
COMPETENCIES 2.0 2.1 2.4 2.5 3.0 3.4 3.5 3.7 4.0 4.1 4.2 4.3 4.4 6.0 6.3

The Top 10 Compliance Challenges for 2020

A brief overview of the biggest compliance issues government contracting professionals likely will face this year (if they haven’t already).

BY ERIC S. CRUSIUS, AMY L. FUENTES, KELSEY M. HAYES, AND VIJAYA S. SURAMPUDI

34 CONTRACT MANAGEMENT MARCH 2020 NCMA
While government contracting can be extremely rewarding, it is not always for the faint of heart. Successful government contracting requires compliance with myriad requirements that can be found in agency-specific regulations, governmentwide regulations, statutes, class deviations, guidance, and more. Complicating matters further, sometimes these regulatory requirements are at odds with state and local requirements.

As we dive into the next decade of government contracts, some of the following compliance-related issues (presented in no particular order) promise to be some of the biggest challenges for government contracting professionals in 2020.

1. SBA Final Rule Implements the Small Business Runway Extension Act

In one of the biggest changes to the small business regulatory landscape in 2019, the long-awaited Small Business Runway Extension Act¹ became effective just after the new year on January 6, 2020, after the Small Business Administration (SBA) issued its final rule implementing the Act in December 2019.

There are three key elements of the Act and its implementing regulation that contractors should be aware of:
• First (and most important), the SBA’s receipts-based size standard has now changed from a three-year averaging period to a five-year averaging period;
• Second, the final rule also includes a two-year transition period, during which time contractors can choose either a three-year averaging period or a five-year averaging period for calculating average annual receipts for size standards purposes during the transition; and
• Finally, the SBA clarified in the final rule that in a merger or acquisition transition, whether a seller or buyer must include the annual receipts and employees after the closing of the transaction depends on whether the transaction involved the sale of a segregable division or the sale of a separate legal entity.

Now that the Act is effective, contractors should be aware that:
• The SBA declined to make the final rule retroactive to the date of the Act (i.e., December 17, 2018). This means that the three-year averaging period continues to apply to offers submitted prior to January 6, 2020, because a company’s size is determined as of the date the firm certified its size as part of its initial offer.
• Contractors may be able to keep (or reclaim in certain instances) small business size status for procurements during the transition period. This is dependent on whether using a three-year or five-year lookback period would be most advantageous to a company’s size status.
• Contractors should consider adopting or revising internal policies regarding determination of size status so that the basis for the contractors’ determination is well documented and communicated to relevant employees.
• Corporate restructuring may be a tool that small businesses wish to use in advance of an anticipated merger and acquisition transaction. By reorganizing a segregable division into a subsidiary prior to the transaction, a seller does not have to include the recently organized subsidiary’s receipts and employees when computing its size post-closing.
• Contractors should cautiously contemplate how the five-year lookback period will affect their business, whether utilizing the three-year or five-year lookback period will be most advantageous during the transition period, and plan for how the Act may impact a company’s small business status both now and in the future.

2. Interim FAR Rules Prohibit Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (a.k.a., the “Huawei Ban”)

The Federal Acquisition Regulatory Council has issued two interim rules to implement Section 899 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019,² which generally prohibits government agencies, contractors, and grant or loan recipients from procuring or using “covered telecommunications equipment or services” produced or provided by certain Chinese companies as a “substantial or essential component of any system, or as critical technology as part of any system.” Broadly speaking, the prohibitions in Section 899 will be implemented in two phases.

Phase 1

The prohibitions in Section 899(a)(1)(A) became effective on August 13, 2019. This Section prohibits agencies from “procuring or obtaining, extending, or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as a critical technology as part of any system” unless an exception applies or a waiver has been granted. These prohibitions were implemented with the creation of Federal Acquisition Regulation (FAR) Subpart 4.21 and the related solicitation provisions and contract clauses at FAR 52.204-24, 52.204-25, and 52.204-26, respectively.

The new annual representation requirement at FAR 52.204-26 mandates that an offeror must represent whether it does or does not “provide covered telecommunications equipment or services as part of its offered products or services to the government in the performance of any contract, subcontract, or other contractual instrument.” If an offeror represents that it does not provide covered telecommunications equipment or services to the government, in response to FAR 52.204-26 or in the new paragraph (v) added to FAR 52.212-3, then it is not required to complete the representations in FAR 52.204-24, which is to be included in all solicitations and contracts. If the offeror represents that it does provide covered telecommunications equipment or services or has not made any representation in FAR 52.204-26 or FAR 52.212-3(v), it must still complete the representations required by FAR 52.204-24.

