Cyber Protection May Become a Contract Compliance Issue

We have written about cyber threats and cyber security before. (For example, see this post.) To our disappointment, such articles receive few hits. The threat is real and requires thoughtful preparation in order to successfully defend against it. Now, perhaps, our readers will consider the issue from a different angle, as DOD seems poised to make cyber security a matter of contract compliance.
On March 3, 2010 the DOD published an “Advance Notice of Proposed Rulemaking (ANPR) and notice of public meeting” in connection with DFARS Case 2008-D028, Safeguarding Unclassified Information. See the Federal Register notice here.
The summary of the rule is as follows—
DoD is seeking comments from Government and industry on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for the safeguarding of unclassified information. The changes would add a new subpart and associated contract clauses for the safeguarding, proper handling, and cyber intrusion reporting of unclassified DoD information within industry. … This ANPR does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate.
Among the potential changes being considered is the addition of two new DFARS contract clauses. “DFARS 252.204–7XXX would require contractors to protect DoD information from unauthorized disclosure, loss, or exfiltration by employing basic information technology security measures, while DFARS 252.204–7YYY would require enhanced information technology security measures applicable to encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting.” In addition, “A cyber intrusion reporting requirement is contemplated for enhanced protection to assess the impact of loss and to improve protection by better understanding the methods of loss.”
The ANPR states that a public meeting will be held on April 22, 2010 at NASA’s James W. Webb Memorial Auditorium in SE Washington, D.C. (Details are in the Federal Register notice, link above.) In lieu of speaking at the all-day meeting, you can submit written comments and answers to questions posed by the DAR Council. At the meeting, “DoD is interested in receiving input regarding ‘‘best practices’’ for protecting networks and data, experience with any of the proposed safeguards, and an evaluation of its value.” The rule drafters have provided 13 questions that they hope industry will answer, so help them craft the proposed rule.
Our take on this is that DOD and its contractors are in this together. It was less than a year ago, in April of 2009, when the Wall Street Journal (among others) reported that “Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project ….” According to the story (found here)—
Computer systems involved with the program appear to have been infiltrated at least as far back as 2007, according to people familiar with the matter. Evidence of penetrations continued to be discovered at least into 2008. The intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems, former officials said.
The intruders compromised the system responsible for diagnosing a plane's maintenance problems during flight, according to officials familiar with the matter.
So it seems entirely appropriate for the DOD to consider issuing basic standards of minimum cyber protection to its industrial base, and to require reporting (including root cause analyses) when network breaches occur and data is compromised. And we applaud the opportunity offered industry to help shape the rule and its implementation. We hope knowledgeable companies will help DOD craft a good rule that is easily implementable.
After that, companies will need to comply with the requirements of the new contract clauses, or else risk accusations of breach of contract (or worse). Remember, when BAE Systems recently paid the U.S. Government $400 million, the fine was imposed for False Statements associated with certain representations and certifications made to the Government, and not necessarily for any other alleged wrongdoing.
Accurate Stimulus Reporting is Not Optional

We’ve written about the American Recovery and Reinvestment Act (ARRA) and its reporting requirements before. The GAO published a six-month assessment of how the Federal government would oversee usage of ARRA funds, which we reported here. It’s worth noting that recipients of ARRA funds needed to register in August 2009, and to begin to report their expenditure data effective October 2009. Accurate reporting was a condition of providing the funds; contract clauses make registration and reporting mandatory.
Recently, reports have begun to emerge that suggest ARRA fund recipients are not doing a good job of accurate reporting. For example, this article at FederalTimes.com states that “Nearly 12 percent of fourth quarter 2009 reports from recipients of stimulus funds needed to be corrected.” Roughly 19,000 of the more than 160,000 recipient reports input in the fourth quarter of 2009 needed correction, according to the article—which was an improvement from the results of the third quarter, where “nearly 21 percent” of recipient reports needed correction. Unsurprisingly, the largest number of corrections was in the number of jobs created by the stimulus funds. Corrections are not a major problem since, as the article noted, “Recipients are allowed to correct their mistakes online, through www.FederalReporting.gov, the portal that collects stimulus data.”
Another recent article on FederalTimes.com says the big problem isn’t with inaccurate data; it’s with those recipients who didn’t report anything at all. In the second reporting period (the fourth quarter of 2009), the article reports that “More than 1,000 recipients — state and local governments and private companies — failed to report spending data … as required by law. Those organizations received more than $583 million in stimulus funds.”
The article reports that 389 recipients have never reported anything at all in either of the first two reporting periods.
It is interesting to note that the current law does not impose any penalties for failing to report expenditure data, though many have promised to remedy that oversight. In the meantime, according to the article (which quotes RATB Chair Earl Devaney), “those recipients should really be embarrassed. … Federal agencies now need to take whatever administrative action they can against those who flout the law so cavalierly.”
