Infotech and the Law: New FAR alters buying regs at Homeland Security
Jonathan Cain, member of the law firm Mintz Levin Cohn Ferris Glovsky & Popeo PC in Reston, Va.
When the administration proposed consolidating numerous agencies into a Department of Homeland Security, proponents of procurement deregulation took advantage of the opportunity to advance their agenda in the name of speedy protection of lives and property from terrorist attack.
During congressional debate, the administration argued that relieving DHS of certain Federal Acquisition Regulations (FAR) would improve the efficiency of its procurements and permit more agile response to the terrorist challenge. DHS' enabling legislation provided the department with several opportunities to relax the regulation of its procurements.
DHS published interim rules Dec. 4, effective immediately, as supplements to the FAR.
What's interesting is how little DHS' FAR supplements diverge from the regulations that govern procurements of other civilian agencies. Most of the changes are limited in scope and, with only a few exceptions, result from unique issues faced by the Coast Guard in its procurements now that it can no longer rely on the regulations of the Transportation Department, its former parent agency.
But important exceptions to the FAR do exist, including some of special interest to IT contractors.
The enabling legislation gives the DHS secretary authority to use streamlined procedures for certain procurements if the agency's mission would be impaired without them. This authorization is implemented by FAR supplements that provide increased limits on micropurchases and streamlined acquisition thresholds.
The authorization also allows the secretary to procure, without competition and as a commercial item, any item up to $7.5 million under a special "test authority."
Congress also encouraged the agency to stimulate unsolicited proposals. Under the rules, unsolicited proposal are explicitly encouraged. Unsolicited proposals will receive an initial review within seven days, and comprehensive evaluation within two months.
Companies submitting proposals should be aware, however, that agency employees may release confidential information outside the government. The interim rule states that proposals and information may be released "outside the government for evaluation and similar purposes." It is not clear what "similar purposes" are or what constraints will be attached to such releases.
Significantly, the rules do not require DHS to obtain a company's permission before releasing the information.
Contractors developing technical data or software under a DHS contract get more liberal terms than are usually offered under the FAR. The DHS supplement notes that Alternate IV to the standard FAR data rights clause will be incorporated in all contracts by default. Under Alternate IV, the contractor automatically obtains the copyright to data and software produced under the contract without contracting officer approval but subject to the government's worldwide, irrevocable rights to reproduce and create derivative works of the copyright protected data or software.
The most significant change from the FAR in the DHS procurement rules involves security. DHS imposes new security requirements on unclassified data. Contractors with access to such data will be required to maintain and implement security plans acceptable to the agency.
The agency may elect to designate any information as sensitive if disclosing it would adversely affect national interests or "the conduct of federal programs." Employees working with sensitive information must be U.S. citizens or resident aliens and will be subject to background investigations.
The agency may require a contractor to discharge employees it deems to be insubordinate or "otherwise objectionable." The procedure for obtaining the mandated background investigations has not been specified. It is not clear, for example, whether DHS intends to sponsor its prime contractors or whether the contractor will have to have a pre-existing security clearance to obtain DHS work. Contractors should expect delays resulting from these additional demands on an already overtaxed clearance processing system.
The cost to developing, implement and administer these data security plans will likely be significant, especially for contractors that have not been required to maintain security programs. The government is not responsible for indemnifying the contractor for legal liability it may incur as a result of discharging an employee, or otherwise violating employment rights at the government's insistence. The contractor must require its subcontractors to meet the same data security obligations.
Finally, contractors and subcontractors must be prepared to open their operations to government investigators in the name of data security. Contractors with access to unclassified DHS data must provide the agency, including its inspector general, entry to the its facilities, including all documentation, databases and personnel, to the extent that DHS determines necessary to "carry out a program of IT inspection, investigation and audit" of data and computer systems used on DHS contracts, including "to preserve evidence of a crime."
In other words, DHS will acquire by contract and without subpoena, the right to "carry out a program of . . . investigation" of the contractor's facilities and records to preserve evidence of a crime.
Jonathan Cain is a member of the law firm Mintz Levin Cohn Ferris Glovsky & Popeo PC in Reston, Va. The opinions expressed in this article are his. He can be reached by e-mail at firstname.lastname@example.org.