Podcast Season 2 Episode 2 – Why Compliance is So Important Under FAR Part 9
Now that we know what FAR Part 9 is in the world of cybersecurity and government contracting, we speak again with expert Eric Crusius to discuss why cybersecurity compliance is so important and how CMMC will change the way we think about certifying contractors.
Transcript
Erin Keating: Welcome to NeoCast. Join our experts each week as we discuss strategies and solutions for your businesses, and manage IT, cybersecurity, government contracting, and much, much more. Sharing is caring, and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.
Erin Keating: Welcome back to season two of Gov Con Rules. We are discussing in this season FAR Part Nine contracting qualifications, how contractors should handle cybersecurity’s compliance. Today, we’re going to be on episode number two of this season, featuring our resident expert Eric Crusius, with Holland & Knight. Today, we’re going to be talking about why is cybersecurity compliance important under FAR Part Nine.
Erin Keating: Eric, thank you so much for coming back and joining us on this episode. Appreciate it.
Eric Crusius: Thanks, good to be here as always.
Erin Keating: Yeah, absolutely. We’ve reviewed a little bit about how contractors should handle cybersecurity as far as what is FAR Part Nine. In our first season we talked through what the cybersecurity certification process is going to look like. Today, let’s go a little bit further into this topic and talk about what’s actually required for contractors under FAR Part Nine.
Eric Crusius: Sure. FAR Part Nine is kind of that catchall, where if the government wanted to do business with a government contractor, the government contractor essentially has to show that they’re a responsible enough company to do business with the government. FAR Part Nine is the guide for that. The government puts those standards in the Federal Acquisition Regulation, FAR Part Nine, and sets that out so everyone in the world can see what the government looks to when deciding whether a company is responsible enough to do business with the federal government.
Erin Keating: Good. Is there anything specific that they need to be requiring? Anything they’re specifically required to do under FAR Part Nine?
Eric Crusius: For those who have a handy dandy FAR guide at home, I can refer you to FAR 9.104-1, but I’ll just kind of summarize it here a little bit so you don’t have to get up from your couch or put your cup of coffee down. You can just kind of listen to us instead.
Eric Crusius: The things that the government looks for in 9.104-1 are about five, six or seven things, but to summarize, one is they want to make sure that the company has adequate financial resources, that it can perform the contract, that it has the money to hire people, get them on the contract, or buy the supplies necessary to perform.
Eric Crusius: There have been issues with contractors that don’t have adequate financial resources, and not finishing performance. So, that’s a big thing that the government looks to.
Erin Keating: Do you actually have to turn in financial paperwork certified by accountants or CPAs, and things like this?
Eric Crusius: That does have to happen sometimes, but it’s not necessary on all occasions.
Erin Keating: Okay.
Eric Crusius: I have seen that required to show the contractor, especially for larger efforts, can perform. It’s not a regular requirement that they have. What they will look for, and this is the next point, is to be able to comply with required or proposed delivery or performance schedule. They’ll look at that, because that’s something that they have to have confidence doing.
Eric Crusius: For those first two points though, oftentimes government looks for past performance references from the government, where else have you performed for the federal government before? Or, if nothing else, where else have you performed for a prime contractor now that you’re trying to get your own contract? But to show that you’ve done this before, you’ve been through this rodeo, you have the… Because you’ve done it, that could kind of show that you have the financial resources to do it again as well as the ability to perform according to the schedule that the government’s laying out.
Erin Keating: If you haven’t actually worked either under another prime contractor for the government, or for the government directly, will they take public resources? So, different companies in the private sector could speak for your abilities to do the work? Or, is that they really want to see that you’ve worked with the government before?
Eric Crusius: There are times that you can, without a government contract or a subcontract in the past, that you can perform. If you’re a small business, there’s this provision that requires the government… Let’s just say they want to award you the contract, but they don’t know if you can perform because you haven’t done this before. They will refer to the Small Business Administration for a review.
