25 minute read
President’s Letter
Welcome to the summer edition of Service Contractor magazine! You don’t need my words to tell you that this summer will be unlike anything we have ever seen.
While the world changes around us, the government must continue to operate key missions and functions that help keep the country running.
At PSC, our COVID-19 priorities remain: keep the entire government operating, keep contractors working, and keep you getting paid.
We continue to work with the federal government on issues ranging from access to secure facilities to securing the cybersecurity supply chain. Read more about these in Alan Chvotkin’s Policy Spotlight on page 14.
Contractors face new approaches to acquisition policy amidst uncertainties over next year’s funding in the context of a national election. I share some considerations about that in “Acquisition Policy: Can Bureaucracy Keep Pace?” on page 8.
This summer edition offers timely insights into how industry adjusts in times of rapid change.
Leo Alvarez and Jeff Clayton of Baker Tilly Virchow Krause, LLP, share insights into tracking procurement trends in supply chain management, on page 6.
Shayn Fernandez of Rockridge Venture Law highlights legal issues on Proprietary Information Deliverables in his article on page 11.
Leaders from PSC member companies give their insights into managing and leading during a pandemic, including Amentum’s Jeff Treffinger on return to work (page 20), TSI’s Shawn James on leadership and strategic thinking skills for all employees (page 21), and Lawrence Solutions’s Mitch Lawrence on access to secure facilities during COVID-19 (page 22).
PSC encourages and supports accurate, timely, and useful government agency forecasts of future contract activity. These help companies prepare and respond better, leading to more effective competition and improved results. On page 24, read more from PSC’s Amanda Goff on our 2nd annual PSC Federal Business Forecast Scorecard, covering 60 agencies and sub-agencies.
PSC continues to refine and create resources for our members to stay informed and engaged. Read more on page 26 from PSC’s Membership Team on the Coronavirus Resource Center on the PSC web site, PSC virtual events, and the advent of PSC online communities.
Cate Benedetti’s regular PSC legislative bill tracker is more important than ever, with its overview of key Congressional actions on COVID-19 and much more, beginning on page 15.
PSC conferences have gone virtual, with the July 13 Federal Acquisition Conference, Defense Services on August 13, FedHealth on September 15, and our annual Vision Forecast Conference in November. These provide member and non-member companies with outstanding market intelligence and policy insight while letting us reach members and their employees nationwide and around the world.
The rescheduled Annual Conference in October remains the best way to learn about key industry changes that affect us now and will shape doing business with the government in the future. Watch the PSC Daily for updates on this in the coming weeks.
Let me close on a note of somber reality and renewed hope. The response to the killing of George Floyd and other Black Americans feels different this time, generating needed actions to address systemic racism and other forms of discrimination throughout society. I urge you to visit our website and read my open letter to PSC members on PSC’s actions to practice and promote diversity, inclusion, and equality.
As always, I welcome your input, your feedback, and your engagement in our efforts.
David J. Berteau
Can your government contracts stand up to the scrutiny of a DOL investigation?
Industry experts estimate thatatleast50% ofContractors are currently outofcompliance. Did you know that Contractors are also subject to fines and penalties if their subcontractors are out of compliance with the DOL requirements?
Not knowing your duties is not a defense against compliance deficiencies! With penalties and sanctions becoming more frequent and often substantial, now is the time to put a strategic partner to workforyou and yourbottom line.
GSA National understands the bid implications ofSCA compliance and can help you navigate the everchangingandcomplexcompliancelandscape. Letourteamofcomplianceexpertsbetheasset thatincreases yourabilityto submitwinning proposals.
Service ContractAct Coaching and Training Davis-Bacon Act Training Recordkeeping, Reporting and SCA Compliance Review Compliance and Audit Consulting GSA Online: Web-Based Benefits Administration Premium Reserve and TrustAccounting COBRA, FMLA and Leave ofAbsence Legal Support
Pressure Testing Supply Chain Management:
What Do Today’s Challenges Mean for Government Contractors?
by Jeff Clayton, Principal, Government Contractor Advisory Services and Leo Alvarez, CFCM, Senior Manager, Government Contractor Advisory Services, Baker Tilly Virchow Krause, LLP
Over the past year, Federal contractors have been subject to a continual and growing drum beat of regulatory measures seeking to alleviate concerns over data security and vulnerabilities in the information and communications technology (ICT) supply chain. For many, these measures had appeared as though they would crescendo with the rollout of the Cybersecurity Maturity Model Certification (CMMC) and the system-wide ban on covered Chinese equipment and sources stemming from the implementation of Section 889 of the 2019 National Defense Authorization Act (NDAA).
