Use of DoD Program Nomenclature
Submitted on April 12, 2024, the Section provided comments on DFARS Case 2021-D002, Use of DoD Program Nomenclature. This proposed rule seeks to amend the DFARS to govern how contractors use Department of Defense (DoD) trademarks and program names (“Government designations” or “contract-specific designations” for government designations applicable to a particular contract); require contractors and offerors to identify existing and proposed marks applicable to a given contract in a new rights assertion table (a “marks-list”); authorize the government to use contractor marks and the contractor to use government designations in the course of contract performance; and limit how those marks can be used both during contract administration and beyond.
The Section’s comments on the proposed rule asked the DoD to consider several key issues:
- The DoD should withdraw the proposed rule as contrary to congressional intent in waiving liability for trademark infringement.
- The DoD should withdraw the proposed rule because the government has less onerous mechanisms to achieve the same end, including using words in an RFP, negotiating royalty-free licenses, or engaging in cross-licensing activity.
- The DoD should withdraw the proposed rule and replace it with a rule focused on addressing confusingly similar marks and program names.
- The DoD should withdraw the proposed rule and replace it with improved guidance on licensing alternatives specific to a procurement rather than a blanket rule affecting all contracts.
- The DoD should revise the proposed rule to remove a requirement to identify trademarks during the proposal process.
- The DoD should revise the proposed rule to eliminate or revise requirements that contractors acknowledge and agree that, if the contractor does not claim rights in a contract-specific trademark designation, the contractor cannot use the same mark and cannot create its own trademark based on the contract-specific designation.
- The DoD should revise the proposed rule to eliminate the contractor’s duty to report any potential trademark infringement, which is not time-limited.
- The DoD should revise the flow-down requirement to all subcontracts at all tiers.
Cybersecurity Incident and Threat Reporting
Submitted on January 23, 2024, the Section provided comments on FAR Case 2021-017, Proposed Rule to Federal Acquisition Regulation: Incident and Threat Reporting and Incident Response Requirements for Products and Services Containing Information and Communications Technology. This proposed rule implements Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, signed by President Biden on May 12, 2021, and seeks to implement cybersecurity reporting standards where information and communications technology is used or provided in the performance of contracts with the federal government.
The Section’s comments on the proposed rule recommended that the FAR Council consider nine key issues:
- Security Incident Reporting Harmonization: The FAR Council should consider aligning the reporting timelines with other government requirements, expressly making costs associated with reporting and investigation allowable under FAR Part 31 and recoverable, requiring agencies to limit the use of the clause to the types of contracts in the rule and to specify in solicitations that the new clause will apply, and defining “incident” in harmony with other government definitions.
- Access to Contractor Information and Systems: The FAR Council should consider adding safeguards to protect contractor information to which the government has access under the proposed rule.
- Reporting Cyber Threat Indicators and Defensive Measures: The FAR Council should make it optional to report directly to the Cybersecurity and Infrastructure Security Agency (CISA) rather than as a condition to contract.
- Compliance When Operating in a Foreign Country: The FAR Council should consider compliance barriers arising from foreign laws and regulations.
- Customization Files: The FAR Council should amend its expansive definition of “customization files” to protect contractor intellectual property and to avoid imposing a burden outweighing any potential benefits.
- Flow Down: The FAR Council should clarify and limit the scope of the flow down requirement to subcontractors, particularly adjusting the proposed timeline for reporting to allow a lower-tier subcontractor to report to CISA within eight hours of discovery of the security incident, and then subsequently to higher-tier contractors or prime contractors as soon as practicable. The FAR Council also should define and limit the scope of what information subcontractors are required to report to non-government entities.
- Software Bill of Materials (SBOM): The FAR Council should remove the SBOM requirement and address this requirement in a separate rulemaking to ensure harmonization with OMB Memo M-22-18 and DHS CISA SBOM provisions.
- IPv6: The FAR Council should remove IPv6 requirements and implement those in separate rulemaking or agency guidance. IPv6 refers to “Internet Protocol version 6,” which is the current version of the internet communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet.