The clause at FAR 52.204-25 prohibits contractors from providing “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception can be applied, or the covered equipment or services are covered by a waiver. The clause imposes stringent reporting requirements that obligate the contractor to immediately notify the contracting officer when it discovers “covered telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance[.]”³

In the event a contractor discovers covered equipment or services are used during contract performance, the contractor must report certain information within one business day. From there, within 10 business days, the contractor must—
• Submit “any further available information about mitigation actions undertaken or recommended”; and
• Describe—
  ◦ “[T]he efforts it undertook to prevent use or submission of a covered article,”
  ◦ “[A]ny reasons that led to the use or submission of the covered article,” and
  ◦ “[A]ny additional efforts that will be incorporated to prevent future use or submission of covered articles.”

Phase 2

Further prohibitions in Section 899(a)(1)(B) will become effective on August 13, 2020. These prohibitions restrict agencies from entering into contracts (or extending or renewing contracts) “with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” This portion of the ban is far stricter than the interim rule effective in 2019.

Contractors must take steps to review their supply chains for the presence of any banned telecommunications equipment or services and ensure they are not incorporated into government deliverables. It is also worth taking steps to rid covered telecommunications equipment or services from the contractor’s entire business operations to comply with the governmentwide ban that will go into effect later this year.

3. New FAR and DFARS Amendments Seek to Curb Agencies’ Use of LPTA Source Selection Procedure

The Department of Defense (DOD) recently published a final rule⁴ amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement limitations and prohibitions on the use of the lowest price technically acceptable (LPTA) source selection process and the FAR Council recently proposed a similar amendment to the FAR.

As the contracting community is aware, LPTA is an evaluation method for selecting an awardee when the government expects to receive the best value as the result of selecting the technically acceptable proposal with the lowest evaluated price. Agencies’ use of LPTA has long been criticized for placing price or cost over technical value and is often seen as a “race to the bottom.”

Under DOD’s final rule, contracting officers may use the LPTA process only when certain criteria are met. The new rule also provides that contracting officers must avoid, “to the maximum extent practicable,” using the LPTA process if a procurement is predominantly for the acquisition of:
• “Information technology services, cybersecurity services, systems engineering and technical assistance services, advanced electronic testing, or other knowledge-based professional services”⁵;
• “Items designated by the requiring activity as personal protective equipment”⁶; or
• “Services designated by the requiring activity as knowledge-based training or logistics services in contingency operations or other operations outside the United States, including Afghanistan or Iraq.”⁷

The proposed rule for civilian agencies includes the same limitations, but also includes “audit or audit readiness services, health care services and records, [and] telecommunications devices and services.” If implemented, the proposed rule will amend FAR 15.101-2.

For many contractors, these rules are a step in the right direction—promoting technical merit over cost or price.

4. SBA Proposes the Consolidation of the Mentor-Protégé Programs

The end of 2019 saw a flurry of proposed and final small business regulatory changes. One of the most important proposed rules that contractors should be aware of is the SBA’s proposed consolidation of the Mentor-Protégé (M-P) Programs.

Importantly, the proposed rule seeks to:
• Consolidate the M-P Programs by eliminating the 8(a) M-P Program and allowing any small business—including 8(a) concerns—to participate in the All Small M-P Program. If implemented, this proposed change will eliminate the requirement for the SBA to approve joint venture agreements between a mentor and 8(a) protégé.
• Consider whether to implement a size limitation on mentor eligibility following the SBA’s receipt of suggestions that elimination of very large contractors from the pool of eligible mentors would benefit mid-sized contractors’ ability to compete.
• Eliminate the three-contract limit for joint ventures between small businesses or parties to an approved M-P agreement for two years following receipt of its first award (which includes a novated contract).
• Require the recertification of a contractor’s size status under unrestricted multiple award contracts (MACs) for:
  ◦ Task order submissions of small business set-aside orders under an unrestricted MAC, and
  ◦ Task order submissions for set-aside orders differing from the socioeconomic status of the underlying set-aside MAC.
• Authorize size protests relating to the new proposed recertification of a contractor’s size status (as previously discussed).

