In a decision published last week, Appeals of CiyaSoft Corp., ASBCA Nos. 59519, 59913, the Armed Services Board of Contract Appeals (ASBCA) held for the first time that the Government may be bound by the terms of a commercial software license it has neither seen nor expressly agreed to, so long as those terms are provided with the software, are consistent with those customarily provided to the public, and do not otherwise violate federal law. At least for commercial item acquisitions (and possibly beyond), this is big news for commercial software suppliers, particularly those at lower tiers in the supply chain who often are left only to hope their prime contractors have procured affirmative government approval of their end-user license terms and conditions. But that’s not all: CiyaSoft also expands the implied duty of good faith and fair dealing to obligate the Government to take reasonable measures to protect licensed software from unauthorized copy or release. And, in between these landmark holdings, the ASBCA managed to touch on whether modified commercial software is still commercial, how close a license agreement must be to a standard form commercial license to be deemed one “customarily provided to the public,” and the Government’s duty to maintain a reliable point of contact during contract performance. Let’s dive in!
Buying Commercial Computer Software Under the FAR and DFARS
Although the FAR and DFARS provisions governing commercial computer software licensing differ slightly in text, their thrust is the same. Both direct the Department of Defense (DoD) and other executive agencies to acquire commercial computer software “under licenses customarily provided to the public to the extent such licenses are consistent with Federal law and otherwise satisfy the Government’s needs.” FAR 12.212(a); see DFARS 227.7202-1(a) (stating the same policy, but with the qualifier in the negative: “unless such licenses are inconsistent with Federal procurement law or do not otherwise satisfy user needs”). Both the FAR and DFARS allow the Government and a supplier to negotiate additional or lesser rights – civilian agencies under FAR 27.405-3 and DoD under DFARS 227.7202 – but the DFARS differs somewhat from 12.212, specifying this negotiation is necessary where “the Government has a need for rights not conveyed under the license customarily provided to the public.” DFARS 227.7202-3(b). This may be a crucial distinction in noncommercial item acquisitions, as we will see.
The more pertinent question in CiyaSoft is how, once negotiated, these commercial terms and conditions become a part of the contract and bind the Government. The FAR is relatively clear: the Government receives “only those rights specified in the license contained in any addendum to the contract.” FAR 12.212(b); see also FAR 27.405-3(a) (“If greater rights than the minimum rights identified at [FAR] 52.227-19 are needed, or lesser rights are to be acquired, they shall be negotiated and set forth in the contract.”). The DFARS, on the other hand, states that the Government “shall have only the rights specified in the license under which the commercial computer software . . . was obtained,” DFARS 227.7202-3(a), and mentions incorporation only with regard to specifically negotiated license rights, requiring the “specific rights granted to the Government [to] be enumerated in the contract license agreement or an addendum thereto.” DFARS 227.7202-3(b). Although not giving a definitive answer on the matter, the United States District Court for the North District of Texas found in GlobeRanger Corp. v. Software AG, 27 F. Supp. 3d 723, 753 (N.D. Tex. 2014), that “[a]t the very least, it would seem that the [DoD] needs to receive some notice of the EULA before it can be bound by its terms.”
Off this platform, the ASBCA in CiyaSoft jumps headfirst.
The Dispute in CiyaSoft
The dispute in CiyaSoft arose out of the Army’s purchase of 20 licenses of CiyaSoft’s “bidirectional” translation software capable of translating language from English to Dari or Pashto and vice versa. More specifically, for $98,000, the 2nd Brigade Combat Team bought 20 “Single User Bi-Directional English/Dari Software Licenses” with one year of support and maintenance. All parties agreed that in the course of negotiations, the contracting officer did not attempt to negotiate license terms. The contract itself – which consisted of little more than a Standard Form 1449 referencing FAR 52.212-4, Contract Terms and Conditions – Commercial Items (Jun 2010), and FAR 52.212-5, Contract Terms and Conditions Required to Implement Statutes or Executive Orders – Commercial Items (Jul 2010) – was silent as to incorporation of CiyaSoft’s license. But, the ASBCA noted, the contract referred to the purchase of “Software Licenses” as a contract line item.
