“Nah, we make enough money. Thanks, but no thanks.” “We never worry about making our payments.” “Our employees are dedicated to the mission of the business. They’re okay with lower compensation.” If any of these scenarios sound familiar, stop reading now; this article will not be of interest to you. However, if you want to…
The post Why You Need A Budget appeared first on Left Brain Professionals.
NCMA Dayton hosted “Small Business & Government Relations” as part of its monthly Bagels & Business series. Panelists:
Tom Krusemark, Procurement Center Representative, Small Business Administration
Dave London, Chief Operating Officer, Tridec Technologies
Bill Cox, Procurement Specialist, Procurement Technical Assistance Center
Michael Bridges, President, Peerless Technologies
Bill Cox’s opening statement to small businesses: “You need…
The post Small Business & Government Relations appeared first on Left Brain Professionals.
One of the most common topics we address with clients is their billing rate structure. The conversations tend to start in one of two ways. The first relates to a real or perceived competitive pricing issue. The second relates to an accounting system (software) upgrade. In both cases, we train clients how to properly structure…
The post Demystifying Billing Rate Structures appeared first on Left Brain Professionals.
The past month has seen a number of proposed acquisition changes. Remember that the FAR/DFARS is updated on a regular basis. As you read the updates, take note of “proposed” rules versus “final” rules, effective dates, and comment periods. When reviewing an RFP/Q or other document, note the effective date of the contract and the…
The post DoD Acquisition Updates appeared first on Left Brain Professionals.
Question In your discussion of intellectual property in government contracts, you talked about government purpose rights and how you negotiated with the government for your client to keep the background technology but allow the government to own the form factor. Where both the contractor and the government contribute funding, the parties are left to negotiate…
The post Intellectual Property in Government Contracts appeared first on Left Brain Professionals.
A new year presents new opportunities for working more efficiently and effectively. When dealing with federal contracts, the Incurred Cost Proposal (ICP) presents one of the biggest opportunities. You’re closing 2016 and preparing for taxes anyway. What better time to gather information and documents for the ICP?
Not sure what an Incurred Cost Proposal is or whether you’re required to file one? Here’s a brief primer.
What is the ICP?
The Incurred Cost Proposal (also known as an Incurred Cost Submission) is the annual reconciliation of the costs (direct and indirect) that a contractor expends in fulfilling a federal contract. Under FAR 52.216-7, it applies to cost-reimbursable and flexibly priced contracts. However, fixed price contracts are still documented in the submission.
How is the ICP Used?
The ICP is used to determine your final indirect rates, which replace the interim billing rates used during the year and inform forward pricing rate agreements. FAR 42.1701 provides for systematic review and monitoring of rates.
What is the deadline for submission?
The ICP is due six months after the close of a contractor’s fiscal year, which is June 30 for those that follow a calendar year.
An auditor should verify the adequacy of your submission immediately, but it might take two or more years for the full audit. Any errors can result in penalties and interest, so accurate submissions are of paramount importance.
How to Prepare the ICP
My colleague Suzanne Camden and I gave a presentation on How to Prepare the ICP with Success! for the National Contract Management Association World Congress. It outlines the ICP preparation process, including the various schedules that must be completed.
Start Preparing Today!
June 30 might seem like a long way away, but it will be here before you know it. Don’t procrastinate until May or June! Create a folder right now to gather the necessary documents as you perform your month-end, quarter-end, and year-end tasks.
Here are some of the things you can do now to prepare:
Download the ICP Adequacy Checklist and use that as your guide.
Download the ICE (Incurred Cost Electronically) Model (template).
List the required ICP schedules and what you can accomplish or gather right now.
As you reconcile your 940 and 941s, you can reconcile Schedule L.
As you’re comparing budget to actual for overhead and general and administrative expenses, you can reconcile schedules B, C, and E.
If you have a Period of Performance that ended 12/31, you can reconcile that contract immediately.
Pro tip: if you do find yourself running behind while preparing the ICP, you can request an extension in writing from the governing office of the Defense Contract Audit Agency, as long as you do so before the deadline. But this should be a last resort.
Be proactive. Make this a better year for your ICP. Get started today!
If you have questions about the ICP and your federal contract, please feel welcome to reach out to Robert@LeftBrainPro.com or call (614) 556-4415.
The post Why January is the Best Time to Begin Preparing the Incurred Cost Proposal appeared first on Left Brain Professionals.
Understanding unallowable costs is a key factor in profitably managing government contracts. Government agencies will only reimburse contractors for costs that are considered reasonable, allocable and allowable under the contract terms, Cost Accounting Standards or Generally Accepted Accounting Principles. Identifying these costs is important to avoid billing issues, incurred cost audit findings, and to pass pre-award accounting system surveys.
On Thursday, January 26, I will present a webinar for the National Contract Management Association on “Hot Topics in Unallowable Costs.” From noon to 1:30 p.m. ET, we will discuss often-overlooked information in FAR Parts 31.000–31.204, how this information sets the stage for the selected costs in FAR 31.205, and hot topics for auditors.
Attendees will leave with a greater understanding of how unallowable costs impact their government contracts. Key takeaways include:
• A deeper understanding of FAR Part 31, “Contract Cost Principles and Procedures”
• Knowledge of other sources of cost interpretations
• Critical thinking on unallowable costs
We’ll cover a lot of ground in the webinar, including:
• Defining unallowable costs
• Unallowable costs vs IRS deductible costs
• Unallowable vs non-billable costs
• Cost Accounting Standards – CAS 405
• Common issues, such as auditor hot buttons, bad debts, entertainment, etc.