The coronavirus pandemic’s shift into a worldwide crisis has upended global supply chains, causing shortages in numerous critical industries - ranging from medical devices, personal protective equipment, and pharmaceuticals, to electronics and even the U.S. food supply. In response, public and private sector organizations have been compelled to focus not only on strengthening the resiliency of their supply chains, but also on improving their visibility into and understanding of the risks that they face. Amidst this backdrop, the government’s metaphorical regulatory drum has kept on beating and, to this point, has not been slowed by the pandemic.
In early April, DoD re-emphasized that the pandemic would not slow down the CMMC implementation. Just a few weeks later, the DHS Cybersecurity and Infrastructure Security Agency’s (CISA) Supply Chain Risk Management (SCRM) Task Force released its “SCRM Essentials” guidance to help organizations demonstrate effective business governance over their vendor management practices. In mid-May, news outlets began to report that lawmakers on Capitol Hill were reviewing legislative proposals to incentivize companies to “re-shore” their manufacturing operations to the U.S. 1 And, as of this writing, industry is awaiting rulemaking related to Part B of the Section 889 implementation. 2
Given the persistent threat of foreign surveillance, it should not be a surprise that the federal government has pushed on with its efforts to secure and strengthen the federal supply chain. Notably, this underlying objective has also manifested itself in key acquisitions throughout the procurement landscape. Below is a sampling of SCRM requirements in two recent solicitations /programs that require plan development, implementation, and varying levels of assurance once contracts are awarded:
Acquisition
SCRM Requirement
Sub/Supplier Tier GSA Second Generation Information Technology (2GIT) BPA
• SCRM Plan Implementation • Risk Assessment Methodology • Applicability of appropriate NIST frameworks /security controls • Protection from component substitution, functional alteration, and malware insertion • SCRM Awareness Training • Reporting
All Tiers; Lowest sub-component producer or manufacturer to the delivery point
DHS Continuous Diagnostics and Mitigation (CDM)
• SCRM Plan Implementation • Risk Assessment Methodology • Applicability of appropriate NIST frameworks/security controls • Supplier Management Questionnaires • Item/product family level description of product development, integration, and deployment
Suppliers associated with all stages of System Development Life Cycle (SDLC)
1 https://www.reuters.com/article/us-usa-china-supply-chains-idUSKBN22U0FH. May 18, 2020. 2 Phase Two, slated to go into effect on August 13, 2020 is intended to prohibit the “use” of covered equipment, applications, and services by contractors.
This means that the federal government will be prohibited from contracting with organizations that use banned items or services as a substantial or essential component of any system, or as critical technology as part of any system.
Supply chain risk management has been receiving significant focus. For companies who do business with the federal government, even those that may be several tiers down in the supply chain, it is no longer something that is nice to have or that just makes good business sense; it is becoming a necessity.
While these requirements may not be routine evaluation criteria in Federal procurements today, they offer a glimpse into how far they may reach when present. Given how critical it is to limit unsecure ICT operations within the federal supply chain and the absolute necessity to thrive in an environment of everincreasing technological threats, contractors should expect that SCRM requirements will become more prevalent in the future - especially where sensitive data is at play.
Several characteristics that contractors should take note of among these procurements, and others that we are aware of, include: • Establishing a plan to provide transparency around how a vendor will identify, analyze, and manage risks among its subcontractors and supplier base; • Identifying a plan of action to address security vulnerabilities as they arise; • Use of supplier assessments to gauge risk throughout supplier tiers; • Fulfillment of reporting obligations around SCRM practices; and, • Testing to ensure conformance against the plan and solicitation requirements.
Understanding that a contractor positioned with a secure and strengthened supply chain will be extremely valuable to the Federal Government in the future, what tangible steps should contractors consider in the short term?
