U.S. Department of Defense

As we noted in a blog post in December 2016, “LPTA Out, Fixed Price Contracts In,” the Department of Defense (DoD) has been moving to restrict the Lowest Price Technically Acceptable (LPTA) evaluation methodology, which requires award to the lowest-price offeror that meets the minimum requirements regardless of whether more expensive solutions are optimal.  Further, in 2016 legislation went into effect requiring that limitations on the use of LPTA evaluations be codified in the Defense Federal Acquisition Regulation Supplement (DFARS).

New Restrictions on LPTA Evaluations

On September 26, 2019, DoD issued a final rule that amends the DFARS to implement that legislation.  The new rule, which was mandated by Section 813 of the National Defense Authorization Act (NDAA) for 2017, as amended by section 822 of the NDAA for 2018, establishes that the LPTA evaluation methodology shall only be used when the following conditions are met:

A major shift in cybersecurity requirements for Department of Defense (DoD) contractors is about to come into effect—earlier this month the DoD released for public comment the long-anticipated Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC). This new framework for safeguarding controlled unclassified information (CUI), which includes a certification requirement by a third-party auditor, presents both significant opportunities and challenges for DoD contractors.

In an overview briefing on the new model, DoD emphasized that the new framework will impose a unified cybersecurity standard for all DoD acquisitions and, in so doing, “reduce exfiltration of [CUI] from the Defense Industrial base.” To achieve this goal, the new model significantly bolsters the existing compliance regime around cybersecurity—which currently, for the most part, requires compliance with the security standards set forth in NIST SP 800-171 through DFARS 252.204-7012.



The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit of the protection of Controlled Unclassified Information (CUI) on contractor networks.  Based on an in-depth review of nine contractors, the audit uncovered some common practices that fall short of meeting the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.

Shortcomings Discovered in DoD Audit

These common lapses include the following, among others:

  • Inconsistent tracking of cybersecurity threats
  • Failure to consistently mitigate network vulnerabilities
  • Uneven use of strong passwords
  • Inconsistent use of multifactor identification



Bass, Berry & Sims attorney Richard Arnholt provided insight into delays to the procurement timeline in the Department of Defense’s (DoD) important $10 billion "JEDI" cloud procurement due to pending and potential protests.

In a recent court filing, DoD said it would not award the contract until at least July 19, but the resolution of Oracle’s pending suit, as well as other potential related actions, may push the award and implementation dates out past this summer.



In 2016, Congress instructed the Department of Defense (DoD) to review its procurement regulations by convening a panel of procurement professionals—from both the public and private sectors. This panel became known as the Section 809 Panel (809 Panel). Congress instructed the 809 Panel to recommend amendments or repeals of defense procurement regulations. The 809 Panel’s objective was to help streamline or improve the efficiency and effectiveness of the defense acquisition process while still maintaining an advantage in defense technology. While Congress and the DoD are not required to adopt these recommendations, the report shows an attempt to define the issues in modern federal procurement and improve upon the old system.

The Government recently indicted an Army veteran for allegedly using his status as a service-disabled veteran to help a company qualify as a service-disabled veteran-owned small business and falsely obtain nearly $40 million in healthcare facility construction task orders from the Department of Defense.

The indictment is an indication that the government is continuing to aggressively pursue small businesses that fail to comply with set-aside requirements, and is a reminder that businesses benefiting from small business programs must be fully compliant with the complex regulations governing those socio-economic programs. It is also a reminder that the consequences of failing to meet those requirements are real – the Army veteran, Joseph Dial Jr., is facing over a century in prison.



As recent malware, ransomware and distributed denial of service attacks have made clear, the cyber threats posed to governments and commercial entities are real and growing. Critical infrastructure such as power plants, airports and communication systems are vulnerable to attacks on the cyber battlefield, as are banks, manufacturers, and law firms, among other commercial entities. In an attempt to address these risks, the U.S. government is imposing heightened cyber-security requirements on contractors, some of which are summarized below. But, in light of the growing cyber threats posed by nation states, subnational groups and bored teenagers, even companies that are not subject to these new requirements should evaluate the sufficiency of their current cyber security protocols and consider taking steps such as the simplified four-step “starter plan” – train, maintain, test and repeat – laid out below to address vulnerabilities.
