Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters MORE

Supply chain risks are on the rise. Protecting the supply chain is a critical aspect of our national security, health and public safety. Whether parts are electronic or not, if they aren’t what they are represented to be, don’t do what they are supposed to do, or do things that they’re not supposed to do, then they pose real, tangible risks to our national security, health and safety. Unfortunately, it may be difficult to determine whether a part or supply is counterfeit or simply nonconforming. Even if it is nonconforming, if it is a critical or major nonconformance, it may raise the risk of catastrophic failure when used.

Contractors and the Department of Defense (DoD) struggle with how to best address counterfeit and nonconforming parts – to ferret them out of the supply chain and to obtain timely notice when such a part is identified in the supply chain by others. Numerous laws and regulations have been issued to try to address the situation. For example, DoD rules provide authority to eliminate contractors and their suppliers from contracts if they are determined to pose a risk to the supply chain. Other government-wide Federal Acquisition Regulation (FAR) rules prohibit specific equipment and services from being used or delivered under government contracts because they have been deemed to pose a national security risk. And still other DoD or government-wide rules require contractors to certify the conformity of their supplies, report actual or suspected counterfeits and nonconformities when found, require procurement of electronic items from the original equipment manufacturer or authorized reseller, or use a counterfeit electronic part detection and avoidance systems.

On November 22, 2019, the FAR Council issued a government-wide final rule on the Reporting of Nonconforming Items to the Government-Industry Data Exchange Program (GIDEP) to try to address some of these concerns. In the past, GIDEP has provided the Government and DoD contractors the opportunity to report on, and to find out about, identified actual or potential supply chain risks. This final rule expands the scope of GIDEP screening and reporting to contractors and subcontractors involved in contracts at DoD and other agencies across the Federal Government.

The final rule requires contractors to screen GIDEP as part of their inspection system or program to control quality, and to avoid the use and delivery of actual or suspect counterfeit items or major or critical nonconforming items to the Government. The final rule also requires contractors to report on actual or suspect counterfeit parts or parts with critical or major nonconformances to their Contracting Officer, as well as the GIDEP. Contractors must now submit a report within 60 days “of becoming aware or having reason to suspect, such as through inspection, testing, record review, or notification from another source (e.g., seller, customer, third party) that an item purchased by the contractor for delivery to, or for, the Government is ‘counterfeit or suspect counterfeit item’ or ‘a common item that has a major or critical nonconformance’.”

The definitions of those now reportable matters under the final rule include:

  • “Counterfeit item” is defined as “an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified item from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used items represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.”
  • “Suspect counterfeit item” is defined as “an item for which credible evidence (including but not limited to, visual inspection or testing) provides reasonable doubt that the item is authentic.”
  • “Nonconforming item” for purposes of the final rule includes (i) “[a]ny items that are subject to higher-level quality standards in accordance with the clause at 52.246-11, Higher-Level Contract Quality Requirement”; (ii) “[a]ny items that the contracting officer, in consultation with the requiring activity determines to be critical items for which use of the clause is appropriate”; or (iii) “electronic parts or end items, components, parts, or materials containing electronic parts, whether or not covered [by (i) or (ii)] …” under a DoD prime or subcontract, where the acquisition is above the simplified acquisition threshold (SAT).
  • “Critical item” is defined as “an item, the failure of which is likely to result in hazardous or unsafe conditions for individuals using, maintaining, or depending upon the item; or is likely to prevent performance of a vital agency mission.”
  • “Critical nonconformance” is defined as “a nonconformance that is likely to result in hazardous or unsafe conditions for individuals using, maintaining, or depending upon the supplies or services; or is likely to prevent performance of a vital agency mission.”
  • “Major nonconformance” is defined as “a nonconformance, other than critical, that is likely to result in failure of the supplies or services, or to materially reduce the usability of the supplies or services for their intended purpose.”

