Earlier this month, we had the pleasure of opening the 2017 Associated General Contractors of America Federal Contractor Conference in Washington, DC with a presentation focused on the emerging issue of Cybersecurity in Federal contracting.  Data breaches are big news in the private sector, but the issue has remained somewhat under the radar for public contracts – until now.

New rules and regulations (with the imminent promise of more on the way) are setting the stage for Cybersecurity to be the next big government enforcement target under the Civil False Claims Act (which the Department of Justice used to claw back $4.7 Billion in recoveries from Federal contractors in FY 2016 alone).

The New Cybersecurity FAR Clause

A Final Rule published by the Department of Defense, NASA, and the General Services Administration in 2016 created a new Federal Acquisition Regulation subpart (4.19) and contract clause (52.204-21) that deal exclusively with Cybersecurity.

The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.”  These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance.  In other words, if the new clause is not included in your Federal contracts yet, it soon will be.

The Regulation imposes 15 “basic” security controls for contractors.  The controls are intended to impose minimum safeguarding measures that the government believes any responsible contractor should have in place as part of the cost of doing business.  A complete list of the security controls is available here.

The DFARS Cybersecurity Clause

Compliance with FAR clause 52.204-21 should be viewed by contractors as a baseline Cybersecurity requirement – but it does not take the place of other, more complex requirements.

For example, DoD contractors must comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting).  The DFARS clause is more far-reaching than the FAR clause, and includes investigation and rapid reporting requirements for breach incidents.  It also requires compliance with NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) by no later than December 31, 2017.

Other requirements related to the handling of Classified and Controlled Unclassified Information also remain in place.  And we fully expect more (and more demanding) Cybersecurity requirements to be published by the government in the coming months and years.

The Contractor’s Guide to Cybersecurity Compliance

For Federal contractors, the future is now.

Cybersecurity requirements will soon be included in almost every Federal contract, so the only question is how to achieve and maintain compliance.

The good news is that compliance with FAR 52.204-21 is a great first step.  Again, the government considers the Regulation to be a basic safeguarding requirement that every responsible contractor should have in place.  If your business does not have at least those 15 security controls covered right now, it is time to figure out why.

To track and maintain compliance with expanding requirements, we also recommend making Cybersecurity part of your Federal Business Ethics and Compliance Program.

All Federal contractors have (or should have) a written Contractor Code of Business Ethics and Conduct.  The Code should be a living document that your business routinely updates and uses in connection with internal audits and employee training.

By adding Cybersecurity to your Ethics Program and written Code, you are ensuring that it becomes a part of your company’s culture.  You are also increasing the likelihood that Cybersecurity breaches, or other instances of non-compliance, are identified by your Internal Control System – not by the government.

Cybersecurity is an emerging, complex subject – but that does not mean that the government will relax its enforcement efforts while your business gets up to speed.  In fact, we think the opposite is true.  Contractors that do not make Cybersecurity compliance a priority now will be behind the power curve and are more likely to face harsh consequences (including False Claims Act allegations, suspension, or debarment) later down the road.

 

The contractual duty of “good faith and fair dealing” is well established in private contracts.  Depending on your jurisdiction, there is very likely either a formal or an informal rule that parties to a contract must deal with each other honestly and in good faith.  This is (usually) not a written contract term – rather, the duty is implied automatically in order to reinforce the parties’ intent when entering into the agreement.

But, did you know that the same kind of duty exists in public contracts – and runs as a two-way street between contractors and the Federal government?  It is true.  And it can help your business in the pursuit of time or damages from the government as part of an REA or Claim.

Contract

Implicit in every government contract is the duty for the government to treat the contractor fairly and act in good faith.  Courts discussing this duty place both affirmative and negative obligations on the government.  In other words, the government (1) must take active steps to enable the contractor’s performance and (2) must not willfully or negligently interfere with said performance.

Allegations concerning a breach of the duty of good faith and fair dealing can arise in almost any contractual context.  For example, it is very common to see such claims in the context of delay and disruption claims.  The contractor seeks direction or guidance from the government on how to proceed with certain contract performance details – but the response from the government is delayed, unhelpful, or does not come at all.

A recent Court of Federal Claims decision also advises that contractors can proceed with fairly broad allegations concerning the government’s breach of good faith and fair dealing as part of an appeal.  Specifically, in response to a motion to dismiss by the government, the Court ruled that a such a claim does not need to be tied to a specific contractual obligation in order to demonstrate a violation.