This software license was delivered to a base in Afghanistan, in a box with 20 compact discs (each of which contained a short-form of the license agreement physically in its shrinkwrap and digitally in its installation wizard, i.e., clickwrap), installation instructions, and a letter to the contracting officer. At the agency’s direction, the package was addressed to a point of contact other than the contracting officer; although this contact testified he had no recollection of receiving the box, he supposed he likely would have opened it, counted the number of copies, and disregarded the license agreement. The contracting officer never saw the package or its contents, and never discussed or saw the licensing agreement.
Within a few days of delivery, CiyaSoft noticed multiple registrations on the same product ID number for one of the delivered copies, causing some concern that the license agreement was being violated. CiyaSoft ignored these concerns, assuming the Government simply made a mistake in the installation process. A few months later, though, CiySoft asked the contracting officer to provide a list of registered users, as required by the software license agreement. The contracting officer, away on leave for the Christmas holiday, never responded. In the meantime, CiyaSoft began receiving technical support inquiries from nonregistered users, including one contractor employee who said he was just one of many who received a copy while working at a translating/interpreting services company he previously worked for in Afghanistan. CiyaSoft also became aware of secondary purchases in Kabul, Afghanistan, and Mashad, Iran, of some of the 20 copies it had delivered to the Army.
CiyaSoft filed a claim alleging five breaches of the contract and its license agreement: (1) the Government’s installing the same copy on more than one computer; (2) its failing to provide a list of activations or registered users; (3) its letting personnel outside the 2nd Brigade Combat Team use the software; (4) its failing to protect the software from copy and distribution by others, particularly the Army’s translator/interpreter services contractors; and (5) its failing to provide a point of contact throughout the contract.
Incorporation of the License Agreement Into the Contract
The Government first argued that it could not have breached the license agreement because it had never signed up to the license agreement as part of the contract in the first place. The Board agreed with the Government that the contracting officer never saw the license agreement, that the contract makes no mention of the license agreement, and that the only person who might have seen the full license agreement was not authorized to accept its terms; but the Board disagreed that these facts protected the Government from being bound. After all, the Board noted, citing FAR 12.212, the Government’s policy when licensing commercial software is to accept the licensing terms customarily provided by the vendor to other purchasers, so long as the license is consistent with federal law and otherwise satisfies the government’s needs.
But can that policy effect a binding agreement without actual acceptance of the commercial terms? The Board decided it can, adopting a rule of commercial law to find that the contracting officer, even without reading the agreement, had been placed on “inquiry” notice of its terms. The Board chided the Army for never requesting the opportunity to review the license prior to awarding the contract, and noted that the Army never objected to the license upon its receipt. Given these circumstances, the Board held, the contracting officer had failed his duty to inquire about the license terms and, as such, should have imputed knowledge of those terms. Thus, in the face of seemingly clear language in the FAR requiring incorporation through attachment, the Board found that the contract included the license agreement shipped with the software. The Board even went a step further and generalized its holding:
[T]he government can be bound by the terms of a commercial software license it has neither negotiated nor seen prior to the receipt of the software, so long as the terms are consistent with those customarily provided by the vendor to other purchasers and do not otherwise violate federal law.
The Board then asked whether the license agreement was (1) for commercial software and (2) customarily provided to other purchasers. It is unclear how the outcome of the case would have changed had the license agreement failed either one of these. Given the Board’s conclusion that the license agreement was incorporated into the contract through its delivery with the software, the only remaining question should be whether the terms are consistent with Federal law. The FAR requires a contracting officer to ensure that a license agreement is one customarily provided to the public and satisfies the Government’s needs, but there is no reason to think that, where the contracting officer does not do so, the agreed-to license is constructively bound somehow. Nevertheless, even though this analysis arguably is unnecessary, the Board offers some interesting comments.
Defining Commercial Software
The Board supposed that one could argue CiyaSoft’s software does not meet the definition of a “commercial item” in FAR 2.101 because it has not been sold to the general public (despite being sold internationally to government agencies and corporate customers). In addition to the fact the software was procured under a FAR Part 12 commercial item contract, the Board looked to the software’s function, which it defined as “translating one language into another,” and noted this function is not “inherently government or non-commercial.” The Board also noted evidence in the record of sales to the public, albeit unauthorized sales, presumably referring to the unauthorized sales in Kabul and Mashad.
The Board then addressed whether certain modifications to the software – removal of an online registration requirement to facilitated secure government use and insertion of a unique version number and product identification numbers – changed the software’s commercial status. The Board concluded they did not, reasoning “the change does not affect the core purpose of the software, which is translation,” and “the change merely substituted one form of registration for another” without “add[ing] any requirement that was not previously required.” These are helpful goalposts for commercial software suppliers to consider when determining whether modifications to tailor a product to Government needs ruins a claim to commerciality.