• Evaluate Current Practices
To address ICT supply chain risk, contractors should at the very least consider the SCRM essentials. While a somewhat basic formulation, they do outline essential actions that all contractors can evaluate with their internal procurement and subcontract management teams to determine the effectiveness of their SCRM function. Of utmost importance, contractors should take steps to map their supply chain, to the furthest extent possible, to verify the chain of custody from raw materials, to assembly of subcomponents, to the final product or application. This will also help an organization determine if there are any risky organizations in their supply chain, and also identify any areas where they may only have one supplier for a critical sub-component or item. By diversifying the organization’s sourcing of that particular item to multiple vendors, an organization can reduce the risk of a disruption should that vendor suffer from an event that would preclude them from delivering, or require remediation, exclusion, and reporting to the federal end user.
Additionally, by mapping their supply chain, contractors may be able to employ better management strategies across their supplier pool. These techniques are likely to vary by tier, as tier-one suppliers are likely to require a different kind of monitoring approach than those that are further down in the supplier ecosystem. More sophisticated and complex organizations should consider evaluating their
SCRM practices to identify gaps. One option for assessing gaps is the NIST SP 800-161 (“Supply Chain Risk
Management Practices for Federal Information Systems and
Organizations”) framework, which seeks to align people, process, policies, procedures, and systems, so that they can work in concert to address supply chain concerns.
• Assess Vendors
A sophisticated SCRM function will require the completion of supplier risk assessments for risk rating assignment (for example, low, moderate, or high), and to provide visibility into the security culture of the third party vendor. Based on the level of risk and complexity of the relationship, contractors may need to develop short-term remediation plans with critical suppliers to bring them into compliance with contractor standards.
• Update Policies and Procedures
The internal control environment for federal contractors has been an area of increased scrutiny in recent years. Formal documentation of SCRM-related policies and procedures supports the internal control framework, helps establish best-in-class practices, and ensures accountability and consistency so that processes are repeatable, systematic and integrated throughout the organization.
• Monitor and Evaluate
Once contractors put the necessary controls in place, they should continuously monitor their supply chain, working to identify changes or risks. Cross-functional involvement in the plan and communication across a variety of functional areas are likely to be an important component here. Technology can often be employed and serve as one component of many that will enable an organization to more efficiently identify changes and new risks as they arise. In addition to continuous monitoring of the supply chain, regular “health-checks,” or reviews of the SCRM plan, its policies and processes, and their effectiveness is considered a best practice.
Conclusion
Supply chain risk management has been receiving significant focus. For companies who do business with the federal government, even those that may be several tiers down in the supply chain, it is no longer something that is nice to have or that just makes good business sense; it is becoming a necessity. For some organizations, it can serve as a competitive advantage. Companies should not wait for these requirements to show up in a procurement or to be included as a contractual requirement; they should be proactive in addressing these risks. They should assess their supply chains now, and develop an SCRM plan that puts the systems, policies and processes in place that will allow them to better understand their supply chains and effectively mitigate and manage risks. 3
Acquisition Policy: Can Bureaucracy Keep Pace?
by David J. Berteau, PSC President and CEO
Based on the pace and dimensions of change, it seems that federal procurement practices and procedures are in con stant need of updates and improvements. In times of crisis, two competing dynamics come into play.
On the one hand, crises generate attention to problems that can lead to lasting positive changes in acquisition. Cost overruns in the 1960s led to David Packard’s concise directive on defense acquisition. Victory in World War II was in part due to American industry’s ability to shift resources to war efforts.
On the other hand, crises can expand bureaucracies and slow procurement actions. Throughout American history, crises have led to the creation of oversight bodies whose functions were often overlapping.
How are those competing dynamics playing out today? The COVID-19 crisis is in its sixth month, and there are signs of hopeful changes in Federal acquisition at the program level, the agency level, and government-wide. In addition, there are nearterm opportunities for Congress to enact changes with substantial benefits for government programs and procurement practices. Let’s look at a number of examples.
Teleworking
Until mid-March, many federal agencies were reducing or limiting teleworking for federal civilian workers. For contractors, many contracts were silent on the issue. Under the theory that actions not explicitly permitted are banned, that silence was generally inter preted to mean teleworking was not authorized under the contract.
This became a problem as COVID-19 meant that federal workers were sent to work from home but contractors were not eligible for the same actions. PSC urged the Office of Management and Budget (OMB) to encourage maximum teleworking by contractors. Comprehensive guidance was issued on March 20, 2020. The speedy response and quick action in a time of crisis is noteworthy, but that’s not the only example.