The decision is a win for contractors because it recognizes that contract performance does not take place within a vacuum.  Even if there is no toehold to assert a breach tied to a specific obligation, the duty of good faith and fair dealing exists to ensure that the “reasonable expectations of the parties are respected” by both sides.

Contractors dealing with the government at almost any stage of contract performance would do well to give serious thought to the duty of good faith and fair dealing.  While it is a “big picture” concept, it can have very real implications when a dispute arises – including a meaningful impact on recoveries for claims and appeals.

I’d like to you invite you to join Fox’s Government Contracts team of Reggie Jones, Doug Hibshman and Nick Solosky at the upcoming 2017 Associated General Contractors of American Federal Contractor Conference in Washington, DC.

We will lead a presentation and discussion entitled “Updated Federal Regulations Contractors Must Know – Cyber Security, Ethics & Compliance, SBA All-Small Program & More,” from 3:30 to 5:30 p.m. on Monday, May 1, 2017.

cropped-favicon

The presentation will offer insights into the new cybersecurity requirements facing federal contractors – including unpacking the FAR and DFARS cybersecurity clauses and the steps that contractors need to get to get (and stay) compliant.  Cybersecurity is a cutting edge issue, but failing to stay ahead of the curve could land contractors in hot water.

In addition to cybersecurity, we’ll also be detailing the hot button government contracting issues of 2017.  For example, we’ll outline what all contractors – both large and small – need to know about the SBA’s “All Small” Mentor-Protégé Program (and how it could open the door to new business development opportunities for contractors).  We’ll also pull straight from the headlines by covering the new administration and the President’s “Buy American, Hire American” initiative.

If you’re unable to make it to DC or attend the presentation in person, we can still discuss cybersecurity or any other Federal contracting regulations with you.  Please feel free to contact us for more details.

A response to an RFP is the government contractor’s chance to put its best foot forward and stand out from the crowd.  Particularly when it comes to best value procurements, this is your chance to tell the contracting officer that your company does it best (whatever it is).

But, a recent bid protest decision reminds us that contractors must carefully walk the line between well-deserved boasting and playing make-believe.

The protest concerns a U.S. Department of the Navy IDIQ contract.  The RFP required contractors to submit detailed information documenting their relevant depth and breadth of experience on similar contracts.  In other words, the agency wanted the ultimate awardee to prove it has the chops to do the work required under the contract.

The agency rejected one contractor’s proposal as technically unacceptable because it lacked specific details concerning prior projects.  Instead, the contractor submitted only general information about its past work – and instead focused on hypothesizing about the stellar work that it could perform, if given the opportunity.

On review, the Court of Federal Claims sided with the Navy.  It is reasonable, the Court concluded, for an agency to require contractors to submit satisfactory evidence of qualifying past performance experience.  The contractor’s decision to submit general (not specific) information concerning its prior contract performance and focus on hypothetical statements of future potential did not meet the RFP’s requirements.

For contractors – and especially greener contractors – the Court’s decision presents and chicken-and-egg scenario.  It is difficult to win a contract award including a past performance element when your firm has limited experience.  But how can you get the experience without the award?

Two thoughtsFirst, as this case demonstrates, this is one area where you can’t “fake it till you make it.”  Focus on actual, supportable experienceSecond, if your firm’s past performance is really holding you back, consider teaming options for situations where the RFP allows you to lean on the past performance experience of a partner or subcontractor.

Government contractors must be prepared to perform their Federal contracts – even in the face of a dispute with the government over essential contract terms.  Failing to perform can have devastating consequences, including default termination.

In a recent case before the Armed Services Board of Contract Appeals, the Board considered a U.S. Army Corps of Engineers’ contract for HVAC system upgrades.  After the contract was awarded, the contractor promptly raised concerns over the Agency’s design.  The Agency acknowledged the disagreement, but directed the contractor to complete the project as originally intended.

The dispute did not end there.

Rather than accept the government’s decision and complete the project, the contractor continued to lobby the Agency to consider a re-design.  The Agency again refused – and matters only got worse.  The Agency and the contractor repeatedly butted heads over seemingly simple issues, such as the format of project submittals.  Finally, after issuing multiple Notices to Cure and receiving no response from the contractor, the Agency cut bait default terminated the contractor.

