Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters MORE

You might think that this could go without saying, but apparently it can’t: If you want to succeed in your dealings with the federal government, you need to timely provide information required by law, particularly when government personnel specifically ask you for it. The recent decision of the SBA’s Office of Hearings and Appeals in CVE Appeal of: David Han d/b/a Coresivity, SBA No. CVE-140, 2019 (S.B.A.), 2019 WL 5681310 provides a stark reminder that this guidance is especially true in the context of maintaining eligibility as a service-disabled, veteran-owned small business (SDVOSB) under the Veterans Small Business Regulations after changes to company’s ownership and structure.

On September 19, 2018, the U.S. Department of Veterans Affairs (VA) Center for Verification and Evaluation (CVE) verified Appellant, David Han d/b/a Coresivity, as an SDVOSB and included it in the Vendor Information Pages (VIP) database. At the time, Appellant was a sole proprietorship 100% owned by Mr. David R. Han, a service-disabled veteran. Nine months later, on June 18, 2019, Appellant notified CVE of changes in its legal structure, ownership structure, and business name. Appellant had been reorganized as an LLC and changed its name to “Coresivity LLC.” In addition, two non-veterans, Ms. Yoon K. Chung and Mr. Ryan T. Kim, had acquired ownership interests in—and become members of–the LLC. When CVE requested additional information and documentation pertaining to these changes, Appellant withdrew its change request from review.

But the proverbial cat was already out of the bag.

Within a month, CVE issued a Notice of Proposed Cancellation (NOPC), informing Appellant that CVE proposed to cancel Appellant’s verified status as an SDVOSB and allowing Appellant 30 days to respond with evidence that might cause CVE to retract the proposed cancellation. The NOPC explained that CVE needed specific information to ascertain whether Appellant remained an eligible SDVOSB, including (i) a detailed letter of explanation identifying all changes to Appellant since September 19, 2018; (ii) current resumes identifying the roles and responsibilities for each of Appellant’s apparent owners; (iii) a letter of explanation identifying the extent of the involvement of the non-veteran owners; (iv) a current signature card authenticated by the Appellant’s financial institution, identifying all authorized signatories on the Appellant’s business bank account; and (v) all applicable technical licenses and certifications for Appellant or a signed and dated detailed letter of explanation specifying that the Appellant currently has no certifications and the applicable reasons.

CVE went on to make clear that, without such information, it could not determine whether Appellant was still eligible as a SDVOSB, whether the veteran owner, Mr. Han, had maintained the required ownership, management, and control of Appellant, or whether business relationships exist with non-veterans that might prevent Mr. Han from exercising independent business judgment without great economic risk. In its communication with Appellant, CVE also noted that Appellant apparently had not registered under its new name and structure in the System for Award Management (SAM) and, therefore, was not compliant with 38 C.F.R. § 74.2(f).

Despite this, Appellant responded to the NOPC by simply submitting a letter asserting that Mr. Han had changed Appellant’s legal structure from a sole proprietorship to an LLC and later to a corporation. The response stated that Mr. Han owns 51% of Appellant and “make[s] the majority of all decisions,” Ms. Chung is Appellant’s Chief Operations Officer and owns 39% of Appellant and Mr. Kim owns 10% of Appellant and is “not involved in the day-to-day operations or management” of the company. Appellant’s response also provided a copy of its July 10, 2019 articles of incorporation for “Coresivity Inc.”, as well as an updated resume for Mr. Han and a resume for Ms. Chung. Appellant did not, however, submit a resume for Mr. Kim. Nor did it address the issue of Appellant’s SAM registration.

On September 5, 2019, CVE issued a Notice of Verified Status Cancellation (NOVSC) finding that Appellant’s response to the NOPC was “not adequate to justify overturning all of the findings listed in the NOPC” and formally cancelling Appellant’s status as a verified SDVOSB. In addition to detailing the reasons that prevented CVE from being able to determine whether Appellant still met the SDVOSB requirements, the NOVSC also noted that the SAM still did not contain any record for Coresivity, LLC or Coresivity, Inc.—so Appellant was still not compliant with 38 C.F.R. § 74.2(f).

Appellant immediately appealed the decision to the U.S. Small Business Administration Office of Hearings and Appeals (OHA), arguing that the cancellation was clearly erroneous and requesting that the OHA reverse the CVE’s decision. Appellant acknowledged that it did not previously provide CVE the resume of Mr. Kim, but offered that resume as an attachment to its appeal. Appellant did not allege any specific errors in CVE’s decision.

Not surprisingly, the OHA denied the appeal.

OHA’s decision first notes that VA regulations make clear that CVE may remove a concern from the VIP database if the concern “[f]ail[s] to make required submissions or responses to CVE or its agents, including a failure to make available … information requested by CVE … within 30 days of the date of request.” 38 C.F.R. § 74.21(d)(5). After explaining that Appellant bears the burden of proving, by a preponderance of the evidence, that the cancellation was based upon clear error of fact or law, 13 C.F.R. § 134.1111, the OHA found no basis to conclude that CVE improperly removed Appellant from the VIP database because Appellant clearly did not comply with CVE’s request for information. CVE’s removal of Appellant from the VIP database was undisturbed.

It’s difficult to know for sure whether Mr. Han and his partners could have structured their changed entity in a way that would maintain its SDVOSB eligibility. But there is no doubt that considering the requirements and how to meet them before making changes to the entity’s organization or operations–and taking the proper steps to document and record any changes made –would have been helpful. At the very least, it could have helped prepare the Appellant for providing effective answers to the CVE’s questions. And (it should also go without saying) developing effective answers is a prerequisite to being able to timely respond to government inquiries.

Supply chain risks are on the rise. Protecting the supply chain is a critical aspect of our national security, health and public safety. Whether parts are electronic or not, if they aren’t what they are represented to be, don’t do what they are supposed to do, or do things that they’re not supposed to do, then they pose real, tangible risks to our national security, health and safety. Unfortunately, it may be difficult to determine whether a part or supply is counterfeit or simply nonconforming. Even if it is nonconforming, if it is a critical or major nonconformance, it may raise the risk of catastrophic failure when used.

Contractors and the Department of Defense (DoD) struggle with how to best address counterfeit and nonconforming parts – to ferret them out of the supply chain and to obtain timely notice when such a part is identified in the supply chain by others. Numerous laws and regulations have been issued to try to address the situation. For example, DoD rules provide authority to eliminate contractors and their suppliers from contracts if they are determined to pose a risk to the supply chain. Other government-wide Federal Acquisition Regulation (FAR) rules prohibit specific equipment and services from being used or delivered under government contracts because they have been deemed to pose a national security risk. And still other DoD or government-wide rules require contractors to certify the conformity of their supplies, report actual or suspected counterfeits and nonconformities when found, require procurement of electronic items from the original equipment manufacturer or authorized reseller, or use a counterfeit electronic part detection and avoidance systems.

On November 22, 2019, the FAR Council issued a government-wide final rule on the Reporting of Nonconforming Items to the Government-Industry Data Exchange Program (GIDEP) to try to address some of these concerns. In the past, GIDEP has provided the Government and DoD contractors the opportunity to report on, and to find out about, identified actual or potential supply chain risks. This final rule expands the scope of GIDEP screening and reporting to contractors and subcontractors involved in contracts at DoD and other agencies across the Federal Government.

The final rule requires contractors to screen GIDEP as part of their inspection system or program to control quality, and to avoid the use and delivery of actual or suspect counterfeit items or major or critical nonconforming items to the Government. The final rule also requires contractors to report on actual or suspect counterfeit parts or parts with critical or major nonconformances to their Contracting Officer, as well as the GIDEP. Contractors must now submit a report within 60 days “of becoming aware or having reason to suspect, such as through inspection, testing, record review, or notification from another source (e.g., seller, customer, third party) that an item purchased by the contractor for delivery to, or for, the Government is ‘counterfeit or suspect counterfeit item’ or ‘a common item that has a major or critical nonconformance’.”

