Debriefings provide disappointed offerors an invaluable opportunity to hear from agencies directly as to why contract award decisions came out the way they did. Debriefings can also extend the deadlines to file a timely protest in the Government Accountability Office and to file a protest entitled to an automatic stay of the awarded contract’s performance under the Competition in Contracting Act. But debriefings are not without their traps for the unwary. The Federal Acquisition Regulation sets forth specific rules as to when and how a debriefing must be requested, as well as when and how the aforementioned deadline extensions are triggered. These rules continue to evolve, with the National Defense Authorization Act for Fiscal Year 2018 representing a significant example of recent changes to the debriefing process. Failure to abide by the regulatory scheme governing debriefings could mean not only losing the right to be debriefed but forfeiting rights to protest and obtain an automatic stay of performance.
Continue Reading So Your Proposal Lost – Now What? Understanding Debriefings

In response to widespread interest in allowing more small business participation in opportunities involving cloud computing, the Small Business Administration (“SBA”) has decided to exclude cloud computing from the limitation
Continue Reading Small Business Subcontracting for Cloud Computing Gets Easier

The United States District Court for the Eastern District of Pennsylvania recently issued a decision unsealing a False Claims Act case over the objections of the government, the relator and the defendant.[1] In United States ex rel. Brasher v. Pentec Health, Inc., No. 13-05745, 2018 WL 5003474 (E.D. Pa. Oct. 16, 2018), a case initially filed five years ago, the government filed a motion to continue the seal – which happened to be its eleventh such motion – arguing that additional time was necessary, in part, to finalize its decision whether to intervene in the action, as well as to pursue settlement options. The Court disagreed.
Continue Reading District Court Determines that the Eleventh Time is NOT the Charm

On June 12, 2018, the Department of Defense (“DoD”), the General Services Administration, and NASA proposed a new rule that would limit the “adequate price competition” exception to certified cost or pricing data requirements on all DoD, NASA, and Coast Guard procurements. Currently, FAR 15.403-1 prohibits contracting officers from requiring contractors to submit certified cost or pricing data to support a contract action when the contracting officer determines that the prices agreed upon are based on “adequate price competition,” which the regulation defines in one of three ways:
Continue Reading Proposed Rule Would Create a Separate, More Restrictive Standard for “Adequate Price Competition” for the DoD, NASA, and the Coast Guard

After nearly four years of planning and comments, DoD, GSA, and NASA issued a final rule today amending the Federal Acquisition Regulation (“FAR”) with a new Subpart 4.19 and a new contract clause 52.204-21 addressing the basic safeguarding of contractor information systems. Applicable to all acquisitions, including commercial items other than commercial off-the-shelf items (“COTS”), the Final Rule applies to any contractor information system that may contain “Federal contract information,” meaning “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” See FAR 4.1901. The term expressly excludes information provided by the Government to the public (e.g., on public-facing web sites) or simple transactional information, “such as that necessary to process payments.”
Continue Reading It’s Arrived! FAR Final Rule Addressing “Basic Safeguarding of Contractor Information Systems”

“If our country is to successfully defend our right to live the American way, it needs every one of you, and requires you in the best possible condition. Any [company] who willfully, or through neglect fails to maintain [their systems] in this condition is a ‘shirker’ who is throwing an extra burden on his comrades by requiring them to do his work as well as their own.”

It’s kind of apropos how easily you can adapt this introduction to a 1940s War Department venereal disease training film into a lesson addressing the 21st Century problems of cyberattacks and malware. After all, certain computer attacks are called “viruses” for a reason, businesses often find themselves in a virtual “war” with hackers and nation states on digital shores all around the world, and, perhaps most telling, the sordid details of both are things we really don’t like to discuss in “open and polite society.” (I’ll stop there so as not to offend, but the list can go on.) So it comes as no surprise that it is the Department of Defense that is pulling back the curtain to openly address cyber-hygiene and, with the recent update and “open release” of the DoD Cybersecurity Discipline Implementation Plan, providing federal contractors and commercial companies alike with insight on the computer security prophylactics the Department is directing its units to use.
Continue Reading DoD Reveals its Cybersecurity Discipline Implementation Plan (or How 1940s War Department VD Training Can Help Your 21st Century Cyber Hygiene)

In response to industry concerns and comments, on December 30, 2015, the Department of Defense issued a new interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules promulgated in August. Specifically focusing on provision 252.204–7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, under this second interim rule contractors have until December 31, 2017 to implement the security control requirements specified by National Institute of Standards and Technology Special Publication 800-171 (SP 800-171). As the prior interim rule had no grace period for implementing the new cybersecurity controls, this is a fortunate change for DoD contractors. This welcome extension, however, is not without conditions. Contractors, in line with the notification outlined in DoD’s class deviation addressing “multifactor authentication for local and network access,” now have 30 days to inform the DoD Chief Information Officer (CIO) if any of the SP 800–171 security requirements are not implemented at the time of contract award. Absent that notice, DoD will presume contractors are meeting all of the NIST-established controls. As the new interim rule describes, this 30-day period will allow DoD the opportunity to monitor progress across its government contractors to identify and address any problems with the implementation of the NIST security controls.
Continue Reading Department of Defense Provides Government Contractors a Grace Period for Compliance with Key Cybersecurity Requirements