• Travel expenses
• Legal expenses
Once we’ve covered the basics, we’ll go on to discuss current Hot Topics, including:
• The annual hat trick: what it is, and what to watch for
• Unallowable vs expressly unallowable costs
• Directly associated unallowable costs
• New FAR 31.205 Selected Cost Principles Guidebook
• Related party rent vs cost of ownership
As we’ll discuss, non-compliance can be costly! The government charges penalties for expressly unallowable costs. Moreover, the Defense Contract Audit Agency is, on average, 5 to 6 years behind in auditing incurred cost proposals. That means a disallowed amount could incur 5 to 6 years of interest.
The webinar will wrap up with a discussion of best practices for handling unallowable costs, including how to be audit ready and audit proof. We’ll go over:
• DCAA tools to use
• Policies & procedures
• Structures & reporting
• A prudent approach to documenting costs
If you’d like to attend the webinar, tickets are available on the NCMA website. If you’re unable to attend or want to pick my brain about unallowable costs, give me a call at (614) 556-4415 or email Robert@leftbrainpro.com.
The post January 26th NCMA Webinar: Hot Topics in Unallowable Costs appeared first on Left Brain Professionals.
In this episode, Robert spoke with Michael LeJeune from RSM Federal about implementing a DCAA approved accounting system for government contracting. Robert does an excellent job of breaking down exactly what a DCAA approved accounting system looks like as well as what it takes to get your system approved. We think this episode will make the concept of getting your system approved much less intimidating as well as provide you with practical advice that will set your company up for success.
You can listen to the full podcast below. For more podcasts from the Game Changers, check out their website.
The post Podcast: Implementing a DCAA Approved Accounting System appeared first on Left Brain Professionals.
We often receive questions regarding the amount of allowable rental costs between related parties. Rental costs are normally allowable to the extent they are reasonable and allocable. In an effort to reduce operating costs, small business owners often purchase a building under a separate entity and lease it back to the government contracting entity at or below market rates. This seems like a reasonable approach. The government incurs the same or similar rental costs as if the contractor leased from an unrelated third party. Sometimes the government incurs less cost because of lower-than-market rental rates. The owner limits certain liabilities by separating the two entities. And, the owner has an opportunity to earn income on the resources employed in ownership of the building.
FAR 31.205-36, however, limits the allowability of rental costs “to the extent they do not exceed the normal costs of ownership.” The normal costs of ownership include depreciation, taxes, insurance, facilities capital cost of money, and maintenance. As always, interest expense is not allowed. Facilities capital cost of money is the way the government allows an interest-type factor to be included. The Government does recognize that there is a cost to tying up capital, and allows for a limited recovery of that cost.
Let’s walk through a scenario:
30,000 sf building
Market rate $7.00/sf + $1.25/sf CAM (common area maintenance)
Lease rate $6.00/sf, no CAM
Annual rent expense at market rate: $247,500
Annual rent expense per lease $180,000
Purchased Jan 1, 2014 for $1,850,000
Current FMV $2,250,000
Depreciation (39 years)
Facilities Capital Cost of Money (see note 1 below)
In this scenario of common ownership (a related party transaction), the allowable rental costs are $158,811 ($21,189 less than the lease rate). If the contractor claimed rental costs of $180,000 in their incurred cost proposal, those costs would be disallowed and marked as expressly unallowable per FAR 31.205-36. Expressly unallowable costs are subject to penalty and interest. With DCAA 4 to 6 years behind on incurred cost audits, the contractor could incur several thousand dollars in penalties and interest in addition to the overpaid amount of $21,189.
Facilities Capital Cost of Money
The biggest question in determining the amount of ownership costs is the calculation of facilities capital cost of money. In simplest form, this is the net book value of the asset in question times the allowable interest rate. The interest rate is set semi-annually by the Secretary of the Treasury and published in the Federal Register in December and June of each year for the following six-month period. You can read more about the facilities cost of capital in DCAA’s CAM 8-414.2.
Cost of money rates (Jan – Jun / Jul – Dec), as used in the calculations that follow:
2015: Jul – Dec 2.375%
2016: Jan – Jun 2.5%, Jul – Dec 1.875%
When calculating the cost of money, you must use rates for the year in question. Use the weighted average for the calendar year, fiscal year, or contract period.
For calendar year 2016, the blended rate is 2.1875% ((2.5% + 1.875%)/2).
For fiscal year 2016 (10/1/2015 – 9/30/2016), the blended rate is 2.3125% ((2.375% x 3/12) + (2.5% x 6/12) + (1.875% x 3/12))
Note 1: Cost of Money Calculation – average building balance (net book value) × blended cost of money rate
Note that facilities capital cost of money is based on the net book value (purchase price minus depreciation), not purchase price or fair market value. Even though you have $1,850,000 tied up in the building and could sell for $2,250,000, your allowable cost of money decreases over time.
Tips & Tricks
Use our calculator to determine your allowable rental costs.
Consider a property management fee paid to the owner. A portion of rent paid to an unrelated third party is for property management. A company could outsource property management to a real estate company, so paying that fee to the owner of the building may be allowable. Remember to keep it fair and reasonable. In our scenario above, $20,000/year may be a reasonable fee. $100,000/year would certainly be unreasonable.
The post Allowable Rental Costs appeared first on Left Brain Professionals.
A number of recent DoDIG reports indicate that DoD did not make an accurate determination of fair and reasonable pricing, could have purchased items at a lower price, or could have purchased fewer items. While excess inventory does not necessarily mean the prices were not fair and reasonable, it does mean that DoD spent more money than necessary – something that could have been avoided with a better requirement.
Husky Mounted Detection System Spare Parts
U.S. Army Engineering and Support Center
C-130J Excess Inventory
Billions Spent on F17 Engine Without Knowing Fair Price
I constantly remind students and clients that FAR 15.402(a) clearly states that “contracting officers shall purchase supplies and services from responsible sources at fair and reasonable prices.” This requirement also applies to primes and subs at every level. While commercial items, sole source procurements, and single responses to solicitations present obstacles, they are not barriers and do not negate that primary directive. When you are responsible for awarding contracts or subcontracts, be sure to perform market research (FAR 10) and document how you determined fair and reasonable pricing.