The definitions of those now reportable matters under the final rule include:

  • “Counterfeit item” is defined as “an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified item from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used items represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.”
  • “Suspect counterfeit item” is defined as “an item for which credible evidence (including but not limited to, visual inspection or testing) provides reasonable doubt that the item is authentic.”
  • “Nonconforming item” for purposes of the final rule includes (i) “[a]ny items that are subject to higher-level quality standards in accordance with the clause at 52.246-11, Higher-Level Contract Quality Requirement”; (ii) “[a]ny items that the contracting officer, in consultation with the requiring activity determines to be critical items for which use of the clause is appropriate”; or (iii) “electronic parts or end items, components, parts, or materials containing electronic parts, whether or not covered [by (i) or (ii)] …” under a DoD prime or subcontract, where the acquisition is above the simplified acquisition threshold (SAT).
  • “Critical item” is defined as “an item, the failure of which is likely to result in hazardous or unsafe conditions for individuals using, maintaining, or depending upon the item; or is likely to prevent performance of a vital agency mission.”
  • “Critical nonconformance” is defined as “a nonconformance that is likely to result in hazardous or unsafe conditions for individuals using, maintaining, or depending upon the supplies or services; or is likely to prevent performance of a vital agency mission.”
  • “Major nonconformance” is defined as “a nonconformance, other than critical, that is likely to result in failure of the supplies or services, or to materially reduce the usability of the supplies or services for their intended purpose.”

The rule carves out exemptions from reporting for the following types of situations: 1) acquisition of medical devices that are subject to U.S. Food and Drug Administration reporting requirements; 2) where disclosure would impact an ongoing criminal investigation, 2) where the incident arises under a FAR part 12 commercial item contract or subcontract for commercial items, 3) where the contract or subcontract is valued below the Simplified Acquisition Threshold (SAT). What is potentially confusing about the final rule is that it still requires DoD contractors and their supply chain to report on counterfeit or suspect counterfeit electronic parts for DoD contracts and subcontracts, including commercial items, while for non-DoD agencies it “focuses on supplies that require higher-level quality standards or are determined to be critical items.”

The rulemaking on the final rule confirms that there is a limited safe harbor available for DoD contractors and subcontractors that report to GIDEP where they have “made a reasonable effort” to determine that they have an actual or suspect counterfeit part. However, the final rule does not expand that safe harbor to non-DoD contracts or reporting on major or critical nonconforming parts.

Note too that the regulatory history of the final rule indicates that a contractor’s report to GIDEP on an actual or suspected counterfeit also may be considered “credible evidence” of fraud under the FAR Mandatory Disclosure Rule and trigger a duty on the contractor to report to the Inspector General as well as the Contracting Officer under the Mandatory Disclosure Rule.

In addition to the above, the final GIDEP reporting rule does not address a number of issues that continue to plague both the Government and contractors, including such important issues as:

  • The rule does not require reporting of foreign corporations or entities that do not have an office, place of business, or paying agent in the United States. As counterfeits may come through a variety of ways into the supply chain – notably through foreign acquisitions – this carve out omits a key component of the supply chain community.
  • The rule requires the contractor to retain the part in question until provided disposition instructions by the Contracting Officer. This may raise issues of chain of custody, costs of retention, and protection of the integrity of the part. It also raises questions of what the contractor is to do under the contract to perform its obligations in the wake of its reporting.
  • The reporting obligations may provide a road map to critical or key government contractors and suppliers of covered parts for bad actors to track and trace. How to secure the supply chain and provide notice is a key issue for contractors and the Government.

This final rule is another step in securing the Government-Industry supply chain. Contractors should be taking steps to assess their requirements and to institute procedures to address these reporting requirements in a timely and secure fashion. Further, in addition to reporting on such items, contractors should be considering whether and to what extent their contract’s costs, schedule or method of performance are being impacted, and whether these increased costs and changes can be compensated.

Lovers of consistency, rejoice! After a few years of administering two separate, yet substantially similar mentor-protégé programs, the Small Business Administration (SBA) has proposed a rulemaking to consolidate the 8(a) Business Development (BD) Mentor-Protégé Program and the All Small Mentor-Protégé Program. On November 8, 2019, SBA published the Consolidation of Mentor Protégé Programs and Other Government Contracting Amendments in the Federal Register. 84 FR 60846.

Most notably, SBA’s proposed rulemaking amends numerous rules to merge its mentor protégé programs. The 8(a) BD and All Small Mentor-Protégé Programs have the same purposes and offer similar benefits. Both are intended to allow approved mentors to enhance the capabilities of protégés by aiding the protégés in competing for government and commercial contracts. Protégés in both programs benefit from business development assistance. Further, joint ventures formed between a mentor and protégé are exempt from affiliation based on joint venturing, so that the joint venture should qualify for small business set-aside awards provided the protégé individually qualifies as small under the applicable size standard. With these big picture similarities in mind, SBA recognizes that navigating the various requirements of the current mentor protégé programs can be confusing and burdensome for both contractors and the Government.

The following highlights the noteworthy aspects of the proposed changes:

  • Eliminates the separate 8(a) BD Mentor-Protégé Program – The proposal revises the applicable rules to recognize that an 8(a) participant is just as any other small business, merging the 8(a) BD Mentor Protégé Program into the All Small Business Mentor-Protégé Program. Further, to effectuate this streamlining, SBA would eliminate the requirement that it must approve joint ventures in connection with sole source 8(a) awards, as it does not currently require prior approval of joint ventures in any other context.
  • Amends requirements for joint ventures – The current rule limits the scope and duration of joint ventures to no more than three contracts over a two year period. The revised rule would eliminate the three contract limit, allowing joint ventures to be awarded any number of contracts within two years from the date of its first contract award.
  • Considers limiting mentors based on annual revenue – SBA is considering whether to restrict the size of mentors to firms having average annual revenues of less than $100 million. While SBA is focused on advancing the business of the protégé, based on recommendations of “mid-size” firms, SBA is considering whether small businesses would be better served by having business development assistance from mentors that are size-limited in this way.
  • Ensures NAICS code of task order issued under a Multiple Award Contract (MAC) reflects order – Currently, if a MAC is assigned a NAICS code, that code flows down to each order under the MAC, even if, for example the underlying MAC’s NAICS code is for services, and the order is for supplies. Instead of merely allowing the flow down of NAICS codes from the MAC to the particular order, which can result in firms qualifying as small for a particular procurement where they shouldn’t, the proposed rule would require that the NAICS code for each task order accurately reflects the contract and order being awarded and performed.
  • Requires recertification of size and/or socioeconomic status for certain MACs – Other than for orders or Blanket Purchase Agreements issued under a Federal Supply Schedule (FSS) contract, SBA would require recertification of size status where there is an order placed under an unrestricted MAC set aside exclusively for small businesses. Further, the proposed rule requires recertification of socioeconomic status where the required status for an order differs from that of the underlying MAC.
  • Authorizes size and/or socioeconomic status protests for certain MACs – The proposed rule specifically authorizes size and/or socioeconomic eligibility protests relating to set-aside orders based on a different size and/or socioeconomic status from the underlying MAC. This change would allow protests where the set-aside is for small business and, if protesting size eligibility, the underlying MAC was awarded on an unrestricted basis. This rule allowing size and/or socioeconomic protests relating to orders would not apply to orders against Blanket Purchase Orders or Federal Supply Schedule contracts.

SBA is accepting comments on this proposed rulemaking received on or before January 17, 2020.