The rule carves out exemptions from reporting for the following types of situations: 1) acquisition of medical devices that are subject to U.S. Food and Drug Administration reporting requirements; 2) where disclosure would impact an ongoing criminal investigation, 2) where the incident arises under a FAR part 12 commercial item contract or subcontract for commercial items, 3) where the contract or subcontract is valued below the Simplified Acquisition Threshold (SAT). What is potentially confusing about the final rule is that it still requires DoD contractors and their supply chain to report on counterfeit or suspect counterfeit electronic parts for DoD contracts and subcontracts, including commercial items, while for non-DoD agencies it “focuses on supplies that require higher-level quality standards or are determined to be critical items.”

The rulemaking on the final rule confirms that there is a limited safe harbor available for DoD contractors and subcontractors that report to GIDEP where they have “made a reasonable effort” to determine that they have an actual or suspect counterfeit part. However, the final rule does not expand that safe harbor to non-DoD contracts or reporting on major or critical nonconforming parts.

Note too that the regulatory history of the final rule indicates that a contractor’s report to GIDEP on an actual or suspected counterfeit also may be considered “credible evidence” of fraud under the FAR Mandatory Disclosure Rule and trigger a duty on the contractor to report to the Inspector General as well as the Contracting Officer under the Mandatory Disclosure Rule.

In addition to the above, the final GIDEP reporting rule does not address a number of issues that continue to plague both the Government and contractors, including such important issues as:

  • The rule does not require reporting of foreign corporations or entities that do not have an office, place of business, or paying agent in the United States. As counterfeits may come through a variety of ways into the supply chain – notably through foreign acquisitions – this carve out omits a key component of the supply chain community.
  • The rule requires the contractor to retain the part in question until provided disposition instructions by the Contracting Officer. This may raise issues of chain of custody, costs of retention, and protection of the integrity of the part. It also raises questions of what the contractor is to do under the contract to perform its obligations in the wake of its reporting.
  • The reporting obligations may provide a road map to critical or key government contractors and suppliers of covered parts for bad actors to track and trace. How to secure the supply chain and provide notice is a key issue for contractors and the Government.

This final rule is another step in securing the Government-Industry supply chain. Contractors should be taking steps to assess their requirements and to institute procedures to address these reporting requirements in a timely and secure fashion. Further, in addition to reporting on such items, contractors should be considering whether and to what extent their contract’s costs, schedule or method of performance are being impacted, and whether these increased costs and changes can be compensated.

Lovers of consistency, rejoice! After a few years of administering two separate, yet substantially similar mentor-protégé programs, the Small Business Administration (SBA) has proposed a rulemaking to consolidate the 8(a) Business Development (BD) Mentor-Protégé Program and the All Small Mentor-Protégé Program. On November 8, 2019, SBA published the Consolidation of Mentor Protégé Programs and Other Government Contracting Amendments in the Federal Register. 84 FR 60846.

Most notably, SBA’s proposed rulemaking amends numerous rules to merge its mentor protégé programs. The 8(a) BD and All Small Mentor-Protégé Programs have the same purposes and offer similar benefits. Both are intended to allow approved mentors to enhance the capabilities of protégés by aiding the protégés in competing for government and commercial contracts. Protégés in both programs benefit from business development assistance. Further, joint ventures formed between a mentor and protégé are exempt from affiliation based on joint venturing, so that the joint venture should qualify for small business set-aside awards provided the protégé individually qualifies as small under the applicable size standard. With these big picture similarities in mind, SBA recognizes that navigating the various requirements of the current mentor protégé programs can be confusing and burdensome for both contractors and the Government.

