Law360 (July 7, 2020, 9:08 PM EDT) -- Federal agencies made a raft of policy changes and revitalized a previously obscure law to respond to the coronavirus pandemic in the first half of the year. The government also updated its compliance and cybersecurity requirements for contractors.
Here are five areas of policy change that have made an impact on government contracting this year.
Revisions Spurred by the Pandemic
As the COVID-19 crisis began to bite, lawmakers acted swiftly and dramatically in response, introducing a multitrillion-dollar stimulus package — the largest in U.S. history — that included a number of programs either specifically targeted for or available to federal contractors, such as the Paycheck Protection Program providing forgivable payroll loans.
Federal agencies also issued a range of new and tweaked policies along with waivers to existing policies in an attempt to get emergency contracting done quickly or ensure contractors could continue to work on their existing deals. The U.S. Department of Defense, for example, signaled in guidance that it was willing to work with companies on contractual adjustments using existing Federal Acquisition Regulation tools like excusable delay and change clauses.
The DOD also issued a temporary adjustment in March that raised maximum "progress payments" for contractors from 80% of costs incurred to 90% of costs incurred for large contractors, and from 90% of such costs to 95% for small businesses, with a similar deviation for civilian agencies following in April.
Agencies like the DOD and U.S. Department of Health and Human Services have also made billions of dollars available through Other Transaction Authority agreements, which are typically meant for rapid prototyping and development deals, aren't procurement contracts and come with less red tape than traditional acquisitions. In addition, the DOD shifted approval decisions for OTAs lower down the chain of command.
And in an effort to get emergency medical supplies into the U.S., the General Services Administration issued a waiver making certain supplies like disinfectants and N95 face masks exempt from Buy American Act and Trade Agreements Act requirements. The Office of Federal Contract Compliance Programs waived affirmative action requirements for COVID-19 response deals.
The most important policy change in the eyes of many contractors was Section 3610 of the Coronavirus Aid, Relief and Economic Security Act stimulus bill, which authorized agencies to reimburse contractors for the cost of keeping employees and subcontractors in a "ready state" if they were unable to work because of COVID-19, allowing cash to flow even if work stalled.
But the interaction between the various forms of available COVID-19 relief is not always clear, so contractors have had to be careful about which programs they use, said Arnold & Porter partner Michael McGill.
"Do you seek relief under your existing terms, your change clauses, your stop-work orders? Or do you seek relief under 3610, or some mixture, and how do you balance those?" he said. "If you're seeking relief under A, how do you have to take that out of B to avoid problems? Those are very complex issues — 3610 opened the door for great opportunities for contractors to get relief that they might not otherwise be able to get … but there are risks there."
Defense Production Act Goes Into Action
While not a new law, the Korean War-era Defense Production Act, which was previously little-known outside the federal contracting world, has taken on a prominent role in the federal response to the coronavirus. The act has been used both to compel companies to produce needed medical equipment and to ensure the continued viability of other companies seen as vital to domestic production of certain key supplies.
The DPA gives the president broad powers to act in support of the national defense, with Title I allowing him to require companies to accept and prioritize federal contracts, and Title III authorizing directives to expand the production of materials and services to promote national defense.
President Donald Trump — and by designation the Federal Emergency Management Agency — has leaned on Title I amid COVID-19 to require General Motors to manufacture ventilators, to help the government buy N95 face masks from 3M Co. and to obtain virus testing kits.
FEMA also used Title I to issue an interim rule in May establishing a new Emergency Management Priorities and Allocations System, or EMPAS, allowing health care and medical contracts supporting national defense needs to take priority over other federal contracts — even other Defense Production Act contracts. The rule is not time-limited and will continue to apply even after the COVID-19 crisis is over.
What is particularly unusual about EMPAS is that orders made using the system can be used not only to fulfill government requirements, but also to provide for the emergency needs of private parties like hospitals, Hogan Lovells senior associate Stacy Hadeka said.
The DOD has used Title III during the pandemic to support companies such as shipbuilders, jet engine suppliers, body armor manufacturers and smaller providers of space launch services — although it withdrew its June space launch deal after criticism over an alleged lack of clarity regarding how those suppliers were chosen.
Those orders are part of a broader trend during the Trump administration, Hadeka noted, citing as an example a 2019 presidential determination authorizing the use of Title III authority to strengthen the domestic industrial base for small drones.
"We've seen over the last year and a half, outside of COVID, that the administration has been wanting to leverage the DPA to bolster the current domestic sources and also ensure that businesses located in the U.S. are able to survive," she said.
