Tuesday, December 14, 2010

The double-edged sword of oversight

Is increased oversight a burden, or an opportunity to stand apart from the crowd?

We've been reporting for some time now that government contractors and subcontractors are coming under increased scrutiny. Previously, small business subcontractors were somewhat immune from harm, but this immunity is rapidly being whittled away. The Washington Post has noticed this phenomenon:

"The days of 'No one is checking,' are over. For too long, there was inadequate oversight." --Daniel Gordon, an administrator at the White House Office of Federal Procurement Policy

Washington Technology is reporting the same thing this week.

This increased focus on procurement regulations might have some contractors and subcontractors quaking in their boots. Oversight tends to send business owners into a panic, because it often means increased costs in a world of razor-thin profit margins. No one wants to risk being debarred or suspended, or have payments withheld, especially when federal contracting can provide a crucial stream of profitable business in many industries.

But the costs need not be prohibitive, and this negative can be turned into a strong positive for contractors and subcontractors. Increased oversight is bad news for those who don't follow government regulations, but good news for those who know and observe the rules!

There are great benefits to proving competence with federal procurement regulations. A contractor who can say they have a procurement regulations management system in place is going to be much more attractive to contracting officers than one who can't. Competence is a crucial factor for contracting officers when evaluating the competition--you can place yourself above your competitors by showing that this new focus on oversight doesn't burden or scare you because you have already taken steps to ensure compliance.

FARSmarterBids.com offers the most extensive library of federal procurement regulations in one place. Not only that, but regulations can be managed: contractors and subcontractors can store key regulations in their own virtual filing cabinets for easy, repeated access, meaning they can save valuable time and energy, preserving their profit margins. Many contractors use what they learn from the service to supplement the knowledge they receive from attorneys and consultants, thus shaving hundreds to thousands off these professionals' fees. All of this is offered for a low monthly or quarterly fee--as low as $55 per month.

Of course, just knowing the federal procurement playbook in general confers benefits of its own. This knowledge helps you compete because you have a better grasp of the regulatory costs and can use that knowledge to decide which contracts to bid on.

Subcontractors, too, can use this knowledge to better compete for work. Any smart businessperson will tell you how crucial it is to know your customer--and that includes being familiar with their regulatory landscape. Subcontractors who understand what the primes are up against--including payment withholding and evaluating supply chain risk--are attractive competitors. Often, subcontractors must comply with regulations when completing work for a prime contractor--those who work within the scope of those regulations are going to find themselves better positioned for repeat work.

Also, subcontractors who know their regulations can better insulate themselves from lawsuits and disputes if prime contractors face penalties levied by federal contract managers or agency heads. This means potentially averting costly, even business-killing litigation in the unfortunate event a prime contractor tries shifting the blame to a subcontractor in such a situation. The knowledge contained within FARSmarterBids provides a cost-effective "keep off the grass" sign to prime contractors who might try an underhanded technique to keep the heat off themselves.

We find that, far from being a costly burden, compliance with federal procurement regulations can be turned into a net positive. At very little cost, prime contractors and subcontractors can market themselves as the most capable, competent, efficient organizations with which to do business. Instead of groaning at the thought of increased oversight, companies can relish the thought of beating out the competition by playing the government's game.

Tuesday, December 7, 2010

Your Supply Chain at Risk: A Secret Blacklist for Government Contractors? Part 2

While Congress dithers about tax rates, a crucial piece of legislation, the National Defense Authorization Act of 2011, is still not resolved. This legislation may allow government officials to secretly blacklist contractors, with no notice, and no public accountability.

We examined some of the potentially alarming implications of Section 815 of this Act last week, and continue our analysis here.

Section 815 of the 2011 NDAA defines a supply chain risk as:

(4) The term ‘supply chain risk’ means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system or a covered item of supply so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of the system or item.

An "adversary" is not defined by this legislation, and there is no reference to an accepted definition in the U.S. Code. An obvious example would be an al Qaida terrorist. No one wants such a person working for a government contractor or subcontractor.

But what about a mischievous person? Someone who slips in a line of code as a joke or calling card? How about a careless programmer? A quick jaunt around StackOverflow.com can yield plenty of examples of funny comments, little "features," and all manner of bugs that made it into programs because programmers were coding for three days straight on only eight hours' sleep and gallons of coffee. If a little joke affects the performance of a "covered system," will the whole company be debarred?

What about a bug? The section mentions "maliciousness," but it also says "or otherwise subvert"--meaning that maliciousness may not be a criterion for deciding whether a programmer's actions fall under the definition of subversion. All code has bugs; the open-ended language of this legislation makes it ambiguous whether those bugs could be fixed with a patch or bankrupt the contractor.

This bill basically puts a premium on prime contractors closely monitoring the actions of all their employees as well as the employees of their subcontractors. While a terrorist might not have the patience to infiltrate a major prime contractor, build up years of trust, and then quietly place malicious code into crucial systems, contractors will still face devastating outcomes if an employee goes rogue.