The following highlights the noteworthy aspects of the proposed changes:

  • Eliminates the separate 8(a) BD Mentor-Protégé Program – The proposal revises the applicable rules to recognize that an 8(a) participant is just as any other small business, merging the 8(a) BD Mentor Protégé Program into the All Small Business Mentor-Protégé Program. Further, to effectuate this streamlining, SBA would eliminate the requirement that it must approve joint ventures in connection with sole source 8(a) awards, as it does not currently require prior approval of joint ventures in any other context.
  • Amends requirements for joint ventures – The current rule limits the scope and duration of joint ventures to no more than three contracts over a two year period. The revised rule would eliminate the three contract limit, allowing joint ventures to be awarded any number of contracts within two years from the date of its first contract award.
  • Considers limiting mentors based on annual revenue – SBA is considering whether to restrict the size of mentors to firms having average annual revenues of less than $100 million. While SBA is focused on advancing the business of the protégé, based on recommendations of “mid-size” firms, SBA is considering whether small businesses would be better served by having business development assistance from mentors that are size-limited in this way.
  • Ensures NAICS code of task order issued under a Multiple Award Contract (MAC) reflects order – Currently, if a MAC is assigned a NAICS code, that code flows down to each order under the MAC, even if, for example the underlying MAC’s NAICS code is for services, and the order is for supplies. Instead of merely allowing the flow down of NAICS codes from the MAC to the particular order, which can result in firms qualifying as small for a particular procurement where they shouldn’t, the proposed rule would require that the NAICS code for each task order accurately reflects the contract and order being awarded and performed.
  • Requires recertification of size and/or socioeconomic status for certain MACs – Other than for orders or Blanket Purchase Agreements issued under a Federal Supply Schedule (FSS) contract, SBA would require recertification of size status where there is an order placed under an unrestricted MAC set aside exclusively for small businesses. Further, the proposed rule requires recertification of socioeconomic status where the required status for an order differs from that of the underlying MAC.
  • Authorizes size and/or socioeconomic status protests for certain MACs – The proposed rule specifically authorizes size and/or socioeconomic eligibility protests relating to set-aside orders based on a different size and/or socioeconomic status from the underlying MAC. This change would allow protests where the set-aside is for small business and, if protesting size eligibility, the underlying MAC was awarded on an unrestricted basis. This rule allowing size and/or socioeconomic protests relating to orders would not apply to orders against Blanket Purchase Orders or Federal Supply Schedule contracts.

SBA is accepting comments on this proposed rulemaking received on or before January 17, 2020.

Previously we reported on the Department of Defense (‘DoD”) efforts to develop a Cybersecurity Maturity Model Certification (“CMMC”) program to verify the status of contractor cybersecurity and compliance. The CMMC program contemplates that third party auditors will be qualified and retained to review and certify contractors and suppliers at all tiers on their levels of compliance with the CMMC. It is anticipated that, as part of the CMMC roll out, cybersecurity requirements and evaluation criteria will be included in future procurements starting in the Fall of 2020. These CMMC certifications will be used to establish whether an entity meets the foundational level of cybersecurity required for a particular DoD procurement.

DoD still plans to issue the CMMC in final form by January 2020 and to identify third party certifiers to conduct the CMMC certifications for planned roll out of CMMC provisions in Fall 2020. DoD scheduled a CMMC Accreditation Body Kickoff meeting for interested organizations and/or individuals for November 19, following its issuance of an RFI for information on “how to define the long-term implementation, execution, sustainment and growth of the CMMC Accreditation Body.”

More than 2000 comments were submitted in response to the publication of the initial draft CMMC, Version 0.4. In lightning speed, the DoD has turned around the draft and issued the next version of the draft CMMC. Version 0.6 of the CMMC was issued on November 7, 2019. That new version of the draft CMMC covers 17 domains (Access Control, Asset Management, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, recovery, Risk Management, Security Assessment, Situational Awareness, System and Communications Protections System and Information Integrity) and addresses the processes and practices required for levels 1 through 3. DoD advises that it is still working through the comments relating to the higher level certification processes and practices for levels 4 and 5 and that it will issue a follow-on draft addressing those additional levels in the near future.

