Contractors face greater risk as accountability measures grow

From personnel-related executive orders to emerging proposals that would hold prime contractors entirely accountable for information security practices throughout their entire supply chain, we are seeing today a renewed government trend toward shifting greater responsibility (and thus, risk) to contractors for the behavior and performance of others, including those over which they have no real control.

As is so often the case, taken alone, it is difficult to argue with the government’s intentions. Everyone can agree that government contracts should not be awarded to companies that routinely and intentionally (emphasis on the latter) violate federal labor statutes. And everyone can agree that government contractors have to assume reasonable responsibility for protecting information in their possession or ensuring the authenticity of the parts they use. That’s the easy part. But what we are seeing today has less to do with the term “reasonable” and more to do with pure risk shifting.

On the information security front, what we call “supply chain accountability” is one of the most significant, but under-discussed, trends in government contracting. Here, policies are quickly evolving that will place all responsibility for protecting information and for cybersecurity at every level of the supply chain on the prime contractor. This includes holding the prime contractor liable for information breaches at lower-tier subcontractors, an area into which the prime often has no visibility or even privity of contract. To be sure, the government has reason to be concerned. We see almost daily news about hacks at banks, retail outlets, government agencies, universities, and companies. And many argue that information security has only recently begun to attract the level and degree of attention it deserves in both the public and private sectors.

But is the answer really as simple as slapping total accountability on a prime contractor? Some make the case that, by virtue of being a prime, a company is willingly accepting a wide array of responsibility for ultimate performance on a contract or program, so why is information protection and security any different? However, the reality is that while prime contractors can and should be held accountable, that liability can only reasonably be extended to areas and elements over which the contractor, within reasonable and practical parameters, actually has visibility and control. Breaches and other problems will inevitably happen, but if reasonable steps were taken to protect against them, can we really expect that much more from any institution?

This issue was at the heart of the debate over the government’s acquisition of counter-terrorism capabilities in the immediate post-9/11 environment and that experience offers a possible option here. Absent liability limits, bidding companies faced effectively “betting the farm” on every contract since a failure to stop a terrorist attack could result in a near endless series of lawsuits and liability. In that case, the SAFETY Act was born. Under it, contractor liability is limited, provided they have met all reasonable performance requirements. Given the rise of well-placed concern over information and cybersecurity, it is time to extend SAFETY Act-like protections into the cyber realm. We have already recommended to Congress just such an action.

However, a similar answer does not exist for the most recent workforce executive order, “Fair Pay and Safe Workplaces.” That order, a reprise of the Clinton era “blacklisting rule,” is so broadly and vaguely written that a practical middle ground will likely prove elusive, absent significant changes to the order or to the soon-to-be-issued implementing regulation. Indeed, while we all agree that companies that routinely violate labor laws should generally not be given government contracts, this order raises serious questions about fairness, due process, timeliness, objectivity, and scope.

But as different as supply chain accountability and the “Fair Pay” executive order might be, they have two, critical, common components: significant additional compliance costs and the shifting to the prime contractor of virtually all risk, even for matters over which they have no real control. And that should be a concern for both government and industry.

Some experts estimate that compliance with government unique rules today costs about 25 cents for every contract dollar. The added supply chain requirements and, to the extent compliance is even possible, the new labor executive order, are likely to jack that cost up to well over 30 cents of every contract dollar. Seem like a lot? It is. In fact, almost across the board, the government-unique compliance regime, as its associated costs and risks, is growing.

Collectively, if we are serious about improving and enhancing competition, innovation, and efficiency in federal contracting, this trend has to be reversed.