I recently had the opportunity to present an online CLE for LawLine on Risk Management in Government Contracting. This is my second time presenting a course for LawLine (I previously taught a course on Small Business Compliance).

Risk Management is a broad topic that can mean different things to different people. In this course, I decided to focus on practical steps that contractors can take to develop a corporate Culture of Compliance. There is little value in limiting compliance training to only the upper leadership – employees at all levels must become ethics and compliance watchdogs.

I recommend developing a compliance program in four steps (that not coincidentally track the requirements of FAR 52.203-13):

  • Implement a Contractor Code of Business Ethics and Conduct
  • Establish a Regular and Robust Training Program for All Employees
  • Institute an Internal Control System
  • Understand the Difference between Reportable and Non-Reportable Evidence

To be effective, none of these steps are “one and done.”  It will not do much good to draft a Code of Business Ethics and Conduct, only to put it in a drawer to collect dust.  Your Code should be a living document that your employees read, understand, and utilize often.

In addition to these broad strokes, the course also delves into a few hot button issues relevant to today’s enforcement environment.  Most prominently, I discussed the requirements of FAR 52.204-21 and Cybersecurity best practices.  It may not have fully hit yet – but I think firms that lag behind in this area will soon find themselves on the wrong side of government enforcement actions.

If you have any questions about this Risk Management presentation, or have other questions you’d like to discuss, I’m happy to connect with you off-line.  I’m available by phone (202-696-1460) and email (nsolosky@foxrothschild.com).


Earlier this month, we had the pleasure of opening the 2017 Associated General Contractors of America Federal Contractor Conference in Washington, DC with a presentation focused on the emerging issue of Cybersecurity in Federal contracting.  Data breaches are big news in the private sector, but the issue has remained somewhat under the radar for public contracts – until now.

New rules and regulations (with the imminent promise of more on the way) are setting the stage for Cybersecurity to be the next big government enforcement target under the Civil False Claims Act (which the Department of Justice used to claw back $4.7 Billion in recoveries from Federal contractors in FY 2016 alone).

The New Cybersecurity FAR Clause

A Final Rule published by the Department of Defense, NASA, and the General Services Administration in 2016 created a new Federal Acquisition Regulation subpart (4.19) and contract clause (52.204-21) that deal exclusively with Cybersecurity.

The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.”  These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance.  In other words, if the new clause is not included in your Federal contracts yet, it soon will be.

The Regulation imposes 15 “basic” security controls for contractors.  The controls are intended to impose minimum safeguarding measures that the government believes any responsible contractor should have in place as part of the cost of doing business.  A complete list of the security controls is available here.

The DFARS Cybersecurity Clause

Compliance with FAR clause 52.204-21 should be viewed by contractors as a baseline Cybersecurity requirement – but it does not take the place of other, more complex requirements.

For example, DoD contractors must comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting).  The DFARS clause is more far-reaching than the FAR clause, and includes investigation and rapid reporting requirements for breach incidents.  It also requires compliance with NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) by no later than December 31, 2017.

Other requirements related to the handling of Classified and Controlled Unclassified Information also remain in place.  And we fully expect more (and more demanding) Cybersecurity requirements to be published by the government in the coming months and years.

The Contractor’s Guide to Cybersecurity Compliance

For Federal contractors, the future is now.

Cybersecurity requirements will soon be included in almost every Federal contract, so the only question is how to achieve and maintain compliance.

The good news is that compliance with FAR 52.204-21 is a great first step.  Again, the government considers the Regulation to be a basic safeguarding requirement that every responsible contractor should have in place.  If your business does not have at least those 15 security controls covered right now, it is time to figure out why.

To track and maintain compliance with expanding requirements, we also recommend making Cybersecurity part of your Federal Business Ethics and Compliance Program.

All Federal contractors have (or should have) a written Contractor Code of Business Ethics and Conduct.  The Code should be a living document that your business routinely updates and uses in connection with internal audits and employee training.

