L & R Alert October 2015
FY 2016 National Defense Authorization Act
The just passed FY NDAA has several provisions benefitting small businesses. The most important among them are:
Section 861: Extends the DoD Pilot Mentor-Protégé Program for three years.
Section 863: Requires that bundling and consolidation justifications be published with a solicitation so that small businesses can challenge agencies that are unfairly taking away opportunities for small businesses.
Section 864: Prevents agencies and courts from applying nonmanufacturer rule to contracts the principal purpose of which is services or construction.
Section 867: In bundled, consolidated or multiple-award contracts, agencies must consider the capabilities and past performance of small business subcontractors on par with that of the small business prime contractor. In bundled, consolidated or multiple-award contracts, agencies must consider the capabilities and past performance of small business joint venture members if joint venture does not have the requisite capabilities or past performance.
Section 869: Establishes a statutorily independent office within SBA to hear challenges to size standards.
For more information on this topic, contact Devon E. Hewitt at firstname.lastname@example.org
WOSB Sole-Source Contracting
On September 14, 2015, the Small Business Administration (SBA) finalized a rule allowing sole-source awards to women-owned small businesses (WOSBs). The rule implements a provision of the 2015 National Defense Authorization Act (NDAA). Sole-source awards are limited to contracts with manufacturing NAICS codes valued at less than $6.5 million and less than $4 million for contracts with all other NAICS codes. Competitive WOSB contract awards may be made at any dollar level, under a change made by the 2013 NDAA.
For now, both WOSB sole-source and competitive awards are limited to those contracts with one of the 83 four-digit NAICS codes identified by SBA as industries where women are underrepresented. However, the 2015 NDAA mandated an accelerated study to add additional industries, which must be completed by January 2, 2016.
The 2015 NDAA also required WOSBs to be certified as eligible for both set-asides and sole-source awards either by SBA, by federal or state agencies, or by a national certifying entity approved by SBA. In this final rule, SBA decided that certifying WOSBs will require substantial resources and, for this reason, SBA deferred the issue to a subsequent rulemaking. For the time being, therefore, WOSBs may self-certify their eligibility for WOSB contract awards.
Under the new rule for sole-source awards, only the contracting officer or SBA may protest the WOSB status of the awardee. For competitive awards, an interested party may protest the WOSB status of the awardee.
The rule takes effect October 14, 2015. For more information on this topic, contact Steve Ramaley at email@example.com.
Cybersecurity Policy and Reporting Rule
- On August 11th, OMB released a draft policy memo entitled “Improving Cybersecurity Protections in Federal Acquisitions.” The purpose of the memo is to provide federal agencies with guidance to implement stronger cybersecurity protections in federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to Controlled Unclassified Information. Of note, OMB recommends that federal agencies clearly and effectively address cybersecurity issues in contracts with contractors. To this end, OMB is working to establish sample cybersecurity contract clauses. OMB also signaled that the FAR Council will amend the FAR to provide for contract clauses that address required contractor security controls, cyber incident reporting, information system security assessments, and information security continuous monitoring. In addition, the policy memo notes that GSA is leading an effort to develop a business due diligence sharing system that would allow government agencies to access a system that tracks various sources of information about contractors to determine whether the contractor poses a cybersecurity risk. The business due diligence sharing system could be used in future decisions to award and continue contracts and in past performance evaluations. Comments on the OMB memo were due by September 10th, and OMB expects to release the final guidance later this year.
- On August 26th, DoD issued an interim final rule on cyber incident reporting. The rule requires contractors and subcontractors (including lower-tier subcontractors) to rapidly (i.e., within 72 hours) report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system, on covered defense information residing on such a system, or on the contractor’s ability to provide operationally critical support. New DFARS clauses and provisions also address expanded safeguarding and reporting policies, limitations on the use and disclosure of third-party contractor information reported to DoD as part of a cyber incident, and offeror representations as to their intention to use cloud computing services in performance of a contract. When a contractor uses cloud services, a new DFARs clause requires the contractor to follow and implement certain safeguards and controls, and this DFARS clause must be flowed down to subcontractors (including subcontracts for commercial items). The interim rule was effective immediately, but the public is invited to comment by October 26, 2015. In particular, small businesses are encouraged to comment on DoD’s conclusion that there are no significant alternatives that would minimize the impact of the rule on small businesses.