Erin Keating: Oh, okay.
Eric Crusius: And the SBA, if they find that the contractor has, they’ll look more deeply into financial resources and things like that. If the SBA finds that the contractor has adequate financial resources, they’ll issue what’s called a Certificate of Competency, and then the contractor will get the award. You have to be kind of proposed to get the award-
Erin Keating: Right, okay.
Eric Crusius: They refer it to SBA, the SBA looks at the documents that the contractor has, or proposed contractor, and then they will issue that certificate and then they can go on their way and perform hopefully.
Erin Keating: Great, so this is a little bit of a tangent question here, and you may not know the answer. Is that then the recommended or the typical way someone moves their way up to being a prime contractor, is sort of, hitches their wagon to other prime contractors until they’re ready to take on and bid for some of the business themselves?
Eric Crusius: Absolutely. That’s a very common way; all prime contractors were probably, at once, first subcontractors. They get there from the door, and they want to see if this is the kind of business they want to get into; it’s lower risk. They’re not required to comply with all the clauses necessarily that prime contractors are required to comply with. So, they don’t have the cost of those systems that they have to develop internally as a prime contractor.
Erin Keating: Right, right.
Eric Crusius: Absolutely.
Erin Keating: That sounds smart. What does it mean… Are there other requirements under there? I want to make sure we get through those.
Eric Crusius: There’s a few more that have a satisfactory record of integrity and business ethics, have a satisfactory performance record, which is really what we already talked about, have the necessary organization experience, accounting and operational controls, and technical skills, or the ability to obtain them. I think this is really where cybersecurity compliance comes in. They want to make sure you have the internal systems necessary to perform and to be compliant with the rules and responsibilities that the government puts on contractors. For a lot of things in cybersecurity, there are some cybersecurity-specific clauses that contractors have to follow. If you look at the overwhelming number of clauses that are out there that contractors have to follow that bring in essentially cybersecurity, they’re older clauses before anyone cared about cybersecurity.
Erin Keating: Oh, okay.
Eric Crusius: This clause was originally written in the 1980s, although it was edited and updated through this year actually.
Erin Keating: Okay.
Eric Crusius: A lot of these kinds of things were around long ago, but still bring in cybersecurity because if they want you to have the technical skills, that would include cybersecurity skills necessary to protect your things, or protect the government’s information. There’s a couple more: have the necessary production and construction technical equipment and facilities, or the ability to obtain them. Again, that’s something that could bring in cybersecurity. If you don’t have those things, you may not be cybersecurity compliant. Then just the catchall, be otherwise qualified and eligible under the applicable laws.
Eric Crusius: These are kind of the standards the government will look to when deciding whether a contractor is responsible or not. I can see at least two of them really imply cybersecurity, even if it’s not what the drafters intended at the time. That’s what it will mean in the present day.
Erin Keating: Right, now as I’ve said several times on all these episodes, as the layman, as the person that doesn’t know any of this and is wanting to be sure that we have questions out there that can be answered for those that are brand new listeners and trying to figure out if this is an area they want to get into, one question that came to mind while you were talking about that was this seems to refer a lot to systems, and things that you have to have in place as far as infrastructure of a company. How much of it ever refers to the actual human resources that you’re pulling on to any projects, and the security levels, and things like that, that they might need to have?
Eric Crusius: That certainly occurs. That’s more on a contract by contract basis.
Erin Keating: Okay.
Eric Crusius: Although, I think it’s implicit in all these requirements anyway, so it’s a great question. I think also from a contract by contract basis, it’ll talk about what kind of history an individual on the contract must have, besides their qualifications and all that kind of stuff, what kind of clearance they have to have, what kind of cybersecurity training they may have to have, things like that. For sure.
Erin Keating: When dealing with the Department of Defense and getting into cybersecurity, is there just a base level clearance that people need to get into that field in the first place? Or is that something that you can build up towards? Do you know? It’s okay if you don’t have the answer.