By adding Cybersecurity to your Ethics Program and written Code, you are ensuring that it becomes a part of your company’s culture.  You are also increasing the likelihood that Cybersecurity breaches, or other instances of non-compliance, are identified by your Internal Control System – not by the government.

Cybersecurity is an emerging, complex subject – but that does not mean that the government will relax its enforcement efforts while your business gets up to speed.  In fact, we think the opposite is true.  Contractors that do not make Cybersecurity compliance a priority now will be behind the power curve and are more likely to face harsh consequences (including False Claims Act allegations, suspension, or debarment) later down the road.


The U.S. Department of Justice is maintaining its momentum in the prosecution of alleged government contracting fraud.  DOJ had its third largest year ever in terms of civil False Claims Act recoveries in Fiscal Year 2016, clawing back $4.7 billion from government contractors accused of misconduct.  And the latest trends for 2017 show that individual corporate executives (not just the companies themselves) should be on high alert in the year ahead.

On December 28, 2016, the U.S. Attorney’s Office in Baltimore announced a $4.535 million settlement with Advanced C4 Solutions, Inc. (Advanced C4).  The settlement resolved claims that the SBA 8(a) small business contractor submitted inflated invoices from its subcontractor, Superior Communications Solutions, Inc. (Superior Communications), under a project management and labor services contract for work at Andrews Air Force Base (Joint Base Andrews).  The contract required Advanced C4 to design, construct, and implement computer technology upgrades in support of the U.S. Air Force personnel working at Joint Base Andrews. The U.S. Navy’s Space and Warfare Systems Command (Navy) awarded and administered the contract.

Under the terms of the contract, Advanced C4 was required to bill its labor costs, as well as those of its subcontractors, according to certain job classifications and the number of hours worked at each classification.  Collectively, the Justice Department, the Air Force’s Office of Special Investigations, DCIS, and the SBA investigated and determined that Advanced C4, and its project manager and vice president Andrew Bennett, passed false invoices from its subcontractor, Superior Communications, (and potentially others) through to the government.

The invoices allegedly charged for hours that were not worked and charged higher rates for personnel that did not meet the job classification requirements. The government paid the invoices, opening the door for False civil False Claims Act charges.

The Justice Department ultimately indicated three people, including Mr. Bennett, as well as a retired Navy contracting official, James T. Shank and John Wilkerson.  Mr. Wilkerson owned Superior Communications.  The Air Force also issued a memorandum in support of proposed debarment for all three companies.

The indictments strongly indicate that the Justice Department is following the directive provided by Deputy Attorney General, Sally Quillian Yates in her September 9, 2015 memorandum (The Yates Memo) that directed Department of Justice attorneys to focus on individuals and not just their employers.  According to the Yates Memo, “[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”

In this case, while the settlement resolved the allegations that Advanced C4’s employee submitted fraudulent invoices, Mr. Bennett and Mr. Shank previously pled guilty to conspiracy to commit wire fraud for their actions on the contract. Mr. Wilkerson is scheduled for trial beginning on January 30, 2017.

Contractors interested in learning more about avoiding False Claims Act liability and establishing a culture of corporate compliance should check out our previous posts about implementing a FAR-complaint Business Ethics and Conduct Program.

As I’ve covered extensively on this blog, the U.S. government is conducting a wide-spread and on-going crackdown on contracting fraud.  Under the Civil False Claims Act alone, the government clawed back $3.5 billion in 2015.  And 2016 is poised to be another banner year.

One of the hot topics in fraud prevention of late is small business contracting fraud.  The government is investing heavily in making sure that there are optimum opportunities for small businesses to receive federal contracting dollars (for example, through small business set-aside contracts and socio-economic contracting programs).  IG offices are on alert to make sure that those contracting dollars actually reach small and disadvantaged business owners.

Recently in the news is the latest example of a contractor paying hefty penalties in connection with a small business contracting scam.  This time, the government revealed that a small business and a large business colluded to obtain over $70 million in small business set-aside contracts, but (illegally) have the large business perform all of the work on the contracts.