The post DoD Needs Pricing Improvement appeared first on Left Brain Professionals.
Implementing a new accounting system inherently implies change to your current processes. It also means entering data in different fields in a new system. To be certain your system setup is correct, you must test all of your scenarios. Let’s back up for a moment. Before testing, you need a good list of what you want to test. At a high level, every organization needs to test two main cash flow processes:
Order to Cash, and
Procure to Pay
Depending on the type of products (services vs manufacturing) and the specific structure of your organization, you may have a few or several sub-processes to test. For example:
Order to Cash
Customer order entry
Receive customer payment
Back to my main topic: test, test, test. Write out a list of scenarios and test each scenario multiple times. Fully execute each process as if you were doing it live. While you won’t actually manufacture a part, you will simulate issuing and receiving inventory, delivering product, invoicing customers, and receiving payments. Test, test, test each scenario until you validate the expected results.
The post Test, Test, Test appeared first on Left Brain Professionals.
December books closed ✔
Payroll tax returns filed (940/941/944) ✔
W-2s distributed ✔
1099s delivered ✔
Incurred Cost Proposal…in Process…?
You might not consider preparing for the Incurred Cost Proposal (ICP) during all of your other year-end tasks. You might think, “I’ve got 5 more months to worry about that.” Now is the best time to prepare and worry. Why? Most importantly, all of the information is fresh. If you wait until May or June to start the ICP process, you’ll have the worries from the first half of 2016 clogging your brain. It’s much easier to find and fix problems now. As time passes, people change and memories fade. Trying to figure out what happened 12 months ago is difficult enough. Why wait and try to figure out what happened 17 months ago?
If you closed December books, your financial statements are complete and your trial balance is accurate. You need financial statements and the TB for Schedules B, C, and G. Your payroll tax returns are needed for Schedule L. Job cost ledgers are used for Schedule H, and invoicing-to-date reports are used for Schedule K. See, your ICP is already halfway complete!
One piece of information contractors overlook is a contract brief. These are not only required for the ICP, but are a best practice for your contract and financial management processes. Contract briefs give the reader a quick summary of important details without rifling through a stack of documents. The more of these data items you incorporate in your accounting or contract management software, the easier your data extraction process. For example, marking each customer order/job/project (aka contract) with the appropriate contract type and prime contract number means you can easily run revenue and cost reports by contract type and prime contract.
We help clients with preparation of the Incurred Cost Proposal and developing and implementing systems to improve all reporting processes. Call today!
The post Year End Preparations for Incurred Cost Proposal appeared first on Left Brain Professionals.
Has your prime or contracting officer told you that you need an approved or adequate accounting system before your next award? What exactly is an approved or adequate accounting system?
In the world of government contracting, most people think of DCAA-approved accounting systems. There are a few misnomers in that statement:
DCAA does not approve accounting systems. They audit or review systems and provide recommendations to the contracting officer who holds the responsibility and authority for approving a system. DFARS 242.7502(b)
DCAA can no longer (at least temporarily) perform audit services for non-defense agencies. Sec. 893 of the National Defense Authorization Act of 2016 prohibits the DCAA from providing outside audit support to non-DOD agencies until the DCAA certifies that the backlog for incurred cost audits is less than 18 months of incurred cost inventory.
DCAA is not the only organization that can perform accounting system reviews. See the DFARS clause above and item #3 on DCAA’s SF1408 Checklist.
There are other misnomers regarding the requirement of an adequate or approved system. FAR 16.301-3 states that an “adequate” system is required for cost-reimbursement contracts while DFARS 242.7502(a) implies that an “approved” system is required for cost-reimbursement, incentive-type, time-and-materials, and labor-hour contracts. Note the distinction that the FAR does not indicate incentive-type, time-and-materials, and labor-hour contracts and neither clause mentions fixed-price contracts. Approved systems are also not required for the acquisition of commercial items or actions below the simplified acquisition threshold.
While the FAR does not define an “adequate” or “approved” system, two common sources of guidelines are the SF1408 Preaward Survey of Prospective Contractor Accounting System and the Accounting System Administration criteria in DFARS 252.242-7006(c). Additional guidance can be found in the 18 Cost Accounting Standards. The basic criteria include:
Transactions under general ledger control, in accordance with GAAP
Segregation of direct and indirect costs
Identification of all costs, particularly time (labor), by end cost objective, contract, and/or line item
Logical collection and allocation of indirect costs
Identification and segregation of unallowable costs
How can you get an accounting system review? You have three primary options:
Self-certify (if the contracting officer allows)
Have the prime’s audit team review your system
Hire an outside firm
You probably realize some of the issues with those options. Self-certifying, if the contracting officer allows it, adds another layer of compliance risk to your federal contract. Most subcontractors view their primes as competitors and don’t want them nosing around their books. And there’s no guarantee that a contracting officer will accept your letter from an outside firm. That said, most contracting officers acknowledge the obstacles to system approval and recognize the role that outside firms play.
Are you looking for accounting system review or guidance in designing your system? We can help! Call today.
The post SF1408 Accounting System Review appeared first on Left Brain Professionals.
DCAA recently provided updated guidance on the incurred cost proposal through two MRDs (audit guidance memos) and an update to the ICE model.
The first MRD on August 27, 2015, updated the Incurred Cost Proposal Adequacy Checklist to aid in determining the auditability of the proposal. Note that there is no score or definitive guide on adequacy. A proposal with multiple deficiencies may be auditable while another proposal with only one deficiency may not be auditable. Audit teams must use their professional judgment in evaluating deficiencies.
The second MRD, on September 30, 2015, updated the Post Year-End and Corporate Incurred Cost Audit Programs. The update resequenced the steps in risk assessment, consolidated reconciliation audit procedures, added a separate small business risk assessment, and updated procedures for subcontract testing.
