Stan Soloway


Contractors face greater risk as accountability measures grow

From personnel-related executive orders to emerging proposals that would hold prime contractors entirely accountable for information security practices throughout their entire supply chain, we are seeing today a renewed government trend toward shifting greater responsibility (and thus, risk) to contractors for the behavior and performance of others, including those over which they have no real control.

As is so often the case, taken alone, it is difficult to argue with the government’s intentions. Everyone can agree that government contracts should not be awarded to companies that routinely and intentionally (emphasis on the latter) violate federal labor statutes. And everyone can agree that government contractors have to assume reasonable responsibility for protecting information in their possession or ensuring the authenticity of the parts they use. That’s the easy part. But what we are seeing today has less to do with the term “reasonable” and more to do with pure risk shifting.

On the information security front, what we call “supply chain accountability” is one of the most significant, but under-discussed, trends in government contracting. Here, policies are quickly evolving that will place all responsibility for protecting information and for cybersecurity at every level of the supply chain on the prime contractor. This includes holding the prime contractor liable for information breaches at lower-tier subcontractors, an area into which the prime often has no visibility or even privity of contract. To be sure, the government has reason to be concerned. We see almost daily news about hacks at banks, retail outlets, government agencies, universities, and companies. And many argue that information security has only recently begun to attract the level and degree of attention it deserves in both the public and private sectors.

But is the answer really as simple as slapping total accountability on a prime contractor? Some make the case that, by virtue of being a prime, a company is willingly accepting a wide array of responsibility for ultimate performance on a contract or program, so why is information protection and security any different? However, the reality is that while prime contractors can and should be held accountable, that liability can only reasonably be extended to areas and elements over which the contractor, within reasonable and practical parameters, actually has visibility and control. Breaches and other problems will inevitably happen, but if reasonable steps were taken to protect against them, can we really expect that much more from any institution?

This issue was at the heart of the debate over the government’s acquisition of counter-terrorism capabilities in the immediate post-9/11 environment, and that experience offers a possible option here. Absent liability limits, bidding companies faced effectively “betting the farm” on every contract, since a failure to stop a terrorist attack could result in a near endless series of lawsuits and liability. In that case, the SAFETY Act was born. Under it, contractor liability is limited, provided they have met all reasonable performance requirements. Given the rise of well-placed concern over information and cybersecurity, it is time to extend SAFETY Act-like protections into the cyber realm. We have already recommended to Congress just such an action.

However, a similar answer does not exist for the most recent workforce executive order, “Fair Pay and Safe Workplaces.” That order, a reprise of the Clinton era “blacklisting rule,” is so broadly and vaguely written that a practical middle ground will likely prove elusive, absent significant changes to the order or to the soon-to-be-issued implementing regulation. Indeed, while we all agree that companies that routinely violate labor laws should generally not be given government contracts, this order raises serious questions about fairness, due process, timeliness, objectivity, and scope.

But as different as supply chain accountability and the “Fair Pay” executive order might be, they have two critical common components: significant additional compliance costs and the shifting to the prime contractor of virtually all risk, even for matters over which they have no real control. And that should be a concern for both government and industry.

Some experts estimate that compliance with government-unique rules today costs about 25 cents for every contract dollar. The added supply chain requirements and, to the extent compliance is even possible, the new labor executive order, are likely to jack that cost up to well over 30 cents of every contract dollar. Seem like a lot? It is. In fact, almost across the board, the government-unique compliance regime, along with its associated costs and risks, is growing.

Collectively, if we are serious about improving and enhancing competition, innovation, and efficiency in federal contracting, this trend has to be reversed.

Reader Comments

Sat, Nov 19, 2016 Frustrated & Underpaid Prime

By the way....not all Primes are corporations. This Prime, like virtually all in my field, are sole proprietors.

Sat, Nov 19, 2016 Frustrated & Underpaid Prime

The problem for some primes, like myself, is that we are paid a standard, regulated fee for our service. When the government shifts responsibility to us we must pay for the necessary protections out of our pocket. Our rates are not competitive anyway so all costs are entirely the burden of the prime on a "fixed" income. Give us a raise in rates or keep the costly responsibility where it belongs, with the government who ultimately holds the confidential data.

Thu, Nov 13, 2014 Cheerleader in chief

The leader of our industry's top association complains about "shifting to the prime contractor of virtually all risk, even for matters over which they have no real control." Ok, Stan, that is the way the law reads. It is also a management principle. Should we pay primes for not being primes? The cost gotta go somewhere. Should we stop ladling out profit to these guys because they would shoulder less risk--in your formulation? Yes, I know, most big firms are not growing, and the profit margins suggest you could do better with CDs, but what you are really asking for is a subsidy. Why do that?

Tue, Nov 11, 2014

Booster made some valid points. These costs might be more acceptable if they were clearly labeled and sized so all could see what they are levied for. Again, the government would expect every qualified source to assume them. Thus the competitive impact would be largely direct. However, the weight would be heavier on smaller firms. Perhaps that could be scaled in the price eval. No one should count on these costs going away, unless there were massive--and unexpected-- changes in the behaviors of government and contracting firms, respectively. If both parties managed better and more openly, there could possibly be a reversal of these costs--but don't count on that. Common expectations are for less care and introduction of more problems by non-accountable Federal and contracting firm managements.

Fri, Nov 7, 2014 Contractor Booster

The column's view seems to be in denial about the understandable bag-holding role of its primes for a sub. Why have primes, the govt might say, if the prime won't manage and vouch for and police its subs? Or are contractors no different than day laborers you can hire in the Home Depot parking lot to do fence post digging for you on a daily basis for cash? What are teams if the prime won't take responsibility? Sure, there is risk shifting, but it is visible and can be baked into the costs and the price. Someone has to hold the bag and pay the bill. Let competitive elements be visible--that's a good idea. And what's all this kvetching about compliance costs? The roots, as the columnist knows well, are: 1.--the USG trying to paper over, yet address, the many gaps and faults in its own acquisition mgt, especially contractor oversight. 2.--many of the new compliance activities are the result of some pretty rampant contractor behavior of the bad sort. There are still time-charging issues at many firms, one hears and sees, as well as staffing games, and even billing hijinks. What is the govt to do with a field of sources like this? Self policing won't work for many of them. It is no walk in the park. The contractor work force, and the companies behind the work, even of a butts-in-seats nature, need some extra vetting and watching. And that explains a lot of the compliance work. Yeah, it costs, but it creates jobs, too. There's no way around it when contractors understandably are not trusted much by the government. The impact on competition of more compliance costs is a secondary issue--but necessary.
