DoD Seeks Input on Implementation of NDAA FY 2018 in DFARS

A Department of Defense notice announces an early engagement opportunity regarding implementation of the National Defense Authorization Act for Fiscal Year 2018 (PL 115-91) within the Defense Federal Acquisition Regulation Supplement. The public is invited to submit early inputs on sections of the NDAA for FY 2018 via the Defense Acquisition Regulations System website at http://www.acq.osd.mil/dpap/dars/index.html. The website will be updated when early inputs will no longer be accepted. This venue does not replace or circumvent the rulemaking process. DoD will engage in formal rulemaking, in accordance with 41 USC 1303, when it determines that rulemaking is required to implement a section of the NDAA for FY 2018 within the DFARS. The text of the notice appears at 83 FR 9501.

DoD Seeks Comments on Removal of DFARS Contract Clauses

The Department of Defense is seeking input on Defense Federal Acquisition Regulation Supplement solicitation provisions and contract clauses that may be appropriate for repeal, replacement, or modification.

Executive Order 13777, Enforcing the Regulatory Reform Agenda, issued February 24, 2017, directed agencies to establish a regulatory reform task force. The task forces are instructed to evaluate existing regulations and “make recommendations to the agency head regarding their repeal, replacement, or modification.”

Further, the task forces are instructed to identify regulations that: eliminate jobs, or inhibit job creation; are outdated, unnecessary, or ineffective; impose costs that exceed benefits; or interfere with regulatory reform initiatives and policies.

Pursuant to section 3(e) of E.O. 13777, which calls on the task forces to “seek input and other assistance, as permitted by law, from entities significantly affected by [f]ederal regulations,” the DFARS Subgroup to the DoD Regulatory Reform Task Force is seeking public input on the DFARS Part 252 solicitation provisions and contract clauses.

DoD will not respond to each individual comment, but it may follow-up with respondents to clarify comments.

Submit comments referencing “DFARS-RRTF-2017-01” by August 21, 2017.

For the text of the notice, see 82 FR 28041.

DFARS Rule Clarifies Allowability of Costs Related to Counterfeit Electronic Parts

The Department of Defense has finalized its proposed rule addressing the allowability of costs of counterfeit electronic parts or suspect counterfeit electronic parts and the cost of rework or corrective action.

The final rule in DFARS Case 2016-D004 amends the Defense Federal Acquisition Regulation Supplement at DFARS 231.205-71 to provide that these costs may be allowable if the parts were obtained by the contractor/subcontractor in accordance with the clause at DFARS 252.246-7008, Sources of Electronic Parts.

More specifically, DFARS 231.205-71 now provides that the costs of counterfeit electronic parts and suspect parts, and the costs of rework or corrective action, are unallowable unless:

  • the contractor has a DoD-approved system (see DFARS 244.303(b)) to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts;
  • the parts are government-furnished property, as defined in FAR 45.101, or were obtained by the contractor in accordance with DFARS 252.246-7008;
  • the contractor becomes aware of the counterfeit parts through inspection, testing, and authentication efforts through a Government Industry Data Exchange Program alert, or by other means; and
  • the contractor provides timely notice to the cognizant contracting officer and GIDEP.

The proposed version of the rule did not include the notice requirement.

The effective date of the rule is August 30, 2016. For the text of the rule, see 81 FR 59510.

Rule Adds Requirements for Reporting Cyber Incidents, Cloud Services

The Department of Defense has issued an interim rule amending the Defense Federal Acquisition Regulation Supplement to add requirements for contractors to report network penetrations. The rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system, or on a contractor’s ability to provide operationally critical support. The rule is intended to streamline the reporting process for DoD contractors and to minimize duplicative reporting processes. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual (see DoD–M 5220.22).

The clause at DFARS 252.204–7012 is renamed ‘‘Safeguarding Covered Defense Information and Cyber Incident Reporting’’ and the scope of the clause is expanded to cover the safeguarding of covered defense information and require contractors to report cyber incidents involving this new class of information as well as any cyber incident that may affect the ability to provide operationally critical support. The rule also adds a new provision at DFARS 252.204–7008, “Compliance with Safeguarding Covered Defense Information Controls,” to ensure that offerors are aware of the requirements of clause DFARS 252.204–7012, and a new clause at DFARS 252.204–7009, “Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information,” to protect information submitted to DoD in response to a cyber incident.

In addition, the rule implements DoD policies and procedures for contracting for cloud computing services. The DoD Chief Information Officer issued a memo on December 15, 2014, entitled ‘‘Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services’’ to clarify DoD guidance when acquiring commercial cloud services. The DoD CIO also released a Cloud Computing Security Requirements Guide Version 1, Release 1 on January 13, 2015, for cloud service providers to comply with when providing DoD with cloud services.

The rule implements these new policies in the DFARS to ensure uniform application when contracting for cloud services. Specifically, the rule adds a new subpart at DFARS 239.76, “Cloud Computing,” as well as a new provision, at DFARS 252.239–7009, “Representation of Use of Cloud Computing,” and a new clause, DFARS 252.239–7010, “Cloud Computing Services,” to provide standard contract language for the acquisition of cloud computing services, including access, security and reporting requirements. Comments on this interim rule, identified by DFARS Case 2013-D018, are due by October 26, 2015.