Over the past two decades, the government contracting community has experienced a significant increase in compliance obligations. Some of these new regulatory requirements—such as obligations relating to cybersecurity and counterfeit parts—address challenges posed by an increasingly global, networked economy. Others, such as the mandatory disclosure requirement, continue the trend of the government relying on third parties, whether it be whistleblowers or contractors themselves, to police the procurement system.
To adequately address the growth in the number and complexity of these obligations, it is vital that corporate risk managers at companies that sell goods and services to the federal government ensure that they fully understand which of these requirements apply to their businesses. They can then design effective training programs, translate the obligations into actionable policies and effectively monitor adherence to those policies.
But before addressing specific compliance measures, contractors must ensure they have established the underlying compliance structure required by federal procurement regulations. Failure to build the basic compliance structure increases the risk of violations and, when violations occur, makes it more difficult to demonstrate to the government that the violation was an aberration.
An Ethics and Compliance System
Before discussing the specifics of some developing government procurement obligations, it is important to note that the regulations applicable to the vast majority of federal procurements, the Federal Acquisition Regulation (FAR), require that “government contractors … conduct themselves with the highest degree of integrity and honesty.” Those same regulations also provide that every contractor should have an ethics and compliance system in place that includes: 1) a written code of business ethics and conduct, 2) an ethics and compliance training program, and 3) an internal control system.
While not every contractor is required to have an ethics and compliance program equal to the size and complexity of the major prime contractors supporting the Department of Defense (DOD), the size of the system must be suitable to the size of the company and the extent of its involvement in government contracting. It must also facilitate the discovery and disclosure of improper conduct in connection with government contracts as well as ensure that, upon discovery of violations, corrective measures are promptly taken.
Not only do the procurement regulations require ethics and compliance programs, since 2008 they also mandate that, irrespective of the size of a company’s government contract business, certain types of violations be reported to the government. Specifically, all contractors risk administrative exclusion (suspension or debarment) from the government marketplace pursuant to FAR Subpart 9.4 if a principal knowingly fails to timely disclose the following: 1) evidence of a significant overpayment; 2) credible evidence of a criminal violation involving fraud, conflict of interest, bribery or gratuity violations found in Title 18 of the U.S. Code; or 3) credible evidence of a violation of the civil False Claims Act (FCA) in connection with a government contract performed by the contractor or its subcontractors.
Further, for contracts over $6 million that are expected to last over 120 days, a contractual provision, FAR 52.203-13, mandates timely disclosure to the Office of Inspector General of those same criminal or civil violations (but not overpayments) where the company, not a principal, has credible evidence of a violation by a principal, employee, agent or a subcontractor. As a result, corporate compliance managers must ensure that the corporate culture encourages disclosure of potential violations and that such reports are carefully evaluated to determine whether disclosure is required, as well as what remedial measures are needed to address any compliance gaps.
That contractual provision also requires that within 30 days of contract award, contractors have a written code of business ethics and conduct and make it available to every employee engaged in the performance of the contract. Contractors must also exercise due diligence to prevent and detect criminal conduct and promote a culture that encourages ethical conduct and commitment to compliance with the law, which is generally understood to mean demonstrable leadership commitment to ethics and compliance at a minimum.
Large businesses that sell non-commercial items are also required to have a business ethics awareness and compliance program and internal control system in place within 90 days of contract award. A host of specific features, including periodic reviews of practices and procedures, must be part of that program.
In addition to rolling out a code of ethics and compliance addressing key risk areas, educating the work force about those obligations, promoting an ethical culture and exercising diligence in detecting violations, corporate risk managers must be prepared to, upon detection of a violation and working with counsel, evaluate whether they must report that violation to the government. Failure to make that disclosure can result in contract termination or suspension/debarment, among other consequences.
Evolving Compliance Obligations
There are myriad obligations attached to federal procurements that should be covered in the overarching ethics and compliance program mandated by the FAR, including combatting human trafficking, discouraging text messaging while driving, specific wage rates for service employees, and transporting goods using U.S.-flagged vessels, among others. However, there are a handful of evolving provisions that have received significant attention recently. These obligations—cybersecurity, telecommunications equipment prohibitions and counterfeit parts monitoring—warrant additional discussion.
- Cybersecurity: Recent cyberattacks have shown the vulnerability of infrastructure systems, resulted in the exfiltration of classified weapons program data and exposed sensitive personal data for thousands of government employees. Recognizing this growing threat, federal agencies have not only moved to secure their own systems, but have also required contractors to secure their systems on which sensitive government data resides. Notably, these requirements “flow down” to subcontractors at all levels of the supply chain.
Until recently, for both civilian agencies and the DOD, that was accomplished primarily by requiring contractors to self-certify that their IT systems met the applicable cybersecurity standards. Both failure to meet those standards and falsely representing compliance with those requirements have resulted in significant liability, with a recent FCA claim being settled for $8 million.
Today, the DOD is moving toward a third-party certification cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC). In the near future, being awarded a DOD contract will require a company to have an active CMMC certification at the security level appropriate for that contract. While this approach may reduce FCA exposure, contractors that are not certified will be ineligible for DOD contracts, heightening the importance of cybersecurity compliance.
- Telecommunications Equipment Prohibition: Due to concerns that the Chinese government may be using telecommunications and video surveillance equipment to spy on U.S. government activities, in the 2019 National Defense Authorization Act, Congress prohibited federal agencies from purchasing goods or services using such equipment from several Chinese companies and their subsidiaries and affiliates, including Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. That statute also prohibits the government from entering into or renewing a contract with an entity that uses such equipment.
This prohibition, fully implemented in August 2020, requires prime contractors to certify that they are not using prohibited equipment in their work for the government or providing it to the government, and that they are not using this equipment themselves at all, even if unrelated to government work. For corporate risk managers, this, like the cybersecurity requirements, represents an expansion of the obligations they must ensure are being met, and it increases the complexity of the representation and certifications a government contractor must complete to do business with the federal government.
- Counterfeit Parts: Approximately a decade ago, Congress reported that huge numbers of counterfeit parts (primarily Chinese) had infiltrated the defense supply chain and been found in critical military systems, including helicopters, surveillance planes and cargo planes. These counterfeit parts presented risk of mission failure, potentially causing the loss of life, as well as potential espionage.
The government now requires for certain DOD procurements that federal contractors put in place counterfeit electronic part detection and avoidance systems, and that they report and quarantine counterfeit and suspect counterfeit parts to mitigate the risk. Initially, this obligation only applied to DOD procurements, but a final rule was issued in November 2019 establishing a FAR provision applicable to civilian contracts.
The new contract clause, FAR 52.246-26, which is not required in contracts or subcontracts for commercial items, generally requires contractors to screen a counterfeit parts database to confirm they are not using counterfeit parts, report to the government counterfeit and suspect counterfeit items, as well as “common items” that have major or critical non-conformances. It also requires contractors to retain the counterfeit or suspect counterfeit part until provided instructions from the government.
For government contractors, having a robust ethics and compliance system is not optional. As companies become increasingly reliant on global supply chains and dependent on networked systems, contractors must mitigate emerging complex risks that reflect national security concerns. To meet these challenges, government contractors must ensure compliance functions are adequately resourced and that they are fully committed to “conduct[ing] themselves with the highest degree of integrity and honesty.”