As the Government Contract community may recall, the first phase of SAM.gov modernization by U.S. General Services Administration (“GSA”) began in 2012 with the integration of the databases Central Contractor Registration (“CCR”) Online Representations and Certifications Application (“ORCA”)  and the Excluded Parties List System (“EPLS”) into SAM.gov.  Next, GSA created beta.SAM.gov as a space to move other procurement systems as part of GSA’s Electronic Government (“eGov”) initiative.  This month, GSA will integrate the two systems, SAM.gov and beta.SAM.gov, to create a single award system of databases allowing for full contract award cradle-to-grave tracking.

On May 24, 2021, it will be just SAM.gov with all databases and functions now at one site. This means instead of going to beta.SAM.gov to view contract opportunities (formerly fbo.gov) or to download the latest regional U.S. Department of Labor Wage Determinations (formerly wdol.gov), contractors can now just go to SAM.gov to find all the requisite systems combined into one site.  Next week, SAM.gov will host all beta.SAM.gov systems as well as exclusions and registrations systems formerly found only at the SAM.gov URL.  These systems will be available from the homepage of the newly retooled SAM.gov site.  What’s more, the contractor DUNS and newly assigned SAM Unique Entity Identified (“UEI”) will be displayed together in the Entity Workspace until the phasing out of the DUNS number in April 2022.

GSA’s goal is to streamline the online award process by providing users with a one-stop site hosting the requisite procurement systems.  This consolidation will allow for ease of data input and statistical research and extraction of the data.  Ease of use is the goal with this integration of legacy platforms for accessibility across multiple mobile devices from laptops to mobile phones.  Certain systems will require second-level login such as public entity registrations and Disaster Response Registry sites.

What remains unchanged: Contract Opportunities (e.g., Solicitations, Notices), DOL WDs, Assistance Listings, Federal hierarchy,  and Contract Data Reports.  Federal users still need to enter the same information for registration or renewals. All user accounts and roles will migrate to SAM.gov.  As part of the American Rescue Plan Act of 2021, entry registrations in SAM.gov with expiration dates ranging from April 1, 2021, to September 30, 2021, will be extended by 180 days past the current registration date. No action is required by contractors to take advantage of this extension.

Finally, some Federal roles will have changes.  For instance, in the new SAM.gov, there will be a “FOUO Entity Management Data Viewer” role created for federal users needing access to an entity’s FOUO data on its registration. The federal user will need to request this role.  Also, federal users in the role of “Data Extracts User” will now need to get a system account and must have this designated role assigned by the agency administrator.  And, the former role of “Agency Hierarchy Maintainer” will be eliminated in SAM.gov as a separate role.  Most federal administrative and management roles, however, remain unchanged.  Roles can be requested through the new SAM.gov website.  

We provide a full range of legal services for government contractors currently performing government contracts or considering bidding on published solicitations.  Call or visit our website to schedule your complimentary consultation with our legal team today.

First, it serves the purpose of contributing to transparency of the federal procurement process by allowing the public to challenge the actions of government procurement officials. Through use of private “attorneys general,” unsuccessful offerors can complain about the government’s failure to comply with federal laws. Allowing the public sector to provide this check on the government’s compliance with acquisition laws and regulations provides additional oversight to compliment that provided through government internal agency audits and reviews, inspections, or inspectors general investigations.

Second, it protects the integrity of the government’s procurement system by allowing and even encouraging the public sector to challenge procurement officials’ actions by going directly to the Agency, the Government Accountability Office (GAO), and / or the U.S. Court of Federal Claims (COFC). While the interested party challenging the procurement act may primarily be seeking a personal remedy, bringing the acquisition under the review of a neutral, third-party decision-maker, who will render a publicized decision, acts as an additional incentive for contracting officials to make awards based only on proper criteria.

Third, challenging government contract awards increases competition by giving potential offerors a sense the process, while sometimes flawed, strives to be fair and open to all eligible competitors without preferential treatment. The more questionable procurement decisions are challenged and, if improper, made to be corrected, the more likely businesses will continue to invest time and money preparing offers and participating in competitions viewed as legitimate and fairly conducted.

The other source selection technique available under FAR Part 15 is one where the government is willing to trade price for a better or higher technical solution offered by industry.  This is typically the best procurement approach when the requirement is not well defined or is highly complex.  The government recognizes no amount of market research or organic expertise in the agency is a substitute for the subject-matter expertise of industry.  In addition, a source’s past performance or recognized experience also is a key nonprice factor for evaluation as to whether the government should pay a price premium for a proposed solution that meets or exceed minimum needs.  This is typically the procurement method used when the requirement is a nondevelopmental or developmental need.  The government’s work statement, whether a performance work statement (PWS) for a service or a statement of work (SOW) for an item of supply or construction project, might be sufficiently detailed in the method or outcome / end result, but the government seeks added benefits by encouraging offerors to propose additional aspects or a more technical or innovative solution for which a higher price may be justified.  And altough the PCO selects the procurement approach, in this acquisition the end user also has an interest in using a tradeoff source selection as it is agreeable to paying a higher price for the value achieved through a higher technical solution.  With this procurement method, there is an expectation the PCO will select the most highly rated offers for inclusion in a competitive range so the government can negotiate (e.g., have one-on-one discussions) with offerors leading to revised proposals from which the government can select the offer representing the best value in technical approach for the price paid.

