So, you have a Contractor Purchasing System Review (CPSR) in the pipeline. Whether this is your first CPSR or the Defense Contract Management Agency (DCMA) is returning to perform a comprehensive review, you should make sure your house is in order.
DFARS 252.244-7001 Contractor Purchasing System Administration Criteria contains 24 system criteria that a contractor’s purchasing system should meet in order to have an adequate purchasing system, although DCMA has realigned them into 30 different areas for their review (see DCMA’s CPSR Guidebook dated September 10, 2021).
Where You Can Get Into Trouble
It is important to understand some of the common deficiencies that DCMA identifies in a purchasing system in order to understand where you can get into trouble. The following list of common issues will assist you in revisiting your policies and practices to ensure compliance with the CPSR criteria.
Inadequate Policies and Procedures
Policies and procedures should address the requirements in the DFARS criteria. Even if a criterion is not applicable, your purchasing manual should have a section on that criterion stating something such as, “XYZ LLC is a small business and therefore not required to have policies and procedures addressing small business subcontracting plans.” Make things as easy as possible for the DCMA reviewer. Policies and procedures should not simply refer the buyer to the FAR citations for requirements; they should also include procedures explaining how the buyer will comply with the requirements. DCMA’s expectation is that the policy contains procedures on how to perform the requirement as well as FAR/DFARS references.
Actual Practices Do Not Comply With Written Policies and Procedures
DCMA selects a sample of subcontracts/purchase orders to ensure the documentation complies with FAR/DFARS as well as the contractor’s policy. A contractor can have well-written policies and procedures that comply with the FAR/DFARS criteria, but if the company is not following them, DCMA will cite this as a finding. Contractor policies should not be overly detailed, as this could set contractors up for failure (i.e., too complex to implement or leaving no flexibility for the buyer). One example is a contractor’s policy stating a negotiation memorandum will be prepared for any purchase over $10K. DCMA would expect to see a negotiation memorandum for each purchase over $10K; however, if you used competition, a negotiation memorandum is not necessary, as either lowest price or best value establishes a fair and reasonable price and negotiation is not required. Ensure your policies do not include stricter requirements than are required by the FAR/DFARS.
Inadequate Sole Source Justifications
DCMA will request that, as part of the universe of subcontracts and purchase orders, you identify whether each is competitive or sole source. If there is an overwhelming number of sole source subcontracts, not only will DCMA include a higher percentage in the sample selection, but they will scrutinize the sole source justifications to ensure they are adequately documented, supported with market research, and contain approvals. Documentation of the justification such as “directed by the government” should have support from the government that it is a directed source. If there is an estimated savings by using sole source (e.g., no tooling or qualification costs of a new supplier), the justification should include a dollar amount associated with the savings.
Debarment Not Verified at Time of Award
Contractors are required to document that a supplier/subcontractor is not debarred, suspended, or proposed to be debarred. The common practice is to check sam.gov prior to sending a Request for Proposal (RFP) and have the subcontractor sign Representations/Certifications indicating they are not debarred. However, sometimes these two procedures are performed well in advance of award of the subcontract. FAR 52.209-6 requires the subcontractor to disclose in writing at the time of award that the subcontractor or its principals are not debarred, suspended, or proposed for debarment. While it is a good practice to check sam.gov and have the supplier sign the reps and certs in advance to ensure your vendor is not debarred, it seems the DCMA CPSR team’s expectation is that the debarment language is included on the face of the PO. This meets the requirement, as the subcontractor is signing the PO (date of award), which includes the language confirming they are not debarred.
Inadequate Price or Cost Analysis
Some of the common issues identified in a price analysis are:
- The use of historical prices without documentation that the prior price was determined to be fair and reasonable,
- Using GSA pricing as the sole price justification, or
- Not performing/documenting market research for pricing commercial products/services.
For a cost analysis, the common issues include:
- All the cost elements including evaluation of profit/fee were not addressed,
- No documentation of requesting and following up on a request for government audit when a subcontractor denies access to the entire proposal or specific cost elements, and
- No documentation of any review the contractor was able to perform (e.g., independent estimate by the contractor technical personnel).