The contractor appealed the determination, arguing that the problems on the project were all caused by the Agency’s design errors – as well as the Agency’s failure to acknowledge and resolve those errors.  These arguments did not persuade the Board and the appeal was denied.

The Board’s decision includes some fairly detailed analysis concerning the competency of the Agency’s decision making.  Was the design defective?  Did the Agency wrongfully refuse to consider the contractors proposed alternatives?  The Board answered all of these questions in the negative.

In my opinion, however, the far more important aspect of the Board’s decision stays out of these technical weeds.  The Board explained that the contractor’s failure to continue the work during the contract dispute justified the default termination.

While the Board hinted that the contractor’s failure to perform could have been deemed “excusable” under the right set of facts, that would not be my advice.  Experience shows that government contractors very rarely come out on the winning end of a dispute when they refuse to perform.

Consider the options:

  • On one hand, a contractor that performs during a dispute has a better chance of completing a job with a satisfied customer.  And any issues of excess costs or delays resulting from the dispute can be taken up as part of a claim or REA – so a contractor that continues to perform is not releasing the ability to recover later if the government really is responsible (just be sure to read that bilateral modification or final payment form before you sign it).
  • On the other hand, a contractor that refuses to perform knows that its work is not getting done and that its customer is unhappy.  While it may ultimately prevail, will that victory be worth the damaged relationship?

Against this backdrop, government contractors should also consider the power of the performance evaluation.  A contractor that works through a dispute is far more likely to get the passing marks (or even flying colors) that will help in future past performance evaluations.  Can the same be said for the refusing contractor?  Performance ratings matter – and they tend to stick with your business – particularly when a default termination is part of the equation.

Timing and circumstances matter.  Sometimes a conflict presents an obstacle to performance so great that it cannot be overcome.  My experience shows that should be the exception to the rule.  Whenever possible, government contractors should perform through a contract dispute and simultaneously position themselves to recover those costs/time later down the line.

Government contractors need to be conscious of the paperwork they sign on Federal contracts.  Signing a waiver or release of claims at any point during a project can result in a lost opportunity to recover damages – even if the event giving rise to those damages was already discussed in detail with the Contracting Officer.

In a recent post, we discussed the hazard associated with bilateral project modifications.  Even when a modification includes requested relief (like a time extension), it also likely includes broad waiver/release language that will apply to all pending claims.  A contractor should not sign a bilateral modification without a full and complete understanding of what claims (if any) are being surrendered with the stroke of a pen.

The same logic and advice applies to requests for final payment – and really any other document executed during the course of a Federal project.

In a case before the Postal Service Board of Contract Appeals, the contractor notified the Agency that it underestimated the paving area for the project – resulting in a significant labor and materials overrun.  The contractor informally requested that the Agency share in the associated costs, arguing that the government was aware of the estimating mistake prior to award.  The Contracting Officer disagreed with the contractor’s position and referred it to the contract’s disputes clause.

As the project approached the finish line, the contractor – who still intended to pursue a cost overrun damages claim – requested final payment on the contract.  In connection with that submission, the contractor executed a “Contractor’s Release.”  The Release expressly stated that the contractor released the Agency from any further claims, without exception.

After signing the Release, the contractor proceeded to pursue its cost overrun claim.  The Agency denied the claim in full, relying on the Release language.

On appeal, the Board sided with the Agency and likewise denied the claim for damages.  Notably, the Board rejected the contractor’s position that its conversations with the Contracting Officer were sufficient to preserve the claim (in other words, the Agency was indisputably on notice of the claim).  The express language of the Contractor’s Release trumped any equitable argument.

The lesson here for contractors is an easy oneRead your paperwork and understand the consequences of a waiver/release before you sign it.  Broad releases are almost never in a contractor’s best interests, so develop a strategy in advance for preserving your right to recover what your company is lawfully owed on a contract.

Government contractors looking to identify and mitigate indications of affiliation sometimes need look no further than their own family tree.

The Small Business Administration (SBA) assumes that two businesses owned and controlled by members of the same family are affiliated based on that family relationship alone.  It is up to the family members to rebut the presumption.

The SBA’s Office of Hearings and Appeals (OHA) reaffirmed this “Familial Identity of Interest” standard in spades in a recent decision.  OHA found two businesses affiliated based on the ownership and control of two brothers.  To be clear, the brothers did not co-own the businesses – each brother owned and controlled his own business.