Arguments for and against using LPTA.  

     Generally, negotiated procurements under FAR Part 15 have a longer procurement timeline and involve more government resources than those under FAR Parts 13 (Simplified Acquisition Procedures) or 14 (Sealed Bidding).  Depending upon the estimated value of the procurement, acquisition planning can begin a year or more in advance as the PCO may use market research conducted as much as 18 months prior to award.  If the need is “well-defined,” such as one that is repeatedly procured on a cyclic basis, is a commercial item, is not highly complex or offering increased risk based upon a number of performance unknowns, the technical quality or aspects of the proposal should not require extensive, subjective evaluation.  As such, it is highly likely the government has sufficient organic resources to evaluate the technical proposals using easily understood and applied objective evaluation criteria.  Moreover, based upon the requirement, once it is determined to meet the minimum needs of the government, the award can be made quickly because best value is expected to be achieved by selecting the lowest price, found to be fair and reasonable.

     A negative aspect of the LPTA procurement method is that where a solution is offered that exceeds the government’s minimum needs and it would be worth a higher price premium, the government cannot select it.  Otherwise, it would have to articulate a reasonable basis for cancelling the solicitation and re-soliciting using a different source selection technique, here, tradeoff.  This could subject the government to protest by offerors, which would result in a lengthened procurement timeline and a longer wait for the end user.  Another undesirable aspect of LPTA is the negative connotation associated with this process when it is referred to as a “lowest bid” contracting process. In this case, there is the assumption that technical considerations do not come into play in awarding the contract.  This is not accurate but is likely the result of hasty or careless LPTA procurements where the lowest priced offer was selected only to result in performance or other quality issues during contract administration.

Examples of when it might or might not be appropriate to use the LPTA approach.

     If the requirement is for a service that is needed annually or on some cyclic basis and it is a commercial item with well-defined, industry standards of performance, LPTA is an appropriate procurement approach saving both the government and offeror time and resources.  For instance, federal military installations need contracted janitorial and custodial services for its dining facilities because military cooks cannot perform such tasks.  There are industry-recognized uniform standards and government-generated performance metrics set forth in recognized and accepted technical resources.  A source selection evaluation board can use clear evaluation worksheets to record its technical review of proposals against clear technical specifications set forth in the PWS and any solicitation attachments provided by the requiring activity (the government experts for this need).  Once the proposal is evaluated against the minimum requirements set forth in the solicitation and found to be acceptable, and the past performance is found to be recent, relevant, and satisfactory for past efforts of a similar type, there is no need in paying more because innovation or a higher technical solution is not necessary to meet the government’s need for cleaning the dining facility daily.

Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019), mandates a defense contractor’s (and its subcontractor’s) IT system provide “adequate security” when it processes, stores, or transmits covered defense information (CDI) in performance of a defense contract.  CDI is defined and distinguished by an extensive list of categories available at https://www.archives.gov/cui/registry/category-list.  The DoD must mark or identify in the contract any CDI provided to the contractor.  Compliance with the clause, which is not applicable in contracts for commercial-off-the-shelf purchases, requires implementation of security requirements for protection of CUI under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 current at the time of the solicitation.  The NIST lists 110 IT security controls many defense contractors find difficult to attain despite the mandate.  Primes must flow down this clause to its subcontractors if performance will involve CDI.  Further, DFARS 252.204-7008 provides a contractor’s submission of an offer serves as its representation of compliance with DFARS 252.204-7012 (and the NIST).  Currently, the DoD does not monitor a contractor’s compliance with the clause; rather, contractors self-regulate compliance with the clause and the NIST’s 110 controls.  This will all change very soon.

In an effort to strengthen and provide basic, uniform safeguard standards for government CUI and FCI (the latter as specified in FAR 52.204-21) in the hands of defense contractors while prompting improvements to their IT systems’ cybersecurity, DoD developed the Cybersecurity Maturity Model Certification (CMMC) program.  Collaboratively created by stakeholders consisting of the DoD and the Defense Industrial Base (DIB), among others, the CMMC is aimed at building upon the existing cybersecurity mandates in DFARS 252.204-7012 and NIST SP 800-171 rev. 2, while combining the 15 less restrictive requirements in FAR 52.204-21.  Simply put, the “CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to its subcontracts in a multi-tier supply chain.”  Last month, DoD released CMMC Version 1.02, which sets forth its framework for five certification levels of cybersecurity health to protect FCI and CUI.  The certification verifies a contractor has implemented appropriate processes and practices commensurate with the requisite cybersecurity maturity level.  The five-level maturity certifications rate a contractor’s existing cyber hygiene program to reduce risk of certain diverse cyber threats and attacks against a contractor’s IT system vulnerabilities.  Each higher level is cumulative such that the contractor must demonstrate the requisite processes and practices for a specified CMMC level and the preceding lower levels to support its current certification level.