Deviations From Customary Commercial Licenses
The Board reasoned that an argument also could be made that the license agreement at issue was not the standard license agreement CiyaSoft offers to other customers. Indeed, the license expressly stated “CiyaSoft Corporation standard software license agreement does not apply to this agreement: Activation is not online and registration is not required,” referencing the software modifications noted above. This was the only change to the license – instead of registering online to activate the software, the Army was required to provide a list of activations to CiyaSoft directly. The Board found that this additional requirement did not cause the license to “differ materially” from that customarily provided because the “core function or purpose” of the license agreement – in this regard, to grant permission for use on only one computer system per copy of the software – did not change.
Government Duties and Breach
Having concluded that the Government was bound by CiyaSoft’s license agreement, the Board then turned to whether the license agreement imposed the duties CiyaSoft claimed, and if so, whether the Government breached those duties, resulting in damages to CiyaSoft.
With regard to allowing government personnel outside the 2nd Brigade Combat Team to use the software, the Board concluded that the license agreement, which identified the licensee as the “US Government,” did not limit the software’s use to that specific unit. The Board interpreted the designation of the US Government as the licensee to mean “any government employee, or employee of a contractor acting on behalf of the government or other agent of the government, may use the software” – of course, so long as the software is not installed on more than the number of allotted computers, in this case 20.
By contrast, CiyaSoft succeeded in showing breach where the Government installed the same copy of the software on more than one computer and failed to provide CiyaSoft a list of activations. The Board found these obligations to be expressly set forth in the license agreement, and concluded that the Agency breached them, resulting in damages to CiyaSoft by “depriving it of the license fee the government would have had to otherwise pay to obtain a valid copy of the software,” and by “undermining its ability to have proven that more copies of the software than were licensed were used by the government.”
The two remaining alleged breaches – the Government’s failure to maintain a point of contact throughout the contract, and its failure to protect the software from copy and distribution by others – find no footing in the text of the license agreement, and instead are rooted in the implied duty of good faith and fair dealing.
With regard to the first, the Board found it “self-evident that a party’s performance of a contract could require communication with the other party,” and held that a failure to facilitate such communication through maintaining a point of contact could breach the Government’s implied duty of good faith and fair dealing through a lack of cooperation. The Board ultimately found that the Government did not breach this duty in its dealings with CiyaSoft, but contractors nevertheless might consider keeping this section of CiyaSoft in their hip pocket to show to particularly hard-to-reach government personnel.
The second of these implied obligations – requiring a licensee to protect licensed software from harm – is significant. The Board held that “an implied duty exists that the licensee will take reasonable measures to protect the software, to keep it from being copied indiscriminately, which obviously could have a deleterious effect on the ultimate value of the software to the licensor.” Finding no support for such a duty in intellectual property law, the Board looked to the common law doctrine of waste, which provides an owner of real property relief for damage by a current tenant. The Board quoted the Supreme Court’s 1876 decision in United States v. Bostwick, 94 U.S. 53 (1876), holding the United States liable for the destruction of ornamental trees and other damage to the Kalorama estate in Washington, D.C., while it was occupied and operated by Union soldiers as a smallpox hospital during the Civil War. The same obligation “to use the property in a manner so as to not unnecessarily damage [its] value” applies, the Board reasoned with little explanation, to software the Government has been authorized to use in a form embodied on a compact disc.
The Board did not elaborate on what “reasonable measures” must be taken, but found CiyaSoft failed to present sufficient evidence of the Government’s failure to meet them. In Bostwick, the Supreme Court applied a negligence standard, distinguishing certain damages that were the result of the Government’s breach of its duty “not to commit waste, or suffer it to be committed,” from a fire supposedly caused by a defective stovepipe during the hospital staff’s Christmas Eve ball, for which the Government was not liable because it happened “by accident” and not “through the neglect of the United States.” It is not clear what such a standard would mean when applied to the protection of software. Must the Government, for example, prohibit employees from using thumb drives on computers with access to the software? Or keep the software in a protected format that prevents copy? In the absence of clarity, commercial software suppliers wishing to impose any such affirmative measures should write them explicitly in their licensing agreements.