The OHA decision is significant because it reaffirms the presumption of affiliation in such cases.  The businesses argued that they should not be considered affiliated because there is no evidence that either brother could control the other’s business.  OHA rejected this argument as immaterial.  There is no need for a finding of affirmative control when it comes to family relationships – the relationship alone is sufficient to create a presumption of identical interests.

So how do family members rebut the presumption of affiliation?

There are two generally recognized ways.  The first is to show that the family members are estranged.  Family members that are not in contact with each other are not presumed to share identical interests.  Obviously, this is a subjective question that will require at least some actual evidence to support the claim.

The second way to rebut the familial identity of interest is to show that there is no – or at least very little – involvement between the family businesses.  In the case under review here, the brothers shared some fairly significant overlap in their businesses, including ownership interests, contracts/subcontracts, and a common NAICS code.  OHA concluded that these shared interests went beyond the minimal contacts allowed in earlier decisions.

The bottom line:  Government contractors with close family members that own a business – particularly a business in the same general field on industry – need to proceed with caution.  The best practice is to conduct zero business between the two entities and document affirmative efforts to wall off any actual or perceived shared interest.  Even a small amount of interaction can start to tip the scale towards a finding of affiliation.

One of the primary risks facing construction contractors is subsurface or unexpected physical conditions discovered after the work begins (commonly known as a Differing Site Condition).  When such conditions are encountered on a federal government project, contractors need to: (1) properly document the condition, (2) notify the government, and (3) preserve the right to bring a Request for Equitable Adjustment or Certified Claim.

Typically, any Differing Site Condition inquiry begins at Federal Acquisition Regulation 52.236-2.  The regulation defines a Type I differing site condition as a subsurface or latent physical condition at the site that differs materially from those indicated in the contract.  A Type II condition is defined as an unknown condition, unusual in nature, that differs materially from the conditions ordinarily encountered or typically expected of the work provided in the contract.

These definitions seem straightforward – either the conditions encountered align with the contract, or they do not.  However, contractors should not take documenting or proving Differing Site Conditions lightly.  There is still much room for disagreement.

One area where contractors and the government commonly diverge is whether the disputed site conditions were “reasonably foreseeable.”  That is, should the contractor have anticipated the conditions based on all of the information available to the contractor when it bid the project.

This particular issue was recently litigated before the Armed Services Board of Contract Appeals (ASBCA) in a dispute over an Army Aviation Support Facility construction contract.  In a nutshell, the contractor and the government disagreed about whether the soft, saturated soils encountered during excavation for the project constituted a Type I Differing Site Condition.

In discussing the issue of reasonable foreseeability, the Board specifically considered the government’s claim that the contractor had access to the site (during a pre-bid site visit) and, therefore, the ability to discover the condition.  The Board disagreed.  The site visit included a visual inspection only – no invasive investigation was permitted.  While Type I Differing Site Conditions do not literally need to be below ground, that made a difference in this case.

The ASBCA concluded that the contractor proved – by a preponderance of the evidence – that the soil conditions at the site were unsuitable for construction.  As a result, it awarded the contractor damages associated with the unexpected soil remediation costs.

Thinking specifically about Type I Differing Site Conditions, contractors should keep the following elements in mind:

  • Is the condition encountered materially different from that indicated in the contract?
  • Is the condition encountered reasonably unforeseeable based on the information provided by the government at the time of bidding
  • Did your firm reasonably interpret the contract and the related documents provided by the government? and
  • Did your firm incur actual damages due to the difference between the expected condition and the condition actually encountered?

If you can answer all of these questions in the affirmative, then your firm is likely entitled to an upward contract adjustment from the government.

Contractors seeking to avoid affiliation under the Ostensible Subcontractor Rule know the soundbite:  Your firm must self-perform the “primary and vital” contract requirements.

A small business prime contractor must zero in on the essential objective of its contract and make sure to perform those requirements with its own employees.  If those requirements are subcontracted out to others, the SBA will have all the ammunition it needs to find affiliation.

While the “primary and vital” requirements test is the most commonly cited metric for the Ostensible Subcontractor Rule, a recent Small Business Administration Office of Hearings & Appeals decision reminds us that there is another factor to consider.  Namely, affiliation can also arise under the Ostensible Subcontractor if the small business prime contractor is unusually reliant on its subcontractor.

