Last April, we wrote about proposed changes to Department of Defense ("DoD") reporting requirements for independent research and development ("IR&D"), raising concerns about how the proposed change would tie recoverability of IR&D costs to new reporting and disclosure requirements. Recently, Defense Federal Acquisition Regulation Supplement ("DFARS") 231.205-18(c) was finalized, with changes. See 77 Fed. Reg. 4632 (Jan. 30, 2012). This final rule is a mixed bag that got some things right, but also leaves some of the most serious issues unresolved.
First – three things that DoD got right.
- Elimination of the $50,000 Threshold. The proposed rule required IR&D reports from all major contractors generating more than $50,000 annually in IR&D costs. However, the regulations define "major contractors" as contractors whose covered segments are allocated more than $11,000,000 in total IR&D costs during the preceding fiscal year. The two different dollar thresholds created confusion as to who should be reporting and what projects should be included in these reports. The final rule removed the redundant $50,000 threshold, clarifying that all "major contractors" with more than $11,000,000 in allocable IR&D costs must submit reports on all of their IR&D projects, regardless of the dollar value of a specific project. Other non-major contractors, the final rule noted, are welcome to submit reports voluntarily.
- Clarification Regarding Classified IR&D Projects. The proposed rule would have established a broad-ranging disclosure requirement for all IR&D projects, without regard to whether a project was classified. The final rule clarified that only unclassified projects should be submitted through the DoD's Defense Technical Information Center ("DTIC") website (www.dtic.mil/ird/dticdb/index.html).
- Reiterating that Submissions Will Be Protected as Proprietary. The proposed rule required general descriptions of IR&D projects, with no guidance on what should be submitted and no assurances of how the information would be handled within the government. The final rule made clear that information reported through the DTIC website would be considered proprietary under the Freedom of Information Act ("FOIA"), 5 U.S.C. § 552(b)(4), and that it would not be subject to public disclosure. Furthermore, DoD clarified that companies are in control of the level of specificity to be included in the reports.
But – there are at least three things that DoD simply failed to address in any meaningful manner:
- Adequacy of Controls at the DTIC Website? The American Bar Association, Section of Public Contract Law, pointed out that the security of the DTIC website was questionable, to which DoD merely assured that "adequate controls are in place" and that "sufficient measures are being employed." We were hoping for more than an assertion of "adequate assurances." It does a company no good to have its data treated as proprietary under FOIA, where the underlying data source remains at risk.
- Role of DCAA in Auditing and Evaluating Reports? The final rule acknowledged concerns over tying the allowability of IR&D costs (audited by the Defense Contract Audit Agency ("DCAA")) to the submission of these technical reports, but DoD addressed these concerns only obliquely. While the final rule states that contracting personnel will retain authority to determine whether IR&D projects are "of potential interest" to the DoD, it also reinforces the fact that collaboration between the technical team and audit team must take place. "[W]hen specialized expertise is required, contracting officers are expected to consult with auditors and other individuals with specialized experience, as necessary, to ensure a full understanding of issues." This perplexing statement only serves to raise additional questions: When will expertise be required? When will consultation be necessary? What issues will auditors and experts help to resolve? And why are cost auditors involved in an evaluation of a technical project in the first place?
- What Information Will Be Required in These Reports? The final rule states that companies are in control of the level of specificity to be included in the reports, including the types of proprietary information to be included. In fact, the instructions prepared by DTIC for submitting the IR&D reports identify the information to be entered in the various data fields (project title, project number, status/readiness level, anticipated expenditures, targeted DoD organization, etc.), calling for "a 1-2 sentence summary" of the IR&D project and a brief project description, not to exceed 10,000 alpha numeric characters (about three typed pages). While we appreciate that DoD hopes to limit the overall reporting requirement (a reporting requirement that the proposed rule estimated would take only 30 minutes for each report), we wonder whether DCAA auditors will insist on "more" information when evaluating the quality of the IR&D reports, especially given that DCAA has a long history of over-reaching and of invasive audit demands into areas in which they have no functional expertise. Somehow, we doubt that DCAA will be willing to show much restraint.
Whether requiring these reports is a good idea is now a moot point – the rule is final and all major contractors are required to report so that the DoD can regain greater visibility into IR&D funding and better evaluate whether the funded projects have a discernible technological purpose that benefits DoD. But, beyond the increased audit scrutiny, we think that this new reporting requirement reflects a continuing shift in DoD's overall policy approach to IR&D, with DoD hungry for more rights and more visibility into research and development projects that, by regulation, must remain independent. Given the high value that is inevitably associated with this incessant search for more, we are quite sure that companies would rest easier if their concerns were actually addressed in the final rule in a substantive manner.