All federal contractors need to be aware of the uptick in fraud investigations – but they should not be lulled to sleep by this latest example.  This case was an easy one for the government – what I like to refer to as “old school fraud.”  The guilty parties acted intentionally with the hope of beating the system and making an easy dollar for as long as possible.

Fortunately (or unfortunately), these kinds of cases are the exception, not the rule.  My experience shows that most contractors investigated for fraud are far less culpable than this extreme example.  In fact, I’ve seen plenty of fraud cases based on a failure to know the rules – which is particularly troubling given how fast those rules are changing today’s environment.  Contractors are also facing fraud investigations based mistakes made by lower level employees – not the top brass.

So how do you avoid getting caught up in the IG’s net?  There are a few simple steps your business should be following right now to create what I call a Culture of Compliance:

  • Implement a Contractor Code of Business Ethics and Conduct (even if you are not technically required to have one under FAR 52.203-13)
  • Establish a Business Ethics Awareness and Compliance Program (including regular employee trainings and updates)
  • Establish an Internal Control System (to monitor for and catch issues before they arise); and
  • Inform the IG Office of “Credible Evidence” of any Violation (and know what “credible evidence” really means before you do).

By taking these steps, your employees will be much less likely to commit mistakes rising to the level of fraud – and will be in a much better position to interface with the government in the event an investigation takes place.

For small business government contractors, the question of affiliation should always be at the top of the list of priorities.  A finding of affiliation between your business and another business (and, in particular, a large business) could be enough to lose your small business size status – and the ability to compete for those coveted set-aside contracts.

One of the few recognized exceptions to affiliation is an approved mentor-protégé relationship under the Small Business Administration’s (SBA) 8(a) business development program.  In short, an 8(a) protégé can joint venture with its SBA-approved large business mentor and still qualify as a small business for any federal government contract or subcontract – without the fear of affiliation.

While it may seem a bit obvious or a simple matter of housekeeping, the SBA’s Office of Hearing and Appeals recently issued a stern warning that the exception to affiliation depends of having an approved mentor-protégé agreement in place.  Specifically, OHA concluded that failure to obtain the proper documentation resulted in a finding of affiliation and precluded eligibility for a small business set-aside contract — even when the two firms involved had a long history of participation in the mentor-protégé program.

45903865 - compliance legal rule compliancy conformity concept

This decision serves as an important reminder for firms currently partnering as part of the 8(a) program to stay current – but it should also be a wake-up call for all of the businesses out there planning to take advantage of the SBA’s imminent (groundbreaking) expansion of the mentor-protégé program.

Now that the SBA is accepting expanded mentor-protégé program applications, it is a great time to take stock of how to make the program work for your business.  As we recently highlighted, partnering between government contractors can open the door to new and exciting opportunities – but it works best for those firms that conduct proper due diligence.

Is your mentor-protégé agreement working for you?  Now is the time to find out and (if necessary) make the appropriate course corrections.

Just last week, we looked at the importance for small business contractors to check their SAM.gov profiles to make sure they are properly certified as small.  Incorrect information can lead to a variety of problems, not the least of which is potentially losing out on a small business set-aside contracting opportunity.

36995065 - set of check mark, check box icons

This point was refined by a newly published opinion from the Government Accountability Office.  As part of the GAO protest, a disappointed offeror alleged that the awardee on a VA electrical services contract lacked the technical expertise required by the solicitation.  Specifically, (among other things) the protest argued that the awardee’s SAM profile did not specifically list the NAICS code applicable to the procurement.

The GAO disagreed and dismissed the protest – stating that it could not identify a regulation requiring an offeror to have a particular NAICS code included in its profile.

So, are SAM profiles back to the Wild West?  Not so fast.  Part of the reason that the GAO dismissed the protest was that the awardee was certified under other NAICS codes requiring the same (or even smaller) size standard.  Also, by taking proper steps to certify under the NAICS codes where your business primarily operates, your business will be in a position to fend off challenges like these altogether.

