Plan X
It’s been a while since we’ve had a decent cyber-warfare story to tell you about. It’s not like there haven’t been lots of stories in the news; but nothing has really caught our eye.
Until now.
You know, if you’re a long-time reader of this blog, that we don’t just confine ourselves to government cost accounting, contract compliance, or even fraud-related stories. We also, from time to time, address new technologies and new development programs that we think might be of interest to our readership. In that vein, we’ve published several stories about cyber-security, cyber-warfare, and how we think the future of warfare will be less “kinetic” (as they say), and more “cyber.” We offer, as but one example, this story published about eighteen months ago.
In that story, we told our readers—
We think we are all watching history being made. We believe that 2011 will one day be noted for the beginning of the cyber-wars.
No, we don’t think we’re being overly alarmist. Just ask Lockheed Martin, or L-3 Communications, or Citigroup, or the IMF. Our website was attacked and wiped-out a few weeks ago—and we had taken the precaution of blocking all IP addresses based in China. (Fortunately, our back-ups worked and we were up and running again within 72 hours.)
We think the U.S. has fallen behind other countries, and parastatial entities, in the strategy and tactics of cyber-warfare. Like the French and their Maginot Line, the U.S. has spent billions on its military assets, without adequately securing the information grid that is the true backbone of its high-tech military. We think the U.S. military is vulnerable; we think corporate America is vulnerable. And we’re pretty sure you are vulnerable as well.
In the past eighteen months the U.S. has taken steps to address what we asserted were deficiencies in its ability to conduct cyber-warfare. We can argue whether those steps are proactive or too-little/too-late reactive, but the fact of the matter is that forward progress is being made—as this story over at NextGov demonstrates.
According to the NextGov story, DARPA is “setting up a technology incubator for Defense-funded developers to stitch together computer code to automate offensive cyber operations.” The incubator, dubbed the “Collaborative Research Space,” will be located in Arlington, VA. (Of course. Why would you want to locate it in Silicon Valley? But we digress.) The goal of the CRS (according to NextGov, who quoted a DARPA solicitation document) is to develop "an end-to-end system that enables the military to understand, plan, and manage cyberwarfare in real-time." This will be the testing ground for “Plan X,” according to the story.
The NextGov story provided some light details of “Plan X,” reporting—
Plan X, also called ‘foundational cyberwarfare,’ signals an increasingly aggressive turn in the Defense Department’s approach to addressing threats to its networks. The laboratory, a designated Collateral Secret area, is described as a collaborative space for contractors and the military. “DARPA intends to arrange program interaction with a variety of users from DoD and other government agencies, including onsite military personnel who will be testing and using the Plan X system on a daily basis,’ contract databases indicate.
Further, NexGov stated—
With algorithms that can help calculate the resources and tools needed to infiltrate networks, assess possible collateral damage from targeting enemy systems, and capabilities to model opponent moves, DARPA hopes that planners will be able to draw up a plans of action more quickly.
Once a cyberwarfare mission plan can be drawn up for an operation, ‘the next step is to compile or synthesize the plan into a fully encapsulated executable program or script,’ according to the tender. DARPA wants researchers to think about how to build ‘automated techniques that allow mission planners to graphically construct detailed and robust plans that can be automatically synthesized into an executable mission script.’ While automation could speed up the response time of the military, moves to reduce human control could raise concerns, especially if computer glitches go unchecked.
NextGov also noted—
The initiative comes as the National Cyber Range for Defense personnel to hone computer attack capabilities is slated for a multimillion dollar boost as the system transitions from research laboratories into deployment. President Obama in October signed a secret directive giving the military additional leeway to address computer threats, according to reports.
Okay. This cyber-warfare stuff is getting real. If you are a small business with expertise in these areas (and appropriate clearances) you might want to get the DARPA solicitation and see if you can play in the new CRS sandbox. If you are a U.S. adversary, you might want to think twice about going toe-to-toe with this country, as it appears to be moving quickly to position itself to respond to attack by launching its own cyber counter-attacks.
As has been said before, by many others, we are truly living in the future.
