On January 30, 2020, the Department of Defense (DoD) released new cybersecurity standards that will be incorporated into defense contracts later this year. The DoD's new standards (Cybersecurity Maturity Model Certification, CMMC) outline five different levels of cybersecurity. The CMMC's five levels of cybersecurity range from Level 1 (17 practices that deal with basic security requirements) to Level 5 (171 practices for systems that pose a potential threat if penetrated). Pentagon officials will choose 10 contracts this summer to start the slow process of incorporating these requirements into its contracts, with all contracts subject to the requirements of CMMC by 2026. As part of this process, the DoD created a Cybersecurity Maturity Model Certification accreditation board. This independent board decides which cyber third-party assessors (C3PAOs) will certify contractors' compliance with CMMC. The accreditation board, a 13-member governing body led by Ty Schieber, will start training C3PAOs this spring. New certification requirements will apply to new contracts and will be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) under 252.204-7012, Defense Industrial Base Compliance Information. The amended regulation will be released for comments this spring, with a final version set to be released in September.
On February 7, 2020, the DoD released class deviation DARS 2020-O0005 on the prohibition of contracting with persons who have business operations with the Maduro government. Contracting officers are directed to include provision 252.225-7974, Representation Regarding Persons that have Business Operations with the Maduro Regime, in all solicitations. Exceptions for the use of this provision include contracts that the secretary of defense and the secretary of state determine are (1) necessary for humanitarian assistance to Venezuela, provide disaster relief, or carry noncombatant evacuations; (2) vital to U.S. national security; and (3) relate to the operation and maintenance of U.S. consular offices and diplomatic posts in Venezuela.
On February 7, 2020, the DoD released class deviation DARS 2020-O0006 on the restriction of tantalum. Contracting officers are directed to use an amended clause in lieu of DFARS 252.225-7052, Restriction on the Acquisition of Certain Magnets and Tungsten. This deviation implements section 849 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020 (Pub. L. 116-92). Under 10 U.S.C. 2533c, tantalum is added to the definition of "covered materials." Albeit with exceptions, 10 U.S.C. 2533c prohibits the acquisition of covered materials melted or produced in any covered country (i.e., North Korea, China, Russia, and Iran), or any end item manufactured in any covered country that contains covered material.
Recent Cases and Administrative Decisions
On January 13, 2020, the Supreme Court declined to hear a case that would have nullified the U.S. Department of Veteran Affairs' (VA) precedence of the "Rule of Two" over the AbilityOne Program. The case, Winston-Salem Industries for the Blind v. PDS Consultants Inc., dealt with conflicting language between the Javits-Wagner-O'Day Act (JWOD) and the Veterans Benefits, Healthcare, and Information Technology Act (VA Act). The VA Act requires the VA to set aside procurements for small disadvantaged veteran-owned small businesses (SDVOSB) or veteran-owned small businesses (VOSB) if the agency expects that two or more of such concerns will submit an offer (also known as the "Rule of Two"). The JWOD requires all agencies purchasing items on the AbilityOne list to prioritize awards to nonprofits that employ blind and disabled persons.
PDS Consultants, Inc., a SDVOSB, challenged an award to the Industries for the Blind under the AbilityOne program at the Court of Federal Claims (COFC). The COFC determined that the Rule of Two must be followed before purchasing goods or services from the AbilityOne list. The government and Winston-Salem Industries for the Blind appealed this decision to the Federal Circuit, where the court sided with the lower court. The Federal Circuit held that a "specific statute takes precedence over a more general one" (referencing the JWOD as a general statute that applies to all agencies, whereas the VA Act applies only to the VA). The Federal Circuit also noted that the statute stemming from the Rule of Two was enacted after JWOD. The court's approach to statutory construction gives the Rule of Two precedence over products or services on the AbilityOne list. The Federal Circuit's holding will remain, as the Supreme Court denied petition for certiorari, maintaining the Federal Circuit's decision.
Contracting Reviews, Audits, and Assessments
On February 7, 2020, the Government Accountability Office (GAO) conducted a study of the implementation of required elements for TRICARE's Managed Care Support contracts. The study comes after the NDAA of 2017 required a number of changes to the TRICARE program to include 13 specific elements related to provider networks, telehealth services, and referrals. The GAO's report looks at the changes the DoD has implemented in its TRICARE contracts and acquisition process and whether the 13 elements required by the NDAA have been implemented. The GAO found that the DoD made changes to its managed care support contracts and implemented changes to the acquisition process from the third-generation contracts to the fourth-generation (T-2017) contracts. These changes were mostly intended to streamline TRICARE requirements and simplify the administrative process. The GAO found that the DoD partially implemented 6 out of 13 required elements established under the NDAA 2017. The DoD said that the remaining elements will be implemented through modifications or will be implemented in fifth-generation contracts set to be awarded in 2021. The GAO found that the DoD lacks clear time frames and specific actions needed to fully implement all elements; thus the GAO recommends that the DoD develop a plan with time frames and specific actions needed to implement all 13 elements.