Rule Adds Requirements for Reporting Cyber Incidents, Cloud Services

The Department of Defense has issued an interim rule amending the Defense Federal Acquisition Regulation Supplement to add requirements for contractors to report network penetrations. The rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system, or on a contractor’s ability to provide operationally critical support. The rule is intended to streamline the reporting process for DoD contractors and to minimize duplicative reporting processes. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual (see DoD–M 5220.22).

The clause at DFARS 252.204–7012 is renamed “Safeguarding Covered Defense Information and Cyber Incident Reporting” and the scope of the clause is expanded to cover the safeguarding of covered defense information and require contractors to report cyber incidents involving this new class of information as well as any cyber incident that may affect the ability to provide operationally critical support. The rule also adds a new provision at DFARS 252.204–7008, “Compliance with Safeguarding Covered Defense Information Controls,” to ensure that offerors are aware of the requirements of clause DFARS 252.204–7012, and a new clause at DFARS 252.204–7009, “Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information,” to protect information submitted to DoD in response to a cyber incident.

In addition, the rule implements DoD policies and procedures for contracting for cloud computing services. The DoD Chief Information Officer issued a memo on December 15, 2014, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services” to clarify DoD guidance when acquiring commercial cloud services. The DoD CIO also released a Cloud Computing Security Requirements Guide Version 1, Release 1 on January 13, 2015, for cloud service providers to comply with when providing DoD with cloud services.

The rule implements these new policies in the DFARS to ensure uniform application when contracting for cloud services. Specifically, the rule adds a new subpart at DFARS 239.76, “Cloud Computing,” as well as a new provision, at DFARS 252.239–7009, “Representation of Use of Cloud Computing,” and a new clause, DFARS 252.239–7010, “Cloud Computing Services,” to provide standard contract language for the acquisition of cloud computing services, including access, security and reporting requirements. Comments on this interim rule, identified by DFARS Case 2013-D018, are due by October 26, 2015.

GSA Proposes New Reporting Requirements for FSS and GWAC Vendors

A proposed rule would amend the General Services Administration Acquisition Regulation to add clauses requiring vendors to report transactional data from orders and prices paid by ordering activities.

Under a new clause, vendors would be required to report, through an online system, contract sales, including orders placed against Federal Supply Schedule contracts, Governmentwide Acquisition Contracts, and Governmentwide Indefinite-Delivery, Indefinite-Quantity contracts.

The report would include transactional data elements such as unit measure, quantity of item sold, universal product code, prices paid per unit, and total price. For FSS vehicles, the clause would be introduced in phases, beginning with a pilot for select products and commoditized services.

GSA is creating a Common Acquisition Platform, which will identify best-in-class contracts issued by GSA or other agencies, best practices, and other information agencies need to reduce the proliferation of duplicative contract vehicles. The platform will track the prices paid by other government buyers for a similar product or service under comparable terms and conditions. Government buyers will be able to use the data, and other relevant information, such as customer satisfaction, to determine fair and reasonable pricing as part of a best value solution.

According to GSA, the current lack of transparency on prices paid by government customers has led to significant price variation—sometimes 300 percent or more—for identical purchases by federal agencies from the same commercial vendors, and unnecessary duplication of contract vehicles.

GSA issued the rule in connection with an Office of Federal Procurement Policy initiative addressing category management.

Comments on the proposed rule referencing GSAR Case 2013-G504 are due May 4, 2015. For more information, see the text of the proposed rule.

Executive Order Targets Labor Law Violators

The White House has announced President Obama’s intent to sign an Executive Order that takes aim at government contractors that violate labor laws. According to an investigative report by the Senate Health, Education, Labor and Pensions committee, “in 2012 alone, taxpayers provided more than $80 billion in contracts to companies that had committed significant violations of our basic labor laws, which are designed to ensure workers are paid fairly and are safe on the job.” According to Department of Labor estimates, there are about 24,000 businesses with federal contracts, employing about 28 million workers. A July 31 White House fact sheet explains the soon-to-be issued Fair Pay and Safe Workplaces EO will require prospective contractors to disclose labor law violations and will give agencies more guidance on how to consider labor violations when awarding contracts. It will also place restrictions on certain mandatory arbitration agreements.

The Fair Pay and Safe Workplaces Executive Order will govern new procurement contracts valued at more than $500,000 and is expected to be implemented on new contracts in stages, on a prioritized basis, during 2016. The fact sheet provides further detail on the following key provisions of the anticipated EO:

  • Agencies will require prospective contractors to disclose labor law violations from the past three years before they can be awarded a contract.
  • Contracting officers will take into account only the most egregious violations, and each agency will designate a senior official as a Labor Compliance Advisor to provide consistent guidance on whether contractors’ actions rise to the level of a lack of integrity or business ethics.
  • Contractors with workplace violations are more likely to encounter performance problems, so the EO will also improve the efficiency of federal contracting and result in greater returns on tax dollars.
  • The EO is intended to protect the contractors that have clean records. The DOL estimates that the overwhelming majority of companies with federal contracts have had no workplace violations in the past three years.
  • The goal of the process created by the EO is to help more contractors come into compliance with workplace protections, not to deny contracts to contractors. Companies with labor law violations will be offered the opportunity to receive early guidance on whether those violations are potentially problematic and remedy any problems. Contracting officers will take these steps into account before awarding a contract.
  • The EO will prohibit companies with contracts of $1 million or more from requiring employees to enter into pre-dispute arbitration agreements for disputes arising out of Title VII or from torts related to sexual assault or harassment (except when valid contracts already exist).
  • The EO will require contractors to give their employees information concerning their hours worked, overtime hours, pay, and any additions to or deductions made from their pay, so workers can be sure they are receiving what they are owed.
  • The EO will direct the General Services Administration to develop a single website for contractors to meet their reporting requirements for this order and for other contractor reporting.

Proposed FAR Rule Expands Reporting Requirements for Nonconforming Items

The Department of Defense, General Services Administration, and National Aeronautics and Space Administration are proposing to amend the Federal Acquisition Regulation to require expanded reporting of nonconforming items.

The June 10, 2014, proposed rule would revise the quality assurance coverage at FAR Subpart 46.1 to require contractors to use the Government-Industry Data Exchange Program database to report nonconforming items and to screen GIDEP reports to avoid the use of nonconforming items.

For the reporting requirement to apply, the item must be a counterfeit or suspect counterfeit item (as defined in proposed FAR 46.101), or it must contain a major or critical nonconformance that is a common item and constitutes a quality escape (also defined in proposed FAR 46.101), from a lower-level subcontractor or supplier that resulted in the release of nonconforming items to more than one customer.

In addition to the GIDEP reporting requirements, the rule would impose contracting officer reporting requirements. If the contractor identifies a major or critical nonconformance but corrects the problem prior to delivery, it would not have to notify the CO. However, the contractor must notify the CO when a counterfeit or suspect counterfeit item is identified, without regard to whether the contractor intends to deliver the product containing the counterfeit or suspect counterfeit items.

These requirements would be added in a new clause at FAR 52.246-XX, Reporting Nonconforming Items, which would also require the contractor to retain in its possession any items suspected or confirmed as counterfeit items. A flowdown requirement directs the contractor to add the substance of the clause in all subcontracts at any tier for supplies, or services that include supplies.

Comments referencing FAR Case 2013-002 are due August 11, 2014. For more information, see the Federal Register notice.

Two New Clauses Add Requirements for Service Contract Reporting

Federal Acquisition Circular 2005-72 contains a final rule (FAR Case 2010-010), effective January 30, that amends the Federal Acquisition Regulation to require service contractors for executive agencies to submit information annually in support of agency-level inventories for service contracts. The requirement does not apply if the Department of Defense fully funds the contract or order.

Inventory of Activities. The rule implements Section 743(a) of Division C of the Consolidated Appropriations Act, 2010 (PL 111–117), which requires executive agencies covered by the Federal Activities Inventory Reform Act (PL 105-270), except DoD, to submit to the Office of Management and Budget annually an inventory of activities performed by service contractors. The public will be able to access the information reported. The rule creates a new FAR Subpart 4.17, Service Contracts Inventory, and adds two contract clauses, FAR 52.204-14, Service Contract Reporting Requirements, and FAR 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery Contracts.

New Requirements. FAR 4.1703 sets out the reporting requirements as follows:

  • Contract types (e.g., cost reimbursement, time-and-materials, and labor-hour contracts), which already require contractors to track labor hours closely in order to invoice the government, will have lower dollar thresholds than fixed-price contracts. Contractors will now be required to report on all cost-reimbursement, time-and-materials, and labor-hour contracts and orders above the simplified acquisition threshold.
  • Contractors will be required to report on new fixed-price definite-delivery contracts at or above $2.5 million in fiscal year 2014, $1 million in FY 2015, and $500,000 in FY 2016 onwards.
  • For indefinite-delivery contracts including, but not limited to, indefinite-delivery indefinite-quantity contracts, Federal Supply Schedule contracts, governmentwide acquisition contracts, and multi-agency contracts, reporting requirements will be determined based on the expected dollar amount and type of the orders issued under the contracts.
  • First-tier subcontracts for services will be reported using the phase-in thresholds.
  • Existing indefinite-delivery contracts will be bilaterally modified within 6 months of the effective date of the final rule if sufficient time and value remain on the base contract, which is defined as a performance period that extends beyond October 1, 2013, and $2.5 million or more remaining to be obligated to the indefinite-delivery contract.

Effective Date. These new requirements apply to solicitations issued and contracts awarded on or after January 30, 2014. Here is a listing of all the regulations impacted by this rule: FAR 1.106, FAR 4.1700 through FAR 4.1705, FAR 8.404, FAR 17.504, FAR 37.103, FAR 52.204-14, FAR 52.204-15, and FAR 52.212-5.