The latest revisions to the draft CMMC, Version 0.6, make clear that each security level builds on and includes the requirements contained in the lower security level. Thus, Level 1 includes an initial set of practices and processes and Level 2 includes these Level 1 processes and procedures as well as others. Level 2 is classified as a level to assist the contractor in preparing for its transition and compliance with Level 3 requirements, the level that contains the full set of security controls, practices and processes required by NIST SP 800-171, which has been the base standard for cyber security at DoD under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The draft also references prior statements that levels 4 and 5 will contain additional security controls in order to promote increased protection for critical DoD programs.

The draft CMMC does not, however, answer a number of key questions, including:

  • Will there be programs and contracts that will be subject to the limited level 1 standard? Or will this level be reserved for potential subcontractors that won’t develop or be required to have access to controlled unclassified information (CUI)?
  • Will level 2 be used for the issuance of prime contracts?
  • Will DoD require contractor certification as a foundational precondition to competing in a procurement, or will it allow a contractor to compete subject to successful certification by the start of performance?
  • Must a subcontractor be certified at the same level as that required of the prime contractor for a particular program? When does the subcontractor need to be certified?
  • Will DFARS 252.204-7008, 252.204-7009 and 252.204-7012 be modified or phased out when CMMC goes live?
  • Will there be a pilot period under which the DoD will ramp up its requirements and contractor CMMC certification?
  • How long will the process of obtaining a CMMC certification be?

There are many other questions that will need to be answered before CMMC is implemented. DoD has committed to engaging in formal rulemaking for the CMMC program. However, it has also said that it intends to move forward with an interim rule pending that process.

Given the direction and speed with which CMMC is heading our way, contractors should be looking at whether these draft CMMC processes and practices can be accomplished. Potential opportunities to comment on the draft and during the rulemaking should be considered. In addition, contractors should be taking steps now to prepare for CMMC, including examining what it will take for them to be certified and the level of readiness of their supply chains. Since the current rule indicates that NIST SP 800-171 will apply to levels 3, 4 and 5, and parts of it will apply to the lower levels, contractors might look at how they marry up with those requirements and what would be needed for them to address likely gaps in compliance. Contractors also should be thinking about what they will need from their suppliers and lower level subcontractors, and how they may be able to obtain the information needed to determine whether these supply chains will be able to meet these requirements.

Sound cybersecurity throughout the supply chain is the DoD’s goal. Stay tuned for the next round of CMMC and future rulemaking.

When the FY2017 National Defense Authorization Act (NDAA) was enacted, the prohibition in Section 813(c) against the use of lowest price technically acceptable (LPTA) source selection criteria seemed fairly cut and dry. As time passes and procuring agencies adopt new evaluation schemes, however, the parameters of the prohibition are being tested. The recent Government Accountability Office (GAO) decision in Inserso Corporation, B-417791, B-417791.3 (November 4, 2019) is a case in point.

The matter involved the terms of a Request for Quotations (RFQ) issued by the Department of the Air Force for information technology (IT) and cybersecurity services. Under the RFQ, quotations were to be evaluated using technical acceptability, past performance, and price factors. The RFQ provided that the agency would first rank quotations according to price, from lowest to highest, then evaluate the five lowest-priced quotations as either technically acceptable or unacceptable. Only technically acceptable quotations would proceed to be rated under the past performance factor and a performance confidence assessment rating would be assigned to each. Then the agency would make an award decision based upon a price/past performance best value trade-off. Only quotes deemed to be technically acceptable would be eligible for award.

Inserso Corporation protested the RFQ, asserting that the agency was using lowest-priced, technically acceptable (LPTA) award criteria in violation of Section 813(c) of the FY 2017 NDAA, which states that, “To the maximum extent practicable, the use of [LPTA] source selection criteria shall be avoided in the case of a procurement that is predominately for the acquisition of [among other things] information technology services, cybersecurity services, . . . or other knowledge-based professional services.” According to Inserso, the agency would use LPTA criteria in the solicitation because the RFQ fails to provide for a tradeoff between price and technical factors. Inserso interprets the RFQ evaluation criteria to require an agency—in procurements for IT services—to affirmatively use a tradeoff between price and technical factors as the basis for award and not eliminate offers without making a tradeoff between technical factors and price. In other words, ranking offerors by price and evaluating the five lowest-priced offerors for technical acceptability, as the agency planned to do here, should be deemed to be an improper use of LPTA criteria under Inserso’s approach.

