
Tuesday, December 7, 2010

Your Supply Chain at Risk: A Secret Blacklist for Government Contractors? Part 2

While Congress dithers about tax rates, a crucial piece of legislation, the National Defense Authorization Act of 2011, is still not resolved. This legislation may allow government officials to secretly blacklist contractors, with no notice, and no public accountability.

We examined some of the potentially alarming implications of Section 815 of this Act last week, and continue our analysis here.

Section 815 of the 2011 NDAA defines a supply chain risk as:

(4) The term ‘supply chain risk’ means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system or a covered item of supply so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of the system or item.

An "adversary" is not defined by this legislation, and there is no reference to an accepted definition in the U.S. Code. An obvious example would be an al Qaida terrorist. No one wants such a person working for a government contractor or subcontractor.

But what about a mischievous person? Someone who slips in a line of code as a joke or calling card? How about a careless programmer? A quick jaunt around StackOverflow.com can yield plenty of examples of funny comments, little "features," and all manner of bugs that made it into programs because programmers were coding for three days straight on only eight hours' sleep and gallons of coffee. If a little joke affects the performance of a "covered system," will the whole company be debarred?

What about a bug? The section mentions "maliciousness," but it also says "or otherwise subvert"--meaning that maliciousness may not be a criterion for deciding whether a programmer's actions fall under the definition of subversion. All code has bugs; the open-ended language of this legislation makes it ambiguous whether those bugs could be fixed with a patch or bankrupt the contractor.

This bill basically puts a premium on prime contractors closely monitoring the actions of all their employees as well as the employees of their subcontractors. While a terrorist might not have the patience to infiltrate a major prime contractor, build up years of trust, and then quietly place malicious code into crucial systems, contractors will still face devastating outcomes if an employee goes rogue.

No prime contractor is going to have the ability to examine every line of code in every program supplied by a subcontractor for bugs, pranks, or malicious code. The cost of doing so is prohibitive. This doesn't even cover the intellectual property issues that might come into play; subcontractors may have trade secrets to protect in their code that they do not want a larger company to co-opt. Subcontractors may find that the increased scrutiny or intellectual property risks are not worth it, and may, in effect, select themselves out of government contracting. And, of course, the cost of meeting whatever "qualification requirements" are set could be prohibitive to smaller businesses, leading to either more self-selection out of contracting or the de facto debarment that the American Small Business League warns about.

It is important to remember that we already have measures in place to effectively debar contractors who deal with foreign terrorists or whose practices might weaken the supply chain. In addition to the measures identified in the Federal Acquisition Regulations and supplements, the Excluded Parties List provides a means of achieving the goal of excluding potentially terrorist-linked firms without the secrecy and potential abuse at the hands of a consolidated few heads of agencies.

Even if Section 815 of this Act does not survive the legislative process to become law, a seed has been planted. The notion of withholding payments from contractors with "inadequate" business systems started in a proposed DFARS, and subsequently appeared in a modified form in Section 841 of the 2011 NDAA. Another version of Section 815 may crop up in the Federal Acquisition Regulations.

Not only that, but these legislative and regulatory moves point to a larger trend: federal government officials are increasingly seeking to monitor prime contractor and subcontractor work, with potentially crippling consequences if they don't like what they see. Subcontractors are coming under increasing scrutiny; they are taking unnecessary risk if they do not have an effective means to manage the information in the Federal Acquisition Regulations. Meanwhile, prime contractors are forced to become increasingly risk-averse and only deal with companies they can trust to follow regulations while they, themselves, grapple with managing the regulations that apply to them.

Tuesday, October 12, 2010

Implications of the GTSI Suspension: FARS Management

Jonathan S. Aronie over at GovernmentContractsLawBlog.com pointed out some interesting implications of the recent GTSI suspension.