We’re guessing some of those recipients didn’t know or understand the reporting requirements (though they would have if they had read the articles posted on this site!). However, we wouldn’t bet against a few entities “taking the money and running”—which is why we have auditors and law enforcement officials. And courts of law. There’s a simple word to describe such entities: “defendant”.
Watchdog Group Says DCAA Not Implementing Meaningful Reforms

When Patrick Fitzgerald took over as Director of the Defense Contract Audit Agency (DCAA) in November 2009, he had a clear mandate for change. Senators called for fundamental reforms in the way DCAA executed its audits; Senator Joe Lieberman said, "I hope that the DoD comptroller as well as the incoming DCAA director will continue to bring outside auditing expertise into the agency, strengthen quality control, improve training at all levels of DCAA, and prioritize audits based on the risk of contractor over-billings as well as waste, fraud and abuse." The Commission on Wartime Contracting called for substantive reforms in the way DCAA audited defense contractors’ “business systems;” it reported that—
As a result of personnel shortfalls, DCAA system reviews and follow-ups are not always timely; therefore, the real-time status of contractor business systems cannot always be determined. As noted in our Interim Report to Congress, DCAA has not performed timely reviews of many contractor business systems.
And even the Pentagon Spokesperson said Mr. Fitzgerald was being brought in to replace Ms. April Stephenson “because DoD leaders feel he is the best-qualified person to continue making improvements at DCAA.” So the only impediments to substantive reform were the inertia of the audit agency and Mr. Fitzgerald’s will to change it.
We here at Apogee Consulting, Inc. even got into the spirit of reform, penning an open letter to Mr. Fitzgerald, making several suggestions for his consideration.
It’s been four months, and from our outsider perspective there have been zero substantive reforms executed by the new management regime. The status remains quo; the course seems unchanged; and it’s business as usual. But that’s just the perspective of one consulting firm. Surely insiders must have insight into the changes underway at the Federal government’s premier audit agency? Senior auditors within the agency must be seeing the course changes, the personnel changes, and the changes to audit metrics and guidance that will herald the reemergence of DCAA from the ashes of its failed audits, right?
Wrong.
The Project on Government Oversight (POGO), an inside-the-Beltway “public watchdog” group focused on (among other things) DOD oversight of its contractors, sent a letter to influential Senators on March 2, 2010, expressing its concern that “some of the reforms being implemented at DCAA as a result of your investigations are only superficial fixes in order to alleviate political pressure on the agency.” POGO asserted that “the ‘reforms’ implemented to date have not been meaningful, particularly when it comes to human capital management.” In the words of POGO—
We worry that these problems are indicative of a systemic strategy for reform that seeks to decrease congressional pressure rather than to institute meaningful reform. More importantly, we think that it would be naïve to assume that removing April Stephenson from DCAA solves the systemic problems at DCAA.
POGO cited three areas where it believes reform efforts have fallen short of expectations. The areas were:
1. The dismantling of an ad hoc “grassroots” group of “high-level DCAA auditors tasked with evaluating DCAA’s promotion process.” The POGO letter states, “when the group asked for information that would allow them to conduct compliance testing to see if DCAA was following its own policies, DCAA headquarters denied them the information and the group was disbanded.”
2. Implementation of a DCAA “hotline” that “was intended to be used as a tool to ensure audit quality by giving auditors the ability to report management misconduct, but in practice it may be a tool for retaliation against the kind of independence in auditing that DCAA should be fostering.” POGO asserted that “it is frequently up to the manager responsible for the alleged wrongdoing to act upon hotline findings, presenting an obvious conflict of interest.”
3. The lack of action taken by DCAA leadership to discipline managers found to have provided lax oversight (or worse) leading to defective audits. The POGO letter states, “There should be accountability for managers who consistently exercise bad judgment by wrongfully changing audit opinions, facilitating ‘cozy’ relations with contractors, or creating an abusive work environment. The fact that some of these abusive managers remain at DCAA continues to demoralize the agency's work force.”
The POGO letter is “based on concerns several DCAA auditors brought to POGO” and concludes that “The Pentagon thinks they got Congress off their back by removing the Director of the Defense Contract Audit Agency, but the problems at DCAA are far from solved.”
We understand that several fundamental changes are actually underway at the audit agency, focused on changing the way in which contractor internal control systems are audited and the way in which DCAA provides the results of its audits to its customers. Practitioners should start to see those changes being implemented in the near future, perhaps in the next few months. That being said, we are forced to agree with POGO’s concerns that agency reforms, if any, have been hidden—and it is past time that DCAA signals its willingness to transform, by making fundamental, substantive reforms to its culture visible to outside observers.
DFARS, WSARA, MDAPs, and Competition

We’ve discussed the Weapon Systems Acquisition Reform Act (WSARA) (P.L. 111-23) before, notably here and here. You can find a nice summary of the recent law over here.