The Air Force countered that its solicitation does not violate Section 813(c) because it does not utilize lowest-priced, technically acceptable source selection criteria (as defined in FAR 15.101-2) as the basis for award—and because it is performing a best-value tradeoff, but that tradeoff is between price and past performance instead of price and technical factors.

In response to Inserso’s multiple supporting citations and arguments, the GAO found Inserso’s interpretation of Section 813 reasonable. However, although there was no dispute that the Air Force was conducting the procurement using technical acceptability and price as elements in a price versus past performance tradeoff, the GAO still concluded that the agency did not violate Section 813(c) of the FY 2017 NDAA. The GAO’s analysis continues the established precedent to afford the agency broad discretion so long as its interpretation is reasonable and based on a permissible construction of the statute. Where, as here, an agency’s statutory interpretation is found reasonable, the fact that there are alternative interpretations of the statute is irrelevant, even if these alternative interpretations are also reasonable.

The GAO noted that the protester had not identified anything in Section 813 or in regulations that specifically preclude the RFQ’s selection criteria. As a result, it held that the RFQ’s evaluation scheme, which uses a price/past performance tradeoff as the basis of source selection, does not violate procurement law. Going forward, offerors should expect to see more creative uses of evaluation criteria by agencies—and to have less opportunity to challenge them as violating Section 813 of the FY2017 NDAA.

Disappointed offerors sometimes attempt to challenge contract awards by arguing that the agency did not properly take into account a particular aspect of their proposals. As the recent Government Accountability Office (GAO) decision in Red River Science & Technology, LLC, B-417798.2 (October 24, 2019) makes clear, however, protesters need to make sure that their proposal supports their argument in the context of the solicitation. The GAO will likely not reward a challenge that attempts to “rewrite” the proposal to support the asserted protest grounds.

The procurement involved the issuance of an order by the Department of the Army, Army Materiel Command for maintenance, supply, and transportation logistics support services at Fort Jackson, South Carolina. The underlying solicitation stated that the Army would make award based on three factors: (1) technical acceptability; (2) past performance; and (3) cost/price. Under the solicitation, the Army was to first evaluate proposals for technical acceptability on a pass/fail basis, then evaluate the three lowest-priced offerors under the past performance factor. The past performance evaluation was to entail “a qualitative assessment of the past performance of recent and relevant contracts performed by the offeror, and by any subcontractors proposed to perform 20 percent or more of the total proposed cost/price.” The Army would then assign the three lowest-priced, technically acceptable offerors a past performance confidence rating, the highest of which was “substantial confidence,” and identify the lowest-priced firm with a past performance rating of substantial confidence. If none of the technically acceptable offerors received a substantial confidence rating, the solicitation required the Army to conduct a best-value tradeoff based on all the factors.

In evaluating past performance, the agency would consider both examples of recent and relevant past contract efforts submitted by offerors and information it obtained about the offerors from other sources. “Recent contracts” were those performed within three years of the solicitation’s closing date. “Relevant contracts” were those reflecting similar experience, magnitude and complexity. In order to demonstrate similar experience, a past performance example had to reflect the performance of work in one of three functional areas required by the solicitation–maintenance, supply, or transportation. For magnitude and complexity, the solicitation established minimum average annual dollar value thresholds for past performance examples to be considered relevant. The solicitation also provided that the past performance record of offerors that proposed to use subcontractors would “be assessed in its totality to determine the Offeror’s past performance rating” and explained that the Army evaluators would take into account “the specific functional areas the offeror and its proposed subcontractors have performed, the areas each is proposed to perform, and the overall percentage of participation proposed for the offeror and any subcontractors.”

The Army received seven timely proposals, including those of Red River and the awardee, Bowhead Operations & Maintenance Solutions, LLC, which were both among the three proposals evaluated as technically acceptable. Of the three, Red River had the lowest price.

