February 8, 2023

Volume XIII, Number 39


February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

Changes Coming to the FAR: Government Proposes New Rules on Data Breaches, Cost Evaluation of IDIQ Proposals, and Overseas Small Business Contracting

Federal contractors may be subject to a slate of new regulations in 2018, including rules that increase cyber reporting burdens, expand small business competition, and change the procedures for competitively awarding IDIQ contracts.

Among the proposed rules, announced in the Semiannual Regulatory Agenda of the FAR Council and the General Services Administration (“GSA”), are changes that would affect nearly every segment of the government contracts industry.  Although some of the rules may simplify the burdens on contractors, most come with enhanced compliance obligations, particularly with respect to data security and cyber incidents.

Some of the key proposals are summarized below.

  • Data breaches.  Under a new proposal, contractors would be required to use a contractually-specified set of procedures when responding to data breaches involving personally identifiable information (“PII”).  The new contract clauses will implement the requirements in the Office of Management and Budget’s Memorandum M-17-12.  A proposed rule is expected in March.

  • Controlled Unclassified Information.  A new rule would implement standards for safeguarding, marking, disseminating, and disposing of Controlled Unclassified Information (“CUI”).  The rule would generally ensure uniform CUI requirements across all federal contracts by adopting the rules of the National Archives and Records Administration (“NARA”) codified at 32 C.F.R. § 2002.  A proposed rule is expected in April.

  • GSA-specific cybersecurity rules.  GSA is proposing new cybersecurity requirements for internal and external contractor systems, including cloud and mobile systems.  GSA contracting officers will be required to (1) incorporate applicable cybersecurity requirements within their statements of work and (2) create uniform reporting requirements for cyber incidents that potentially compromise GSA or government information or information systems.  In addition, contractors will be required to give customer agencies “access [to] contractor systems in the event of a cyber incident.”  Proposed rules are expected in April and August.

  • No cost or price evaluation for base IDIQ awards.  When awarding multiple indefinite-delivery indefinite-quantity (“IDIQ”) contracts, the Department of Defense, Coast Guard and the National Aeronautics and Space Administration would have the option of not evaluating the cost or price of a base IDIQ contract proposal.  Instead, cost or price would be evaluated during task order competitions.  A proposed rule is expected in April.

  • Extending small business rules to overseas contracts.  Small business regulations have generally applied only to work performed within the United States.  However, under the FAR Council’s proposal, agencies would be able to use small business set-asides for overseas opportunities.  Agencies also would be given “tools authorized for providing small business opportunities for contracts awarded outside of the United States.”  It is unclear to what extent this proposal would affect small business subcontracting requirements.  A proposed rule is expected in February.

  • Expanding small business access to IDIQ contracts.  The FAR Council is finalizing a rule that would provide small businesses “greater access to multiple award contracts[.]”  This rule was initially proposed in December 2016.  A final rule is expected in March.

  • Paid sick leave for contractor employees.  The FAR Council is also finalizing a rule requiring contractors to provide up to seven days or more of paid sick leave or family-care leave.  This rule permanently codifies an interim rule announced in December 2016.  The final rule is expected in February.

  • Pre-proposal exchanges with industry.  As required by Section 887 of the National Defense Authorization Act for Fiscal Year 2016, the FAR Council is proposing a rule that would encourage “responsible and constructive exchanges with industry.”  This rule is consistent with the Office of Federal Procurement Policy’s 2011 and 2012 “Mythbuster” memoranda, which encouraged agencies to communicate with industry informally, and which generally asserted that marketing efforts should not raise conflict of interest concerns.  As noted in the May 2012 memorandum, “simply providing suggestions and comments prior to formal requirements development will not trigger an organizational conflict of interest, as long as the vendor is not then hired to develop the requirements.”  A final rule is expected in April.

  • Enhanced whistleblower protections.  The FAR Council is proposing to permanently codify a temporary rule that protects contractor and subcontractor employees from retaliation for reporting gross mismanagement, abuses of authority, or other malfeasance on a federal contract.  The proposed rule also would ensure that the prohibition on reimbursement for legal fees accrued in defense against reprisal claims applies to subcontractors, as well as contractors.  A proposed rule is expected in March.

  • Fair and reasonable pricing determination for Federal Supply Schedule orders.  Under existing regulations, agencies are generally not required to make a determination of fair and reasonable pricing when placing Federal Supply Schedule orders.  But under the FAR Council’s proposal, such determinations would be required.  A proposed rule is expected in May.

  • New definition of Information Technology.  The FAR Council is proposing to broaden the definition of “information technology” to include services such as cloud computing and to remove an exemption for IT embedded in other systems.  A proposed definition is expected in June.

Contractors should carefully monitor these proposed rules.  To the extent these rules may affect contractors’ businesses, they should consider submitting comments to the FAR Council or GSA either directly or through third parties during the relevant notice-and-comment period.

© 2023 Covington & Burling LLPNational Law Review, Volume VIII, Number 30

About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

Evan Sherwood, Covington Burling Law Firm, Government Contracts Attorney

Mr. Sherwood helps clients solve problems arising from government contracts. He advises government contractors on a wide range of matters, such as compliance with procurement regulations, contract formation, and government investigations. Mr. Sherwood also represents clients in bringing and defending bid protests, including challenges to the terms of competitions.

Representative Matters

  • Successfully protested...