DCAA also released ICE Model Version 2.0.1d in August 2015. The latest update is only to Supplemental Schedule C. This schedule identifies prime contracts where the contractor is a subcontractor. The information on this schedule should be the same information as the Schedule J of the prime contractor. Submission of Supplemental Schedule C is not mandatory.
Need help with preparation of your incurred cost proposal? We can help! Call today.
The post Updated DCAA Guidance for the Incurred Cost Proposal appeared first on Left Brain Professionals.
What are your current profit margins on government contracts? Are you still bidding a fee of 6% to 10%? Many contractors think they must accept low profit margins on government contracts. Not true! FAR 15.404-4(a)(3) clearly states,
“Both the Government and contractors should be concerned with profit as a motivator of efficient and effective contract performance. Negotiations aimed merely at reducing prices by reducing profit, without proper recognition of the function of profit, are not in the Government’s interest. Negotiation of extremely low profits, use of historical averages, or automatic application of predetermined percentages to total estimated costs do not provide proper motivation for optimum contract performance.”
Profit/fee calculations must consider the unique circumstances of the immediate negotiation. The only statutory limits on profit/fee are for cost-plus-fixed-fee contracts:
Experimental, developmental, or research work performed under a cost-plus-fixed-fee contract – 15% of estimated contract costs
All other cost-plus-fixed-fee contracts – 10% of estimated contract costs
Are primes and contracting officers beating you with the Weighted Guidelines stick? That tool only applies to negotiated contracts when certified cost or pricing data is obtained. The Weighted Guidelines are certainly a tool to use in calculating a fair and reasonable fee, but not a constraint. Look at items 13-20 – COST. Since cost analysis is not applicable to many acquisitions (see FAR 15.403-1(b), and acquisitions below the threshold of $750,000 for certified cost or pricing data), cost data should not be supplied to the Government or prime and should not be the basis for price negotiations.
So, how much fee can you charge? A lot of factors go into pricing and price analysis, so there is no black-and-white answer. You should start at 30% and adjust your rates as necessary. Keep in mind that the contracting officer must determine that your prices are fair and reasonable (through market research), so higher rates will make you less competitive. I see many contractors successfully bidding and winning at 18% to 25%, well above the 6% to 10% myth.
Another myth is that you must offer the Government a discount, a rate less than you charge everybody else. Not true! The Government simply asks that you not charge them more than you charge your most favored customer for the same or similar products under the same or similar circumstances. If you offer discounts based on quantity, prepayment, or prompt payment, you need to offer those same discounts to the Government. If they do not meet the quantity requirements or choose not to negotiate terms and conditions (such as early or flexible delivery), then you don’t have to honor the discount. Just be sure your pricing schedule for government contracts reflects the same options and discounts you offer your best customer, nothing more. And, if you reduce your commercial pricing or offer additional discounts, make the same offer to the Government. See GSAM 538.270 for details on GSA’s “Most Favored Customer” clause.
Want to increase your profit margins on government contracts? Call today to learn more of our insider secrets. We’ll walk you through a cost and price analysis of your products.
The post Increased Profit Margins On Government Contracts appeared first on Left Brain Professionals.
Doing business with the government can be lucrative, but it requires compliance with a litany of complex laws and regulations impacting your day-to-day business operations. Complying with federal prevailing wage law requirements is one of the biggest headaches for many government contractors.
Two primary laws govern how much you are required to pay employees and subcontractors on many contracts: The Davis-Bacon and Related Acts (DBRA) and the McNamara-O’Hara Service Contract Act (SCA).
The Davis-Bacon and Related Acts (DBRA)
The Davis-Bacon and Related Acts govern wages paid for federally funded construction work on public buildings and public works. On any contract over $2,000, contractors and subcontractors must pay their laborers and mechanics no less than the locally prevailing wages and fringe benefits for work on similar projects in the area. The Department of Labor sets prevailing wages for given classes of labor and types of projects by geographic area.
The original 1931 Davis-Bacon Act applied only to federal or District of Columbia contracts. Since then, Congress has passed more than 60 “Related Acts” that extend prevailing wage requirements to construction projects that receive federal funding assistance through grants, loans, loan guarantees, and insurance.
DBRA record-keeping and reporting requirements are quite stringent. Covered contractors must maintain payroll and basic records for all laborers and mechanics during the course of the work and for three years thereafter. Records to be maintained include:
Name, address, and Social Security number of each employee
Each employee’s work classifications
Hourly rates of pay, including rates of contributions or costs anticipated for fringe benefits or their cash equivalents
Daily and weekly numbers of hours worked
Actual wages paid
If applicable, detailed information regarding various fringe benefit plans and programs, including records that show that the plan or program has been communicated in writing to the laborers and mechanics affected.
If applicable, detailed information regarding approved apprenticeship or trainee programs
On a weekly basis, covered contractors and subcontractors must provide the federal agency a copy of all payrolls providing the information listed above for the preceding weekly payroll period. Each payroll submitted must be accompanied by a “Statement of Compliance,” which must be signed by the contractor or an authorized officer or employee who supervises the payment of wages.
Non-compliance penalties are stiff. Contractors or subcontractors found to have disregarded their obligations to employees, or to have committed aggravated or willful violations, may be subject to contract termination and debarment from future contracts for up to three years.
The McNamara-O’Hara Service Contract Act (SCA)
While the DBRA govern construction contracts, the McNamara-O’Hara Service Contract Act sets rules for service contracts. The SCA applies only to contracts awarded by the federal or District of Columbia governments. It requires contractors and subcontractors on most prime federal contracts exceeding $2,500 to pay service employees no less than the wage rates and fringe benefits found prevailing in the locality, or the rates (including prospective increases) contained in a predecessor contractor’s collective bargaining agreement. All employees must be paid fringe benefits, including a health and welfare fringe benefit currently set at $4.27 per hour. Contractors are also required to compensate employees for overtime work according to overtime pay standards of the Fair Labor Standards Act and the Contract Work Hours and Safety Standards Act.