Having Solved Its Audit Backlog Problems, DCAA Takes on Additional Work
Quite recently, we told you about the U.S. Department of Defense Inspector General’s concerns with DOD’s new approach to performing audits on “priced proposals” submitted by contractors seeking a contract award. Essentially, the DOD IG had two concerns with the notion that DCAA should no longer audit certain low dollar value, low risk, proposals: (1) it calculated that the lack of audits resulted in lost taxpayer savings (from questioned proposal costs) of nearly $250 million each year, and (2) it asserted that the change simply shifted the workload from DCAA to DCMA—and that DCMA was “not prepared to perform” its new responsibilities.
The rationale for making the change was simple and obvious, as was made plain by DOD IG interviews of Shay Assad (former Director, Defense Procurement and Acquisition Policy, who approved the policy change while heading DPAP). Mr. Assad “advised the OIG that the decision to approve the [policy change] was a ‘resources decision’. He reasoned that DCAA does not have unlimited resources and the issue he confronted was how to reduce the number of audits DCAA was performing.” That, as they say, was that.
Because DCAA did not have sufficient resources to perform the audits it needed to perform, DOD Leadership decided to reduce the backlog by shifting the workload to DCMA Contracting Officers. That workload shift would, in Mr. Assad’s words, permit DCAA management to redirect “DCAA’s limited resources” into what was judged to be more important audit assignments, which included “large dollar value contractor proposals, incurred cost audits relating to the backlog of DoD contracts awaiting final close-out, and defective pricing audits.”
Perhaps surprising nobody who has followed the sniping between DOD oversight agencies over the past four years, DOD IG expressed some serious concerns with the audit policy change. We thought (and still think) those concerns have some merit.
In any case, DOD Leadership has found a new area in which DCAA can perform audits. No, the new area does not include working down the unbelievably large backlog of audits of contractor proposals to establish final billing rates (also known as “contractor incurred cost audits”). No, the new area does not include performing any defective pricing audits. It may include performing audits of “large dollar value contractor proposals”—but we can’t even be sure of that.
No. The new area of DCAA audit responsibility is that DCAA auditors will now perform audits on U.S. DOD contracts that are awarded directly to Canadian companies, and they will now perform audits on Canadian companies that have received subcontracts under U.S. DOD Prime contracts. Subject to the contract type/dollar value thresholds of the new audit policy, of course. This is work that used to be performed by auditors of the Public Works and Government Services Canada (PWGSC). Now, DCAA will be performing audit work that used to be performed by auditors of the Canadian government.
We’re not kidding.
On one hand, we have DOD Leadership telling the DOD IG that it needed to reduce the amount of audits performed by DCAA so as to be able to redirect scarce audit resources towards “more important audit assignments.” On the other hand, we have DOD Leadership issuing a Policy Memo that directs DCAA to assume additional audit responsibilities pretty much unrelated to those “more important audit assignments.” On one hand, we have the former DPAP Director telling the DOD IG that DCAA has to push its workload towards an unprepared DCMA Contracting Officer workforce, because it can’t perform the audits already on its plate. On the other hand, we have the current DPAP Director telling DOD that DCAA will be adding additional audit assignments to its plate—no doubt freeing up the auditors of PWGSC to focus on what PWGSC may consider more important audit assignments. (We have no idea what those more important Canadian audit assignments might be.)
DCAA will not only be performing pre-award audits of priced proposals from Canadian companies. According to the DPAP Policy Memo, “DCAA will perform the same pre-award and post-award range of audit services [on Canadian companies] that DCAA conducts for U.S. Government contractors.”
Yeah, sure. Because DCAA didn’t already have enough to do.
|
Cost Accounting and Pricing Issues Related to Inter-Organizational Transfers
Long-time blog reader “Black Hawk Dawn” asked us to comment on a recent DCAA assertion that an executed Certificate of Current Cost or Pricing Data (CCCPD) was required “of each separate entity from the same parent.” In essence, DCAA was asserting that work performed by an affiliated entity was effectively a subcontract with that entity. We wish that were the case, because it would solve so many difficulties … but unfortunately it is not. The DCAA auditor was wrong.
A cost transfers between affiliated entities under common control is not a matter of subcontracting. Instead, such transfers are commonly known as Inter-Organizational Transfers (IOTs). Yes, there are many names for such transfers—including Inter-Divisional Transfers, Inter-Entity Transfers, or even (our favorite) Inter-Divisional Work Authorization and Delegations ( iWADs). But they are not subcontract costs. Subcontract costs are a separate cost element, related to, but not the same as, IOTs.