So, the advice remains the same.  Take the time to check and spruce up your SAM profile (and any other publically available databases listing information about your business).

Novations are the government contracting equivalent of M&A in the private sector – the process through which a government contract can be transferred from one business to another (without violating the Anti-Assignment Act).

There are many reasons that a novation might be necessary.  A business holding a government contract could be acquired by another business (that now wants to take over and perform the contract).  Or a government contractor could divest assets during a bankruptcy proceeding.  The common denominator is a material change in the identity of the business that will perform under a contract with the government.

The novation process set out in FAR 42.1204 is deceptively simple.  According to this regulation, a formal Novation Agreement is granted when the government determines that the transfer is in the “best interest” of the government and supported by appropriate documentation (set forth in checklist format).

In reality, novation is a fluid and unpredictable process.  But, by thinking proactively about the transfer in advance, you can ease the administrative burden and set your business up for the future successful performance of a new contract.


Plan Ahead (If Possible)

FAR 42.1204 does not establish any timeline or schedule for the novation process.  Even if you have all of your “checklist” documents prepared and ready for primetime, there is no guarantee that your Novation Agreement will get the rubber stamp that you hope for (in fact, it probably won’t).

Look carefully at the contract that is being transferred.  By understanding the expectations and deadlines, you’ll minimize the chance of penalties caused by a longer-than-anticipated novation process.

You Might Not Check Every Box

Just because FAR 42.1204 has a list of required documents does not mean that your business (or the business transferring the contract) will be able to check all of those boxes.  For any number of reasons, there may be a document here or there that is not in your records.

Before creating unnecessary work for yourself, contract the ACO (administrative contracting officer) that will handle the novation.  By discussing your particular circumstances, you may be able to agree on a smaller or different set of documents that will satisfy that government’s process.

But beware.  Exceptions or concessions that are approved for one novation may not work for the next.  Whether it’s a different ACO or a change in the government’s expectations, plan on treating each contract novation like a unique process (which, when you think about it, it is).

Stay Flexible and Be Ready to Supplement

The novation process is marked by a back-and-forth process between the contractor and the government.  The ACO may ask for more – or different – information from what was included in your opening submission (even if you think your information is totally comprehensive).

The hallmark of the government’s Service-Disabled Veteran-Owned Small Business programs is ownership and control of the business by a qualifying service-disabled veteran of the U.S. military.  So what happens when you intentionally violate that rule to take advantage of program benefits?  The answer won’t surprise you – and it should serve as a reminder of the powerful enforcement stick the government wields.


Today’s unfortunate example is Hayner Hoyt Corporation – a Syracuse based contractor that agreed to pay in excess of $5 million to resolve allegations that it intentionally exploited the SDVOSB program for contracting opportunities.  Specifically, the government alleged that Hayner Holt officials exerted control over a purported (and now defunct) SDVOSB.  While a service-disabled veteran figurehead was placed at the head of the operation, all of the actual control, day-to-day management, and decision making was in the hands of Hayner Holt and its affiliates.  In reality, the responsibilities of the service-disabled “president” of the SDVOSB included taking inventory and snow removal.

While these allegations may be a blatant example of government contracting fraud, it bears repeating that most government investigations and lawsuits are based on conduct that falls far short of this example.  In fact, in today’s enforcement environment, many allegations of so-called fraud come down to nothing more than failing to know the rules.

For example, again looking at the SDVOSB program, did you know that a service-disabled veteran must obtain written verification that she qualifies for the program?  Failing to obtain that verification could land a contractor operating an SDVOSB in the same kind of trouble as Hayner Hoyt – even without the elaborate scheming.

The only true way to avoid these pitfalls is a robust ethics plan that creates a culture of institutional compliance.  Do you know the current state of your Code of Business Ethics and Conduct?