For contracts of $2,500 or less, contractors are required to pay the federal minimum wage as set in Section 6(a)(1) of the Fair Labor Standards Act. Since July 2009, this has been set at $7.25 per hour.
The Department of Labor issues wage determinations on a contract-by-contract basis based on each worker’s employment classification. By classifying the different types of workers and their corresponding wages, the government can outline what each level and type of worker will be paid on that job. Since an individual employee may perform work in several different categories in a given day or week, however, compliance and record-keeping quickly become complicated. Employers must keep detailed records of the hours each employee works on the contract and the amounts paid under the contract. Prime contractors must ensure that all employees (including those working for subcontractors) are paid the correct wage and fringe rate as set by the contract.
Again, penalties for non-compliance are severe. Violations of the SCA may result in contract terminations and liability for any resulting costs to the government, withholding of contract payments in sufficient amounts to cover wage and fringe benefit underpayments, legal action to recover the underpayments, and debarment from future contracts for up to three years.
The Smart Fringe Solution
Complying with federal prevailing wage law requirements is complicated and time-consuming. Failing to comply can result in expensive penalties, loss of your contract, and even debarment from bidding on other federal contracts.
That’s why Left Brain Pro is part of an alliance that developed an automated compliance tool for government contractors called SmartFringe.
Through seamless integration with your existing corporate structure, Smart Fringe can help you:
Keep your organization in compliance with federal compensation laws
Create accurate and consistent job classifications
Redistribute wage discrepancies between private sector and contract prevailing wage compliance.
Smart Fringe is designed to simplify record keeping, lower administrative costs and increase profits. This accounting software suite performs a variety of roles and functions, including:
Reduces work load on HR/Payroll
Customizes your strategies within regulations
Automates calculations and compliance
If you have questions about DBRA and SCA compliance or how SmartFringe can simplify this process, please give me a call at (614) 556-4415 or email firstname.lastname@example.org.
The post Complying with Prevailing Wage Laws on Government Contracts appeared first on Left Brain Professionals.
Unique compensation requirements apply to federal contractors. In the construction sector, the Davis Bacon Act (DBA) requires covered contractors and subcontractors to pay a specific prevailing wage and fringe dollars for each hour an employee works on a covered job site.
The regulations are difficult to understand for the non-initiated. Luckily, Lind Sawyer of Capital Strategies can make the confusing understandable. Here’s my conversation with Lind who was educating me on the finer points of the regulations. This could be illuminating for you too!
Anne-Lise Gere, SPHR – What are the risks of not complying with prevailing wage and fringe benefits for DBA contractors?
Lind Sawyer – The Department of Labor (DOL) is hot on the compliance trail. It recently announced a strategy called “Plan, Prevent, Protect” to ensure these regulations are met. The DOL has teams of auditors who target federal contractors of all sizes. An audit from the DOL can be overwhelming, and the fines for noncompliance are expensive. The scary part is there is no formula for the fines. Fines are at the DOL auditor’s discretion. I have seen an auditor shut down a worksite where the contractor and subcontractors were not in compliance. It puts small businesses at risk of losing everything. So this is a big deal.
When audited, federal contractors must be prepared to prove compliance and show that all regulations have been followed. This means being able to prove that the prevailing wage was paid for every hour, for every pay period and the fringe benefit dollars are properly allocated to eligible benefits.
Anne-Lise – Why is compliance so tricky for federal contractors?
Lind Sawyer – The DBA wages and fringe are often higher than what’s paid to the employees on a private sector job. Some contractors are working simultaneous federal contracts and private sector jobs with individuals shifting between job sites frequently. It’s hard to keep track of which hours are on DBA contracts and which are not.
Anne-Lise – How do DBA contractors operate in this context?
Lind Sawyer – Because many contractors don’t have a system in place to track and allocate the benefit dollars, they end up paying the higher federal wages and the fringe benefit to employees in cash.
Anne-Lise – What’s the problem of paying benefit dollars in cash?
Lind Sawyer – Paying fringe benefits dollars in cash creates a multitude of problems. Most business owners are acutely aware of the added financial burden of paying cash instead of providing benefits. It can increase their overall labor costs by up to 30%. Every cash wage also raises the FICA, FUTA, SUTA, General Liability and Workman’s Compensation cost.
Fringe dollars are meant to provide additional benefits to workers on federal contracts. The DOL encourages fringe benefits to be used for insurance benefits (medical, dental, disability) and paid time off.
Unfortunately, most federal contractors are UNAWARE of the option of paying fringe dollars in benefits although it is in the DOL Regulations.
With the advent of paid sick leave for federal contractors on January 1, 2017, it will be in the employer’s best interest to use those fringe dollars to fund the sick leave requirements.
Anne-Lise – So what’s a DBA employer to do?
Lind Sawyer – DBA employers should have a system in place tracking DBA hours and allocating prevailing wages and fringe benefit dollars in accordance with the regulations. Unfortunately, most payroll systems do not provide these functionalities.
At Capital Strategies we have developed proprietary software called Fringe Tracker. It integrates with the existing benefits and payroll companies, so it doesn’t disrupt the existing relationship with the payroll provider and benefit administrator. It calculates the amounts to be allocated. Allocating fringe dollars to indirect compensation has a significant and meaningful impact on employers’ bottom line.
Anne-Lise – What are the most common fringe benefits funded by those federal dollars?
In a few words, put in place an additional system to track and allocate fringe dollars. At Capital Strategies, our software not only allocates the fringe dollars to different benefit categories, it also adds the wage differential between private sector pay and federal contract wages to fund the benefits in the most efficient manner possible. By reducing the wage differential between federal and private sector jobs, we also reduce the temptation for inaccurate timekeeping by employees.