Inadequate Commercial Product/Service Determinations
Contractors prepare commercial determinations, but they don’t always include market research or have the determination signed and approved by management. DCMA expects the commercial determination to include market research supporting the commerciality of the product or service as well as management approval.
Untimely Reporting of First-Tier Subcontractors in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS)
FAR 52.204-10 requires contractors to report executive compensation for first-tier subcontractors as well as input the first-tier subcontract information into the fsrs.gov website in a timely manner. Contractors generally provide a representation/certification to first-tier subcontractors to determine if they are required to report, and did report, executive compensation. However, the second requirement in the clause requires the contractor to upload the first-tier subcontractor information into the fsrs.gov website by the end of the month following the month of the subcontract award. We have found that contractors are not uploading the subcontractor information at all, or it is not being uploaded in a timely manner. Once the upload is performed, it is a best practice to maintain a copy of the upload to the website in the procurement file, supporting compliance.
Flowing Down All Clauses
We have seen instances where contractors have flowed down all the clauses from the prime contract to a subcontract and indicated they are self-deleting. This is not a good practice. We have seen where contractors have flowed down clauses from an incentive prime contract to a firm fixed price (FFP) subcontract and even flowed down clauses for cost reimbursable contracts to an FFP subcontract. DCMA expects contractors to have a procedure in place to ensure only the appropriate clauses are flowed down to the subcontract.
Lack of Documentation
The most common deficiency is the lack of documentation in the procurement file. We find that the buyer performed the necessary requirements, but for some reason the related documents (e.g., signed purchase order, requisitions, requests for proposals, etc.) are not in the procurement file. While the work has been done, it needs to be filed in the purchase order file.
Lack of Internal Audit/Assessments
Contractors are not always performing internal audits, self-assessments or peer reviews of files. DFARS requires contractors to perform internal audits or management reviews, complete training, and maintain policies and procedures. While most companies may not have an internal audit department, these reviews can be as simple as pulling some purchase order files to ensure the buyers are following the policies and procedures and documentation is clear and included in the files. It is important to have periodic training just to address issues that come up, changes in regulations, etc.
New Area - Not Confirming Subcontractor Actions Related to Cyber Security Requirements
The government is taking a hard look at contractors’ cyber security controls. While we are not sure if the CPSR team is addressing it during a review, we are recommending contractors add a certification to their Reps and Certs to address the requirements under the clauses DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements. When a prime contractor flows DFARS 252.204-7012 down to a subcontractor and the subcontract includes covered defense information, the subcontractor is required to notify the prime if they requested from the Contracting Officer a variance from the NIST SP 800-171 security requirement and, if there is a cyber incident, to report the cyber incident number to the prime. In addition, when DFARS clause 252.204-7020 NIST SP 800-171 DoD Assessment Requirements is flowed down, it states the prime contractor shall not award a subcontract that is subject to the NIST requirements in accordance with DFARS 252.204-7012 unless the subcontractor has completed a basic self-assessment within the last three years and uploaded it into the Supplier Performance Risk System (SPRS). Contractors should protect themselves by requiring subcontractors to certify that they have completed the self-assessment, uploaded it to SPRS, and are aware of the cyber security reporting requirements to the prime.
Takeaways
We recommend companies revisit their policies and procedures to make sure they are current, or modify them if necessary. Take a look at your process for flowing down clauses. Ensure the appropriate approvals for sole source justifications and commercial determinations are made. Consider adding a cyber security section to your reps and certs. Make sure you have a checklist or other controlling document to ensure all the documents are placed in the file. DCMA pulls a sample of subcontracts and purchase orders for the previous year, so it is good to get a head start on ensuring your files are up to date.
Redstone GCI assists contractors throughout the U.S. and internationally with understanding the Government’s expectations and supporting contractors from contract award to contract closeout. We would be happy to assist you with questions and concerns on your purchasing system. Our staff is able to assist with reviewing or drafting policies and procedures, performing mock CPSR reviews, or maybe just sampling procurement files to assist our clients in the contracting industry.