Contractors should be aware that the proposed rule continues to be in the rulemaking process and should be on the lookout for the SBA’s final rule expected later in 2020. Overall, the proposed consolidation of the M-P Programs is largely applauded by the industry as addressing the longstanding issues of inconsistency between the Programs because of the different approving entities, as well as proposing to eliminate the preapproval requirement of 8(a) joint ventures. This may prove difficult in practice due to unknown timing constraints that companies cannot rely on. Additionally, there is some concern over the feasibility of implementing the consolidated M-P Program due to limited resources from the agency. Only time will tell whether these changes can be effectively implemented.

5. New DOD Cybersecurity Standard: The Cybersecurity Maturity Model Certification (CMMC) Program

DOD’s Office of Acquisition and Sustainment (OA&S) is launching the CMMC program to enhance the protection of controlled unclassified information (CUI and other nonpublic information) within the supply chain. Beginning in June 2020, some requests for information will require offerors to be certified at the appropriate CMMC level. Likewise, in September 2020, requests for proposals will require the same.

DOD recognizes that many security risks have arisen due to several high-profile breaches under the current acquisition system—where contractors provide individualized cybersecurity plans in accordance with the security controls in the NIST SP 800-71. However, these plans are generally provided post-award and depend on contractors’ self-certification.

The CMMC program is expected to measure the maturity of a company’s institutionalization of cybersecurity practices and processes. Through combining several cybersecurity control standards into a single unified standard for cybersecurity, the CMMC program intends to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.” The most basic level is “Level 1” and the most sophisticated level is “Level 5.” Each level is designed to minimize the risk against a specific set of cyber threats relevant to that procurement by assigning the associated security controls and processes. Contracting officers will be required to assess which CMMC level is required for each procurement and to include that CMMC level in the solicitation. DOD advises that these levels will be modified on a yearly basis to ensure the cybersecurity controls remain current as cyber threats evolve.

Importantly, contractors must be certified by a third-party auditor who will evaluate a contractor’s cybersecurity hygiene and certify (or not certify) a contractor at a desired level. DOD recently released the initial standards and the Accreditation Board is developing training for potential assessors who will be charged with assessing companies’ compliance with the appropriate CMMC level they seek.

There is no indication how long these certifications will be valid, but DOD has noted that—
• It is advising all companies against publishing their certifications publicly, such as on their company websites, to avoid these certifications becoming a check-the-box exercise for contracting officers; and
• Contracting officers will be allowed to request recertification under certain circumstances.

Importantly, there are no exceptions for small businesses, commercial products, or whether the contractor will ever possess CUI while performing the relevant contract. All contractors and subcontractors will be required to be certified at the appropriate CMMC level for each and every procurement. The only variable between procurements will be the CMMC level required.

DOD recognizes that this is a huge undertaking and contemplates it will take at least five years to fully implement. It has further noted that its goal is for CMMC to be cost-effective and affordable for small business. To that end, DOD has noted that the cost of the certification should not be prohibitive. Further, DOD is treating the cost of certification as allowable reimbursable costs.

The program is ripe to bring new enforcement mechanisms to cybersecurity and to build on the already growing number of False Claims Act (FCA)⁸ actions involving cybersecurity standards. Whether a business has the proper CMMC level of certification is also likely to be a hot issue in protests. Contractors should prioritize becoming familiar with these requirements and be prepared to tackle the upcoming certification process.

6. OFCCP Reports Record Recoveries in 2019

The Office of Federal Contract Compliance Programs (OFCCP) reported that in 2019 it hit the highest three-year period on record for recoveries against government contractors, recovering over $40 million in monetary settlements.

The basis for many of these allegations against government contractors has been a violation of Executive Order 11246, “Equal Employment Opportunity.” Pursuant to the Executive Order, federal contractors with over $10,000 worth of business with the government in one year are prohibited from discriminating in employment decisions on the basis of race, color, religion, sex, sexual orientation, gender identity, or national origin. Contractors are also required to take affirmative action to ensure the company is providing equal opportunity in all aspects of employment.

OFCCP’s increased recoveries should serve as a gentle reminder to contractors to review hiring and employment practices and to update affirmative action plans to ensure compliance.

7. Updated FAR Counterfeit Reporting Requirements

The FAR Council published a final rule, effective December 23, 2019, setting forth new counterfeit reporting requirements. The final rule institutionalizes a mechanism for all contractors—both civilian and defense contractors—to report the use of certain counterfeit and suspect counterfeit parts and certain major or critical nonconformance to the Government–Industry Data Exchange Program (GIDEP).