The SBA considered a General Services Administration custodial, landscaping, and grounds maintenance services contract set aside for small businesses.  On the facts presented in the appeal, it appears that the small business prime contractor would meet the requirement to perform the contract’s primary and vital requirements by, among other things, providing custodial services and controlling all contract management activities

Digging deeper, however, the SBA determined that the primary and vital issue was irrelevant to the final analysis.

According to the SBA, the Ostensible Subcontractor Rule is “disjunctive” – which is to say that the contractor must perform the primary and vital requirements AND cannot be unduly reliant on its subcontractor.  The inquiries are totally independent and a black mark on either is enough to tip the scales towards affiliation.

So, getting back to the appeal, the SBA looked at the small business’s relationship with its subcontractor and found a textbook example of over-reliance:

  • The subcontractor was the incumbent contractor on the project, but ineligible to submit its own proposal on the restricted set-aside contract
  • The small business prime planned to staff its part of the contract almost entirely with the subcontractor’s former employees
  • The proposed project manager previously served with the subcontractor on the incumbent contract, and
  • The small business prime lacked its own experience and needed the subcontractor to successfully perform (including a stated intent to sub-out 49% percent of the work to one entity)

Cumulatively, these factors were enough for the SBA to find affiliation based on the Ostensible Subcontractor Rule (and, specifically, the prohibition against undue reliance).  No further inquiry into performance of the primary and vital requirements was necessary.

Winning bid protests all share one common theme – the government erred somewhere in the procurement process and the contractor was unfairly prejudiced as a result.  It is then up to the contractor to expend the time, effort, and resources necessary just to return to the status quo of basic fairness.

Fortunately for contractors, the burden of pursuing a meritorious protest can (sometimes) be lifted.

By law, the GAO has authority to recommend the reimbursement of protest costs (including attorneys’ fees) when it determines that the agency’s actions violated a procurement statute or regulation.  This type of recommendation is most commonly seen when the agency (unsuccessfully) contests a contractor’s protest all the way to a GAO final decision.

The GAO can also make a recommendation for the agency to reimburse protest costs even when the agency elects to take corrective action prior to a final decision.  However, in order to do so, the GAO must find that the agency “unduly delayed” taking action in response to a “clearly meritorious” protest (thus causing the contractor to expend unnecessary time and resources).

Two recent GAO decisions – one granting costs and the other denying costs – help to shed more light on vague standards like undue delay and clearly meritorious.

In the first decision, the GAO recommended the reimbursement of protests costs by the Air Force in connection with a protest over multiple award construction contracts.  The protest challenged the contract awards, arguing that the agency waived solicitation requirements for certain contractors, but not others (a classic “unequal treatment” argument).

The agency did not take corrective action in response to the protest – instead electing to submit an agency report.  After it became apparently that the agency’s own materials actually bolstered the protester’s claim of disparate treatment among offerors, the agency finally decided to take corrective action by canceling the solicitation and terminating the awards.

Following corrective action, the contractor requested reimbursement of its protest costs and GAO agreed.  Specifically, GAO found the protest allegations concerning unequal treatment “clearly meritorious” – noting that the plain language of the RFP and the protest allegations should have alerted the agency to the problem.  In short, GAO determined that the Agency’s position, from the outset, was “not legally defensible.”

On the flipside, the second GAO decision denied a claim for costs where it determined that the agency offered a reasonable rebuttal to the protest allegations.

The decision arises out of a protest over a DLA health support services contract.  The protester argued that the agency should have found the LPTA awardee technically unacceptable due to alleged proposal defects.  The protester also later filed a supplemental protest arguing that the agency engaged in misleading discussions during the evaluation period, relied on information from outside offerors’ proposals, and changed RFP requirements after proposals were submitted.

Following receipt of the protester’s supplement, the agency elected to take corrective action.  The protester promptly requested reimbursement of its fees – but this time, GAO denied the request.

If both of the cases under review ended with corrective action, why did the GAO recommend reimbursement in only one?

The key lies in the timing of the second case.  The GAO concluded that the agency had a reasonable rebuttal to the grounds raised in the initial protest.  However, when the protester filed its supplement, the agency dropped the challenge and promptly took corrective action.  The GAO therefore concluded that there was no undue delay in response to the clearly meritorious (supplemental) protest.

The Takeaway

Bid protests are all about the cost-benefit analysis.  The opportunity to claim what rightfully should have been a lucrative contract award is usually enough to justify the expenditure of time and resources.  However, when the government ignores its own procurement errors and forces a contractor through unnecessary paces, it is good to know that there is a way to claw back those costs.