Section 202 of WSARA requires the Secretary of Defense to (among other actions) “ensure fair and objective `make-buy' decisions by prime contractors on major defense acquisition programs.” According to Senator Levin’s analysis, this requirement was driven by a July 2008 Defense Science Board report that “consolidation in the defense industry has substantially reduced innovation in the defense industry and created incentives for major contractors to maximize profitability on established programs rather than seeking to improve performance.”
The requirement assumes that prime contractors would rather vertically integrate than subcontract work to outside entities. It also assumes that competition—or the threat of competition—will spur defense contractors at all tiers in the program supply chain to better performance. Of particular note, this Section of the law assumes that “government oversight of [contractor] make-or-buy decisions” will “maximize competition throughout the life of a program,” including maximizing competition at lower tiers in the supply chain.
While you cogitate on those dubious assumptions, we’ll let you know that on February 24, 2010, the Defense Department published DFARS Case 2009-D014 implementing Section 202 of WSARA as an “interim rule with request for comments.” Here is a link to the entire Federal Register Notice.
The interim rule notes that it is simply a change to “internal Government operating procedures,” and thus should not significantly impact contractors. You may not agree with that assessment—but remember it applies only to acquisitions of “major defense acquisition programs” (MDAPs) as that phrase is defined at 10 U.S.C. 2430.
Here are some highlights of the interim rule:
· Acquisition plans for MDAPs must include measures that “ensure competition at both the prime contract level and subcontract level (at such tier or tiers as are appropriate….”
· “Require prime contractors to give full and fair consideration to qualified sources other than the prime contractor for the development or construction of major subsystems and components of major weapon systems.”
· “Provide for Government surveillance of the process by which prime contractors consider such sources and determine whether to conduct such development or construction in-house or through a subcontract.”
· “Provide for the assessment of the extent to which the prime contractor has given full and fair consideration to qualified sources in sourcing decisions as a part of past performance evaluations.”
A couple of quick comments on the foregoing.
First, there is little or no basis to think that prime contractors aren’t subbing-out work. The plain fact is that most MDAP prime contractors only self-perform about 10 to 20 percent of the program; the rest is subbed-out. (Granted, some of that “subcontracted effort” is going to other divisions of the prime.) Second, make-buy decisions are already reviewed during DCMA Contractor Purchasing System Reviews (CPSRs). In reality, then, these efforts aren’t going to make much of a difference. So who cares, right?
Well, what worries us is the language that seems to suggest that the government oversight can go beyond the prime contractor’s efforts, and evaluate make-or-buy decisions at lower tiers in the program supply chain. It is possible that a second-tier, third-tier, or even lower tier’s make/buy analysis could be subject to DCMA scrutiny. Why is that a problem?
First, the government has no privity of contract with those lower-tier contractors. In other words, the contracts are between the performing entity and its next higher-tier, and the government is not a party to that agreement and has precious few enforcement rights. For example, if a second-tier entity commits defective pricing, the government’s remedy is at the prime contractor level, not at the tier where the actual violation occurred. If the prime wants to be made whole, then it has to take its subcontractor to court. So how does the Government get rights to the lower tier subcontractors with respect to implementing its oversight of the make/buy decisions, and what does it do if it doesn’t like what it finds?
To be litigated, we assume.
Second, where does DCMA get the resources to implement the requirements of this public law? The Commission on Wartime Contracting in Iraq and Afghanistan (about whom we’ve posted more than a few articles) had this to say about the subject in its Special Report No. 1 (“Defense Agencies Must Improve Their Oversight of Contractor Business Systems to Reduce Waste, Fraud, and Abuse”):
There have been too few experts to conduct reviews and too few personnel to validate that contractor corrective action was properly implemented. … Another indication of personnel shortages is the small number of DCMA personnel devoted to contractor purchasing system reviews (CPSR). The number of personnel assigned to perform CPSR reviews has decreased from 102 in 1994 to 70 in 2002, to 14 in 2009. Contract transactions, on the other hand, have increased by 328 percent since fiscal year 2000. This steep decline in personnel, combined with the exponential increase in contracting activity, demonstrates a diminishing level of DCMA critical analysis of contractor purchasing systems.
So, with only 14 heads to perform CPSR reviews, DCMA is going to take on the added challenge of reviewing not only prime contractor make-or-buy decisions, but also the make/buy analyses of the lower tier subcontractors as well? Sure. No problem.
And the results of those analyses will be reported in the year 2220, if ever.
As readers know, we here at Apogee Consulting, Inc. are very much in favor of improved contract performance. We are also in favor of improved subcontractor management. And we believe that the defense industry can do a lot better than it currently does in both of those domains. Yet we are forced to question whether this aspect of WSARA will significantly address any shortfalls. We believe the odds are that this will simply become another bureaucratic report-writing exercise, diverting resources from where they are really needed.
If you agree with our assessment, perhaps you will let Ms. Meredith Murphy of the DAR Council know by submitting your comments in accordance with the directions specified in the interim rule (link above).