The result in CiyaSoft is, in many regards, a victory for computer software suppliers, but it should not be overread. At times, the decision’s legal reasoning is less than rigorous, even if the Board arguably reaches the right results. Moreover, it is unclear whether the Board would reach the same result in a noncommercial item acquisition if it were construing the DFARS provisions at 227.7202-3(b), rather than FAR 12.212. Although CiyaSoft provides a nice backstop in case things go wrong, contractors should continue diligently pursuing express Government acceptance of their software licensing agreements.
 Even though a Department of the Army contract is at issue, the ASBCA does not once refer to the DFARS in its decision. Instead, because the Army procured the software in accordance with FAR Part 12, the Board refers only to the FAR commercial software licensing provisions at FAR 12.212 and FAR 27.405-3. The first makes sense – all purely commercial item procurements are subject to FAR Part 12, and where a conflict arises with other parts of the FAR or DFARS, FAR Part 12 takes precedence. See FAR 12.102(c). However, the Board’s reliance on FAR 27.405-3 is less sure. FAR 27.400 specifically exempts the Department of Defense from all provisions in that subpart (with the exception of the general policy statement in FAR 27.402), but FAR 12.212 itself directs agencies to proceed in accordance with FAR 27.405-3. It is unclear whether, when procuring commercial software alone under FAR Part 12 (as opposed to non-Part 12 procurements that merely involve commercial software), the DoD is meant to follow FAR 27.405-3 (and all it entails, including the possible incorporation of certain contract clauses) or its own regulations at DFARS 227.7202. In all events, the provisions at DFARS 227.7202 warrant consideration here.
 In this particular analysis in GlobeRanger, the court relied heavily on the direction in DFARS 227.7202-3(b), “If the Government has a need for rights not conveyed under the license customarily provided to the public, the Government must negotiate with the contractor to determine if there are acceptable terms for transferring such rights.” The court reasoned that this language would be rendered superfluous if the Government could be bound by a commercial license it never had the opportunity to review. 27 F. Supp. 3d at 753. As mentioned, DFARS 227.7202-3 is absent from the ASBCA’s decision, and the Board similarly does not cite to GlobeRanger. One wonders whether the Board’s result would be the same if confronted with a commercial license supplied under a noncommercial procurement, therefore analyzing DFARS 227.7202-3 instead of FAR 12.212. The Board’s reliance on inquiry notice, though, as described in more detail later on, does not conflict directly with any language in the DFARS and would appear to apply equally to DoD. Indeed, DFARS 227.7202-3’s grant of rights based on the “license under which the commercial computer software . . . was obtained” seems more open to a theory of inquiry notice and acceptance sight unseen than FAR 12.212’s analogous grant of “only those rights specified in the license contained in any addendum to the contract.”
 The contract also omitted FAR 52.227-19, an optional clause that establishes restricted rights in commercial computer software and is to be used when “there is any confusion as to whether the Government’s needs are satisfied or whether a customary commercial license is consistent with Federal law.” FAR 27.405-3(a).
 To be precise, CiyaSoft actually claimed seven breaches, but the ASBCA determined that two were equivalent and one was not presented clearly enough in CiyaSoft’s claim to establish jurisdiction at the Board.
 A contracting officer does not have authority, through inquiry notice or otherwise, to accept on behalf of the Government an agreement that violates statute.
 To this list of valid justifications of commerciality, the Board added that the software was developed without any government funding. This perpetuates a common misunderstanding. The commercial item definition refers to development at private expense only in the limited case of establishing commerciality through sales to State and local governments; there is no requirement that an item be developed at private expense to be commercial if it meets any of the other prongs in the FAR 2.101 definition, such as sale to commercial entities like CiyaSoft’s corporate customers.
 The Board also cites A&B Ltd. Partnership v. Gen. Servs. Admin., GSBCA No. 15208, 04-1 ¶ 32439, for its citation of Bostwick as one of the earliest enunciations of the common law principle of waste by a United States court.
 Stating, “We see no reason why a similar duty should not be applicable to software licenses, which resemble leases to some degree in that only a limited use of the property, rather than its entirety is being conveyed.” Of course, the Board is not the first authority to borrow from real property when analyzing intellectual property law. See, e.g., Westinghouse Elec. & Mfg. Co. v. Formica Insulation Co., 266 U.S. 342 (1924) (“It was manifestly intended by Congress to surround the conveyance of patent property with safeguards resembling those usually attaching to that of land.”).