The proper cost accounting (and pricing) for IOTs is established by the FAR Cost Principle found at 31.205-26(e), which states—
(e) Allowance for all materials, supplies and services that are sold or transferred between any divisions, subdivisions, subsidiaries, or affiliates of the contractor under a common control shall be on the basis of cost incurred in accordance with this subpart. However, allowance may be at price when—
(1) It is the established practice of the transferring organization to price interorganizational transfers at other than cost for commercial work of the contractor or any division, subsidiary or affiliate of the contractor under a common control; and
(2) The item being transferred qualifies for an exception under (b) and the contracting officer has not determined the price to be unreasonable.
(f) When a commercial item under paragraph (e) of this subsection is transferred at a price based on a catalog or market price, the contractor—
(1) Should adjust the price to reflect the quantities being acquired; and
(2) May adjust the price to reflect the actual cost of any modifications necessary because of contract requirements.
[Emphasis added.]
That seems fairly straightforward, does it not? IOTs must be priced, and costed, on the basis of actual cost incurred in accordance with the various cost accounting rules of FAR 31.2. (Unless the stated exception applies, which it may only in very rare circumstances.) In other words, the performing entity must transfer only allowable, allocable, costs. And it must transfer all costs actually incurred; it cannot agree to a fixed-price or lump-sum budget value, and then simply bill that agreed-upon amount.
It seems fairly straightforward, but compliant cost accounting is more difficult than it seems, as Bell Textron learned to its chagrin. In addition, we also told readers about similar problems faced by U.S. Foodservice for allegedly creating shell companies (called “value-added service providers”) that were used to inflate the cost of goods and services provided to the DOD and the Department of Veterans Affairs.
So, no, getting the cost accounting and pricing right for IOTs is more difficult than it might seem. And penalties for being caught getting it wrong can be painful.
Getting back to the original question, DCAA should not be requesting separate CCCPDs from each affiliated organization whose costs were included in the proposal, since all IOT efforts are considered to be parts of the same overall effort to be performed by the parent organization. How do we know that?
Well, because the FAR tells us so.
Let’s start by disposing of the very rare circumstance when the IOT is transferred at price (including profit), because the contractor met all the requirements of 31.205-26(e) and (f), and 15.403-1(b)—and the Contracting Officer has not determined that the transfer price was unreasonable. If the basis of the 15.403-1(b) exception is that the contractor is transferring a “commercial item” (as that term is defined in FAR 15.403-1(c)(3) and FAR 2.101), then the DCAA auditor might have a slight scintilla of a point. In that circumstance—and in no other—the IOT would be considered to be a subcontract. (See the definition of “subcontract” found at 15.401. As we told you before, the FAR has many definitions of “subcontract” and you need to know which one applies to your situation. In this case—and in this particular case only—the IOT should properly be treated as a subcontract for purposes of determining compliance with FAR Part 15 requirements.)
But while that transfer of a commercial item at commercial prices would be considered to be a subcontract for purposes of determining compliance with FAR Part 15 requirements, that commercial item “subcontract” would not need a separate CCPD. So the DCAA auditor is still wrong.
We know this because we read FAR 15.403-1(b), which references 15.403-1(c)(3). And 15.403-1(c)(3) states—
(3) Commercial items.
(i) Any acquisition of an item that the contracting officer determines meets the commercial item definition in 2.101 … is exempt from the requirement for certified cost or pricing data. …
There’s quite a bit more verbiage under that section, worth reading if one is thinking about trying to justify commercial item inter-organizational transfer pricing, but it’s not particularly germane to the main topic. The point is, if one takes advantage of the exception to the default rule that IOTs must be costed and priced on the basis of actual, allowable, incurred costs—and the basis of that exception is that the item in question is a commercial item being transferred at commercial prices—then one is dealing with a subcontract. But it’s also a subcontract that is exempt from the requirement to submit certified cost or pricing data; and hence it’s also exempt from the requirement to submit a separate CCCPD. So that’s the story on that.
