Podcasts

Join host Erin Keating and expert Eric Crusius as they discuss what FAR Part 9 is and how government contractors should handle cybersecurity compliance.

Transcript

Erin Keating: Welcome to NeoCast. Join our experts each week as we discuss strategies and solutions for your businesses in managed IT, cybersecurity, government contracting, and much, much more. Sharing is caring and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it. Hello and welcome back to NeoSystems’ NeoCast Podcast. We are in a series called GovCon Rules. We’re talking through several different things that are impacting both civilian and defense contractors when dealing with the government and new cybersecurity certifications that are needed and new contractor certifications and requirements that are needed.

Erin Keating: We have our lead expert here, Eric Crusius, partner with Holland & Knight, and we are onto our season two. Last season, we focused on the third party cybersecurity certification and this season, we’re going to focus on FAR Part 9 contracting qualifications and talking through how contractors should handle cyber security compliance. So, with that, welcome to the podcast today. Eric, thanks for joining us again.

Eric Crusius: Thank you.

Erin Keating: So, our first topic in our first episode here is going to be what is FAR Part 9. So, let’s just kick it off with that. What is FAR? And remember, we might have some younger folks that are just joining the industry and may not even know what FAR stands for. I’m your resident layman that needs it explained. So, if you don’t mind explaining what FAR is and then what FAR Part 9 refers to and why it’s important to contractors, that would be a great way to kick us off.

Eric Crusius: Sure. Well FAR stands for Federal Acquisition Regulation, and those are kind of the rules of the road by which the government operates when awarding or not awarding contracts to contractors and the process after the contract is awarded to be compliant with these rules. The FAR contains all these rules of the road, at least in theory so contractors have a central clearing house where they know which rules and regulations they need to be compliant with. That being said, there are the supplements to the FAR.

Eric Crusius: Even though the FAR was put into place to be this one standard guide, agencies have come up with their own regulations that they supplement the FAR with. The best known, of course, is the DFARS, Defense Federal Acquisition Regulation Supplement. A lot of people think the S is just plural, but it’s actually Supplement. So, other agencies have their own supplement, like GSAR, General Services Administration Regulation supplement. So, there’s a lot of different rules and regulations out there.

Eric Crusius: Despite the fact that the government likes to make things more standard, of course, everyone likes to have their own customized regulations. Within the FAR, there are parts and sub parts and within that, there is FAR Part 9. FAR Part 9 deals with whether a contractor is essentially worthy of doing business with the federal government because they have the requisite responsibility to do business with the federal government.

Erin Keating: Okay. So, why is it important to the contractors? What things are they looking for within Part 9?

Eric Crusius: So, the last thing, generally speaking, or just about the last thing the government does prior to awarding a contract is they look to see if a contractor is somebody they want to do business with. Is this a contractor that has the responsibility to do business with the government? If they don’t, they don’t get the contract. It’s as simple as that. There are ways that the government does that. Initially, what they’ll do is they’ll look on what’s called SAM, the System for Acquisition Management.

Eric Crusius: Sam.gov lists all the contractors that have been suspended or debarred and can’t do business with the federal government. So, the contracting officer hopefully is checking SAM and looking to see whether they’re about to award a contract to a contractor that can do business with the federal government. Believe it or not, there are exceptions where they can award smaller contracts especially to contractors that are suspended and debarred. But that’s a conversation for another day.

Erin Keating: Oh, great.

Eric Crusius: But I knew you’d be comforted by that.

Erin Keating: Yes.

Eric Crusius: But even if a contractor is not suspended or disbarred, the agency should still look to see, does this contractor have the requisite responsibility to do business with the federal government? Obviously, not being listed on SAM is a good place to start, but sometimes the agency will go look further. Sometimes, with small businesses, a contract is awarded to a small business. Then if the agency is unsure whether that small business is up to the task, they will refer it to the small business administration and they’ll make a separate determination on responsibility. So, it’s kind of an overview of responsibility and why it’s important.

Erin Keating: Does responsibility go with how you treat your employees, your financial stability, things like this? Or are there specific requirements within Part 9 that are more broad ranging or more singular to be that?

