DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcome development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DoD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families has “derived security requirements,” which provide added detail on the security controls required to protect government data. The basic requirements are based on FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls contained in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

  1. Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.
  2. Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.
  3. The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.
  4. The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).
  5. DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”
  6. With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.
  7. Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”
  8. The class deviation does not impact DoD cloud computing contracts, which remain subject to DFARS 252.239-7010, Cloud Computing Services.

Ensuring Compliance With the Revised DFARS Clauses and NIST SP 800-171 Section 3.5.3

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3 (emphasis added). Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

  • “Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.” See id., n. 22.
  • “Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
  • “Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

What’s New Out There? A Trade and Business Regulatory Update

Sheppard Mullin 2012

Proposed DoD Rule: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D-005)

On May 16, 2013, the Department of Defense (“DoD”) issued a proposed rule that would amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) relating to the detection and avoidance of counterfeit parts, in partial implementation of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2012 (Pub. L. 112-81) and the NDAA for FY 2013 (Pub. L. 112-239). 78 Fed. Reg. 28780 (May 16, 2013). The proposed rule would impose new obligations on contractors for detecting and protecting against the inclusion of counterfeit parts in their products. Public comments in response to the proposed amendment are due by July 15, 2013.

The proposed rule, titled Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D-005), partially implements Section 818 of the NDAA for FY 2012, which requires the issuance of regulations addressing the responsibility of contractors (a) to detect and avoid the use or inclusion of counterfeit – or suspect counterfeit – electronic parts, (b) to use trusted suppliers, and (c) to report counterfeit and suspect counterfeit electronic parts. Pub. L. 112-81, § 818(c). Section 818(c) also requires DoD to revise the DFARS to make unallowable the costs of rework or other actions necessary to deal with the use or suspected use of counterfeit electronic parts. Id. The proposed rule would also add the following in order to implement the requirements defined in Section 818.

  • Definitions: Adds definitions to DFARS 202.101 for the terms “counterfeit part,” “electronic part,” “legally authorized source,” and “suspect counterfeit part.”
  • Cost Principles and Procedures: Adds DFARS section 231.205-71, which would apply to contractors covered by the Cost Accounting Standards (“CAS”) who supply electronic parts, and would make unallowable the costs of counterfeit or suspect counterfeit electronic parts and the costs of rework or corrective action that may be required to remedy the use or inclusion of such parts. This section provides a narrow exception where (1) the contractor has an operational system to detect and avoid counterfeit parts that has been reviewed and approved by DoD pursuant to DFARS 244.303; (2) the counterfeit or suspect counterfeit electronic parts are government furnished property defined in FAR 45.101; and (3) the covered contractor provides timely notice to the Government.
  • Avoidance and Detection System: Requires contractors to establish and maintain an acceptable counterfeit avoidance and detection system that addresses, at a minimum, the following areas: training personnel; inspection and testing; processes to abolish counterfeit parts proliferation; traceability of parts to suppliers; use and qualification of trusted suppliers; reporting and quarantining counterfeit and suspect counterfeit parts; systems to detect and avoid counterfeit electronic parts; and the flow down of avoidance and detection requirements to subcontractors.

Potential Impacts on Contractors and Subcontractors

Although the rule is designed constructively to combat the problem of counterfeit parts in the military supply chain, it imposes additional obligations and related liabilities on contractors and subcontractors alike.

  • The proposed rule shifts the burden of protecting against counterfeit electronic parts to contractors, thus increasing contractor costs and potential contractor liability in this area.
  • Under the proposed rule, contractors would need to take steps to establish avoidance and detection systems in order to monitor for and protect against potential counterfeit electronic parts, also increasing the financial and temporal impact on contractors.
  • Avoidance and detection system requirements will need to be flowed down to subcontractors, increasing subcontractors’ responsibility – and thus liability – for counterfeit parts.
  • The proposed rule would also make unallowable the costs incurred to remove and replace counterfeit parts, which could have a significant financial impact on contractors – even under cost type contracts.
  • As it currently stands, the narrow exception regarding the allowability of such costs applies only where the contractor meets all three requirements of the exception, which likely would be a rare occurrence.

Interim SBA Rule: Expansion of WOSB Program, RIN 3245-AG55

On May 7, 2013, the Small Business Administration (“SBA”) issued an interim final rule implementing Section 1697 of the NDAA for FY 2013, removing the statutory dollar amount for contracts set aside for Women-Owned Small Business (“WOSB”) under the Women-Owned Small Business Program. 78 Fed. Reg. 26504 (May 7, 2013). Comments are due by June 6, 2013.

The new rule would amend SBA 127.503 to permit Contracting Officers (“COs”) to set aside contracts for WOSBs and Economically Disadvantaged WOSBs (“EDWOSBs”) at any dollar amount if there is a reasonable expectation of competition among WOSBs as follows: (1) in industries where WOSBs are underrepresented, the CO may set aside the procurement where two or more EDWOSBs will submit offers for the contract and the CO finds that the contract will be awarded at a fair and reasonable price; or (2) in industries where WOSBs are substantially underrepresented, the CO may set aside the procurement if two or more WOSBs will submit offers for the contract, and the CO finds that the contract will be awarded at a fair and reasonable price.