Eric Crusius: If you’re talking about individuals who a contractor would hire, that would be highly dependent on what they’re going to do on the contract.
Erin Keating: Okay.
Eric Crusius: There are some individuals who would just need to have the necessary background. The government cares about… If you look at agencies, they care about what the qualifications are, because that predicts what they will be able to do in the workplace.
Erin Keating: Okay, okay.
Eric Crusius: So they care about that. That doesn’t necessarily mean they need some kind of clearance or something like that, but for most cybersecurity things today, I think they would probably need clearances of some kind.
Erin Keating: Right, right. Interesting, okay. What does it mean when a contractor signs an invoice? What is the contractor actually promising at that point?
Eric Crusius: There’s an implicit promise, and I know we’re going to get more into this in the next episode so stay tuned, but there’s an implicit promise that the contractor is following and complying with all the regulations that are in their contract. That’s one. Number two, it’s that we have provided what we said we’re going to provide in this invoice. So if the invoice is for 30 people for $60.00 an hour working eight hours a day, with certain qualifications, that’s what happened. I’m signing this invoice, and I’m certifying that’s what happened. Aside, there is one off, and it’ll impact a few of probably our listeners, but under the Davis-Bacon Act, which is an act for construction government contracts, it’s a little more complicated than that, but essentially government contracting construction, they have to do certified payrolls every week.
Erin Keating: Oh, okay.
Eric Crusius: So, it’s a little bit more complicated. Besides that, I really think for the most part, signing an invoice, you are promising the government that you have provided what you said you’re going to provide, and doing so in a compliant manner. So, all those regulations, including cybersecurity regulations, have been complied with.
Erin Keating: Okay, so we jumped sort of straight from contract to invoice. Assuming that the contract has come through, then you’re saying that once every time we sign an invoice sent to the government, that’s what we’re promising.
Eric Crusius: Right, and again, this is a little bit more [inaudible 00:10:53] of the False Claims Act, but because of that, it’s a claim every time you sign an invoice and file it. That means if there is a problem with your underlying systems, that is a new claim that the government has against you, the contractor, for not complying.
Erin Keating: Oh, okay. Interesting.
Eric Crusius: Yeah.
Erin Keating: Okay, so that’s the relevance of pulling out that specific information around an invoice.
Eric Crusius: Mm-hmm (affirmative).
Erin Keating: Because each one sets up a new claim.
Eric Crusius: Yes.
Erin Keating: Interesting, okay. Okay, well what would be required by contractors for cybersecurity compliance under FAR Part Nine?
Eric Crusius: I would say it’s probably a whole range of things that I think have not been [inaudible 00:11:30] out by the federal government. For instance, you have the DFARS clause that we’ve already talked about a little bit. We have the FAR clause, which I think we’re going to talk about in a later episode.
Erin Keating: Sure.
Eric Crusius: Those are two clauses where the contractor is promising that they’re going to comply, and by signing their invoices, they’re promising they are going to comply. Under FAR Part Nine, if you’re going to be a responsible contractor, you are promising to comply.
Erin Keating: Right.
Eric Crusius: If the government comes across a contractor who doesn’t care about cybersecurity compliance, or is willfully ignorant of cybersecurity compliance, that’s not going to be a responsible contractor under FAR Part Nine.
Erin Keating: Right.
Eric Crusius: If you just go here and go back to 9.104-1 and talk about the requirements or the things that the government looks to when a contractor is responsible or not, one is have a satisfactory record of integrity and business ethics. Well, if you don’t care about complying with the law, you probably don’t have a satisfactory record of business ethics. Have the necessary organization, experience, accounting, controls, things like that; again, if you don’t care about complying with cybersecurity, you’re not going to have those controls in place for cybersecurity.
Erin Keating: Right, right.
