Per DFARS 252.204-7012, Contractors were to implement NIST SP 800-171 by 12/31/2017 “Safeguarding Cover Defense Information and Incident Reporting”. However, Contractors self-certification has not gone as well as the Department of Defense (DoD) had hoped. They have even included it as part of 2019 Contractor Purchasing System Reviews (CPSR) for the Defense Contract Management Agency (DCMA) to evaluate Contractors monitoring of subcontractor’s self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the DoD supply chain's cybersecurity at all levels of the supply chain, from the prime Contractor on down to the lowest subcontractor.
Future Supply-Chain Rules to Be Implemented Under Executive Order 13873, and Under Sections 889(a)(1)(B) and 889(b) of the 2019 NDAA
There have been several recent developments in U.S. law, relating to non-tariff restrictions on foreign-origin information technology and telecommunications equipment, with a focus on Chinese-origin products. This is the third installment of a three-part series on this topic.
Supply-Chain Rules from Section 889(a)(1)(A) of the NDAA for 2019 (Implemented by FAR Subpart 4.21)
There have been several recent developments in U.S. law, relating to non-tariff restrictions on foreign-origin information technology and telecommunications equipment, with a focus on Chinese-origin products. This is the second installment of a three-part series on this topic.
Supply-Chain Rules Under DFARS Subpart 239.73
In the ongoing trade war between the U.S. and China, the U.S. Government’s Section 301 tariffs on Chinese-origin goods has received most of the attention, and rightfully so. Effective September 1, 2019, these tariffs generally impact all Chinese-origin goods imported into the United States, including all information technology and telecommunications equipment (“Equipment”). However, there have also been several recent developments in U.S. law, relating to non-tariff restrictions on foreign-origin Equipment, with specific focus on Chinese-origin products.
The Federal Acquisition Regulation (FAR) implemented Section 822 of the Fiscal Year 2017 National Defense Authorization Act (NDAA) which requires contactors to submit additional certified cost or pricing data when only one offer is received in response to a competitive solicitation. Certified cost and pricing data is required when the following three criteria are met:
Recently, there has been much discussion around comments made by Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD. She made the following statement before a roomful of vendors at the PSC meeting in Arlington, VA.
It has been years since the contract period of performance has ended, DCAA has finally concluded their audit or review of your incurred cost proposal, and you have received the final indirect rate letter from DCAA. Now what? By design, the contract closeout process begins in earnest. Typically, the Administrative Contracting Officer (ACO) is responsible for initiating administrative closeout of the contract after receiving evidence of its physical completion.
“A sound internal control environment, accounting framework, and organizational structure” is criteria number one in DFARS 252.242-7006 Accounting Systems. In fact, all six of the business systems identified in DFARS 252.242-7005 Contractor Business Systems, or commonly known as the “DFARS Business Systems Rule”, references adequate internal controls and the reliability of data. Even more far-reaching than DFARS is that FAR, adhered to by most, if not all US Federal Government agencies, requires adequate contractor internal controls over financial data relied upon for acquisitions. For the purposes of this blog, we shall focus primarily on the DFARS Business Systems Rule as it applies to defense contractors because of the activities of DCAA.
DCAA has had MMAS (Material Management and Accounting System) audit cognizance or review responsibility for DOD contractors since the advent of the DFARS Business Systems Rule in 2012. DCAA’s scope of audit is to determine if a contractor’s MMAS complies with the ten criteria or standards set forth in DFARS 252.242.7004.
Estimating System Deficiencies
In its recent report (DODIG 2015-139), the DOD-IG (Inspector General) found that DCMA Contracting Officers failed to comply with DFARS timing requirements related to contractor business systems (DFARS 215,407-5-70 and DFARS 252.242-7005. In this case, the IG evaluated actions (or more accurately inactions) on 18 DCAA audit reports related to contractor estimating systems which are subject to the criteria in DFARS 252.215-7002. The DFARS Business Systems rule includes no time frames concerning government audits of contractor systems; however, once a government audit report is (finally) issued, DFARS has the following time-requirements (“requirements” used loosely because due dates applicable to the government are routinely ignored as evidenced in the IG report):