In its proposal, Red River made clear that it would perform the transportation functional area and a portion of the supply functional area itself, totaling approximately 54 percent of its proposed price. The remaining 46% of the price was attributed to its subcontractor, The Logistics Company (TLC), which was to perform all of the work under the maintenance functional area and a portion of the supply functional area. In other words, Red River proposed only its own personnel to perform work for the transportation functional area. But during evaluation the Army found that only half of its eight past performance examples involved transportation work, and none of those four met the solicitation’s minimum dollar thresholds to be considered similar in magnitude and complexity. In contrast, the Army found that TLC had very positive, recent and relevant past performance in all three functional areas, including transportation.

Despite TLC’s demonstrated favorable performance in all three functional areas, Red River’s lack of relevant past performance in the transportation functional area created “some uncertainty about its ability to perform the Ft. Jackson effort.” In this regard, the Army concluded that TLC’s ability to perform the transportation functional area had “no impact” on the evaluation because Red River did not propose TLC to perform that work but instead proposed itself, with TLC performing work in the other functional areas. Because of the uncertainty about Red River’s handling the transportation functional area, the evaluators ultimately gave its proposal a past performance rating of satisfactory confidence.

Even though its price was higher, Bowhead was awarded the order because it had the lowest-price offer receiving a past performance rating of substantial confidence. Following a debriefing, Red River filed the subject protest, challenging the Army’s evaluation of its past performance as only acceptable, arguing that the agency failed to reasonably consider the past performance of its proposed subcontractor as required by the terms of the solicitation.

More particularly, Red River argued that the agency should have considered TLC’s demonstrated relevant past performance in the transportation area even though Red River’s proposal did not identify TLC as performing the transportation work. It pointed to the repeated references “throughout its proposal” to TLC as its “teammate” and maintained that it “could have received TLC’s assistance in the transportation functional area.” Red River also asserted that the solicitation required the Army to base its past performance rating on the combined performance record of itself and TLC without regard to the areas of work for which TLC was proposed.

The GAO rejected both arguments.

First, with respect to the notion that the Army should have given Red River credit for TLC’s past performance because they were teammates and TLC could have assisted in the transportation functional area, the GAO held that the agency reasonably considered only Red River’s transportation experience because Red River’s proposal (organization chart, staffing plan, etc.) specified that Red River would self-perform the transportation work itself, and gave no indication that TLC would provide assistance of any kind. In other words, there was no reason for the Army to have considered TLC’s past performance in that area and the satisfactory confidence rating was reasonable.

Red River’s contention that the solicitation required the Army to base its past performance rating on the combined performance record of itself and TLC without regard to the areas of work for which TLC was proposed fared no better. Red River relied on the solicitation language stating that “[i]f an Offeror proposes the use of Subcontractors the Offeror’s past performance record will be assessed in its totality to determine the Offeror’s past performance rating.” In response, the GAO pointed out that immediately following that sentence the solicitation established that the Army may consider the specific functional areas previously performed by an offeror and its subcontractor(s), the specific functional areas an offeror and its subcontractor(s) were proposed to perform, and the offeror and its subcontractor(s)’ overall percentage of participation for the requirement. Reading the solicitation in its entirety and in a manner that gives effect to all its provisions, as the GAO does in such cases, the GAO found nothing objectionable about the agency’s consideration of the anticipated division of work between Red River and TLC in its past performance evaluation.

While the facts and arguments in this matter may have presented a much closer case (we’ll likely never know), the decision casts Red River as a protester that got tripped up by a proposal that did not say what the proposal needed to say to support its protest arguments. In order to avoid similar problems, offerors should carefully review solicitation requirements, conduct an honest self-evaluation of their (and their team’s) strengths and weaknesses, and, to the extent possible tailor their proposals to address any weaknesses or gaps they find. That way, even if the agency makes what you consider to be a bad award decision, you’ll have more ammunition to fight it.