Mobile-Ready Workers
Many government contractors have been able to shift work from federal facilities to remote locations, but others still need to be on site. Parts cannot be repaired over the internet, and access to classified systems and data is often limited. Health and safety guidelines, coupled with closures of government facilities and state-wide activity restrictions, meant service contractors could not perform their missions.
That March 20 OMB memo also encouraged agencies to reimburse contractors for the cost of keeping skilled workers and key personnel on the payroll even if they could not access their worksites. A memo was not enough, however. PSC worked with federal agencies and Congress to produce needed authorities in law, leading to Section 3610 of the CARES Act, signed on March 27 of this year.
Laws rarely self-implement, and 3610 is no exception. Federal agency guidance has been insufficient and inconsistent. As a result, PSC has pursued better guidance from agencies while seeking clarifying statutory language from Congress.
The Speed of Bureaucracy
The federal government usually takes months to craft and issue guidance. Part of that time is spent in issuing a draft for public comment, allowing perhaps 60 days for such comments to be written and submitted, then taking additional months to adjudicate comments and revise guidance documents. Under COVID-19, time has been cut, but comments have still been sought and incorporated.
For example, on May 18 the Department of Defense (DoD) issued a draft of its guidance memorandum for reimbursement under Section 3610 (mentioned above). It granted three days for industry comment, and PSC submitted a 12-page letter on May 22. While this time is exceedingly short, past practices often provided no comment opportunities at all. At least for once, speed won out over bureaucracy.
Improved Communications
From the first week of government-wide COVID-19 retrenchments, it was apparent that existing government-industry communications mechanisms would not be timely or robust enough. Beginning with DoD on March 17, agencies began to conduct regular update phone calls with trade associations, including PSC.
Nearly four months later, many of these calls still take place, with civilian agencies as well as DoD and the intelligence community.
These regular calls enable our member companies to raise issues through PSC, often anonymously, and agencies respond quickly when they can. We have had issues resolved in the time it takes for a single call. These means of communications and issue response, to us, warrant continuation in normal times as well as during crises.
Continuing Concerns
The above successes in process and issuances are still the exception. While agency officials can be responsive, program offices continue to move at their own pace. Ordinary inertia has joined with COVID-19 impacts to add delay to ongoing procurements, slowing the obligation of necessary funds. The absence of publiclyavailable data on procurement administrative lead times (PALT) makes it harder to track. (Though Congress mandated such data by law years ago, agencies have yet to fully comply, leaving PSC and our member companies to rely on anecdotes.)
Federal agencies, program offices, and facilities have begun the process of returning workers to offices and other workspaces. These processes have been marked by unclear (and sometime unavailable) guidance, few clear standards, and a lack of attention to impacts on contractors. PSC has highlighted these shortfalls to agencies and suggested corrections that can be made, but what’s needed here is broad guidance that applies government-wide. Leaving return-to
work to the determination of individual programs or contracting officers will produce uncertainty and inefficiencies at best.
Congress Needs to Act
The Congress has several key roles to play. As PSC’s Alan Chvotkin notes in this issue’s Policy Spotlight, there are encouraging signs that Congress will mark up appropriations bills for FY21. PSC continues to urge enactment of those appropriations on time, in advance of the start of the new fiscal year on October 1, though election-year politics may mean the return of yet more rounds of debilitating continuing resolutions.
Congress could help even more by extending the life of FY20 funds which expire in less than three months. COVID-19 delays mean that making funds available past the end of the fiscal year would be one of the wisest actions Congress could take this year. It should apply government-wide, requires no new funds, and would support agency work to counter COVID-19. Perhaps most importantly for government programs and the contractors who support them, it would reduce the uncertainty that all agencies would face in the event FY21 begins under a Continuing Resolution.
Focus on Results
Perhaps the greatest potential benefit from acquisition policy responses to COVID-19 is the opportunity for the federal government to expand and strengthen its attention to procuring service contracts that produce results. Too many contracts focus in inputs, defining labor categories and specifying labor hours in tasks that would be better aimed at defining desired results and measuring outcomes.
PSC members have reported instances of change on this. Agencies whose support workers are no longer at the next desk need improved ways of assigning tasks and seeing results. These steps should be expanded and strengthened.
Program requests for information (RFIs) and for proposals (RFPs) can change to define needed results and evaluate bids based on the ability of bidders to produce those results. We know from experience that when agencies do this, contractors deliver better outcomes, often at less cost and faster.
In addition, agencies under COVID-19 have accelerated the adoption and promulgation of new technologies and the accompanying infrastructure. The next edition of PSC’s Service Contractor will take a deeper look at some of those efforts and their positive results.
The Better Way Forward
The uncertainties of COVID-19 make it hard to see the near future, but if federal agencies can combine speed of action with an expanded focus on results and outcomes, the benefits will extend far. At PSC, we will work to help in every way we can. 3
NEW DATE ANNOUNCED!
October 21 – 23, 2020 Greenbrier • West Virginia
A letter from Bill Vantine, Chair of the Annual Conference Planning Committee
These days we are all pressing pause on our traditional ANNUAL CONFERENCE nature of assembly in order to support the health and FP AD wellbeing of ourselves and those around us. As such, the 2020 PSC Annual Conference, originally scheduled to take place at the end of April, will now take place October 21-23 at the Greenbrier. The efforts of our planning committee over the past seven months do not go unnoticed nor without gratitude. The agenda we have worked hard to put together remains compelling and the challenges we face in our current environment may give us new critical issues to address. While we all continue to focus on our social responsibility of flattening the curve, let’s also look forward to assembling once again as industry leaders, colleagues, and friends of the PSC community. More information about the 2020 PSC Annual Conference can be found at www.pscouncil.org/annual. Stay safe and healthy, and I look forward to seeing you in October. Bill Vantine Chair, Annual Conference Planning Committee CEO, Systems Planning & Analysis
Learn more at www.pscconference.org
Protecting Proprietary Information in the World of Public Procurement
by Shayn Fernandez, Corporate, Technology, and Government Contract Attorney, Rockridge Venture Law
As the government increases its demand for innovative technical solutions, companies are increasingly reliant on highly skilled personnel to deliver these solutions. Obtaining and retaining key personnel, however, is no small task and contractors must comply with a complex regulatory scheme in which protecting intellectual property and unfair competition is difficult, prohibited, or unclear. This complexity, coupled with the lack of uniformity on the enforceability of protective measures, has caused some to forego protection entirely and others to charge full steam ahead even without direction. Neither approach is recommended.
In competitive procurement, a contractor’s demonstration of superior technical skill often separates an awardee from a disappointed bidder. A contractor must differentiate itself from competitors, often through trade secrets. Generally, trade secrets are technical, financial, or business information that has economic value from not being known to outsiders. As the name suggests, trade secrets must be kept secret and a contractor must take steps to protect them from disclosure. A competitor’s use of another’s trade secrets may not, however, be enough to sustain a protest. 1
Often, disclosure occurs when a former employee joins a competitor and releases that information in performance of his or her everyday tasks. This is particularly important to contractors, who tend to see a heightened level of employee turnover due to the unique regulatory scheme, which, in turn, increases the risk of disclosure. If a contract calls for the delivery of vital services, the government can require an incumbent to allow certain employees to remain on a successor contract even when the successor (and new employer) is a competitor. 2 Additionally, FAR 52.203-6 restricts agreements that impede a subcontractor from selling directly to the Government on
items offered under the subcontract. Maintaining a competitive advantage is not the only situation in which a contractor must restrict disclosure. A contractor may be required to limit disclosure when classified information is covered by the International Traffic in Arms Regulations (“ITAR”), the violation of which may result in fines up to $1 million per violation, debarment, or even 20 years imprisonment. Given these concerns, contractors often seek to limit unfair disclosure and competition through restrictive covenants (e.g., nondisclosure, non-solicitation, and non-compete agreements).
1 See DynCorp Int’l, LLC v. U.S., 757 F. App’x 927 (Fed. Cir. 2018) (https://law.justia.com/cases/federal/appellate-courts/cafc/18-1209/18-1209-2018-12-10. html). December 10, 2018. 2 FAR 52.237-3 (https://www.law.cornell.edu/cfr/text/48/52.237-3). Note, that this is different from FAR 52.222-17, which was revoked by Executive Order 13495. July 25, 1997.