Our system automates compliance, applying the math calculations and recordkeeping according to the DOL Regulations, and generates profit by optimization of the fringe benefit payout.
If you have questions about this article or HR compliance, please contact:
Anne-Lise Gere at (757) 240-4402 or email email@example.com, or
Lind Sawyer at (757) 421-0411 or email firstname.lastname@example.org, or
Robert Jones at (614) 556-4415 or email email@example.com.
The post Federal Contractors’ Obligations With Prevailing Wage and Fringe Benefits appeared first on Left Brain Professionals.
There is a lot of talk these days that the only proposal for which we are likely to see bipartisan support is President Trump’s promise to rebuild the nation’s infrastructure. According to Trump’s website (www.donaldjtrump.com), “Infrastructure investment strengthens our economic platform, makes America more competitive, creates millions of jobs, increases wages for American workers, and reduces the costs of goods and services for American consumers.” What’s not to like? Spending that benefits everyone – new airports, bridges, freeways, clean water, less traffic – plus new jobs and increased wages? Hold on a sec – not so fast. It’s wages where we are going to see a test of Trump’s loyalty: to the American worker who put him in office or to fiscally conservative Republicans who now hold sway in Congress.
In the crosshairs lies the Davis-Bacon Act. Since 1935, the Davis-Bacon Act has required that workers on all federally funded or federally aided construction projects be paid at least the “prevailing wage” in the area where the project is located. The Department of Labor determines the prevailing wages on the basis of the wages and benefits earned by at least 50 percent of the workers in a particular type of job or on the basis of the average wages and benefits paid to workers for that type of job. Ironically, the Act was passed with the specific intent of preventing non-unionized black and immigrant laborers from competing with unionized white workers for scarce jobs during the Depression. The week after Trump took office, U.S. Senator Jeff Flake (R-Ariz.) introduced the Transportation Investment Recalibration to Equality (TIRE) Act, which proposes a repeal of the Davis-Bacon Act and would eliminate the prevailing wage requirement on federal infrastructure and construction projects. And on January 30, 2017, Congressman Steve King (R-Iowa) re-introduced the Davis-Bacon Repeal Act in the House with Senator Mike Lee (R-Utah), who introduced the companion bill in the Senate. According to the Congressional Budget Office, if this policy change is implemented, the federal government would spend less on construction, saving an estimated $13 billion from 2018 through 2026. There would be only nominal administration cost savings – the rest of the savings would come directly from workers’ paychecks.
Those in favor of the repeal argue that, since the 1930s, other policies (including a federal minimum wage) have been put in place that ensure minimum wages for workers employed in federal construction. Additionally, when prevailing wages are higher than the wages that would be paid absent the Act, the construction market is distorted. In that situation, projects are likely to use more capital and less labor than they otherwise would. Additional arguments for repealing the Davis-Bacon Act are that the paperwork associated with the Act effectively discriminates against small firms and that the Act is difficult for the federal government to administer effectively.
One argument against repealing the Davis-Bacon Act is that doing so would lower the earnings of some construction workers. In addition to wages, the Act requires a certain amount per hour be designated as fringe benefits that typically fund medical and retirement plans. If not required, employers would be incentivized to curtail their benefit spending to have more competitive bids. Another argument against such a change is that it might jeopardize the quality of projects. Lower wages might attract workers who are less skilled and do lower-quality work. Also, if one of the objectives of Trump’s infrastructure proposal is to increase earnings for the local population, repealing the Davis-Bacon Act might undermine that aim. The Act prevents out-of-town firms from coming into a locality, using lower-paid workers from other areas of the country to compete with local contractors for federal work, and then leaving the area upon completion of the work.
With Republicans poised to gleefully slash spending the next two years, the repeal will most likely have a lot of support. Were it to end up on the President’s desk, the decision to repeal or leave intact the Davis Bacon Act will be the litmus test that will prove whether President Trump is serious about his promised commitment to the American worker and their wages.
Questions about the Davis-Bacon Act and your federal contract? We’re here to help! Contact Bryan Uecker at (877) 982-8348 or Email Bryan@Benquest.com. Contact Robert Jones at (614) 556-4415 or Email Robert@LeftBrainPro.com.
The post Davis-Bacon Act vs. Trump’s Looming Litmus Test appeared first on Left Brain Professionals.
Government agencies use the Request for Proposal process to find the best available solution to their needs at the most competitive price. In competitive bidding, an agency has a duty to reject proposals that are non-responsive or that fail to comply with the invitation to bid in a material way. This promotes objectivity and fairness in the bidding process and ensures that vendors are competing on an equal footing.
In too many cases, contractors expend considerable time and effort developing a proposal that the contracting agency ultimately rejects as non-compliant or non-responsive. Part 1 outlines the standard format of RFPs. Part 2 outlines steps you can take to avoid such costly errors and increase your chances of winning.
As you write your proposal, keep these grading factors top of mind. The agency is telling you what is important to them. Believe them!
Preparing Your Proposal
As you write your proposal, make sure to:
Sign and acknowledge all amendments to the original RFP.
Submit questions to clarify any ambiguities created in the original Q&A or by amendments. If you are assuming something, ask the question! Clarifying questions rarely expose your strategy. Ask one question per ambiguity – the government will likely only answer one of them. Make sure to phrase questions to elicit clear answers.
Watch out for RFPs that include provisions for full and open as well as set-aside awards. Clarify any proposal requirements not clearly designated as applying to one group or both, and clarify the applicability of contract clauses to each group.
Prime contractors need to conduct a cost or price analysis and include the results of the analysis in their proposal.
You may need to submit subcontractor certified cost or pricing data as part of a prime proposal.
If you are a subcontractor, you may need to submit pricing faster and assist in the analysis process.
Primes should request information from subcontractors, including:
System adequacy letters.
Disclosure of proposed profit.
In Federal Financial Participation (FFP) contracts, disclose labor hours and categories.