Previously we reported on the Department of Defense (‘DoD”) efforts to develop a Cybersecurity Maturity Model Certification (“CMMC”) program to verify the status of contractor cybersecurity and compliance. The CMMC program contemplates that third party auditors will be qualified and retained to review and certify contractors and suppliers at all tiers on their levels of compliance with the CMMC. It is anticipated that, as part of the CMMC roll out, cybersecurity requirements and evaluation criteria will be included in future procurements starting in the Fall of 2020. These CMMC certifications will be used to establish whether an entity meets the foundational level of cybersecurity required for a particular DoD procurement.

DoD still plans to issue the CMMC in final form by January 2020 and to identify third party certifiers to conduct the CMMC certifications for planned roll out of CMMC provisions in Fall 2020. DoD scheduled a CMMC Accreditation Body Kickoff meeting for interested organizations and/or individuals for November 19, following its issuance of an RFI for information on “how to define the long-term implementation, execution, sustainment and growth of the CMMC Accreditation Body.”

More than 2000 comments were submitted in response to the publication of the initial draft CMMC, Version 0.4. In lightning speed, the DoD has turned around the draft and issued the next version of the draft CMMC. Version 0.6 of the CMMC was issued on November 7, 2019. That new version of the draft CMMC covers 17 domains (Access Control, Asset Management, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, recovery, Risk Management, Security Assessment, Situational Awareness, System and Communications Protections System and Information Integrity) and addresses the processes and practices required for levels 1 through 3. DoD advises that it is still working through the comments relating to the higher level certification processes and practices for levels 4 and 5 and that it will issue a follow-on draft addressing those additional levels in the near future.

The latest revisions to the draft CMMC, Version 0.6, make clear that each security level builds on and includes the requirements contained in the lower security level. Thus, Level 1 includes an initial set of practices and processes and Level 2 includes these Level 1 processes and procedures as well as others. Level 2 is classified as a level to assist the contractor in preparing for its transition and compliance with Level 3 requirements, the level that contains the full set of security controls, practices and processes required by NIST SP 800-171, which has been the base standard for cyber security at DoD under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The draft also references prior statements that levels 4 and 5 will contain additional security controls in order to promote increased protection for critical DoD programs.

The draft CMMC does not, however, answer a number of key questions, including:

  • Will there be programs and contracts that will be subject to the limited level 1 standard? Or will this level be reserved for potential subcontractors that won’t develop or be required to have access to controlled unclassified information (CUI)?
  • Will level 2 be used for the issuance of prime contracts?
  • Will DoD require contractor certification as a foundational precondition to competing in a procurement, or will it allow a contractor to compete subject to successful certification by the start of performance?
  • Must a subcontractor be certified at the same level as that required of the prime contractor for a particular program? When does the subcontractor need to be certified?
  • Will DFARS 252.204-7008, 252.204-7009 and 252.204-7012 be modified or phased out when CMMC goes live?
  • Will there be a pilot period under which the DoD will ramp up its requirements and contractor CMMC certification?
  • How long will the process of obtaining a CMMC certification be?

There are many other questions that will need to be answered before CMMC is implemented. DoD has committed to engaging in formal rulemaking for the CMMC program. However, it has also said that it intends to move forward with an interim rule pending that process.

Given the direction and speed with which CMMC is heading our way, contractors should be looking at whether these draft CMMC processes and practices can be accomplished. Potential opportunities to comment on the draft and during the rulemaking should be considered. In addition, contractors should be taking steps now to prepare for CMMC, including examining what it will take for them to be certified and the level of readiness of their supply chains. Since the current rule indicates that NIST SP 800-171 will apply to levels 3, 4 and 5, and parts of it will apply to the lower levels, contractors might look at how they marry up with those requirements and what would be needed for them to address likely gaps in compliance. Contractors also should be thinking about what they will need from their suppliers and lower level subcontractors, and how they may be able to obtain the information needed to determine whether these supply chains will be able to meet these requirements.

Sound cybersecurity throughout the supply chain is the DoD’s goal. Stay tuned for the next round of CMMC and future rulemaking.