The new FAR provision⁹ and clause¹⁰ covers both civilian and defense contracts that are above the simplified acquisition threshold.¹¹ Covered contractors must provide written notice to their contracting officers, within 60 days of becoming aware or “having reason to suspect” that any part purchased for delivery to or purchased on behalf of the government is counterfeit or suspected to be counterfeit. The suspected counterfeit item must provide reasonable doubt of its authenticity through inspection, testing, record review, or notification from a third party. All suspected counterfeit items must be kept for review and disposition by the contracting officer. Further, the contractor must submit a report to GIDEP within 60 days of becoming aware or having a reason to suspect an item is counterfeit.

The final rule requires FAR 52.246-11, “Higher-Level Contract Quality Requirement,” to be flowed down to all subcontracts without any alterations involving these items. There are four distinct contract types that will be impacted by this final rule:
• Items that are subject to higher-level quality standards, such as those where the nonconformance could lead to a higher risk of performance (e.g., complex and critical items);
• Items the contracting officer has determined are “critical,” such as those likely to result in hazardous or unsafe conditions or for which failure would prevent performance of an agency’s critical missions;
• Electronic parts or items containing electronic parts; and
• Services provided in conjunction with any of these items.

Ultimately, the rule has more bark than bite due to the limited requirements on contractors to monitor their supply chains and its limited applicability to certain contracts. The rule itself also does not require companies to implement any systems or mechanisms to detect and avoid counterfeit parts. Further, the rule provides “carve-outs” for certain contracts, such as commercial item contracts and certain medical devices. It also has limited application for contracts with—
• Foreign corporations with no offices, locations, or fiscal paying agents in the United States;
• Items that contractors know are subject to an ongoing criminal investigation; and
• Single source items (i.e., items that have not been sold to any other company).

The FAR provision and clause present another policy measure designed to address and attack risks within the supply chain. This focus on supply chain management suggests that compliance and risk management will likely be on the forefront of the government’s enforcement radar and may lead to an increase in investigations.

8. Proposed Regulations Seek Expanded Scope of CFIUS Review

There has been a lot of change when it comes to foreign ownership or investment in companies that have contracts with the federal government. At the center of that is the Committee on Foreign Investment in the United States (CFIUS).

Following the passage of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA),¹² the scope of investments or transactions that will be reviewed by CFIUS has expanded. This was detailed in proposed regulations released in fall of 2019. Highlights include:
• Nonpassive investments by foreigners will be reviewable under certain circumstances (broadly speaking, investments in companies that house critical technology, involve critical infrastructure, or have sensitive personal data of U.S. citizens);
• Certain real estate transactions will now be subject to review by CFIUS (though this review is highly dependent on the location of the real estate—e.g., if it is within one mile of a U.S. military installation); and
• Investments and transactions that allow a substantial interest by foreign governments.

Notably, the proposed regulations also contemplate a “white list” that would contain foreign investors (transactions are not included) that are exempt from CFIUS requirements. As the proposed regulations noted, such a list promises to be very short. Contractors that may be subject to these new requirements should monitor the final regulations closely when they are released.

9. Cybersecurity Qui Tam Actions on the Rise

Cyberattacks have skyrocketed in recent years, leading to increased focus on preventing attacks and protecting sensitive information. In turn, this has led to increased enforcement efforts by the government concerning contractors’ noncompliance with cybersecurity regulations.

As one example, a company recently settled a qui tam lawsuit with the New York Attorney General that alleged the company’s software, which was designed to control security camera systems, had flaws that rendered the system vulnerable to hackers. The lawsuit alleged that the company was aware of these flaws and failed to disclose the flaws after selling the software to U.S. state governments and the federal government (including every branch of the U.S. military).

In another example, a California judge recently allowed a relator’s cybersecurity FCA case to proceed, denying the company’s motion to dismiss. The relator alleged that the company failed to comply with DFARS 252.204-7012, which imposes reporting requirements on defense contractors and requires specific controls to be in place to safeguard technical CUI from cybersecurity threats. Specifically, the relator contended that the company fraudulently entered into contracts with the federal government, despite knowing that it did not meet the cybersecurity compliance requirements of DFARS 252.204-7012 and a related NASA regulation. The U.S. District Court of the Eastern District of California agreed with the relator, finding that these false statements were material to the government’s decision to award contracts and pay the company. Thus, it allowed the case to proceed. This is the first time a court has found an allegation of noncompliance with a cybersecurity standard to form the basis of FCA liability.