Eric Crusius: It’s really, if you look at the different factors, I always like to look at the endgame. So, if I have to try a case one day, I’ll look at what the jury instructions are going to be two years from now to see what the jury’s going to look at, and that’s how I know I’m going to fashion a case leading up to that point. When looking at whether a contractor is responsible or not, I’ll look at the debarment standard. What does the government look at when they decide whether they’re going to debar a contractor?

Eric Crusius: Those are the factors I’ll look at to determine whether, well, I don’t personally determine, but help clients through process on whether they are responsible or not. So, to answer your question, of course, I’m a lawyer. I get paid by the word. So, you get these long answers-

Erin Keating: Yeah, that’s great.

Eric Crusius: … for your questions.

Erin Keating: I like it that we’re giving you practice.

Eric Crusius: Yeah.

Erin Keating: You’re welcome, Holland & Knight.

Eric Crusius: I’m sure they’re very appreciative. You do look at holistically what the contractor’s doing and probably treatment of employees is somewhere in there. If they’re not complying with labor laws and paying their employees underneath through minimum requirements, that can go to responsibility for sure. Yelling at their employees probably will not, although that’s not really a good thing to do. But they lay out a multipart test as far as if a contractor should be debarked or not.

Eric Crusius: There’s a whole process that contractors go through if the government decides they want to suspend them. Nobody has a constitutional right to do business with the government. But on the other hand, there is a constitutional right to have due process in various aspects of your life, and I would argue that this is one of them.

Erin Keating: Right. So, that leads me to my next question. If the government does happen to think that you’re a contractor that’s not responsible, what happened?

Eric Crusius: There’s a number of ways the government finds that out. One, it’s how you’re performing on the contract. If they see you’ve promised certain things and you’re not even trying to fulfill them, that may indicate to them that you’re not responsible. Another is sometimes, if you’ve been accused of something, even if it hasn’t been proven, the government to protect itself may suspend a contractor. It does that by sending out a letter, giving the contractor time to respond to the letter as to why they should not be suspended or debarred.

Eric Crusius: Then kind of specific to cybersecurity, you’ve had this process the last couple years that’s actually pretty interesting with especially these foreign technology companies like Kaspersky, like Huawei, where the government has gone out and proactively not just tried to suspend or debar a contractor, but they’ve actually passed laws debarring the contractor from doing business with the federal government. That’s been in the last couple of years, National Defense Authorization Act.

Eric Crusius: Those laws have been kind of messy because what has happened is that those companies, like Kaspersky, like Huawei, have gone to court and to challenge them on constitutional grounds. Kaspersky lost their lawsuit and they lost it on appeal and Huawei’s is still pending. In fact, there’s some argument in September on their lawsuit and then we expect a decision not too long after that. But the government saw that this was a, and I’m just talking mainly about cybersecurity now, the government saw that this was kind of a messy process.

Eric Crusius: So, in the last year’s National, actually it was after the last year’s National Defense Authorization Act. It was at the very end of 2018. Right before Congress left town, they passed a law that establishes a Federal Acquisition Security Council, FASC, of course, because we live and die by acronyms here. The Federal Acquisition Security Council, what it does is it allows the government to consider evidence that a contractor is not worthy of doing business with the federal government, or product or service specifically, because of risks inherent in their cybersecurity posture. Or maybe they’re tied to the Chinese government or something like that, at least in accusation.

Eric Crusius: The council will make a recommendation as to whether this contractor should be excluded from doing business with the federal government. At that point, the company has a chance to put in essentially a brief or evidence arguing why the government’s wrong. Then that recommendation is forwarded on to the specific agencies. So, for any DOD agencies, it’s DOD. Any civilian agencies, it’s Homeland Security. Then their separate intelligence agencies are separate and apart.

Eric Crusius: So, you have that whole process and then once that happens, if the agency decides to exclude a certain product, service, or company, the contractor has the opportunity to go to court and challenge that in an orderly process. Very orderly. The court that they have the opportunity to go and challenge is a federal appellate court. It’s not even a trial court, which is very interesting because I think they expect it to be on the papers. But we’ve had this ad hoc process of companies getting essentially suspended and debarred, even if it wasn’t through the regular process.