We’re going to move on from this rare situation, because it’s very hard to jump over the regulatory bar imposed by the FAR. It’s far more likely—perhaps almost certain—that your organization will be forced to price and cost (and bill) its IOTs on the basis of actual, allowable, incurred costs.
If that’s the case, then you most definitely do not have a subcontract. This is made manifestly clear at FAR 15.407-2 (“Make-or-Buy Programs”). For those who may not know, a make-or-buy decision is simply that: it’s a decision (made by the Prime Contractor or higher-tier subcontractor) as to whether or not it will perform the work itself (in-house) or if it will outsource the work to another, lower-tier, contractor. A “make” item is one that is made in-house, while a “buy” item is one that will be acquired from an external source. FAR 15.407-2(b) states—
(b) Definition. ‘Make item,’ as used in this subsection, means an item or work effort to be produced or performed by the prime contractor or its affiliates, subsidiaries, or divisions.
So an IOT is not an acquisition from an external source. It is clearly a “make” item, and not a subcontract.
But there’s more support for the notion that your basic, average, IOT is not a subcontract—and that support comes from DCAA itself.
We told readers that DCAA has developed a checklist to ensure the adequacy of proposals it is auditing. DCAA reasons that, after all, why should it waste its scarce resources auditing proposals that are inadequate for audit? While we respectfully disagree with DCAA’s notion that it is the sole arbiter of cost proposal adequacy, we don’t mind using its “Criteria for Adequate Contract Pricing Proposals” (issued January 2012) to support our position.
Criteria Number 25 addresses IOTs. (You can find it at the bottom of Page 6 of 8 of the adequacy checklist.) It says (in part)—
NOTE: Interorganizational work is considered to be part of the cost or pricing data submission of the prime. As such, the prime contractor’s responsibility for conducting subcontract cost/price analyses does not apply to interorganizational transfers. Prior to the submission of the proposal, the prime contractor shall (a) ensure that all statement of work tasks are addressed without duplication and are consistent with the overall program performance schedule and, (b) ensure ground rules and assumptions are consistent with the prime’s proposal.
So there you go. The IOT is not a separate subcontract; it is an inherent part of the cost or pricing data of the organization submitting the proposal. As such, it is subject to the Truth-in-Negotiations Act (TINA) requirements of the organization as a whole—but it is not subject to any separate TINA requirements. In particular, it need not submit a separate CCCPD; the organization’s single CCCPD covers all IOTs subject to certified cost or pricing data submission requirements.
So there you have it.
Our thanks to “Black Hawk Dawn” for submitting this issue for us to think about. If you have a similar conundrum of your own, please feel free to do the same.
New DOD Audit Approach Concerns DOD Inspector General
You know (because we’ve told you) that in September, 2010, DOD changed its approach to auditing cost proposals received from bidders. Formerly, nearly every proposal for which the contracting officer requested “field pricing assistance” was audited by DCAA. Now, the expected dollar value and the anticipated contract type determine whether or not DCAA will perform an audit. Generally speaking, DCAA only audits proposals for firm, fixed-price contracts if the value is expected to be more than $10 million, and it only audits proposals for cost-reimbursement contracts if the value is expected to be more than $100 million. For other (smaller, assumed-to-be-less-risky) proposals, the DCMA contracting officer is on his or her own.
If you are DCAA, the benefit of this new approach is that your pipeline of to-be-audited proposals—which are deemed to be high-priority “demand” assignments that pull auditors off other, more long-term assignments—has shrunk significantly, leaving you free to focus your resources where you want them. If you are DCMA, the benefit of this new approach is that you can now bypass the lengthy and sometimes not-so-helpful DCAA audit, and award contracts to your winning bidders more quickly—a situation that ought to please Frank Kendall.
You might be thinking that DOD’s new approach is a “win/win” and everybody should be happy. But not quite everybody is sporting a Cheshire cat-like grin. There’s a least one stakeholder who’s concerned that the new approach might be less than optimal.
If you’re DCAA, then you’re golden. If you’re DCMA, you see a small, yet distinct, silver lining in the new situation. But if you are the DOD Inspector General, you might see a downside to the new approach. You might notice what Apogee Consulting, Inc. predicted—there is now a rather largish amount of proposed costs that are not being audited by DCAA under the new approach.