Protesting at ODRA?: Learning the Lay of the Land

Recently posted in the National Law Review: an article by Marko W. Kipa and Ryan E. Roberts of Sheppard Mullin Richter & Hampton LLP on filing a bid protest with the Office of Dispute Resolution for Acquisition when the FAA makes an award.

Your company submitted a proposal to the Federal Aviation Administration (“FAA”) to provide widgets and related services. The opportunity had corporate visibility and was critical to your sector’s bottom line. After several agonizing months of waiting for an award decision, you learn that the FAA made an award to your competitor. You immediately accept the first debriefing date offered by the Agency. As that date approaches, you begin to strategize and weigh your options – should you file the bid protest at the Government Accountability Office (“GAO”) or the Court of Federal Claims? The answer – neither. When the FAA makes an award, any protest must be filed with the Office of Dispute Resolution for Acquisition – otherwise known as ODRA. There are several similarities and differences between, on the one hand, the GAO and the Court of Federal Claims, and, on the other hand, ODRA.

First, you are entitled to an automatic stay of performance if you timely file your protest at the GAO (unless the stay is overridden by the Agency). To obtain a stay of performance at the Court of Federal Claims, you will most likely need to prevail on a motion for a temporary restraining order or a preliminary injunction. It is very difficult, however, to obtain a stay of performance at the ODRA. ODRA presumes that performance will continue pending resolution of the protest, and a protester must separately brief the issue of whether a stay should be granted. Unless the protester can demonstrate “a compelling reason to suspend or delay all or part of the procurement activities,” ODRA will allow performance to continue. 14 C.F.R. § 17.13(g); 14 C.F.R. § 17.15(d). A review of ODRA’s suspension decisions shows that stays of performance are rarely granted. In other words, you should expect that ODRA will not grant a stay of performance.

Second, FAA procurements are not governed by the Federal Acquisition Regulation (“FAR”). Rather, the FAA is subject to the Acquisition Management System (“AMS”), which “establishes the policies, guiding principles, and internal procedures for the FAA’s acquisition system.” 14 C.F.R. § 17.3(c). While the FAR and the AMS share some overlapping concepts, there are notable differences between the two. For example, the AMS does not recognize the FAR’s distinction between “discussions” and “clarifications,” and instead categorizes all exchanges as “communications.” Furthermore, the AMS encourages communications with potential offerors, including one-on-one communications, stating that they “should take place throughout the source selection process” to “ensure that there are mutual understandings between the FAA and the offerors about all aspects of the procurement, including the offerors’ submittals/proposals.” AMS § 3.2.2.3.1.2.2. ODRA has routinely denied protests where a disappointed offeror has claimed to have been the subject of unfair treatment when the FAA only communicated with one offeror. See, e.g., Consolidated Protests of Consecutive Weather, Eye Weather Windsor Enterprises, and IBEX Group, Inc., 02-ODRA-00254.

Third, ODRA has a robust alternative dispute resolution (“ADR”) program that is central to its resolution of bid protests. ODRA makes a variety of ADR techniques available to the parties, including mediation, neutral evaluation and mini-trials. 14 C.F.R. § 17.31(b). Additionally, ODRA’s rules were amended recently to place an even greater emphasis on ADR. The new rule officially instructs parties to use ADR as the primary means for settling protests and disputes, and allows parties to file “predisputes” so that they may engage in nonbinding, confidential discussions. 76 Fed. Reg. 55217 (Sept. 7, 2011) (to be codified at 14 C.F.R. Part 17). Although you can decline to participate in ODRA’s ADR program, it is well worth your time and resources to consider pursuing this option.

Fourth, you should be aware of the various procedural rules at ODRA, as they differ from those of the GAO. Most notably, ODRA counts deadlines in business days rather than the GAO’s calendar days (thereby excluding weekends and federal holidays). In this regard, a party must file its post-award protest within (i) 7 business days of when it knew or should have known of the basis for its protest, or (ii) not later than 5 business days from the date of the debriefing. 14 C.F.R. § 17.15(a)(3). Once filed, a contractor should be prepared to act – the FAA’s response to the protest is due 10 business days after the initial status conference, and the contractor’s comments on the FAA’s response are due 5 business days later. 14 C.F.R. § 17.17(e); 14 C.F.R. § 17.37(c). Contractors can also expect ODRA to issue a decision relatively quickly, as the ODRA Dispute Resolution Officer assigned to the case must issue a decision within 30 business days of the FAA’s response to the protest. 14 C.F.R. § 17.37(a),(i).

In conclusion, ODRA differs markedly from the GAO and the Court of Federal Claims as a bid protest forum. An understanding of those differences is critical to the preservation and pursuit of your bid protest rights. Since ADR at ODRA resulted in some form of agency corrective action in roughly 40% of the cases filed at the ODRA from 1997 to 2007, a failure to appreciate the differences in the rules and the consequent forfeiture of your protest rights can be highly prejudicial.

Copyright © 2011, Sheppard Mullin Richter & Hampton LLP.