He astutely points out some possible consequences:

  • "Prime contractors reassessing their current relationships with small businesses. (And small businesses doing the same.)
  • Greater contracting officer focus on the SBA’s rules, and greater scrutiny of proposals in set-aside procurements.
  • SBA OIG audits of large and small teammates on set-aside contracts, like SEWP or FirstSource."
A greater focus on the rules. Audits. Sound familiar? Anyone who has been following contracting news knows that the Obama Administration has placed a greater focus on oversight and regulations. But what is a contractor to do about it?

Small businesses that find themselves under greater scrutiny by prime contractors should take a look at how they manage the FARS. Proving competence with the FARS is a good way for contractors to keep each other comfortable with the arrangement. Would you do business with someone who doesn't keep track of the terms of the contracts you make with them? Someone who ignores applicable regulations--which may in turn get you suspended, or get you negative ratings in the FAPIIS system, or may cause the DoD to withhold payments? Someone who would make you look less trustworthy to the greater contracting community?

Yet the FARS and their supplements are a monstrosity. How can a small business compete? It's increasingly apparent that in order to stay competitive, a FARS management system is crucial. It's not enough to print out regulations, stuff them into a folder and never look at them again. It's not enough to keep them in overflowing email inboxes. Competitive contractors of all sizes face the need to prove regulatory competence, the same way ISO-certified companies must.

Mr. Aronie also points out in his post:

"When push comes to shove, you may not get the expected mileage from a defense based upon the oral advice of a contracting officer."

Contractors shouldn't take the word of others; they need to be responsible for this information themselves. Competitive contractors must show that they have the regulations at their fingertips, and that applicable regulations are revisited frequently to ensure compliance. ISO certified companies often attest to the increased business brought by their certifications; we believe the same will be true of contractors who can show good FARS management.

Free FARS management subscription

If you're interested in a FARS management system with comprehensive scope and easy ways to save links and annotations to the FARS, check out the FARSmarterBids subscription service. We now offer a free 1-month trial to help you evaluate our software, to see how it can help save you time and money, and avoid contracting risks.

Tuesday, October 5, 2010

Contractor GTSI suspended; who is next?

As we reported earlier on our Twitter feed, the SBA has suspended GTSI from government work based on allegations of contracting fraud. According to a Washington Post article:

"There is evidence that GTSI's prime contractors had little to no involvement in the performance of contracts, in direct contravention of all applicable laws and regulations regarding the award of small business contracts," an SBA official wrote in a letter to GTSI's chief executive, Scott W. Friedlander. "The evidence shows that GTSI was an active participant in a scheme that resulted in contracts set-aside for small businesses being awarded to ineligible contractors."

The article goes on to say it's the first time in decades that such an action has been taken.

This comes as no surprise to government contracting newshounds. This administration has stated many times that stopping contracting fraud, waste, and abuse is a priority. President Obama's memorandum back in March challenges federal agencies to ferret out companies that don't follow contracting rules.

Contracting and subcontracting, including small business contracting, have become increasingly important targets in Congress; as we reported earlier, the new Small Business Jobs and Credit Act aims to enforce subcontracting plans. Congress is looking at agencies like the Department of Homeland Security to ensure proper management and oversight of contracts. And Congress may yet pass a version of the DoD's payment withholding plan in the National Defense Authorization Act 2011 for contractors who don't follow the rules.

If a large contractor like GTSI can be taken to task under this increased oversight, it is likely that other contractors will as well. Furthermore, knowledge of the Federal Acquisition Regulations is increasingly at a premium; even the smallest subcontractors could stand to lose business if the regulations are not followed. No prime contractor will want to assume the risk of being suspended because of a failure to follow regulations along the supply line. Contracting officers will be on the lookout for companies that can demonstrate good management of the applicable regulations. An effective FARS management system reduces the regulatory burden and ensures compliance, which in turn protects against suspension.

It will be interesting to see what other companies may be suspended by the SBA; if what is alleged against GTSI is true, it is possible there are many other "GTSIs" out there that could be suspended. Time will tell, but in the meantime, contractors and subcontractors should take a close look at their FARS management and ask themselves if they can prove their competence in this era of increased oversight.