While there may be a lot of concern about “midnight regulations” coming from the White House over the last month of President Barack Obama’s term, there is no concern about the steady updates of acquisition regulations.
The Federal Acquisition Regulatory Council and the 2017 National Defense Authorization Act are providing a constant stream of changes federal agencies and industry alike need to know about.
Here are three recent changes the federal community needs to know about:
Finally, one definition for veterans
Congress finally brought the hammer down on the Small Business Administration and the Veterans Affairs Department about the confusing and differing definitions of a service disabled veteran-owned small business.
In the 2017 NDAA, lawmakers told SBA and VA to implement regulations within six months to create a governmentwide description for service disabled veteran-owned small businesses.
“The Secretary [of VA] would continue to determine whether individuals are veterans or service-disabled veterans and would be responsible for verification of applicant firms,” the conference report stated. “Challenges to the status of a VOSB or SDVOSB based upon issues of ownership or control would be decided by the administrative judges at the Office of Hearings and Appeals of the Small Business Administration. The committee notes this section would not affect the Department of Defense.”
The debate over whether SBA or VA decides if a company qualifies under this socio-economic status has been ongoing for at least five years.
In fact, Rep. Mike Coffman (R-Colo.) introduced a bill in 2013 that would’ve given SBA full authority to determine status. SBA already has that authority for small and disadvantaged businesses as well as those owned by women and located in a Historically Underutilized Business Zone (HUBZone).
Rep. Steve Chabot (R-Ohio), chairman of the Small Business Committee, said in May when the Armed Services Committee included this provision in the bill that it would promote integrity and accountability in small business programs.
The provision in the NDAA says a service-disabled veteran-owned small business must be at least 51 percent owned and operated on a day-to-day basis by at least one qualified veteran. It also lets the veteran’s spouse retain socio-economic status if the servicemember was rated 100 percent disabled and died because of the disability.
Prompt payment rule
Six years after the passage of the Small Business Jobs Act of 2010, the FAR Council finalized a rule requiring prime contractors to notify agencies in writing if they pay a reduced price to a small business subcontractor or if payment is more than 90 days overdue.
“The rule also requires contracting officers to record the identity of contractors with a history of late or reduced payments to small business subcontractors in the Federal Awardee Performance and Integrity System (FAPIIS),” the final rule stated. “This regulation will benefit small business subcontractors by encouraging large business prime contractors to pay small business subcontractors in a timely manner and the agreed upon contractual price.”
The final rule also more clearly defines how agencies will evaluate large vendor subcontracting efforts. The ratings go from “exceptional” to “unsatisfactory.”
The delays in implementing the provisions of the bill aren’t new. In 2014, Congress expressed concern about how long it was taking to address changes to the Mentor-Protégé program and subcontracting changes.
The 2010 law included 17 major provisions dealing with small businesses that charged the SBA, the Treasury Department and the Office of Federal Procurement Policy and FAR Council with implementing.
OFPP issued a memo in 2012 to implement several provisions, including letting agencies use set-asides under multiple-award contracts. But several others like this one and the Mentor-Protégé program updates have been slow to materialize.
New training requirements
It’s a little hard to believe it took more than five years to finalize a FAR policy requiring industry to provide employees who handle sensitive or personal data with privacy training. But it did, as the FAR Council finalized a rule on Dec. 20 doing just that. It issued the proposed rule in July 2011.
The council reported in January 2013 it expected to finalize this rule by April of the same year.
But five years later, the council says the final rule clarifies the responsibilities for contractors and streamlines the options for training.
“The objective of the rule is to ensure that contractor employees complete initial and annual privacy training if the employees have access to a system of records, handle personally identifiable information (PII), or design, develop, maintain, or operate a system of records involving PII on behalf of the government,” the final rule stated.
The FAR Council estimates the rule will affect more than 31,000 federal prime and subcontractors.
Vendors will have to provide training that is role-based and provides multiple levels of training depending on the knowledge of the employee.
At a minimum, contractors must educate employees about:
The provisions of the Privacy Act of 1974, including penalties for violations;
The appropriate handling and safeguarding of personally identifiable information;
The authorized and official use of a system of records or any other personally identifiable information;
The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information.
The Obama administration has emphasized the need to separate privacy from cybersecurity, creating a Chief Privacy Officer’s Council and issuing an executive order to update privacy rule and regulations. The Office of Management and Budget also is working on updating the privacy portions of all of OMB’s incident response guidance that will address how an agency should address an incident that involves personally identifiable information (PII).