No prime contractor is going to have the ability to examine every line of code in every program supplied by a subcontractor for bugs, pranks, or malicious code. The cost of doing so is prohibitive. This doesn't even cover the intellectual property issues that might come into play; subcontractors may have trade secrets to protect in their code that they do not want a larger company to co-opt. Subcontractors may find that the increased scrutiny or intellectual property risks are not worth it, and are, in effect, self-selected out of government contracting. And, of course, the cost of meeting whatever "qualification requirements" are set could be prohibitive to smaller businesses, leading to either more self-selection out of contracting or the de facto debarment that the American Small Business League warns about.

It is important to remember that we already have measures in place to effectively debar contractors who deal with foreign terrorists or whose practices might weaken the supply chain. In addition to the measures identified in the Federal Acquisition Regulations and supplements, the Excluded Parties List provides a means of achieving the goal of excluding potentially terrorist-linked firms without the secrecy and potential abuse at the hands of a consolidated few heads of agencies.

Even if Section 815 of this Act does not survive the legislative process to become law, a seed has been planted. The notion of withholding payments from contractors with "inadequate" business systems started in a proposed DFARS change, and subsequently appeared in a modified form in Section 841 of the 2011 NDAA. Another version of Section 815 may crop up in the Federal Acquisition Regulations.

Not only that, but these legislative and regulatory moves point to a larger trend: federal government officials are increasingly seeking to monitor prime contractor and subcontractor work, with potentially crippling consequences if they don't like what they see. Subcontractors are coming under increasing scrutiny; they are taking unnecessary risk if they do not have an effective means to manage the information in the Federal Acquisition Regulations. Meanwhile, prime contractors are forced to become increasingly risk-averse and only deal with companies they can trust to follow regulations while they, themselves, grapple with managing the regulations that apply to them.

Friday, December 3, 2010

Your Supply Chain at Risk: A Secret Blacklist for Government Contractors? Part 1

The American Small Business League recently released a statement that Section 815 of Senate bill 3454, the National Defense Authorization Act of 2011, "may allow senior Department of Defense (DoD) officials to secretly 'blacklist' government contractors at their discretion and without notice to the contractor or accountability to the public."

This is, of course, the same bill that contains provisions for withholding payment from contractors whose business systems are deemed inadequate. The bill follows proposed changes to the DFARS that would withhold payments up to 100% for "inadequate" business systems, including purchasing systems, which in turn includes subcontracting.

That federal government officials want more and more control over the contracting and subcontracting process is nothing new. Section 815, which covers risk to the supply chain, poses additional challenges for contractors and subcontractors.

At first glance, Section 815 seems to apply only to technology vendors and their suppliers, and it seems to be intended to block terrorists and hackers from maliciously manipulating mission-critical hardware and software. It appears to be a well-intended provision for ensuring that crucial tech vendors--and the military groups who depend on them--can't be shut down by a weak link in the supply chain. Who would be against that?

But the devil is in the details. A more thorough reading reveals some very open-ended wording that could lead to the section being used to justify draconian measures taken arbitrarily against contractors and subcontractors, leaving them with no recourse to restore their businesses and good names.

Section 815 starts by giving the head of "an agency" (which agencies are allowed this power is not specified) the power to establish qualification requirements for the reduction of supply chain risk, and to restrict competition to companies that can meet those requirements. Apparently irrespective of these qualification requirements, the agency head can establish supply chain risk as a major criterion for evaluation of a bid. This raises the question of whether Section 815 could be construed as giving agency heads the ability to exclude non-tech contractors and subcontractors.

The statute does not cover what happens when different agencies establish different qualification requirements. How can a small business keep up with these requirements on top of all the Federal Acquisition Regulations, even if it has an effective FAR management system? These requirements are only available upon request--so contractors must know to request them and contracting officers must be knowledgeable enough to deliver them.

The section goes on to outline how a company that either cannot meet qualification requirements or has been deemed to pose a "supply chain risk" can be restricted from competition either as a contractor or subcontractor. It then states that a determination against a company must be in writing but does not have to be disclosed via the Federal Register, that it is at the sole discretion of the agency head or senior procurement executive, and that it is not subject to review by either a GAO protest or the Federal court.

It doesn't take a contracting expert or attorney to point out the obvious potential for abuse by agency leaders. There are no apparent checks and balances to this system. On top of this, there is another problem that the bill doesn't even address--how the actions of one agency head affect another. Can the head of one agency blacklist a contractor who does business with multiple agencies and therefore cause other agencies to terminate contracts and blacklist the contractor as well? If the answer is yes, then what happens when one agency head blacklists someone another agency head needs to provide crucial systems? And what about contractors who are caught in the middle of inter-agency power struggles?

This is only part of the problem with this pending legislation. We'll examine some of the implications for prime contractors as well as smaller subcontractors next week.