GovCon Developments for 2024

Aerospace, defense, and security businesses are subject to a myriad of regulations and operational requirements that are constantly changing. These include things like SBA rules for credit for small businesses and cybersecurity requirements that are particular to defense contractors and subcontractors, but they also include rules applicable to other companies and employers, like DOL overtime rules. 2023 seemed to be a year of many proposed and implemented changes to rules and regulations. Outlined herein are several changes relevant to businesses in the government contracts industry for 2024.

White House Initiative to Promote Small Business Participation in Multiple Award Contracts

Multiple award contracts (“MACs”) accounted for nearly $163 billion (20%) of total contract spending in FY 2022. MACs are a popular buying tool for federal agencies because they provide a quick and cost-effective way to obtain goods and services using streamlined competitions. MACs are highly coveted by federal contractors and winning an “on ramp” for one of these contracts can put small businesses in the catbird seat to capture significant future work.

On January 25, 2024, the White House Office of Management and Budget (“OMB”) announced guidance to federal agencies to promote greater participation by small businesses under multiple award contracts. The OMB guidance includes recommendations to (1) engage agency small business specialists earlier in the contract planning process; (2) consider greater “on-ramp” opportunities for small businesses; (3) discourage agencies from using “off ramps” to remove small businesses from MACs due to growth; (4) apply the “Rule of Two” to reserve opportunities for small businesses where possible; and (5) maximize the issuance of small orders to small businesses.

Multiple award contracts are highly coveted by federal contractors and winning an “on ramp” for one of these contracts can put small businesses in the catbird seat to capture significant future work.

This announcement is great news for small federal contractors. Small business participation is essential to protection of the nation’s supply chain and defense industrial base. Implementation of this guidance should result in a greater number of opportunities for small businesses to compete for, win, and keep lucrative multiple award contracts.

Small Business Credit Rules

The SBA revised its Small Business Subcontracting Plan regulations in 13 CFR 125.3 in response to changes made in section 870 of the National Defense Authorization Act (NDAA) of 2020, Public Law 116–92. Specifically, changes were made to the requirements that apply to contractors seeking to obtain subcontracting credit on certain types of Federal contracts.

Most federal contracts require awardees to submit a subcontracting plan that includes small business goals. The update contains three changes to subcontracting plan requirements. First, a prime contractor may elect, in some instances, to receive credit toward its subcontracting plan for lower-tier subcontracts to small businesses. Second, agencies are prohibited from setting tier-specific goals for prime contractors that use lower-tier credit. Third, subcontracting plans are required to recite the records that contractors will maintain to substantiate lower-tier credit.

The SBA has removed a mandate that contractors with individual subcontracting plans take credit for lower-tier subcontracts, and instead provides that prime contractors “may elect to receive credit” either for first-tier subcontracts on their own or for subcontracts at any tier.

Also, agencies are now prohibited from setting tier-specific goals for prime contractors that use lower-tier credit. SBA is revising the regulations so that all prime contractors will have only one set of subcontracting goals, and contractors are required to include in their subcontracting plans a statement of the types of records they will maintain to substantiate subcontracting credit.

Prime contractors cannot receive lower tier subcontracting credits when the subcontracting plan applies to multiple contracts.

To summarize one important change, previously small regulations allowed prime contractors to receive credit for some small business subcontracts below the first tier for purposes of meeting their small business subcontracting plan goals. However, the new rule allows prime contractors to take credit for lower-tier subcontracts only if their subcontracting plan applies to a single contract with a single agency. So prime contractors cannot receive lower tier subcontracting credits when the subcontracting plan applies to multiple contracts.

CMMC Updates

CMMC (Cybersecurity Maturity Model Certification) is nothing new. CMMC 1.0 was DoD’s initial vision for the program, which was implemented in September 2020, and CMMC 2.0 was announced in November 2021. But on December 26, 2023, the Office of the Department of Defense Chief Information Officer (CIO), Department of Defense (DoD) issued a proposed rule in 88 Fed. Reg. 246 with proposed requirements for “a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.” While the DoD currently requires covered defense contractors and subcontractors to implement the security protections outlined in NIST SP 800-171 Rev 2 (National Institute of Standards and Technology Special Publication 800–171 Revision 2) to provide adequate security for sensitive unclassified DoD information on contractor information systems and requires a System Security Plan (SSP), the updated CMMC Program is to provide DoD with a mechanism to verify implementation by contractors and subcontractors at the outset and throughout contract periods of performance.

The updated CMMC Program is to provide DoD with a mechanism to verify implementation by contractors and subcontractors at the outset and throughout contract periods of performance.

Presently FAR 52.204-21 requires compliance with fifteen security requirements set out in 52.204-21(b)(1)(i) to (xv), and for defense contracts DFARS 252.204-7012 requires contractors to provide adequate security by implementing the 110 requirements in NIST SP 800-171. These requirements are primarily self-assessment and planning/policy requirements. The goals of CMMC overall are to safeguard sensitive information to enable and protect the warfighter, enforce DIB cybersecurity standards to meet evolving threats, ensure accountability while minimizing barriers to compliance with DoD requirements, perpetuate a collaborative culture of cybersecurity and cyber resilience, and maintain public trust through high professional and ethical standards.

CMMC 2.0 requires defense contractors and subcontractors that have access to controlled unclassified information (CUI) to demonstrate the “maturity” of their cybersecurity programs against a set of increasingly advanced capabilities. The rules contain a three-level scale by which contractors must implement cybersecurity standards. The new proposed rule reaffirms that contractors must follow the controls set by NIST SP 800-171. For contractors and subcontractors who already comply with the NIST SP 800-171 requirements, the proposed CMMC program rules will not create new measures of security, but will require either self-assessments or certifications from outside contracted assessors periodically. These are intended to demonstrate compliance with security measures.