Eric Crusius: Then they’ve tried to stand up this new process, which has not been tested yet, but it just was passed late last year. That’s an interesting way that we see this happening in the cyber realm. In the non-cyber realm, the general processes that you have, an agency that decides to suspend a contractor, the contractor has a right to come in and say why they shouldn’t be suspended. Then the spent suspension and debarment authority has the opportunity to make a decision on that. You as the contractor, if you think they are wrong, you have the opportunity to go to court and challenge it.

Eric Crusius: Very hard to overturn those things in court because the courts will presume that the government is acting in good faith in is acting within the bounds of their requirements. If there’s no basis for it, a court challenge may very well be fruitful, but if there is some basis for it and there’s something the government can hold on to-

Erin Keating: Anything, yeah.

Eric Crusius: Yeah, you’re not going to have a lot of luck.

Erin Keating: Right. So, in speaking about that, we talked about some of the factors, like if you’re not doing the work that you said that you’re going to do or not even showing that you have an attempt to do the work that you said that you could do. What are some other factors that the government would use to determine whether a contractor is responsible?

Eric Crusius: Right. So, they look at a few things. One, if a contractor has been subject of a criminal proceeding, that would weigh heavily towards them not being responsible. Believe or not, there are things that happen where there is a criminal proceeding and the contractor is responsible, depending on the nature of the criminal proceeding. What the government will look for, let’s just say something wrong happened in the government’s eyes. There’s a criminal proceeding.

Eric Crusius: Maybe there was a falsification of records or something like that. There’s some fraud upon the government. The contractor promised something it didn’t deliver and knew it couldn’t deliver, all those kinds of things maybe. Then the contractor looks to see what, I’m sorry, the government looks to see what the contractor has done to remedy that situation because FAR Part 9 is all about present responsibility. It’s not about punishment.

Eric Crusius: So, if you’ve done something really terrible as a contractor, but you’ve cleaned house and everyone that did those bad things is gone, long gone, and you’ve put these new processes in place to ensure it won’t happen again, you’re probably going to be a responsible contractor and the government will do business with you. But they want to see that and they want you to agree to it even separately, contractually through an administrative agreement.

Eric Crusius: So, they’ll look for certain things. They’ll look to see whether you’ve internally investigated what happened. Maybe a third party has internally investigated, such as a prosecutor, and how that’s been resolved and what they have found. Did the contractor fully cooperate with the agencies while this was happening or was it trying to hide the ball? Right. If it’s trying to hide the ball, it hasn’t learned its lesson, so it’s not going to be presently responsible.

Eric Crusius: Did the contractor, as I kind of noted just a few minutes ago, take disciplinary action against the employees involved? Usually, that disciplinary action, if it’s serious enough, will amount to dismissal. You have to burn the house to save the village kind of thing. You do have to get rid of the bad eggs or the ones who are a part of the problem. What kind of processes has the contractor instituted to be sure that this won’t happen again. So, those are kind of some of the things that they’ll do. Is there a recognition among management that this was wrong and it shouldn’t happen again and management is taking a leading role to ensure it won’t happen again?

Erin Keating: I think that’s actually very heartening to hear. I only wish that we could apply that across the government and our criminal justice system and so forth, speaking personally. But that’s good to know that the government is willing to look at those circumstances and then help, which we talked about if a contractor is suspended or debarred, it looks like there are things that they can do, not just appeal things, but from this last moment here that they can remedy privately and then be able to prove that to the government that they are doing it, whether it’s been forced upon them or not. Anything else that that contractors should be thinking about if they have in fact been suspended or debarred and what they can do?

Eric Crusius: Certainly, if they have been subject to suspension or debarment or they fear they’ve done something that may subject them to suspension or debarment, there are certain, and this is not applicable all across the board, but there are certain FAR regulations that encourage contractors to self-disclose, voluntarily disclosed some wrongdoing, depending on if it’s like a False Claims Act violation, a Title 18 violation, which is a criminal violation, or part of the criminal code.