If you are the DOD IG, you might notice that, despite reports at the time that stated “defense officials believe the change will focus resources on high-risk areas and increase savings to the department,” the fact of the matter is that the change in audit approach did not reduce DCAA audit hours as much as initially predicted, did not help DCAA reprioritize the workload as much as initially promised and, as a result, the new approach actually led to a reduction in taxpayer savings. If you are the DOD Inspector General, you might well conclude that the entire initiative was poorly thought out and was, in essence, a mistake.
Indeed, that’s exactly what the DOD IG concluded, in a new audit report published this month.
The DOD IG’s audit objective was “to review factors leading to the functional changes between DCAA and DCMA … to ensure that the interests of the Department were adequately protected.” Along the way, the DOD IG provided a fascinating insight into DCAA audit management, as practiced by DOD Leadership.
The first thing that the DOD IG found was that the Defense Procurement and Acquisition Policy (DPAP) Directorate failed “to perform a business case to support the decision” to change the cost proposal audit thresholds. The audit report stated—
A business case analysis would have considered total risks to the Department, including the potential rates of return across the DCAA audit portfolio. Such an analysis would have identified that the DCAA proposal to increase the thresholds for requesting a DCAA audit will decrease the potential return on investment to the Department and taxpayer. The DPAP decision to revise DFARS PGI 215.404-2(c) halted DCAA audits of low dollar proposals and may result in a potential loss of $249.1 million per annum in return on investment from such audits … DPAP performing a review could also have identified that DCMA was not prepared to perform cost analysis of low-dollar proposals, … could not report performance statistics related to their cost analysis, … and was not positioned to replace the potential return on investment identified by DCAA prior to the revision … Additionally, in reviewing and approving the revision DPAP did not (i) perform a cost/benefit analysis, (ii) determine a payback period, or (iii) determine a potential return on investment that would result from the proposed change.
The DOD IG asserted that, had a proper business case been performed, it would have identified a significant reduction in DCAA-identified taxpayer savings. The DOD IG stated—
… low-dollar proposal audits returned substantially more questioned cost per audit hour (both fixed price, cost-type and combined) than other areas in the DCAA audit portfolio, including incurred cost audits and defective pricing audits. … Reducing the questioned cost per audit hour by the estimated cost per audit hour, DCAA was achieving a potential return on investment of $1,885 per audit hour when performing low-dollar proposal audits.
At this point, we must confess that the math does not work out as DOD IG, DCAA, DCMA, and DPAP would have it. As we’ve told readers before, the “taxpayer savings” game uses grossly inflated numbers. To explain what we mean: if there are three bidders and DCAA questions $1 million per bid, DOD gets to tell Congress that DCAA just saved $3 million. Which is bullshit, of course. Assuming DCMA picks one of the three bidders for a contract award, then DCAA just saved $1 million, not $3 million. Questioning costs on proposals which never result in a contract award saves taxpayers nothing, since no costs will ever be incurred. So let’s all keep that dirty little secret in mind as we continue.
The Honorable Shay Assad, former DPAP Director (and now Director of DOD Pricing), told the DOD IG that he made the decision to agree to DCAA’s request to change the audit thresholds in order to focus the audit agency’s limited resources on high-impact audit areas. According to the DOD IG—
The former Director, DPAP advised the OIG that the decision to approve the revision to DFARS PGI 215.404-2(c) was a ‘resources decision’. He reasoned that DCAA does not have unlimited resources and the issue he confronted was how to reduce the number of audits DCAA was performing. In making this decision, he indicated that he was looking for ways to direct DCAA’s limited resources to what he considers DCAA’s most important work: large dollar value contractor proposals, incurred cost audits relating to the backlog of DoD contracts awaiting final close-out, and defective pricing audits. He advised the OIG that senior procurement executives in the Department continue to seek more timely responses from DCAA on contractor high-dollar proposal audits and that contractors have voiced concerns about unpaid contract withholding fees caught up by the DCAA backlog of incurred cost audits.
Mr. Assad acceded to DCAA’s request based on DCAA’s estimate that it would save 211,191 audit hours annually, which would then be available to support audits in more important areas, including “incurred cost audits … and defective pricing audits.” However, as soon as the change was approved, DCAA changed its ground rules, according to the DOD IG, who stated—
DCAA decided to continue performing audits on under-threshold subcontract proposals where the subcontract is included in an over-threshold prime contract proposal that DCAA is also auditing [which] reduce[d] the estimated savings from 211,191 hours to 132,133 hours.