The CMMC model consists of 17 security-related “domains,” such as system “access control,” “risk management,” or “physical protection.”  Each domain consists of certain processes and capabilities that span the five certification levels.  In total, there are 43 capabilities associated with the 17 domains, and a total of 171 practices (i.e., controls) also span across the five certification levels.  For instance, Level 1 certification is achieved when a contractor’s IT system demonstrates basic cyber hygiene by meeting 17 practices.  It serves to satisfy all the safeguarding requirements in FAR 52.204-21 for FCI.  Most federal subcontractors will need at least a Level 1 certification to perform a government contract and protect FCI.  If the DoD contract involves CUI, however, the contractor, and possibly its subcontractor, will need to be certified at CMMC Level 3.  This certification level demonstrates “Good Cyber Hygiene” through implementation of 130 cybersecurity practices including all controls in NIST SP 800-171, revision 1, plus 20 more good cyber hygiene practices.  Level 2 merely serves as a transition step between levels 1 and 3, but for certification at levels 4 (Proactive) and 5 (Advanced / Progressive), the prime contractor and subcontractor must demonstrate protection of CUI and practices that reduce risk of Advanced Persistent Threats.  Certification at these levels will require the contractor’s IT system implement from 156 to 171 cybersecurity practices.

A third-party nonprofit selected by the DoD will serve as the accreditation body that develops the standards for assessing a contractor’s certification.  Certification actually will be bestowed by assessors from “Certified Third-Party Assessment Organizations” or C3PAOs approved by the CMMC accreditation body. These assessors will evaluate a contractor’s IT system and provide the certification level, which will be valid for three years.  Certification will be prospective and not retroactive for current contracts.  In June 2020, the DoD plans to issue requests for information for its first contracts requiring contractors meet CMMC certification by award.  In September 2020, the DoD hopes to publish requests for proposal (RFPs) for these contracts.

It remains to be seen how DoD’s CMMC process will evolve over time from these initial RFPs and awards.  What is certain is more information is required on how DoD will implement and administer the CMMC Program, how contractors will be assessed for initial certification, and how this will be integrated in the procurement process from formation to administration.  Defense contractors would be wise to review internal cybersecurity system protocols now against the requirements of FAR 52.204-21, DFARS 252.204-7012, the current NIST SP 800-171, and the proposed CMMC certification levels and to determine what is required to achieve the minimum CMMC level to remain competitive for DoD procurement opportunities in the future.  For more information on the DoD CMMC see https://www.acq.osd.mil/cmmc/draft.html.

]]> https://polarislawgroupak.com/department-of-defense-class-deviation-dars-2020-o0013-implementing-cares-act-section-3610-federal-contractor-authority/ Fri, 10 Apr 2020 21:22:51 +0000 http://polarislawgroupak.com/?p=1106 As predicted, on April 8, 2020, the DOD issued a class deviation with implementing instructions to contracting officers regarding section 3610 of the CARES Act.  Section 3610 allows appropriated funds to be used to modify the terms and conditions of existing contracts to reimburse contractors for allowable costs incurred keeping its work force in a “ready state” despite COVID-19 restrictions due to work site closures, personnel quarantines, and state and/or local movement restrictions.  Specifically, Sec. 3610 allows a contractor to request reimbursement “at the minimum applicable contract billing rates not to exceed an average of 40 hours per week” for costs incurred from January 31, 2020, through September 30, 2020, for paid annual and sick leave provided to its employees or its subcontractors to keep them mission-ready and protect the life and safety of government and contract employees due to the COVID-19 public health emergency.

The deviation from certain subparts of FAR Part 31 and DFARS Part 231 mandates use of the prescription at “DFARS 231.205-79 CARES Act Section 3610 – Implementation,” which sets forth a cost principle allowing reimbursement of special leave expenses incurred only as a result of COVID-19. These allowable cost can be treated as indirect costs to multiple costs objectives or, as appropriate, direct costs chargeable to the contract as the only cost objective.  Costs incurred for paid leave not related to COVID-19 remain subject to the applicable cost principles of FAR Part 31 and DFARS Part 231.  Contractors seeking this relief must ensure records property segregate and identify these costs to provide a “sufficient audit trail” and adequate support for the request.  Further, a contractor must be careful to disclose any other relief obtained under any other part of the CARES Act, the Families First Coronavirus Response Act, or any other law “specifically identifiable with the public health emergency declared on January 31, 2020 for COVID-19.”  As such, the contract payment will be reduced by any amount the contractor “is eligible to receive” under any other remedy available under laws related to the COVID-19 public health emergency. 

For more information, see https://www.acq.osd.mil/dpap/policy/policyvault/Class_Deviation_2020-O0013.pdf

For other DOD Deviations related to COVID-19, see https://www.acq.osd.mil/dpap/dars/class_deviations.html