- FAR 52.239-AA, Security Incident Reporting Representation: The FAR Council should revise the certification requirement to provide for “best of my knowledge as of the time the incident report was submitted” given the inherent conflict between speed and accuracy in reporting incidents.
Cybersecurity for Unclassified Federal Information Systems
Submitted on January 23, 2024, the Section provided comments on FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems. This proposed rule also implements the section of EO 14028 noted above, setting minimum cybersecurity standards for unclassified federal information systems (FISs).
Beyond lauding the spirit of the proposed rule, the Section’s comments recommended seven changes to the FAR Council:
- The FAR Council should amend the rule to clarify that contracting officers must identify any applicable FISs in the solicitation before including the new FAR clauses in the resulting contract.
- The FAR Council should add provisions ensuring that these new requirements apply only to contracts for services to develop, implement, operate, or maintain an FIS on behalf of the government.
- The FAR Council should more narrowly tailor the definitions of “Government data” and “Government-related data.”
- The FAR Council should restrict agencies from adding additional security and privacy controls outside specified high-value FISs.
- The FAR Council should harmonize the timing for compliance between the proposed rule and Cybersecurity Maturity Model Certification (CMMC) 2.0 milestones.
- The FAR Council should limit access to contractor systems to ensure confidential, proprietary, and privileged information is appropriately protected.
- The FAR Council should delete the proposed indemnity language and should engage in dialogue with industry before proceeding with such an expensive and expansive requirement.
CMMC 2.0
Submitted on October 15, 2024, the Section provided comments on DFARS Case 2019-D041, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements. This proposed rule incorporates contractual requirements related to the CMMC 2.0 program rule, Cybersecurity Maturity Model Certification Program.
The Section’s comments raised several concerns and suggested multiple proposed changes to DoD:
- Implementation: DoD should clarify how the requirements will apply to contract option periods that are exercised after newly implementing the rule, and DoD should either prohibit contracting officers from implementing the rule ahead of schedule or require advance warning if the DoD chooses to identify certain programs for early adoption.
- Data and Information Systems: DoD should revise the definition of “Controlled Unclassified Information” (CUI) to include only information expressly marked as such, and to add a definition of “Federal Contract Information” (FCI), distinguishing the requirements when only FCI is being used by the contractor. DoD also should include a definition or alignment with DFARS 252.204-7012 on “Covered Defense Information” (CDI) and either define “data” or only use defined terms like FCI, CUI, or CDI. Finally, DoD should permit contractors to define the scope of the information system that applies to a given DoD unique identifier requirement.
- Compliance and Change Management: DoD should clarify that contractors may continue to rely on their CMMC Plans of Action and Milestones (POA&Ms) for maintaining ongoing compliance in order to address newly discovered risks or system flaws or updates that lead to temporary deficiencies. DoD also should define what constitutes a “change” that could affect compliance status, remove duplicative reporting requirements, clarify subcontracting reporting timing, and define “senior company official” for purposes of compliance affirmations.
- Supply Chain: DoD should consider providing financial and technical support to small businesses that will have difficulty meeting the CMMC standards, revise the subcontract flow-down requirements to avoid overburdening subcontractors, and carve out certain suppliers.
SBA WOSB Updates
Submitted on July 15, 2024, the Section provided comments on Docket 2024-0004—Small Business Administration (SBA) Proposed Rule on Women-Owned Small Business Federal Contract Program Updates and Clarifications. The proposed rule would make changes to standardize requirements in the women-owned small business (WOSB) and economically disadvantaged women-owned small business (EDWOSB) programs by adding definitions, conforming the regulations to current statutes, and harmonizing language.
Beyond expressing appreciation for most of the proposed changes and suggesting other minor regulatory updates for consistency across the socioeconomic programs, the Section’s comments recommended a handful of changes to the SBA, including:
- SBA should further harmonize the language across the socioeconomic programs, including by allowing control exceptions in the WOSB and EDWOSB programs for “extraordinary circumstances.”
- SBA should add a definition of when a WOSB/EDWOSB application is “complete” for purposes of eligibility, pending approval of a concern’s application.