So not only did the new audit approach reduce reported “taxpayer savings,” but it also did not free up nearly as many hours as had been initially estimated. And speaking of lost “taxpayer savings,” the DOD IG found that the new proposal audit thresholds resulted in a loss of $249,070,705 in potential savings—that’s just about a quarter billion dollars in lost savings (using DOD’s B.S. approach to calculating “taxpayer savings”).
The DOD IG also ranked DCAA’s audit activity by questioned costs per audit hour. Now, we don’t agree that that’s the right metric to use—but it’s clearly the one that DCAA itself is currently using to assess its own performance. Based solely on the single metric of questioned costs per audit hour, the DOD IG found that Mr. Assad’s “most important” audit areas did not have the same bang for the buck (or return per audit hour, if you will) as the proposal audits that DCAA no longer performs. We found the following information to be very interesting. (Note: all information is DCAA FY 2009.)
-
Defective Pricing audits returned $633 in questioned costs per audit hour expended.
-
Incurred Cost audits returned $196 in questioned costs per audit hour expended.
-
CAS compliance audits returned $375 in questioned costs per audit hour expended.
DCAA, DPAP, and DCMA did not concur with the DOD IG audit findings, as might have been expected. For example, DCAA told the DOD IG that—
… using questioned cost per hour as the sole basis for allocating audit resources ignores areas of risk. DCAA provided that certain audits are required by law or regulation DCAA identified its incurred cost backlog which has quadrupled to $573 billion in the last 10 years as an important area of risk. DCAA responded that postponing these incurred cost audits any longer puts the Department at risk for canceling funds and may allow any overpayments made to contractors to go undetected. DCAA also responded that it must perform defective pricing audits before the statute of limitations runs out.
DCAA also non-concurred with the DOD IG estimate of lost taxpayer savings. It told the DOD IG—
… DCAA responded that this amount is significantly overstated. According to DCAA, contracting officers do not always sustain DCAA questioned cost and not every proposal that DCAA audits results in a contract award. DCAA provided that the average net savings rate for audits of fixed price contracts for the fiscal years 2009 through 2011 is approximately 41.8 percent. DCAA responded that ‘using essentially the same DoDIG methodology, combined with this average net savings rate, yields a much more modest potential loss of $122.4 million.’
In response, the DOD IG wrote—
We find that the alternative measure of ‘net savings’ that DCAA used to calculate a ‘much more modest’ potential loss of $122.4 million to the taxpayer is as a good measure of contracting officer performance in settling DCAA questioned costs as it is a measure of DCAA performance. DCAA in its response stated that contracting officers have sustained an average of 41.8 percent of DCAA questioned cost during the fiscal period 2009 through 2011, which indicates that in contract negotiations contracting officers are sustaining just over $4 for every $10 in DCAA questioned cost. DCAA did not indicate whether it considers a 41.8 percent sustention rate as a good indicator of the viability of its reported questioned cost. This area will be considered for future study.
Finally, the DOD IG questioned the entire strategy of eliminating DCAA audits of an entire stratum of low-dollar value proposals. It asserted that the strategy simply shifted the workload to DCMA Contracting Officers, who were already overworked and not prepared to perform the additional cost analysis work. The DOD IG pointed out that nobody in DOD Leadership chose to address that particular finding, writing—
Lastly, we find that DP and DPAP did not demonstrate why they chose to direct Department and taxpayer resources to DCMA to perform a job DCMA was not prepared to perform when DCAA had the existing infrastructure in place to get the job the done. A formal business case analysis could have identified that it was advantageous and more economical to direct any increase in DoD resources to the organization that already had the existing infrastructure to adequately perform proposal evaluations and track the questioned costs.
We here at Apogee Consulting, Inc. have previously reported on GAO findings that implicated DCMA management. Now we have a report from the DOD Inspector General that implicates DOD and DCAA leadership. We’re not saying that these reports are so damning that the people called out by them should be fired. But we do believe that these reports are so damning that the people called out by them should consider resigning their positions, and letting more effective leaders take their turns in the batter’s box.
|