Federal contractors have two additional markets to consider when providing commercial items, products and services to the government; now that New Zealand and Montenegro are included within the countries whose eligible supplies or products are exempt from the Buy American Act (“BAA”). On October 30, 2015, the Department of Defense issued final rule 48 CFR Part 252 amending “Defense Federal Acquisition Regulation Supplement: New Designated Countries” to reflect that Montenegro and New Zealand have been added as newly designated countries under the World Trade Organization Government Procurement Agreement (“WTO GPA”).  The import of this final Rule signifies that the United States Trade Representative (“USTR”) waived the BAA and other discriminatory provisions for eligible products from New Zealand and Montenegro.

The fundamental purpose of the BAA is to encourage purchases of American-made goods by the Federal Government. However, under the authority of the Trade Agreements Act (“TAA”), which was delegated to the United States Trade Representative by the President, the USTR can waive BAA requirements for eligible products in acquisitions covered by countries that are signatories to the WTO GPA and other trade agreements.  The waiver qualifies for purchases over specific thresholds that are based on a supply or service originating from a designated TAA country.  Section 25.409 of the Federal Acquisition Regulation (“FAR”) specifies that eligible products from WTO GPA and Free Trade Agreement (“FTA”) countries are entitled to nondiscriminatory treatment from the BAA as described in 25.402(a)(1) of the FAR as well as to procurement procedures designed to ensure fairness as set forth in 25.408 of the FAR.  The USTR waived BAA requirements for Montenegro and New Zealand because he determined that these countries will provide appropriate reciprocal competitive Government procurement opportunities to United States’ products and services.

Although, federal contractors now have two new options to explore when importing products and/or services to provide to the federal government, federal contractors should consult an attorney in order to assess any risks, exposure, or hardships that can potentially result from doing business in a BAA-exempt country.  For example, New Zealand ranked high in the World Bank’s 2014 “Doing Business Report” and its lack of corruption has been touted in the Transparency International Corruption Index 2013 with a score of 91 on a scale of 0 being highly corrupt and 100 being “very clean.”  Whereas, Montenegro ranked 59th in the World Bank’s 2014 “Doing Business Report” and ranked around 44 in the Transparency International Corruption Index of 2013.   Montenegro has implemented steps to improve and modernize their customs systems and has worked with the World Bank Group to ensure that the reforms made will produce real and practical benefits for the private sector.


We are currently in the midst of an unprecedented uptick in the prosecution of (alleged) government contractor fraud under vehicles such as the False Claims Act and agency suspension and debarment programs.  Generally speaking, the government uses these methods to claw back Federal contracting dollars from contractors suspected of engaging in unethical practices and fraud.

Add another one to the list – the U.S. Department of Transportation (USDOT) Disadvantaged Business Enterprise (DBE) Program is in the news, as the government is cracking down on contractors alleged to have misrepresented their DBE standing in order to reap Program benefits.

In a nutshell, the Program requires state and local transportation agencies that receive USDOT assistance to establish goals and facilitate DBE participation on transportation projects.  To be certified as a DBE, a contractor must be a small business owned and controlled by socially and economically disadvantaged individuals.


Recently, the owners of a Pennsylvania contractor pled guilty to defrauding the DBE Program to the tune of nearly $19 million by setting up a sham entity designed to look like a woman-owned minority business.   The fraud, which lasted more than 15 years, involved 224 federally funded projects.

While this extreme example involves an obvious case of fraud that all contractors should know to avoid – there is still a lesson to be learned:

The increased level of government enforcement is not limited to contractors intentionally behaving badly.  The government is lowering the threshold for culpability – meaning that contractors that make inadvertent mistakes – or simply do not know the rules – are being caught in the crossfire.

For contractors participating in set-aside programs like the USDOT DBE Program, it is particularly important to make sure that your business satisfies the participation requirements before getting started.   Failure to know the rules could result in allegations of fraud and severe penalties, including fines, jail time, and debarment.