Eric Crusius: If the covers those things, there may be an opportunity or a requirement, they call it mandatory disclosure, to disclose these things. But it, in effect, almost always acts as a get out of jail free card so that way you as the contractor can move on and the government can move on and you’ve taken the steps necessary to make sure that won’t happen again.

Erin Keating: Now, just out of curiosity, and this is coming back from previous episodes we’ve done that I have a question about, because we did mention public companies vs. companies. Are there any differences? Does the government see a public company vs. a private company any differently?

Eric Crusius: Not officially, but I would say that a large public company is usually given more slack because the government’s usually more reliant on those companies and probably, there’s a recognition that these companies have more processes and controls in place. So, I would say they’re probably starting from ahead of the private companies because it’s easy to show that you’ve done things to make sure that whatever the wrongdoing was won’t occur again.

Erin Keating: The governance that being a public company necessitates probably gives a level of comfort to the government, knowing that there’s at least some gate that you’re going through in order to survive as a public company vs. a private company.

Eric Crusius: Absolutely.

Erin Keating: So, that makes sense. Yeah. So, how can a contractor show itself to be responsible? So, I know that you say don’t show up on the SAM list or the SAM website. But are there other things that it can … We’ve been talking about certification requirements. We’ve been talking about the NIST 800-171 and things that you can just remain in compliance with. What’s out there for someone to be able to readily show the government that they’re responsible?

Eric Crusius: I don’t know that there’s anything, any kind of guide that’s out there. It’s just about doing good work and doing it in a timely manner and staying on the right side of the law. It’s doing all the things that as a company you hopefully strive to do on a daily basis. Keeping your head down and just doing the work and performing is really the best way. That being said, there’s so many gray areas surprisingly that pop up during the performance of a contract that you don’t anticipate and it can be difficult for contractors to see what’s the right decision here and how far do I need to go to ensure I’m presently responsible?

Eric Crusius: There may be such a thing as going too far. Government doesn’t want to hear from you every second to know that you’re performing properly and nobody’s been arrested. But there may be times that additional information is needed and should be provided. So, I would say that while there’s no guide, I think a lot of it’s just common sense, just trying to do the right thing, keeping your head down.

Erin Keating: Well, I would say that I’ve definitely been learning a lot about what it’s like to do business with the government and it doesn’t necessarily sound off the top of my head that it’s easy per se. It sounds like a lot of alphabet soup you’ve got to sort through. I’m assuming that’s a majority of the work that you do with your clients is helping them to understand what they might be at risk for from a legal perspective.

Eric Crusius: Yeah, and I may have mentioned this on an earlier episode, I don’t remember at this point, but I call what government contracts lawyers do, we’re specialized generalists because we’re specialized in the field of government contracts, but government contracts covers everything. It covers cybersecurity, it covers employment law, it covers contract law, covers real estate. There’s this whole separate body of government contracting real estate law. So, yes, and I think it’s our responsibility to know a wide breadth of law and help contractors go through that because they have a hard enough time running a business. They don’t need to worry about these other things too.

Erin Keating: Right. Well, I think that this wraps up what we needed to know about FAR Part 9. I look forward to the next episode where we’re going to talk a little bit more in depth around why cybersecurity compliance is important under FAR Part 9. But thank you again, Eric, for being with us today. Any parting thoughts for our audience listening as far as FAR Part 9 is concerned?

Eric Crusius: I would just say that, especially as, and this is kind of previewing the next episode, but as far as cybersecurity is concerned, if you are saying as a contractor that you’re compliant with a provision, make sure you’re compliant with it. Right? The government does not like to find out later down the road if there’s been a cybersecurity breach that you’re not, and that will go towards your present responsibility. So, it’s something to just keep in mind.

Erin Keating: Great. Well, I look forward to deep diving into this next episode and appreciate your time today, Eric. Thank you so much.

Eric Crusius: Thank you.

Erin Keating: Take care. The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure.

Erin Keating: From software hosting and security solutions to managed accounting services, NeoSystems custom builds solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystems, C-O-R-P, .com. That’s neosystemscorp.com.