Changes Coming to the FAR: Government Proposes New Rules on Data Breaches, Cost Evaluation of IDIQ Proposals, and Overseas Small Business Contracting
Tuesday, January 30, 2018
government contract, keyboard
Print Mail Download i

Federal contractors may be subject to a slate of new regulations in 2018, including rules that increase cyber reporting burdens, expand small business competition, and change the procedures for competitively awarding IDIQ contracts.

Among the proposed rules, announced in the Semiannual Regulatory Agenda of the FAR Council and the General Services Administration (“GSA”), are changes that would affect nearly every segment of the government contracts industry.  Although some of the rules may simplify the burdens on contractors, most come with enhanced compliance obligations, particularly with respect to data security and cyber incidents.

Some of the key proposals are summarized below.

  • Data breaches.  Under a new proposal, contractors would be required to use a contractually-specified set of procedures when responding to data breaches involving personally identifiable information (“PII”).  The new contract clauses will implement the requirements in the Office of Management and Budget’s Memorandum M-17-12.  A proposed rule is expected in March.

  • Controlled Unclassified Information.  A new rule would implement standards for safeguarding, marking, disseminating, and disposing of Controlled Unclassified Information (“CUI”).  The rule would generally ensure uniform CUI requirements across all federal contracts by adopting the rules of the National Archives and Records Administration (“NARA”) codified at 32 C.F.R. § 2002.  A proposed rule is expected in April.

  • GSA-specific cybersecurity rules.  GSA is proposing new cybersecurity requirements for internal and external contractor systems, including cloud and mobile systems.  GSA contracting officers will be required to (1) incorporate applicable cybersecurity requirements within their statements of work and (2) create uniform reporting requirements for cyber incidents that potentially compromise GSA or government information or information systems.  In addition, contractors will be required to give customer agencies “access [to] contractor systems in the event of a cyber incident.”  Proposed rules are expected in April and August.

  • No cost or price evaluation for base IDIQ awards.  When awarding multiple indefinite-delivery indefinite-quantity (“IDIQ”) contracts, the Department of Defense, Coast Guard and the National Aeronautics and Space Administration would have the option of not evaluating the cost or price of a base IDIQ contract proposal.  Instead, cost or price would be evaluated during task order competitions.  A proposed rule is expected in April.

  • Extending small business rules to overseas contracts.  Small business regulations have generally applied only to work performed within the United States.  However, under the FAR Council’s proposal, agencies would be able to use small business set-asides for overseas opportunities.  Agencies also would be given “tools authorized for providing small business opportunities for contracts awarded outside of the United States.”  It is unclear to what extent this proposal would affect small business subcontracting requirements.  A proposed rule is expected in February.

  • Expanding small business access to IDIQ contracts.  The FAR Council is finalizing a rule that would provide small businesses “greater access to multiple award contracts[.]”  This rule was initially proposed in December 2016.  A final rule is expected in March.

  • Paid sick leave for contractor employees.  The FAR Council is also finalizing a rule requiring contractors to provide up to seven days or more of paid sick leave or family-care leave.  This rule permanently codifies an interim rule announced in December 2016.  The final rule is expected in February.

  • Pre-proposal exchanges with industry.  As required by Section 887 of the National Defense Authorization Act for Fiscal Year 2016, the FAR Council is proposing a rule that would encourage “responsible and constructive exchanges with industry.”  This rule is consistent with the Office of Federal Procurement Policy’s 2011 and 2012 “Mythbuster” memoranda, which encouraged agencies to communicate with industry informally, and which generally asserted that marketing efforts should not raise conflict of interest concerns.  As noted in the May 2012 memorandum, “simply providing suggestions and comments prior to formal requirements development will not trigger an organizational conflict of interest, as long as the vendor is not then hired to develop the requirements.”  A final rule is expected in April.

  • Enhanced whistleblower protections.  The FAR Council is proposing to permanently codify a temporary rule that protects contractor and subcontractor employees from retaliation for reporting gross mismanagement, abuses of authority, or other malfeasance on a federal contract.  The proposed rule also would ensure that the prohibition on reimbursement for legal fees accrued in defense against reprisal claims applies to subcontractors, as well as contractors.  A proposed rule is expected in March.

  • Fair and reasonable pricing determination for Federal Supply Schedule orders.  Under existing regulations, agencies are generally not required to make a determination of fair and reasonable pricing when placing Federal Supply Schedule orders.  But under the FAR Council’s proposal, such determinations would be required.  A proposed rule is expected in May.

  • New definition of Information Technology.  The FAR Council is proposing to broaden the definition of “information technology” to include services such as cloud computing and to remove an exemption for IT embedded in other systems.  A proposed definition is expected in June.

Contractors should carefully monitor these proposed rules.  To the extent these rules may affect contractors’ businesses, they should consider submitting comments to the FAR Council or GSA either directly or through third parties during the relevant notice-and-comment period.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins