Marshall & White, PC Trends and Developments in the Government Space Presented by James M. White, Esq. May 6, 2016 ©2016 Marshall & White, PC


Marshall & White, PC

Trends and Developments in the Government Space

Presented by James M. White, Esq.

May 6, 2016

©2016 Marshall & White, PC


Who We Are

• M&W was established in 2010

• Located in Washington, DC

• Our focus is the IT and defense industries

• Technology clients include:

– Federal Systems Integrators / VARs

– Storage OEMs / data center providers

– Enterprise software developers

– Professional Service (PS) providers


Practice Areas

• Government Contracting

• IP Protection / Gov’t Data Rights

• Compliance / Security Law

• Technology Agreements

• International Law / Export

• Enterprise Agreements

• Corporate Law / Formation


Approach and Strategy

• We offer clients a unique blend of legal, business and regulatory insight

• Strong network of government contacts, industry experts, and consultants

• Participation with technology and government contracting associations

– Northern Virginia Technology Council

– TechAmerica

– ABA Public Contracts Committees

– Federal Publications (FPI) seminar series


Overview of Trends and Developments in the Federal Government Space


Trans-Pacific Partnership

• Trans-Pacific Partnership (TPP) Agreement

– Multi-Nation trade agreement (11 countries)

– Status of TPP in United States

• President Obama signed TPP in February 2016

• Congress must pass TPP before it’s binding on U.S. (including for government buys)

• TPP subject to so-called “fast track” authority, so Congress cannot amend or alter – just vote on it

• Unlikely TPP will be considered in 2016

– 90 days from submission until a vote (already May)

– Probably tabled / revisited by next administration in 2017


Trans-Pacific Partnership

• Trans-Pacific Partnership (TPP) Agreement

– Eliminates key barriers to both commercial and government sectors of each country

– Would operate like other trade agreements for gov’t procurement purposes

• Products sourced from TPP countries may compete in federal government opportunities

• Malaysia and Vietnam are key additions for many technology companies

• Not applicable to state / local government

• Will function similar to WTO / GPA


Trans-Pacific Partnership

• Trans-Pacific Partnership (TPP) Agreement

– Monetary threshold for TPP applicability is ~ $190,000 for U.S. and most other countries

• Higher thresholds for Brunei, Malaysia, Vietnam

– Threshold applies to central government actors

• Unclear if sub-central agencies will implement

• Defense / security agencies will have carve-outs


Government IP Rights

• Commercial software licensing

– Current rule: Government acquires commercial software under standard commercial licenses

• DFARS has no commercial software clause

• FAR has 52.227-19 clause, but only used if agency’s needs are not met by the contractor’s EULA

– EULA provisions contrary to federal law rejected

• Open-ended liability provisions

• State governing law

• Certain disputes provisions


Government IP Rights

• Commercial software licensing

– Government more aggressive with respect to IP

• Fewer patent waivers / broader data rights

• Residual / reach-back clauses

– Inclusion of FAR 52.227-19 license, even where contractor’s EULA is generally acceptable

• Clause permits agencies to copy, modify, distribute and even combine software with other IP

– FAR 52.232-39 (June 2013): renders unenforceable all indemnification clauses (including w/ click-wrap agreements)


Government IP Rights

• Software licensing on GSA IT-70 Schedule

– Legal review / scrutiny of EULAs causing delays

– 2015 GSA Class Deviation – created two new GSAR clauses

– GSAR 552.232-78: identifies 15 unenforceable clauses in commercial supplier agreements (including EULAs)

• Most of these clauses were already subject to disputes between GSA counsel and contractors


Government IP Rights

• Software licensing on GSA IT-70 Schedule

– Clauses deemed unenforceable under 552.232-78:

• Auto renewal / auto incorporation clauses

• Future fees or penalties / tax payment clauses

• Equitable remedies / governing law clauses

• Payment terms / invoicing clauses

• Vendor indemnity (where vendor assumes control of proceedings)

• Unilateral termination / modification clauses

• Contractor definition / contract formation clauses

• Confidentiality / audit clauses


Government IP Rights

• Software licensing on GSA IT-70 Schedule

– GSAR 552.212-4: grafts new sections onto FAR 52.212-4 clause used for IT-70 Schedule contracts

• Subsection (s): Alters the order of precedence clause

• EULA terms now subordinated to (i) solicitation terms and (ii) all 52.212-4 terms

– Could impact warranty, title, patent immunity issues as well

– Creates uncertainty re whether a GSA contracting officer will enforce 52.212-4 terms (over EULA) in the future

– Conflicts with FAR 12 mandate to acquire software under terms “consistent with customary commercial practice”


Government IP Rights

• OMB Enterprise Software License Initiative

– Mandate creation of govt-wide software licenses

– Team comprised of OMB, DoD and GSA will identify “best in class” licenses

– Licenses for proprietary, open source and mixed source software types

– Total life cycle cost (TCO) approach to licensing

– License terms will permit “sharing” of pricing across different agencies

– May not reconcile with FAR/DFARS direction that agencies use standard commercial licenses


Government IP Rights

• Restricted / limited data rights

– 10 U.S.C. 2320(a)(2)(F): Government cannot condition award on contractor’s relinquishment of restricted / limited data rights

• Includes preexisting data or software

• Prohibits agency from downgrading a proposal if contractor refuses to grant greater rights

– Despite this, increased prevalence of RFPs with priced options for technical data / software with unlimited or government purpose rights

• Proposals w/ such pricing treated more favorably


Government IP Rights

• Restricted / limited data rights

– DoD Open Systems Architecture Contract Guidebook (2013): “Ratings for proposals to deliver TD [technical data], or SW [software] with more than the minimum rights specified for the Government by applicable statute and regulation may be positively impacted.”

– Creates a “race to the bottom” given agency budgetary constraints on IT

– Issue likely to be litigated in the near future

• Trade Secrets Act (18 USC 1905) supposed to restrict disclosure of trade secrets / confidential data


Government IP Rights

• White House Open Source Policy (Mar 2016)

– Mandates the following:

• Sharing of any customized OSS amongst agencies

• Release of 20% of all customized OSS to public

– Concerns:

• Unclear how agencies will determine which portion of developed OSS to release

• What about existing OSS platforms?

• If a platform is mixed source, what about any proprietary code linked to the released OSS?

• GitHub / 18F want 100% release – “OSS by default”


False Claims Act

• Implied Certification Theory of Liability

– Supreme Court Case: Universal Health Services, Inc. v. United States ex rel. Escobar (argued in April)

• Traditional FCA theory: defendant must either (i) submit a false claim for payment, or (ii) violate a term explicitly linked to payment

• Implied certification theory: even if defendant submits proper claim, still FCA violation if defendant fails to comply with all governing statutory, regulatory, or contractual requirements

• First Circuit did not make a distinction b/w implied and express conditions of payment


False Claims Act

• Implied Certification Theory of Liability

– Supreme Court Case: Universal Health Services, Inc. v. United States ex rel. Escobar (argued in April)

• First Circuit: since several regulations in the contract explicitly required compliance, as a condition of payment, UHS’s failure amounted to a cert violation

• Issues:

– Is this really an implied certification case?

– Will an implied certification theory be upheld?

– Even if it is, should violation trigger FCA liability?


False Claims Act

• VMware / Carahsoft settlement (2015)

– $75.5M FCA settlement

– Actual discounting practices (not just disclosed discount floors) were scrutinized

– DoJ viewed special (ad hoc) discounting and incentive programs as standard practices

– Licensing model itself was scrutinized

• DoJ focused on # of licenses to government vs. commercial sector for similar requirements


Other Key Trends

• Agency Developments

– Increased Auditing (particularly w/ DoD, intel agencies and GSA)

– Preference for Multiple Award Indefinite Delivery, Indefinite Quantity Contracts

– Preference for Lowest Price Technically Acceptable (LPTA) evaluation methodology

– Continued movement to the cloud

• Section 890 of 2016 NDAA – directing DoD to create a SIPRNet cloud strategy

• DCGS move to cloud in next two years


Other Key Trends

• Integrator / Channel Developments

– Increased use of master agreements / pre-negotiated terms with OEMs

• Uptick in multiple award IDIQs driving this

– Increased reliance on OEMs and tech partners at the program development stage

– Increased focus on sales to foreign govts

– OEMs offering unified partner programs / provider-centric approaches

– Restructuring affecting business opportunities

• GD and Northrop IT consolidations; SAIC split


Cybersecurity

• Cybersecurity still not well-defined in Govt

– Separate OMB, DoD, NIST, IC rules/standards

• Overlaps with Supply Chain Management (SCRM) and data governance

• Government views it primarily as system or network level defense, BUT

– In wake of Snowden, also includes personnel security, subcontracting restrictions

– In wake of Target, Google, Dropbox and other attacks, increased focus on cloud / software


Cybersecurity

• Cybersecurity Trends

– 2011-2016: non-classified cybersecurity spending increased from $3B to $14B

• $65.5B: 2015-2010

– Dual focus:

• Prevention (outside the wall)

• Mitigation (inside the wall)

– Machine-readable data solutions in vogue

• FireEye, Splunk, Applied Enterprise

– DoD / IC still the lion’s share of cyber


Cybersecurity

• DFARS 252.204-7012 (2015): Safeguarding Covered Defense Information and Cyber Incident Reporting

– Applies to all DoD contractors and subs owning or operating a system that stores, processes or transmits “covered defense information”