For contractors and subcontracts that do not presently follow the requirements of FAR 52.204-21 and/or DFARS 252.204-7012, they will have to implement new security measures, which can be expensive.

DoD expects contractors of all sizes – large companies and small businesses – to comply, and these updates to the CMMC rules are aimed at strengthening the cybersecurity of the defense industrial base – in recognition of increased targeting of the supply chain by adversaries like China and Russia. Since the proposed rule requires contractors and subcontractors to annually affirm their compliance with specified security requirements for each level of CMMC 2.0, they can be held accountable and false affirmations could lead to False Claims Act issues.

DoD expects contractors of all sizes – large companies and small businesses – to comply, and these updates to the CMMC rules are aimed at strengthening the cybersecurity of the defense industrial base.

Comments on the proposed rule are due February 26, 2024. The final rule will not appear before 2025.

In other cyber-news related to the DoD – in November 2023, the Deputy Secretary of Defense published the 2023 DoD Data, Analytics, and Artificial Intelligence (AI) Adoption Strategy, providing more strategic guidance related to AI. The Strategy document lays out DoD’s approach to improving the organizational environment within which DoD leaders and warfighters will make decisions leveraging data, advanced analytics, and AI for strategic advantage – from the boardroom to the battlefield.

CTA – Corporate Transparency Act

The Corporate Transparency Act (CTA), part of the Anti-Money Laundering Act of 2020 contains requirements for reporting the ownership of many business entities. (National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283, 134 Stat. 3388 (Jan. 1, 2021)). The CTA became effective January 1, 2024.

In short, the CTA requires that certain businesses disclose to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) certain information about the company, its beneficial owners, and in some cases, the company applicant. The reporting is through FinCEN’s website.

“Reporting Companies” are companies with twenty or fewer employees formed by filing paperwork with the Secretary of State or an equivalent official (usually corporations or LLCs). “Beneficial Owners” are individuals that exercise “substantial control” over the Reporting Company or have an ownership interest in the Reporting Company of at least 25 percent. Senior officers, directors, and others who make significant decisions on behalf of the company could meet the definition of “substantial control.” The Beneficial Owner Information (BOI) includes full name, date of birth, passport or other state-issued identification number, and copy of the identification document.

There are penalties – civil and criminal – for non-compliance.

Reporting Companies created or registered before January 1, 2024, have until January 1, 2025, to file an initial report with Beneficial Owner Information with FinCEN. Reporting companies created or registered after January 1, 2024, and before January 1, 2025, have ninety days after creation or registration to file a report. Entities created on or after January 1, 2025, will have 30 days to submit the reports to FinCEN. There are penalties – civil and criminal – for non-compliance.

FLSA Overtime Requirements

In 2023, the DOL proposed new rules concerning the salary threshold for exempt employees under the Fair Labor Standards Act. The DOL’s proposal raises the salary threshold level for exempt workers under the FLSA to $1,059 per week (approximately $55,000 annually) from its current rate of $684 per week ($35,568 a year).

By way of background, unless specifically exempted, an employee covered by the FLSA must receive pay for hours worked more than forty in a workweek at a rate not less than one and one-half their regular rate of pay, referred to as “overtime” pay. To be “exempt” under the “white-collar” or Executive, Administrative, or Professional exemption, presently an employee generally must be paid a salary (the “salary basis test”) of at least $684 per week (the equivalent of $35,568 annually for a full-year employee) in the current regulations (the “salary level test”) and must primarily perform executive, administrative, or professional duties, as provided in the Department’s regulations (the “duties test”). (Certain employees are not subject to either the salary basis or salary level tests (e.g., doctors, teachers, and lawyers)).

The DOL proposes to increase the standard salary level to the 35th percentile of earnings of full-time salaried workers in the lowest-wage Census Region (currently the South), which would be $1,059 per week ($55,068 annually) based on current data; apply the standard salary level to Puerto Rico, Guam, the U.S. Virgin Islands, and the Commonwealth of the Northern Mariana Islands, and increase the special salary levels for American Samoa and the motion picture industry; increase the highly compensated employee (HCE) total annual compensation requirement to the annualized weekly earnings of the 85th percentile of full-time salaried workers nationally, which would be $143,988 per year based on current data; and automatically update these earnings thresholds every 3 years with current wage data to maintain their effectiveness.

We expect DOL to issue its Final Rule after the public comment period (a 60-day period that began September 8, 2023), so the new salary requirements are likely to begin early this year.

COTS Rules

Commercially available off-the-shelf (COTS) items are a subset of commercial products. In November 2023, by issuing a Final Rule, DoD amended DFARS to implement a part of FY 2017’s NDAA concerning the inapplicability of certain laws and regulations to acquisition of commercial products, including commercially available off-the-shelf items and commercial services. Currently, FAR 12.503 through 12.505 sets out certain contract clauses that are inapplicable to contracts for commercial products and services. However, the new DFARS rule creates two new lists of inapplicable clauses that will apply in addition to the existing FAR provisions for DOD contracts. DFARS 212.370 lists inapplicable clauses for contracts and subcontracts for the acquisition of commercial products, commercial services, and commercially available off-the-shelf items, and DFARS 212.371 lists additional clauses inapplicable to contracts for the acquisition of commercially available off-the-shelf items.

In a separate proposed rule, DoD proposes to make 252.203–7003, DFARS 252.203–7005, and DFARS 252.215–7007 no longer applicable to solicitations and contracts for commercial products, commercial services, and COTS items DFARS. Public comments for that proposed rule are due January 16, 2024.

[View source.]