Expect enforcement actions concerning cybersecurity to increase. Contractors should diligently monitor and update their cybersecurity programs as new rules and regulations have been recently enacted and should diligently comply with any control standards and reporting requirements. Contractors must also ensure the appropriate controls and measures are in place to protect sensitive data, prevent attacks, and detect breaches.

10. Highlights from the 2020 NDAA

Each year’s NDAA is always a great look into the future of government contracting. Often, NDAA provisions turn into regulatory requirements over the following one to two years. Understanding each NDAA’s requirements and thinking about how these affect a contractor or contracting agency can allow all to prepare for changes that are due to come.

While a thorough analysis of the provisions of the 2020 NDAA¹³ is beyond the scope of this article,¹⁴ a few items stick out:
• Section 254—Addresses the United States’ shortfall in developing 5G technology. It requires a plan to implement and harness 5G technology, including research and development and strengthening outreach to industry.
• Section 845—Requires a closer look at modernizing the acquisition process. The Section 809 Panel¹⁵ released its final report nearly a year ago, which outlined detailed recommendations on how to modernize the U.S. acquisition process. While some of these recommendations have already been adopted, others have not, and this may be an effort to jump-start that process.
• Section 886—Requires a report from the Government Accountability Office detailing how many contractors, in the last five years, have been found to have willfully or repeatedly violated the Fair Labor Standards Act¹⁶ or the Occupational Safety and Health Act.¹⁷ Perhaps this is a prelude to introducing an updated version of Fair Pay and Safe Workplaces.¹⁸ Because its implementing regulations were rescinded, Fair Pay and Safe Workplaces regulations cannot be reintroduced in identical form.
• Section 873—Would allow payments to small businesses to occur in as little as 15 days under certain circumstances. This is a valuable tool for small businesses because they often expend a tremendous amount of resources to start working on a contract—often with limited resources.
• Section 827—Requires the General Services Administration (GSA) to review the relative cost of the different models being considered for the new e-commerce portal. GSA must review the e-commerce, e-marketplace, and e-procurement methods.

Other provisions of interest will impact intellectual property, the SBIR/STTR programs, the acquisition workforce, and federal supply chains. In addition, there are other sections of the 2020 NDAA that cover some of the topics previously discussed in this article.

Conclusion

While compliance headaches abound for the remainder of 2020, compliance does not have to be a hassle—especially if you get ahead. Fortunately, there are a lot of free resources to help contractors, such as this magazine.

Eric S. Crusius, Partner, Holland & Knight LLP
Amy L. Fuentes, Associate, Holland & Knight LLP
Kelsey M. Hayes, Associate, Holland & Knight LLP
Vijaya S. Surampudi, Associate, Holland & Knight LLP

ENDNOTES
1 Pub. L. 115-324.
2 Pub. L. 115-232.
3 Emphasis added.
4 DFARS 215.101-2-70, “Limitations and Prohibitions” (i.e., on the LPTA source selection process).
5 DFARS 215.101-2-70(a)(2)(i).
6 Ibid., at (ii) (except when 215.101-2-70(b)(1) applies).
7 Ibid., at (iii).
8 31 USC 3729–3733.
9 FAR 46.317.
10 FAR 52.246-26.
11 $250,000 for most agencies as of January 2020 pursuant to class deviations.
12 Enacted as Section 1701 of the 2019 NDAA (see note 2).
13 Pub. L. 116-92.
14 Editor’s Note: For an in-depth review of the acquisition-related provisions of the 2020 NDAA, see: Joe Martinez, Chris Fetzer, and Tyler Thomas; “2020 NDAA Highlights,” Contract Management Magazine (February 2020): 38–43.
15 Editor’s Note: Officially the “Advisory Panel on Streamlining and Codifying Acquisition Regulations,” the Section 809 Panel was created pursuant to Section 809 of the 2016 NDAA (Pub. L. 114-92) and charged with analyzing the defense acquisition system and delivering recommendations for improvement. The Panel was sunset in July 2019, and its collected reports—including findings and recommendations—are available at https://discover.dtic.mil/section-809-panel/.
16 29 USC 203, et seq.
17 Pub. L. 91-596.
18 Editor’s Note: A policy originally issued via Executive Order 13673, “Fair Pay and Safe Workplaces” (July 31, 2014), it was essentially revoked by the passage of Pub. L. 115-11 (signed March 28, 2017), which overturned the Executive Order’s implementing regulations.
