In the second of our series about what to watch for in government contracts in fiscal year 2018, we focus on Cybersecurity, Cloud-Based Services, Employment Regulations, M&A, FCA enforcement, and Block Chain.
For a more in-depth discussion of current trends, please join us for our inaugural MoForward event on October 26, 2017 at the Tysons Corner Ritz-Carlton. Click here for more information and to register for the event.
At the forefront of every defense contractor’s mind in FY 2018 may be the cybersecurity requirements in Defense Federal Acquisition Regulation Supplement (DFAR) 252.227-7012. Pursuant to this clause, specified IT security system protections must be implemented by December 31, 2017. Many contractors are working on their system security plans and plans of action and milestones for implementation of the NIST SP 800-171 IT security standards incorporated by reference into the rule. In addition, prime contractors are developing plans to ensure that their subcontractors and vendors with covered information systems are in compliance as well.
All government contractors, not just those in the defense space are continuing to ensure compliance with the Federal Acquisition Regulation (FAR) basic safeguarding clause (FAR 52.204-21). Although this clause requires only a bare minimum standard for cybersecurity protection, it has been somewhat overlooked given the more extensive DFARS clause.
Beyond the basic safeguarding requirements, more specific cybersecurity protections are sometimes called for in civilian contracts on an ad hoc basis. In the coming fiscal year, however, we expect a more robust FAR rule will make cybersecurity requirements uniform across both Department of Defense (DoD) and civilian agencies, which will hopefully ease contractor compliance efforts. The most likely outcome is introduction in FY 2018 of a FAR rule analogous to DFAR 252.227-7012 and incorporating NIST SP 800-171 as the required standard baseline for IT protection.
Another ongoing trend in government contracting is continued movement to the cloud. Cloud services raise additional cybersecurity concerns, which is why we see many companies turning to the Federal Risk and Authorization Management Program (FedRAMP) and its certified cloud platforms to host their services, as opposed to doing it themselves. As contractors and their government customers increasingly use the cloud, we anticipate that government and industry alike will intensify their focus on FedRAMP-certified cloud platforms.
Labor and Employment Regulations
Perhaps surprisingly, the Trump administration has not rolled back the Obama-era executive orders concerning minimum wages and sick leave for government contractors. Going forward it appears unlikely that this White House will seek to use government contracting as a mechanism for imposing social reforms.
Mergers and acquisitions involving government contractors have continued to be a two-sided coin. In the past year, smaller government contractors have been able to find targeted success, while prime contractors have been able to service larger contracts. Firms in the middle market have increasingly found that they are not agile enough to compete with smaller firms and do not have the economies of scale to compete with larger firms. One result is marketplace consolidation, as mid-size firms grow via acquisition or are themselves acquired to form still larger companies, a dynamic we anticipate to see more of in the coming year.
There does, however, appear to be a major increase in size, at least for government services. This is evidenced by some of the divestitures and spin-offs of services businesses by larger prime contractors in recent years, including the original Leidos spinoff, Lockheed’s spinoff (and sale to Leidos) of its information systems division, and CSC’s spinoff of CSRA. Even so, given the realities of continuing pressures on mid-size companies, high-performing capital markets and relatively low interest rates, many expect that M&A activity will maintain a similar pace in the year ahead.
Enforcement and FCA
With the change in administrations this year, we have been carefully watching to see how (and whether) the Department of Justice (DOJ) continues its focused enforcement efforts on individuals as delineated in the Yates Memo, which contains guidelines for certain DOJ policies. Among other guidance, the Yates Memo provides that prosecutors must “identify culpable individuals at all levels in corporate cases” and withhold cooperation credit unless a company provides “all relevant facts” about the individuals in question.
To date, all indications are that Federal Claims Act (FCA) enforcement remains a DOJ priority, and Attorney General Jeff Sessions has gone on record as saying that the United States intends to punish individuals for their role in corporate crimes. However, in a speech to the Heritage Foundation last month, Deputy Attorney General Rod Rosenstein indicated that DOJ was reviewing its policies on prosecuting white collar crimes, including taking a softer approach than outlined in the Yates Memo. To date, DOJ has not indicated how it intends to change the policy currently implemented by prosecutors. Until such time, contractors should be mindful of the role of individual wrong-doing in conducting internal investigations, making disclosures, and defending against applicable enforcement efforts.
Block Chain and Government Contracting
The General Services Administration (GSA) just recently completed a concept study on the utilization of block chain in certain GSA schedule contracts. As the popularity of this new technology continues to grow in applications such as digital currency, we will be watching to see whether GSA and other procuring agencies embrace block chain as a technology to garner efficiency in both the procurement process itself as well as in functions throughout government.
*Victoria Dalcourt is a Law Clerk in our Washington, D.C. office and not admitted to the bar.