• Controlled unclassified information (NIST 800-171)

• Export controlled information

• OPSEC information

• Any other marked / identified information that must be safeguarded pursuant to law or policy


Cybersecurity

• DFARS 252.204-7012 (2015):

– Reporting of network breaches affecting the system or the information on the system

• Update: “affect” now means “compromised”

– Security requirements under NIST SP 800-171 must be implemented

• Contractors have discretion re how to implement

• 2-factor encryption / access privileges are top items

• December 2017 deadline for full implementation

– Clause not applied retroactively but can be added via contract modification


Cybersecurity

• DFARS 252.204-7012 (2015):

– Greatest impact on cloud service providers (CSPs) and hosted / managed service providers

– Will also include contractor systems that store or maintain CUI related to other functions:

• RFP or proposal information

• Information obtained by services / support personnel (including HW refurbishment)

• Data from remote monitoring

– Note: subs must report breaches up the chain until the prime is aware of the incident


Cybersecurity

• Federal Information Technology Reform Act

– Sections 831-837 of the FY 2015 NDAA

– Greater cooperation b/w agencies re IT buys

– Agency CIOs must have key role in agency IT planning, budgeting and execution

• CIOs given actual budget authority

• Partly a function of how cloud tech is consumed

– Cybersecurity protection and supply chain risk management are priority items in major IT investments


Cybersecurity

• Federal Information Technology Reform Act

– Technology industry challenges

• Agencies increasingly requiring encryption / authentication “baked into” the device

• Third party software work-arounds may not be acceptable even though they provide similar security

• Counterfeit goods certs require significant traceability and may unduly limit supplier base

• Hardest on COTS IT providers w/ established product lines

– Integration level challenges


Cybersecurity

• Federal Information Security Management Act (FISMA) of 2014

– Update to the 2002 FISMA requirements

– OMB will now promulgate standards while DHS implements / helps enforce standards

• Tighter cybersecurity regulations by agencies

• Incident reporting procedures better defined

• Cloud systems will have ongoing accreditation, rather than the every three years ATO process

• Updates to the original OMB A-130 Circular that sets forth the basic info system management policies


Cybersecurity

• OMB’s “Improving Cybersecurity Protections in Federal Acquisitions”

– August 2015 policy to strengthen cybersecurity in all agency procurements

• Government data (e.g. CUI or proposal data) will be subject to even greater controls

– Technically applies to agencies only, however

– Policy directs agencies to apply rules to contractors

• Expect new solicitation clauses from FAR Council in the near future


Cybersecurity

• Example: F500 storage manufacturer’s implementation of basic cyber policy

– Build on existing network security capabilities and processes -- don’t reinvent the wheel

– Frame cyber policy based on NIST “Framework” – new laws / regs based on this

– Determine what (if any) USG data may reside on the network already -- difficult, we know!

– Link to SCRM, Info Governance and other computer access policies


The Security Pentagon

Hardware Security (Functionality, Firmware)

Software Security (Malware prevention, OS issues)

Systems Security (Network, encryption, info governance)

Personnel Security (Access control, vetting, training)

Supply Chain Security (OCMs, traceability, testing)

Government Contractor


Agency Developments

• Increased Auditing:

– GSA IT-70 Schedule

• VMware / Carahsoft - $75.5M FCA settlement

• Increased scrutiny of commercial sales practice (CSP) disclosures, incentive programs and special (ad hoc) discounting

– DoD / intel agency security audits

• Uptick in audits / investigations of government owned, contractor managed (GOCO) sites

• Foreign ownership (FOCI) investigations of parent companies / affiliates taking longer


Agency Developments

• Preference for Multiple Award IDIQs

– Large integrator program contracts broken up

– Single awards re-competed as IDIQ task orders

– Creates less certainty (orders are competed)

– Increases importance of good teaming

– Uptick in the number of joint ventures (JVs)


Agency Developments

• Reduced Incumbency Advantage

– Re-competed contracts valued over $100M:

• 2012: Incumbents won 66%

• 2015: Incumbents won 30%

– Similar trend for smaller contracts / orders

• Small Business Set-Aside Boom

– Sole source, set asides for Women Owned Small Businesses (WOSBs)

• $4M for products; $6M for construction

– Veteran owned business set asides increased


Agency Developments

• Continued Preference for Lowest Price Technically Acceptable (LPTA) Evaluations

– Limits protest basis and differentiating factors

– Enhances import of program phase input

– Watch for competitors that peg pricing to the absolutely minimal specs!

– Watch for “competitive pricing” clauses in teaming / partner agreements

– Driving “platform” ownership trends

• IP tied to platforms increasingly valuable


1629 K Street NW, Suite 300 Washington, DC 20006

Tel: 202.204.2256 Fax: 202.204.2258 www.mw-pc.com