Eric Crusius: I think all those things FAR Part Nine kind of brings in cybersecurity, even if it was not intended at the time it was drafted to do that.
Erin Keating: Right, okay. Gotcha. Does the new CMMC certification change anything?
Eric Crusius: The CMMC certification is interesting. Usually, when there’s a new requirement like this, contractors look at it with a very skeptical eye. What more money am I going to have to spend to continue to have my customer, the federal government? That’s not necessarily a good thing for the contractor.
Erin Keating: Sure.
Eric Crusius: There may be a good policy reason for it. I’m not going to argue that. But CMMC certification is kind of interesting. It’s going to be, and we’ll see how it plays out, but I think it has the potential to be a boon for contractors because you’re offloading in essence that responsibility onto the certifying company.
Erin Keating: Right.
Eric Crusius: That’s not to say that a contractor has absolved itself of any responsibility, and if they are purposely hiding things from the certifying company and things like that. Those are problems in themselves. But the government will look to that certification, and if it sees it, the contractor doesn’t have to worry about doing anything else, except for complying with whatever the requirements are to get certified and to maintain that certification.
Erin Keating: Sure. Sure.
Eric Crusius: I see the process now as kind of ad hoc. Different contracting officers taking different positions that are sometimes less favorable to contractors, sometimes more. The requirements within a contract, where they look at your cybersecurity compliance possibly, depending on the type of work you’re going to do, is a little bit uneven. It’s all over the board right now. I see the CMMC certification as really standardizing what’s going to happen. I think contractors love when things are standardized when they know what to expect, and know how to respond to it, and can prepare. I could see that changing a lot as far as FAR Part Nine because that certification will be assigned that the contractor is responsible, at least with respect to the cybersecurity, and that is something the contractor doesn’t have to worry about proving out every time they’re bidding on a contract.
Erin Keating: Right. Well, and even… I have bid on government work before, and just the amount of paperwork that you have to be submitting every time you’re doing it. I would imagine the certification letter supplants having to every time pull up this boilerplate and have 35 pages that outline everything that you’re going to do and so on and so forth. To your point, it doesn’t advocate the contractor the responsibility, but it at least puts the responsibility on the certification body to maintain the certification level I guess, if you will.
Eric Crusius: Right.
Erin Keating: Then that sort of certificate, or whatever it is that you would supply to the government agency, would then suffice as saying, “We are compliant with these types of things.”
Eric Crusius: That’s the idea, and I think that’s what contractors are hoping for.
Erin Keating: Sure.
Eric Crusius: I can’t read all contractors out there of course, [crosstalk 00:15:41] a little smaller than that. I can see this is something that the contractors will welcome if it’s done the right way.
Erin Keating: Right, cool. Anything else that we want to talk about on this particular topic of why cybersecurity compliance is important under FAR Part Nine?
Eric Crusius: I would just say that cybersecurity obviously is somewhat of a new thing for contractors to have to worry about. I would say that it doesn’t matter how small or how big you are, this is an equally important problem. I’ve had contractors who have two or three employees come up to me after a presentation and say, “Holy cow, somebody tried to hack me,” because this contractor had valuable information. I wouldn’t ignore this if you’re just two or three employees. I would pay a lot of attention to it still. Obviously, the resources you have may be something different than the resources of a Top Five government contractor, but that doesn’t abdicate the responsibility of the small business to comply. These clauses are all applicable to small businesses as well.
Erin Keating: Right, right. Great. Well, thank you so much Eric. We have covered now topic number two in episode number two, of season number two. I look forward to our next episode, topic number three, which will discuss false claims and other risks of noncompliance. Thanks so much.
Eric Crusius: Thank you.
Erin Keating: Talk to you next episode.
Erin Keating: The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to managed accounting services, NeoSystems’ custom-built solutions and services are tailored to fit your organization’s needs. Check us out on the Internet at NeoSystemsCorp.com. That’s NeoSystemsCorp.com.