Redstone Government Consulting Blog | Contractor Purchasing System Review (CPSR) (3)

So, you have a Contractor Purchasing System Review (CPSR) in the pipeline. Whether your first CPSR review or Defense Contract Management Agency (DCMA) is returning to perform a comprehensive review, you should make sure your house is in order.

Office of Management and Budget (OMB) issued a memorandum dated September 14, 2022, Subject Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. This is a result of the President’s Executive Order on Improving the Nation’s Cybersecurity.

The Department of Justice (DOJ) settled one of the first lawsuits related to alleged cybersecurity fraud by Aerojet Rocketdyne, a defense contractor. So how did it begin. Aerojet Rocketdyne hired an employee as the Senior Director for Cyber Security, Compliance and Controls. The employee asserts that Aerojet misrepresented its compliance with the cyber requirements in DFARS 252.204-7012 when communicating with government officials to obtain DOD and NASA contracts between 2013 and 2015. The employee later refused to sign documents stating Aerojet was compliant with the cybersecurity requirements and reported it to the company’s ethics hotline and filed an internal company report. The employee was terminated and filed a qui tam suit alleging cybersecurity fraud under the False Claims Act.

DoD issued a final rule under DFARS Case 2020-D033, effective April 28, 2022, that allows Contracting Officers to rely on a contract issued under FAR Part 12 procedures to serve as a prior commercial item determination on future buys. It only makes sense, that Contracting Officers rely on prior FAR 12 contracts instead of recreating the wheel each time a contractor submits a commercial product/service and making the contractor continually support a product/service already determined commercial.

CMMC was put on hold until recently – but is rolling forward again at a high speed. DOD held a CMMC Day Conference in May 2022 stating its goal of submitting a proposed rule in July 2022 ( no proposed rule to date) and issuing two interim final rules by March 2023. If DoD is able to stay on track (which does not appear to be the case) and issue the final interim rule by March 2023, contractors could start seeing CMMC requirements in solicitations soon after.

Contractor compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is back in the news. The Principal Director, Defense Pricing and Contracting (DPC), issued a memorandum dated June 16, 2022, to the Department of Defense Departments, Subject: Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments.

The Department of Justice (DOJ) announced in October 2021 that they are following through on the launch of the DOJ’s Civil Cyber-Fraud Initiative. This initiative is being used to pursue cybersecurity related fraud when Government contractors and subcontractors knowingly fail to comply with cybersecurity requirements, through the use of the False Claims Act (FCA). The DOJ is asking individuals (yes that means your employees) to focus their attention on potential cyber security noncompliance under the False Claims Act. It only takes one upset employee to report that you are not complying with your reported cybersecurity practices or have an unreported cyber-attack affecting covered defense information. Contractor employees who file a qui tam suit can receive a government payment incentive of 15 to 30 percent of the recovery. There has already been one reported contractor settlement resolving a qui tam suit for a company failing to meet federal cybersecurity standards.

There seems to be a lot of questions and misconceptions about purchase orders and subcontracts. Is there a difference? When is it appropriate to issue either instrument?

The FAR Council published a final rule on March 7, 2022, implementing revisions to the Buy American Act. The final rule strengthens the impact of Federal procurement preferences for products and construction materials domestically manufactured from substantially all domestic content and is effective October 25, 2022.

What is a CPSR Review?

A CPSR Review is a Contractor Purchasing System Review. This review is performed by the Government on a contractor, in order to:

• assess the overall health of the purchasing organization,
• evaluate the efficiency and effectiveness of the contractor’s practices in expending Government funds,
• perform an independent review of the contractor’s system to optimize its effectiveness in compliance with Government policy, and
• identify risk to provide the Administrative Contracting Officer (ACO) a basis for approving or disapproving the purchasing system.