Although it is okay for primes to request full disclosure, it is equally okay for subs to insist on sealed packages.
The prime should be clear about what is required in sanitized and sealed packages. Do not assume the sub has read the RFP requirements!
Subs should always read the full RFP, even if the prime sends a summary RFP.
If the government does not provide a method for subcontractors to submit directly to them, request that subcontractors provide sealed packages.
Best Practices for Responsive Proposals
Read the RFP. Then read it again, and again. Read it all the way through at least once. You may focus on key areas the first time, but consider reading out of order in subsequent reviews to reduce fatigue when reaching Schedules L and M. Keep an eye out for RFP amendments, and read those as well.
Craft a proposal that directly and efficiently addresses the agency’s needs. Stop focusing on telling your story and start focusing on telling the story the RFP is requesting of you. Remember, a great conversationalist is someone who listens. The best consultants and sales people do not talk about their product or service. They talk about you and solving your problems.
Prepare a compliance matrix. Your matrix should document general requirements such as format and due date as well as requirements for each volume. Update the compliance matrix to stay current with amendments.
Hold a proposal kick-off meeting. Invite your teammates, and identify critical milestones and due dates. Delegate responsibilities as needed, and provide templates if available. Designate one or more people to be responsible for regularly checking for amendments.
Avoid math errors or other inconsistencies. Use rounding formulas in all calculations. Ensure that someone other than the person who prepared the price proposal prints out and manually checks all figures on a calculator.
Ensure your proposal arrives on time! In most cases, agencies will reject late proposals out of hand, so don’t wait until the last minute to finish your proposal.
If your proposal must be hand-carried, prepare a delivery receipt and obtain a signature, date, and time of delivery from the person accepting your proposal package.
For online submissions, ensure that your firm is registered and able to post its proposal on the web site. If permitted, do a test submission to make sure you are able to submit documents successfully. Submit your proposal 24 hours before the due date, and no later than 5pm the day before to comply with FAR 15.208(b). After your submission, print out a copy of the web site delivery notification or receipt. When submitting by email, use read receipt in your email program. Ask the contracting officer if there is a file size limit for submitting via email. If your proposal exceeds that limit, you may need to break it into multiple parts.
Conduct a final review. Have people who were not involved in preparing the proposal perform a final check for compliance.
Questions for Your Proposal
Before submitting your proposal, ask yourself these questions:
Is it formatted correctly?
Is your bid organized and easy to follow?
Is your solution plausible?
Have you demonstrated your ability to perform?
Have you presented an acceptable delivery schedule?
Are you proposing a reasonable price?
Have you had someone spell check, grammar check and error check?
Have you printed or produced the required number of proposals?
Crafting responsive proposals is both a science and an art. There’s much more to the process than we can cover in a single blog post. If you have questions about responsive proposals or any other aspect of the RFP process, call (614) 556-4415 or email firstname.lastname@example.org.
The post Best Practices for Preparing Responsive Proposals – Part 2 appeared first on Left Brain Professionals.
Government agencies use the Request for Proposal process to find the best available solution to their needs at the most competitive price. In competitive bidding, an agency has a duty to reject proposals that are non-responsive or that fail to comply with the invitation to bid in a material way. This promotes objectivity and fairness in the bidding process and ensures that vendors are competing on an equal footing.
In too many cases, contractors expend considerable time and effort developing a proposal that the contracting agency ultimately rejects as non-compliant or non-responsive. Part 1 outlines the format of standard RFPs.
Governing Regulations and Forms
The Federal Acquisition Regulations system sets uniform policies and procedures for acquisition by all executive agencies. FAR 15.203 establishes rules for RFPs, including the government’s requirements, anticipated terms and conditions, information required in the offeror’s proposal, and selection criteria. Agencies employ several standard forms in issuing RFPs, including:
SF 33 Services and Commodities
SF 1442 Construction
SF 1449 Commercial Items
In this blog post, we will focus on the FAR 15 requirements and SF 33.
Read the RFP and Understand the Agency’s Problem or Request
First things first. Read the entire RFP, including all attachments and referenced clauses or documents! Read it section by section. Never assume that all RFPs are equal. Not all agencies and offices structure RFPs the same way. Not all of them do it correctly. You may find important information in a different section or document than you were expecting to find it.
After you have read the RFP, go back and read it again, paying particular attention to the underlying problem the agency needs to solve and the request for goods or services that it specifies. As you are writing the proposal, you will want to keep these needs top of mind.
Schedule A – General Information
Schedule A often consists of a single-page solicitation form (e.g., SF 33). It provides basic information such as:
The Solicitation Number
The Type of Contract
Where and When to Submit Your Bid
Contact Information for the Contracting Officer
Schedule B: Supplies or Services and Prices
Often the bulk of the RFP in terms of pages, Schedule B provides a summary description of the contract requirements. It lists all requirements as Contract Line Items (CLINs) or Sub-line Items (SLINs). This section also includes other billable items such as travel and other direct costs (ODCs).
Schedule C: Description/Specs/Statement of Work
Since it outlines the agency’s needs, Schedule C forms the heart of the RFP. In writing your proposal, describe how you will fulfill the contract – and be certain that your solution meets all specifications. This section may include specific labor category requirements. For service contracts with defined labor categories, make sure your resources line up with the appropriate education, experience, and certification requirements.
Schedule D: Packaging and Marking
This section contains packaging, packing, preservation, and marking instructions. In some cases, products may require Unique Identification Marking (UID) labels. Many shipments require Military Specification (MIL-SPEC) packaging that resists water or sand. Some agencies require use of specific transportation, early notification of shipments, or specific forms and labels. Make sure your proposal addresses all RFP requirements.
Schedule E: Inspection & Acceptance
Schedule E details the inspection process and conditions that you must meet for the work to be accepted by the government. Inspection may occur during manufacturing, before shipment, or after delivery. Some contracts allow for self-inspection, while others require government employees to carry out the inspection. Keep in mind that inspection by an external party may delay shipment, so plan accordingly. Acceptance may occur only after delivery and testing, which can affect when you will be paid. Plan accordingly.