Subcontracting to Puerto Rican and Other Small Businesses
Submitted on July 24, 2024, the Section provided comments on FAR Case 2023-001—Subcontracting to Puerto Rican and Covered Territory Small Businesses. The proposed rule harmonizes the FAR with SBA’s final rule and implements paragraphs (a) and (d) of section 861 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 and paragraphs (a) and (c) of section 866 of the William M. (Mac) Thornberry NDAA for FY 2021, which amended 15 U.S.C. §§ 632 and 657r(a) to add Puerto Rico, as well as the US Virgin Islands, American Samoa, Guam, and the Commonwealth of the Northern Mariana Islands, to the list of US territories from which small businesses are eligible for preferential treatment under the SBA Mentor-Protégé Program.
The Section’s comments applauded the proposed rule and offered one concern on a lack of consistency in the proposed FAR rule’s use of the word “question,” whereas the SBA final rule had used the word “doubt” instead. Based on the dictionary definitions of “question” and “doubt,” this difference in terminology could lead to an inconsistent application and interpretation of the two rules.
A final rule was issued on January 3, 2024, without any significant changes from the proposed rule. The FAR Council declined to implement the Section’s recommendation.
SBA HUBZone Changes and Other Clarifications
Submitted on October 1, 2024, the Section provided comments on Docket 2024-0007—HUBZone Program Updates and Clarifications, and Clarifications to Other Small Business Programs. The proposed rule makes several changes to the Historically Underutilized Business Zone (HUBZone) program, the 8(a) Business Development program (the 8(a) Program), and the SBA’s size regulations, as well as technical changes to the WOSB and Veteran Small Business Certification (VetCert) programs. The Proposed Rule clarifies and improves policies surrounding some of those changes. The SBA proposed many changes to make requirements consistent across the multiple socioeconomic programs, which should ensure that the size and status requirements will be uniformly applied.
Beyond lauding most of the proposed rule and requesting additional time to provide further comments, the Section’s comments recommended five changes to the SBA:
- SBA should make additional revisions to 13 C.F.R. § 121.1001 to identify who may initiate size protests or size determinations.
- SBA should not consolidate the recertification requirements for all SBA programs, as each has different requirements and should have different standards.
- SBA should consider the disruption the new recertification rules will have on existing concerns and their contracts, particularly Federal Supply Schedule contracts, which SBA has historically not sought to regulate. SBA should ensure the final rule is prospective and not retroactive.
- SBA should amend the mentor-protégé program portion of the proposed rule to alleviate harms to protégés when mentors merge, are acquired, or acquire other protégés.
- SBA should ensure HUBZone employees are protected under the Uniformed Services Employment and Reemployment Rights Act (USERRA).
SBA Rule of Two for Multiple-Award Contracts
Submitted on December 16, 2024, the Section provided comments on Docket 2024-0002—Increasing Small Business Participation on Multiple-Award Contracts. The proposed rule would clarify the applicability of the “Rule of Two” to multiple-award contracts (MACs) by directing that an agency set aside an order under a MAC for small business contract holders when the contracting officer determines there is a reasonable expectation of obtaining offers from two or more small business contract holders under the MAC that are competitive in terms of market prices, quality, and delivery.
The Section raised several issues with the proposed rule:
- SBA should add a mechanism to require contracting officers to justify in writing refusal to implement a set-aside recommendation from SBA’s Procurement Center Representative (PCR).
- SBA should clarify that the exception regarding repetitive orders applies only to orders under the same MAC and within the prior six months, rather than 18 months.
- SBA should increase the period of time for agency coordination with SBA PCRs and also add more precision to the standard for when coordination should occur.
- SBA should align the rule to comply with the decision from the US Court of Federal Claims in Tolliver Grp., Inc. v. United States, 151 Fed. Cl. 70, 104 (2020), by requiring agencies to provide a written justification for why the agency is using a particular MAC that does not have any small business holders.
Conclusion
We thank the Section members who contributed to these public comments for their time and attention. When it comes to public contracting, regulations are inevitable. But improving the quality of these regulations relies on the careful consideration of individuals in the FAR Council, particular agencies, and members of this Section. If you are interested in joining the Legislative and Regulatory Coordinating Committee and helping with future public comments, please contact Co-Chairs Eric Crusius or George Petel.