Regardless of who is in the White House next year, the expanded use of the DPA is likely to continue, with Democratic presidential hopeful Joe Biden's releasing a proposal Tuesday for ensuring the U.S. doesn't face shortages of critical supplies during crises, saying that he will use the DPA to step up production of those supplies.
Cybersecurity Maturity Model Certification Plan
Initially introduced in draft form in May 2019, the DOD issued version 1.0 of its Cybersecurity Maturity Model Certification program in January and then tweaked slightly.
In a sweeping change to how the department treats contractor cybersecurity, CMMC will require all defense contractors to have their cybersecurity programs assessed and certified at a level from 1 to 5. Eventually, all new defense contracts will specify a minimum required rating.
The DOD has said it expects that roughly 300,000 contractors and suppliers will need to be certified over the next few years, with outside auditors set to handle those reviews.
Although the DOD has yet to release a final Defense Federal Acquisition Regulation Supplement rule implementing the program, the Pentagon is pushing ahead with a rapid implementation plan.
DOD officials have said that the department expects the first few pilot contract solicitations containing CMMC requirements to be released in November, although attorneys have previously told Law360 that timeline may be too ambitious given the scope of the change.
"I think there's still a large amount of uncertainty about what that will actually look like," said K&L Gates LLP associate Amy Conant Hoang.
In recent guidance, the Pentagon has indicated that it won't require CMMC certification until the time of contract award, which makes sense from the point of view of allowing for the widest possible range of bidders, according to Hoang.
"But on the flip side, it seems like it could be a tremendous expense for a company to submit a proposal and go through the procurement process based on the hope or the estimation that they will receive a certain level of certification from a brand new auditor that is reporting to a brand new accrediting body under a brand new certification system," she said.
The GSA recently signaled that CMMC requirements may not ultimately be limited to DOD contractors alone, saying that the program "may also have utility as a baseline for civilian acquisitions" and reserving the right to apply the requirements to contractors under its pending $50 billion STARS III information technology deal.
Other DOD Acquisition Policy Changes
Although they may have gotten somewhat lost in the shuffle, the DOD, the largest federal contracting agency, also made significant acquisition policy changes unrelated to the coronavirus.
In a series of formal instructions and directives between January and April, the DOD released a new "adaptive acquisition framework" designed to be more flexible and less prescriptive for contracting officers than the previous framework.
The adaptive plan gives DOD acquisition staffers a choice of six "pathways" based on the characteristics of what they're trying to buy, such as "urgent operational needs" that have to be delivered within two years or major weapons systems that need heavy ongoing oversight, and recommends appropriate contracting models for each type of deal.
In March, the Pentagon released long-awaited guidance updating its 2012 policy on "controlled unclassified information" — sensitive but unclassified data held by contractors. Among other clarifications and changes, the guidance unveiled a new registry that will list, for contractors that have access, exactly what the DOD considers to be such information.
And in April, the DOD issued a rule tying progress payments to contractors to "objective, quantifiably measurable" results or events, rather than basing them on the percentage of costs the contractor has incurred. The change allows contractors to receive progress payments above their costs to that point.
DOJ's Updated Corporate Compliance Requirements
Although not specifically directed at federal contractors, a June update by the U.S. Department of Justice's Criminal Division regarding how it evaluates corporate compliance programs when investigating companies is nonetheless important for contractors, attorneys said.
Beyond helping to determine whether an investigation leads to criminal charges, a good corporate compliance program may also help contractors avoid other potential consequences, such as suspension or debarment from federal programs.
Although indicating the DOJ is still looking at the same three overarching issues as it had in previous versions of the compliance guidance — whether a compliance program is well designed, being implemented in good faith and works in practice — there some important changes in the new update.
For example, the department noted that the good faith implementation requirement looks specifically at whether a compliance program is "adequately resourced and empowered to function effectively," and that it wants to see programs updated regularly, using data gathered over time to inform those updates.
"For government contractors in particular, I think the big takeaway is that they should be reviewing their internal [Federal Acquisition Regulation]-based business ethics and compliance programs in light of the DOJ's new guidance and should be updating their FAR-mandated compliance programs," said Aron Beezley, government contracts practice co-leader at Bradley Arant Boult Cummings LLP. "That's the thing that's unique for government contractors."
--Editing by Jill Coffey and Kelly Duncan.
For a reprint of this article, please contact firstname.lastname@example.org.