Per DFARS 252.204-7012, Contractors were to implement NIST SP 800-171 by 12/31/2017 “Safeguarding Cover Defense Information and Incident Reporting”. However, Contractors self-certification has not gone as well as the Department of Defense (DoD) had hoped. They have even included it as part of 2019 Contractor Purchasing System Reviews (CPSR) for the Defense Contract Management Agency (DCMA) to evaluate Contractors monitoring of subcontractor’s self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the DoD supply chain's cybersecurity at all levels of the supply chain, from the prime Contractor on down to the lowest subcontractor.
As we noted in our last blog, DCMA has issued another updated CPSR Guidebook, dated May 29, 2018. DCMA issued two updates in 2017 and have already issued 2 updates in 2018. This leads us to question: Will there be more? And our intuition leads us to answer: More than likely!
A new DCMA CPSR Guidebook has been released effective May 29, 2018 and can be found here: http://www.dcma.mil/Portals/31/Documents/CPSR/CPSR_Guidebook_052918.pdf The Redstone team will be conducting a more comprehensive review of the guidebook, but we want to share our initial thoughts with readers.
Is your purchasing system ready for a DCMA Contractor Purchasing System Review? Time to dust off those policies and procedures, and make sure your employees are trained on FAR and DFARS requirements.
DCMA has been hard at work reviewing contractor purchasing systems, making several updates in 2016 to the CPSR Guidebook, the most recent being January 18, 2016. In addition, in October 2016, the Director of DCMA issued a Class Deviation from FAR 44.302(a), increasing the CPSR threshold from $25 million to $50 million. Questions remain on how this will impact contractors whose contracts include FAR 44.3 and who are on DCMA’s review schedule. The threshold can be lowered if the ACO determines a contractor’s risk level warrants a review. We have already seen the lower threshold enforced in the early part of 2017 for a couple of our clients.
“Help! We received a letter from our ACO informing us that they will be conducting a Contractor Purchasing System Review (CPSR) three months from now – can you help us?” This is a scenario we hear all too frequently these days. As promised, DCMA has ramped-up their efforts to ensure contractors purchasing systems are being reviewed and assessed for adequacy.
In March 2013, we blogged about “a new Sheriff in town”. That blog commented on DFARS 252.244-7001 Contractor Purchasing System Administration which sets forth 24 criteria to be used in the determination of an adequate contractor purchasing system. It also reflected on DCMA-INST 109 Contractor Purchasing System Reviews issued November 2012 which has since been revised in January 2014. At the time it was unclear as to just what DCMA would be including in its reviews. Specifically what criteria would it use when evaluating a contractor’s purchasing system. Late last year we began seeing a bad trend from DCMA reviewers.
As published in the Federal Register on May 6, 2014 the Department of Defense has issued a final rule amending the DFARS to require certain qualifying contractors to adequately address the detection and avoidance of counterfeit electronic parts. This was done to implement those sections of the NDAA for fiscal years 2012 and 2013 respectively dealing with the same subject and is effective May 6, 2014.
On September 5th, DCMA issued a letter to the National Defense Industrial Association (NDIA) addressing industry concerns raised at a meeting with DCMA on April 25, 2013. We will highlight some key points in the letter that will help contractors deal with DCAA’s assertions which often times are not supported by regulations. The letter reinforces that it is DCMA that determines if a contractor’s business system is compliant or not and if a Corrective Action Request (CARs) is necessary.
DCMA reviewers and consultants alike used a years’ old guidance instruction for performing CPSRs (Contractor Purchasing System Reviews) in ascertaining if a contractor’s purchasing practices represent methods for achieving “best value” in purchasing of services and supplies. This guidance, DCMA Instruction “Consent to Subcontract/Contractor Purchasing System Review (CPSR)” includes an Appendix B that was specifically used in the reconciliation of a contractor’s purchasing or procurement related policies and procedures. That appendix in essence is a checklist with 55 far ranging questions from purely subcontract management issues to Affirmative Action and Standards of Conduct items, and effectively represents criteria and parameters for acceptable government contractor procurement practices in addition to preferred documented company policies and procedures.