voluntary disclosure policies to the extent possible, the VSD Policy was modified to more closely resemble existing and analogous guidance from other DOJ components. Specifically, the definitions of “Voluntary Self-Disclosure,” “Full Cooperation,” and “Timely and Appropriate Remediation” now closely mirror those provided in the Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy.

The new VSD Policy applies only to export control and sanctions matters brought by the NSD’s Counterintelligence and Export Control Section. It does not apply to any other section in the National Security Division, any other part of the Department of Justice, or any other agency.

All companies engaged, or likely to become engaged, in exporting or in international business that may implicate U.S. sanctions should familiarize themselves with the VSD Policy and prepare to take advantage of the newly clarified benefits of making voluntary disclosures. No one should want to be the company making no disclosures, and thereby raising red flags for enforcement agencies, especially now that the upside of coming clean about mistakes is so clear.

As part of its years-long project to update and revise the International Traffic in Arms Regulations (ITAR) and better align them with the Export Administration Regulations (EAR), the Department of State (DoS) recently amended the ITAR with an interim final rule addressing another group of amendments first proposed in June 2015. The rule defines a new term, “activities that are not exports, reexports, retransfers, or temporary imports,” by combining existing regulatory text with new text on secured unclassified technical data. It also adds a definition of “access information” and revises the definition of “release” to address the provision of access information to an unauthorized foreign person.

Activities that are not exports, reexports, retransfers, or temporary imports

The interim final rule adds § 120.54 to the ITAR to define “activities that are not exports, reexports, retransfers, or temporary imports,” which do not require authorization from DoS. The five types of activities that fall within this category, and so are not controlled events requiring DoS authorization, are:

  • Launching items into space. This activity is already excluded from the definition of an export in ITAR § 120.17(a)(6) and by statute, see 51 U.S.C. 50919(f), but in the interest of clarity the provision has been moved to § 120.54(a)(1), and the language has been simplified.
  • Transferring or transmitting technical data to a U.S. person in the United States from a person in the United States. Again, while public comments suggested that it may not have been clear under the ITAR before, § 120.54(a)(2) makes clear that such an activity is unequivocally not a controlled event. (Any release to a foreign person in the United States remains a controlled event.)
  • Transmitting or otherwise transferring technical data within the same foreign country between or among only U.S. persons. Under § 120.54(a)(3), such transmissions or transfers, like those within the United States, are not controlled events, provided they do not result in a release to a foreign person or a transfer to a person prohibited from receiving the technical data (e.g., a debarred person).
  • Shipping, moving, or transferring defense articles within the United States as defined in ITAR § 120.13. Under § 120.54(a)(4) it is not a controlled event to move a defense article between the states, possessions, and territories of the United States. Note that the ITAR definition of “United States” in § 120.13 includes the states, the District of Columbia, and the territories and possessions of the United States.
  • Sending, taking, or storing technical data that is: (i) unclassified; (ii) secured using end-to-end encryption; (iii) secured using FIPS 140-2-compliant cryptographic modules (hardware or software) supplemented by NIST-compliant procedures and controls, or by other cryptographic means that provide security strength at least comparable to the minimum 128 bits of security strength achieved by AES-128; (iv) not intentionally sent to a person in, or stored in, a country proscribed in § 126.1 of this subchapter or the Russian Federation (data in transit via the internet is not deemed to be stored); and (v) not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation. DoS summarizes § 120.54(a)(5) as providing “that it is not a controlled event to send, take, or store unclassified technical data when it is effectively encrypted using end-to-end encryption.” In this regard, § 120.54(b)(1) defines “end-to-end encryption” as: (i) the provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and (ii) the means of decryption are not provided to any third party. Condition (ii) is the operative one for system design: the data must be encrypted before it leaves the originator’s security boundary and the decryption key must be withheld from every intermediary, including the cloud or communications provider that carries or stores the ciphertext. In other words, properly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import requiring DoS authorization. Note, however, that even properly encrypted technical data cannot be intentionally sent to a person in, or stored in, a § 126.1 country or the Russian Federation.

As noted above, where these provisions are being moved from elsewhere in the ITAR, those other provisions have also been amended to reflect the change.

Defining “access information” and “release”

The new rule also adds a new § 120.55 to define ‘‘access information” as information that allows access to encrypted technical data in an unencrypted form. Examples include decryption keys, network access codes, and passwords. The release of technical data through access information requires DoS authorization to the same extent that such authorization is required to export unencrypted technical data.

Additionally, DoS has amended ITAR § 120.50 to clarify what constitutes a “release” of technical data (a controlled event requiring DoS authorization) and how the provision of access information may result in such a release. More particularly, the “release” of technical data now includes: (i) using access information to cause or enable a foreign person to access, view, or possess technical data in unencrypted form (§ 120.50(a)(3)); or (ii) using access information in a foreign country to cause technical data to be in unencrypted form, including when such actions are taken by U.S. persons abroad. In addition, the new § 120.50(b) clarifies that, while providing access information to a foreign person is not itself a controlled event for which the provider must obtain DoS authorization, an authorization for a release of technical data to that foreign person must be obtained before the access information may be provided, if the access information can cause or enable access to, viewing of, or possession of the unencrypted technical data.
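The following Go program is an added illustration of what the § 120.54(b)(1) definition of end-to-end encryption and the § 120.55 notion of access information look like in practice; it is not code from the rule, from DoS, or from the original post. Unclassified technical data is sealed with AES-256-GCM (256-bit security strength, above the 128-bit minimum) by the U.S. originator before it leaves the in-country security boundary, the resulting ciphertext is all that a foreign cloud region or transit network ever holds, and the key is the access information that must stay with the originator and the intended recipient. Two assumptions are labelled in the code: the sample drawing text and record identifier are constructed, and Go’s standard crypto package is used for illustration only, since it is not by itself a FIPS 140-2 validated module (a production deployment would use a validated module or a validated build of the runtime). A provider-managed “server-side encryption” option, where the provider generates and holds the key, would fail condition (ii) of the definition because the means of decryption are in a third party’s hands.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. Under ITAR § 120.55 this key is
// "access information": handing it to a foreign person is a release of the
// technical data it protects, so it is generated and held only by the
// originator and the intended recipient, never by a storage or transit
// provider. (Assumption: Go's crypto/rand and crypto/aes are used for
// illustration; they are not a FIPS 140-2 validated module.)
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealTechnicalData encrypts unclassified technical data with AES-256-GCM.
// The returned blob is nonce || ciphertext || tag and is the only thing that
// may be stored on or transmitted through foreign infrastructure. recordID is
// bound to the blob as authenticated associated data, so a blob cannot be
// silently relabelled as a different record.
func SealTechnicalData(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, which is used as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenTechnicalData reverses SealTechnicalData and fails closed: a wrong key,
// a mismatched recordID, truncation or any modification of the blob yields an
// error and no plaintext, so the data never appears "in unencrypted form"
// outside the originator's or recipient's security boundary.
func OpenTechnicalData(key, blob []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed record")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(recordID))
}

// newAEAD builds the AES-256-GCM primitive and rejects any key that is not
// exactly 256 bits, so a weaker key cannot slip in by configuration error.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a U.S. originator seals a drawing before it leaves
	// the in-country security boundary.
	drawing := []byte("PART-4471 rev C: tolerance +/-0.002 in (constructed sample)")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealTechnicalData(key, drawing, "PART-4471")
	if err != nil {
		panic(err)
	}
	// The foreign cloud region or transit network only ever sees blob.
	fmt.Printf("stored/transited abroad: %d bytes of ciphertext, no key\n", len(blob))

	// The intended U.S. recipient, who holds the key, recovers the data.
	pt, err := OpenTechnicalData(key, blob, "PART-4471")
	fmt.Printf("recipient with key: err=%v plaintext=%q\n", err, pt)

	// A provider (or anyone else) holding the blob but not the key gets nothing.
	other, _ := NewDataKey()
	_, err = OpenTechnicalData(other, blob, "PART-4471")
	fmt.Printf("provider without key: err=%v\n", err)
}
```

The design point is that the key never travels with the data: it is exchanged between the two U.S. parties over a separate, authorized channel, and the § 120.50(b) rule applies to that channel, not to the ciphertext sitting in a foreign data center.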

The interim final rule takes effect on March 25, 2020, but, in light of the rule’s potential impact, DoS is providing another opportunity for the public to submit comments. Interested parties may submit comments by January 27, 2020.

While, generally speaking, updating the ITAR to address concerns about the release of unclassified technical data and ensure better consistency with the EAR is a laudable effort, the devil is, as always, in the details. It remains to be seen whether, even if this rule achieves better alignment between the ITAR and the EAR, the new ITAR provisions will aid or interfere with the current and evolving cybersecurity requirements that government contractors must meet.

If you have questions about the ITAR and government contracts, contact Eric Whytsell or your Stinson counsel.


Being a small business can have its advantages. Federal procurement rules provide that certain contracting opportunities may be set aside for small business competition. Small businesses also may be exempt from certain procurement provisions, such as subcontracting plan requirements and coverage under the Federal Cost Accounting Standards (CAS). Prime and higher-tier subcontractors also are incentivized to use small businesses to meet the small business subcontracting goals in their required subcontracting plans.

However, small businesses only remain small to the extent that they are considered small under the applicable North American Industry Classification System (NAICS) code. Generally, size is calculated against the size standard for the business’s industry code, expressed as either average annual gross receipts or average annual number of employees.

Congress passed the Small Business Administration (SBA) Runway Extension Act, Pub. L. No. 115-324, to give small businesses subject to a receipts-based size standard a longer runway before they graduate from small business status. Prior to the Act, SBA rules calculated a receipts-based size standard using the business’s three-year average of annual gross receipts. To give small businesses more time to prepare for graduation, the Act provides for a five-year runway. The SBA issued a final rule on January 6, 2020 to implement this part of the Act. Under the rule, a five-year average of gross receipts will now apply to all industries subject to a receipts-based standard, extending the period during which a small business can still be considered small so that it has “more time to develop capabilities, strengthen and diversify experience, and build resources” to compete successfully in unrestricted competitions.

The SBA final rule provides a transition period, from now until January 6, 2022, during which a small business may choose to calculate its receipts-based size using either a three-year or a five-year averaging period. This flexibility is intended to assist small businesses in the middle market (growing in revenue, but not yet large) as well as the Federal government, which benefits from the expanded pool of competitors. Excluded from this rule, and subject to future rulemaking, are SBA’s small business loan programs. The SBA also did not address the calculation period for employee-based size standards.

The final SBA rule also addresses the former affiliate rule – the situation in which a small business sells or acquires a segregable division. Under this rule, the gross receipts of the division being sold remain the receipts of the selling concern and do not become the receipts of the acquiring concern. However, where an entity is being sold to a small business, the revenues of that entity are considered part of the small business acquiring the entity for purposes of calculating size.

Takeaways

  • If you are a small business you should be considering the impact of this new rule on your size status. Small businesses with revenues approaching their size standard caps may be able to extend their small business status depending on the calculation of their size using a three- or five-year period.
  • If you are a prime or higher-tier subcontractor that must comply with small business subcontracting rules, you should seek confirmation of the size status of your applicable or potential subcontractors.
  • There have been many protests relating to the size of potential bidders, offerors, and awardees. Competitors may be sizing up the competition to see whether a challenge to a rival’s size is in order. Where a size challenge may be raised, properly and promptly addressing the matter is essential.
  • Stay tuned for future rulemaking on the SBA loan programs and, potentially, on employee-based size standard calculations. It is clear that SBA will address the loan program matters soon. And having a three-year period for employee-based size standards alongside a five-year period for receipts-based standards appears unequal; comments were raised on this point and it may yet be reconsidered.

If you have questions about small business size regulations or potential size challenges, contact Susan Warshaw Ebner or your Stinson counsel.

It’s not unusual for defeated protesters to feel as though the explanation for their defeat shortchanges their arguments. Indeed, this might be the case for every defeated protester (or intervenor, or agency). The Government Accountability Office (GAO) decision in Analytical Solutions by Kline, LLC (ASK), B-417161.3 (July 11, 2019), published on GAO’s website on December 11, 2019, provides a glimpse into what GAO looks for when considering requests for reconsideration.

In its underlying protest, ASK protested the terms of the Social Security Administration (SSA) request for proposals (RFP) for information technology support services. As background, the solicitation’s terms provided that SSA would evaluate proposals under four phases: (1) SSA accessibility requirements and required quality certification, (2) relevant experience requirements, (3) detailed corporate experience, and (4) past performance. Phases 1 and 2 were to be evaluated using a pass/fail method. Under phase 1, offerors were required to include either a capability maturity model/capability maturity model integration (CMM/CMMi) certification or an international organization for standardization (ISO) certification. Further, offerors, under phases 2 through 4, were limited to providing only three references relating to their experience even though a number of requirements were bundled together in the procurement.

In its initial protest, ASK argued that the solicitation unduly restricted competition in requiring CMMi certification and references demonstrating relevant experience, as well as by limiting the number of past performance references. Further, after reviewing the agency report, ASK filed a supplemental protest, arguing that the agency improperly bundled dissimilar requirements, which was also unduly restrictive. For various reasons, ASK’s protest was denied in part and dismissed in part in GAO’s March 12, 2019 decision.

GAO’s Bid Protest Regulations state that a successful request for reconsideration requires the requesting party, which may be the protester, intervenor, or agency involved in the protest, to “show that GAO’s prior decision contains errors of either fact or law, or . . . present information not previously considered that warrants reversal or modification of the decision.” 4 C.F.R. § 21.14(a), (c).

In its request for reconsideration, ASK argued that GAO’s decision included three errors of law and failed to consider information that warranted reconsideration.

First, ASK argued that GAO erroneously dismissed its protest of the unduly restrictive certification requirement, maintaining that it had also challenged the alternative ISO certification. According to ASK, it had protested the purpose of the certification requirement generally and merely used the CMMi certification as an example. GAO was unconvinced. It found no support for ASK’s contention that its protest encompassed the ISO certification as well as the CMMi certification: ASK’s “Basis of Protest” contained a section entitled “CMMI / CERTIFICATION,” did not discuss any specific concerns with the ISO certification, and mentioned ISO certifications only in its restatement of potential offerors’ questions.

Second, ASK argued that GAO erroneously dismissed as untimely its supplemental protest pertaining to improper bundling, claiming that it had raised the bundling issue in its initial protest and not merely in the supplemental protest filed after the agency submitted its report. Here too, ASK pointed to references to “bundling” in its initial protest. However, GAO noted that ASK’s initial protest referenced bundling only in relation to the three-reference limit for the wide range of work under the solicitation. GAO found that the bundling argument in ASK’s supplemental protest was fundamentally different: it concerned the improper consolidation of requirements that had previously been separately solicited, not the three-reference limitation.

Third, and finally, ASK argued that GAO erroneously failed to address ASK’s challenge to the “vague and poorly defined pass/fail methodology for phase 1 and phase 2.” Here, GAO relied on its well-established maxim: just because something is not discussed in the GAO decision does not mean that GAO did not consider it in making its decision. GAO maintained that it considered all of the issues raised by ASK and that not addressing each in turn in its initial decision was not indicative of lack of due consideration, but rather furthered the interests of “inexpensive and expeditious resolution of protests.”

A request for reconsideration may be a last resort for protesters taking exception to an agency’s procurement action. The ASK decision makes clear that a protest of the terms of a solicitation must clearly state the bases for objection/concern. It also makes clear that initial protest grounds must be set forth clearly and unambiguously. Vague statements or mere references to a term without tying it to the assertion of a specific protest ground will not establish a cognizable protest ground. Further, in seeking reconsideration, specificity is critical. The requester must cite to specific facts in the original protest to support an assertion that GAO missed or failed to address something.

Last month we reported on the Department of Defense’s (DoD’s) issuance of Version 0.6 of its draft Cybersecurity Maturity Model Certification (CMMC) standard. That draft included DoD updates and revisions to CMMC’s domains, capabilities and practices for Levels 1 through 3. It deferred revisions to those parts of CMMC covering Levels 4 and 5. On December 6, 2019, DoD issued Version 0.7 of the draft CMMC standard, covering all domains, capabilities and practices for Levels 1 through 5. With this version of the draft CMMC, we are approaching what is expected to be the issuance of the final CMMC Version 1.0 in January 2020.

The revised CMMC Version 0.7 modifies some of the processes and practices in Levels 1 through 3 and reduces the number of requirements under Levels 4 and 5. Level 1 still addresses basic cyber hygiene and the handling of Federal Contract Information (FCI), applying the safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21 to that data. That clause applies to all contractors at all tiers, and draft Version 0.7 identifies Level 1 as a “foundation for the higher levels of the model and [something that] must be completed by all certified organizations.” It is a performance requirement. Levels 2 and above also address process maturity. While Level 2 still addresses FCI, it, like Level 1, serves as a foundation for achieving Level 3. Level 3 addresses compliance with NIST SP 800-171 and DFARS 252.204-7012 and includes “the basic ability to protect and sustain an organization’s assets and CUI [Controlled Unclassified Information].” Levels 4 and 5 apply to more sensitive data and require the contractor to demonstrate a substantial and proactive cybersecurity program.

Notably, Levels 4 and 5 presently do not require compliance with all 33 additional controls proposed in draft NIST SP 800-171B; 15 of those controls are identified as excluded.

DoD continues to indicate that it expects to issue the final version of CMMC in January 2020, and that it is working to establish the third-party certifier organization and the certifiers who will certify contractors’ compliance with the CMMC levels. DoD FAQs now state that, once released, CMMC Version 1.0 will be used to train the certifiers and that CMMC requirements will be included in Requests for Information starting in June 2020. Our understanding is that CMMC requirements are still expected to begin appearing in Requests for Proposals in the fall. A recent clarification to the release states that “Contractors will be required to meet the certification level at time of award. The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.”

For contractors and subcontractors at all tiers, the above puts you on notice that you need to be working on your compliance now. Given the foibles of procurements, as well as the timing and the limited number of certifiers likely to be in place in the first year, you should be working through the steps to compliance so that there is time to complete the third-party certification process before award. Even though CMMC has not been finalized, there can be little doubt that the requirements of FAR 52.204-21 are the minimum for any procurement (they are referenced in every version of the CMMC) and that DFARS 252.204-7012 will remain a required set of standards even if the standards at the higher levels change (it, too, is referenced throughout the CMMC). Putting a system in place that addresses these requirements will take time.