Tense times have arrived for federal contractors, whether it is seeming coercion to lower already-contracted prices or the threat of supply chain sanctions for anyone connected to the epic SolarWinds breach. For analysis, Federal Drive with Tom Temin turned to federal sales and marketing consultant Larry Allen.
Tom Temin: Larry, let’s start with that SolarWinds breach. That’s a supply chain issue and infected not only the government, but also the government suppliers. And so nobody can figure out where all of this hash is going to end or what the effects are. But it could really mean trouble for supplier relations and the government, couldn’t it?
Larry Allen: Tom, it could mean trouble on a number of different layers. First, on the technology level, it seems to be a breach of unprecedented size, depth and breadth. And as you alluded to, it's on both the side of government agencies and government contractors. And right now, we're not even sure of all of the changes, problems, what all of the breaches really mean. So that's going to have to be evaluated from the technology side. And certainly that may impact some sensitive systems, whether you're a private sector supplier or a government agency.
Tom Temin: Yes, because I'm thinking of this juxtaposed with the still relatively brand new CMMC, the Cybersecurity Maturity Model Certification system. And that's barely got to choose tide. And I've got this thing racing around the world. And so does the government have the means otherwise to somehow sanction suppliers or insist on some sort of compliance with minimum standards, in light of what happened at SolarWinds?
Larry Allen: This is something that we're definitely going to see play out in the weeks to months ahead, Tom. Right now, I think everybody is on the page of let's try to fill in the damage there, no more holes in our networks, patch the things, correctly assess the damage. But soon enough, it's going to turn into a little finger pointing, and who's to blame for disrupting, particularly, government systems. And if you're a government contractor that provided the software patches that caused the problem, this is something that you and your legal department want to take a look at. We have the Federal False Claims Act; the government may want to go after companies that supplied improper patches, and allege that the companies did not do their due diligence in scrutinizing the security of the patches. You mentioned CMMC. However, there are already a number of regulations on the books, particularly for DoD contractors, around having a secure supply chain and making sure that you're providing authentic goods to the government. There are many tools that exist already that the government could use to go after contractors to get some money back. This is going to cost people money. And anytime it costs people money, Tom, there's going to be a drive to try to get that money back. So I'm urging all the contractors, in addition to doing your technology-related due diligence, you better do a contemporaneous contract compliance due diligence assessment to make sure you understand what your potential vulnerabilities are with regard to this breach.
Tom Temin: Yeah, I guess when you sell software to the government, or a system to the government, there is an implied warranty of merchantability in there, even if it's not yet subject to CMMC or something like it, is what you're basically saying.
Larry Allen: Right. Well, you're supposed to be supplying legitimate goods that work as they're supposed to work. And if you've got a patch that you provided as a contractor, you provided that patch to a government agency as part of your government contract, and then went and billed for that patch, a lot of people would say that's a technical violation of the Federal False Claims Act: you didn't do your due diligence to ensure that that patch wasn't infected, you just went ahead and uploaded it. And because there's money involved, as I said, there's going to be a tendency to want to get some of that money back. The False Claims Act is the most powerful tool for that, and there are plenty of contractual obligations already in place, regardless of the status of CMMC, that contractors could be liable under if they are not careful, if they haven't done their due diligence, or if they can't show that they did their proper due diligence. The bottom line here for contractors, Tom, is make sure that you know the language that's in your contract, start pulling the records to show any testing that you might have done on these patches, anything that you did other than just say here's a patch, let's turn it over to the government client, because it could be the Inspector General and/or the Department of Justice that comes knocking on your door in a few months saying, hey, you remember that data breach? Let's talk about how it got on our network in the first place.
Tom Temin: And I guess maybe the sad irony is that this whole thing comes as the government was simply installing a patch to find out where else it needs to be patched. So people were trying to do the right thing, and it's almost as if the water supply itself was tainted. And I want to turn to another topic that you brought up recently, and that is GSA's unrealistic pricing expectations, as you call it: the idea that they're trying to go back and change pricing on already agreed-to deals.
Larry Allen: Tom, this is, I think, a potentially significant issue. And I'll tell you why. First of all, GSA awarded contracts with a warranted contracting officer signing off on the decision. They made an attestation that the pricing was fair and reasonable, and that pricing stayed in place, sometimes for as long as six or seven years, maybe longer, and didn't go up in many cases. And all of a sudden, when it comes time for renewal or extension, the contracting officer is saying, hey, those prices that were good then, we think they should be 40% lower now. And the contractor is saying, well, wait a minute, we negotiated in good faith; the market has certainly changed, but in many cases it's changed where our rates should be going up, not down, and GSA doesn't see it that way. One of the great ironies to me, Tom, is that this is happening precisely at the time when GSA is doing its thorough multiple award schedule consolidation project. GSA has had people out in the field, talking to industry for over two years about multiple award schedule consolidation, and not once, not one time, did the issue of pricing in the services arena come up. This could have been handled during the consolidation effort with a thorough dialogue; it could have been part of what had been an excellent dialogue between government and industry on how to best move forward on consolidating the schedules. And yet, for whatever reason, GSA leadership chose to keep this action separate from the discussions they were having with industry, I think betting on the fact that they were going to pick on individual contractors, and it would take individual contractors some time to realize that, hey, it's more than one, maybe this is something that we as an industry should take up our concerns with GSA about.
So I'm going to fault GSA for having open and constructive discussions with industry for a couple of years on other issues related to the multiple award schedule, and never once did they bring up this issue that we're going to have a policy change, or we're going to have a process change. And this is why: be open and honest about what's driving it, and get feedback from industry. They didn't do that; they elected to just spring it on contractors. And in some cases, really, I think Jonathan Arnie's assertion that some contractors were bullied is pretty accurate. To be honest, this is no way to run a multiple award schedule program, no way to foster a good relationship with industry, Tom. GSA has had, up until now, a very good track record of working with industry. And now, if you're industry, you're kind of wondering what that got you and where things are now, if the agency wasn't giving you all the truth.
Tom Temin: Alright, Emily, that one’s on you. You’ve got three weeks to fix it. Larry Allen is president of Allen Federal Business Partners. Thanks so much.
Larry Allen: Tom, thank you and I wish your listeners happy selling.