Simply requiring personnel to sign sweeping restrictive covenants, however, is not the answer. To the contrary, overly broad prohibitions may run afoul of federal and state law. For instance, the FAR prohibits contractors from binding employees or subcontractors to agreements that could be read to restrict the lawful reporting of waste, fraud, or abuse related to contract performance; a violation of which could make an offeror ineligible for award and potentially subject to False Claims Act liability. 3 Blanket prohibitions may also violate the National Labor Relations Act, which provides employees with the right to discuss the terms and conditions of their employment with co-workers and union representatives. State law is ever-changing and varies. Virginia recently enacted legislation subjecting employers to liability for including restrictive covenants in agreements with certain employees.
State law also often requires a showing of a legitimate business interest and that the restriction is “reasonable” in time, territory, and topical scope. Although contractors generally have a legitimate business interest in protecting their proprietary information and relationships with personnel, customers, and vendors, this interest must, nonetheless, be balanced against the government’s interest in access to solutions and services and the interest of those subject to the restriction. Balancing these interests results in a fact-intensive analysis and a contractor is more likely to prevail when the restriction is specifically tailored to the nature and needs of the business.
In Omnisec Int’l Investigations, Inc. v. Stone, 4 a Virginia court addressed the enforceability of restrictive covenants imposed by a government contractor on a former employee when the former employee joined a competitor and allegedly brought proprietary information along for the ride. In this case, the agreement provided for: (i) non-disclosure of confidential and proprietary information in perpetuity, (ii) non-solicitation of employees and customers for one year, and (iii) noncompete in perpetuity. The court held the non-disclosure and non-solicitation provisions were enforceable, while the non-compete provision was unenforceable. Specifically, the non-solicitation was reasonable because it was for a limited time period and only applied to the federal agencies in which the former employee was directly involved. Despite being perpetual and covering “any and all confidential and/ or proprietary information,” the non-disclosure provision was reasonable because it did not impede the former employee’s ability to earn a living. The non-compete provision, however, was unenforceable because it was not narrowly tailored to prohibit future employment with identifiable persons and for a fixed period.
The Virginia Supreme court has undertaken a similar analysis in evaluating restrictive covenants on subcontractors. In Preferred Sys. Sols., Inc. v. GP Consulting, LLC, 5 a subsubcontractor promised not to enter into an agreement with the plaintiff’s prime contractor directly, or with a competitor offering similar support as the plaintiff, or for one-year after termination of the subcontract. The court found that the noncompete provision was enforceable because it was narrow in time and applied only to a program with a specific agency. Moreover, the court noted that the lack of geographical limit was not fatal because it only applied to specific projects.
As these cases show, restrictive covenants are not per se unenforceable, even for government contractors. Instead, courts may enforce provisions that are reasonable in time, territory, and topic, such as those that apply to high-level employees, for relatively short periods (e.g., one-year), and are tied to an identifiable group of customers or projects. Ultimately, the company must show that it has a legitimate business interest in imposing the restrictive covenants, which is strengthened when the restrictions are part of a comprehensive and tailored plan to protect proprietary and confidential information and relationships.
Given the indefinite and intangible form of proprietary information and the prohibition on blanket non-disclosure, protecting proprietary information cannot be achieved in a vacuum. Instead, the protection must be tailored to the business involved and be part of a comprehensive plan to protect other forms of intellectual property. The protected information must be broad enough to cover the various forms in which such information may be disclosed to personnel (e.g., documents, emails, oral communications) and also enumerate the type of information that is considered confidential, while also tailored for enforceability and legality. Although it is best to require personnel to execute these agreements at the start of their employment, that is not always possible. Depending on state law, getting agreement from an existing employee may require additional consideration beyond just continued employment. 3
3 FAR 52.203-19 (https://www.law.cornell.edu/cfr/text/48/52.203-19). January 13, 2017. 4 Omnisec Int’l Investigations, Inc. v. Stone, 101 Va. Cir. 376 ( Mar. 26, 2019) (https://casetext.com/case/omnisec-intl-investigations-inc-v-stone). 5 284 Va. 382, 732 S.E.2d 676 (2012) (https://www.leagle.com/decision/invaco20120914f53). September 14, 2012.