Schedule F: Deliveries or Performance
This schedule sets requirements for “where” and “how” you must deliver products. A single contract may require shipping to multiple locations, in different quantities, or by different methods. Make sure to price your product to conform to delivery instructions and that your products arrive by the required delivery date using the preferred shipping method. Keep in mind that agencies are free to reject shipments that do not arrive on time.
Schedule G: Contract Administration Data
This section sets standards for the ways in which you and agency personnel will interact during the contract. It may include:
Accounting and appropriation data
Contact information for key agency personnel
Some tasks or functions may be delegated.
Schedule H: Special Contract Requirements
This schedule can be a dumping ground for clauses and other important information.
Schedule I: Contract Clauses
Read the clauses carefully, as you will be bound by all clauses in the contract. Clauses can include:
Clauses that will be included in any resulting contract
Clauses in full text
Clauses incorporated by reference
FAR, agency supplements, and local clauses
Make sure you are compliant with all clauses, and price your proposal accordingly. Some clauses may increase your cost of compliance.
Clarify or reject any clauses that are not applicable or are inappropriate. These will become part of the awarded contract, so if you have questions on any that should or should not apply, ask at the RFP stage. In many cases, you may want to have an attorney review the clauses and your responses.
Schedule J: List of Attachments
RFPs and contracts are not single documents. They may include:
Statements of Work
Carefully review all attachments and clarify any conflicting information among the documents.
Schedule K: Representations, Certifications, & Other Statements
Sometimes called “Reps & Certs,” this section requires you to demonstrate eligibility by providing business entity information and certifying that you comply with all of the acquisition’s applicable laws and regulations. For example, an agency can only award a contract set aside for woman-owned, small businesses to a company that represents and certifies that it is a woman-owned, small business. You must complete this section even if your System for Award Management (SAM) registration is current.
Schedule L: Proposal Preparation Instructions
While the content of your proposal (products, services, and prices) is critical to your ability to win, delivering a compliant proposal may be what keeps you in the competitive range. Make sure you adhere to all proposal preparation requirements, including:
Volumes (Technical, Cost, Management)
Proposal Adequacy Checklist
Elimination from the competitive range is the source of many protests. Failure to follow the instructions is not a valid basis for a protest; a protest on those grounds will likely be dismissed.
Schedule M: Evaluation Factors for Award
This section outlines how the agency will grade proposals – including yours! It includes main factors for consideration and the importance of each factor. It may include:
Lowest-price, technically acceptable (LPTA)
Crafting responsive proposals is both a science and an art. There’s much more to the process than we can cover in a single blog post. Be sure to read Part 2 for specific tips. If you have questions about responsive proposals or any other aspect of the RFP process, call (614) 556-4415 or email email@example.com.
The post Best Practices for Preparing Responsive Proposals – Part 1 appeared first on Left Brain Professionals.
Is your proposal in response to a federal Request for Proposal thorough, accurate and complete? If not, chances are high that you will be eliminated from competition – which represents a waste of time and opportunity for you and a corresponding waste of time for the contracting agency.
Contracting agencies use the RFP process to identify the best supplier based on a combination of qualifications, history of achievement, timeliness, responsiveness, and cost. To have a chance at winning a contract, it is vitally important that you submit the information requested, in the level of detail requested or required by law, in the format requested.
To reduce the number of nonresponsive proposals, several federal contracting authorities have developed proposal adequacy checklists. These walk contractors through format, cost elements, subcontracts, and exceptions to certified cost or pricing data. Checklists require prospective contractors to provide the location of requested items, or an explanation of why the requested information is not provided. Checklists apply only to the cost proposal, and not to the entire proposal submission.
Agencies that rely on proposal adequacy checklists include:
Department of Defense/Defense Acquisition Regulations System (36 items)
Defense Contract Audit Agency (uses DFARS checklist)
Defense Contract Management Agency (35 items)
National Aeronautics and Space Administration (34 items)
Certain RFPs, including those that require certified cost or pricing data, should require a proposal adequacy checklist to be submitted as part of the proposal (DFARS 215.408 (5)). In addition, any contracting officer has the authority to require inclusion of a checklist in response to an RFP. In any event, completing the appropriate checklist is a valuable tool to validate the adequacy of your proposal.
To learn more about proposal adequacy checklists, you can view Proposal Adequacy Checklist—The New Normal, a presentation that Robert Jones and Suzanne Camden gave for the National Contract Management Association’s World Congress in July 2014.
Our next blog post will delve into more detail about creating responsive proposals. In the meantime, if you have questions about proposal adequacy checklists or any other aspect of the RFP process, we’re here to help! Email firstname.lastname@example.org or call (614) 556-4415.
The post The Proposal Adequacy Checklist appeared first on Left Brain Professionals.
For more than 20 years, government contractors and their employees that operate an agency’s system of records have been subject to the same criminal penalties as government employees for violations of the federal Privacy Act (PA).
These penalties have taken on new importance because a recent FAR amendment makes PA training required for certain federal contracts. Moreover, the training must include information on the criminal penalties a government contractor and its employees face for violating the PA. Specifically, violations are a misdemeanor punishable by a fine of up to $5,000; there is, however, no possibility of imprisonment.
Because the language Congress used to describe this criminal violation is so carefully drafted, it’s important to get into the law’s wording and details.
The criminal penalty provision of the PA punishes any contractor or its employees who “knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it.”
Unfortunately, it’s not easy to describe what these words mean because there are not a lot of reported court decisions interpreting them. According to the U.S. Department of Justice, there are at least two reported decisions on this criminal law. Realistically, however, only one of them really helps to describe how anyone, including a government contractor, can violate the PA’s criminal provision.
That decision, actually a defeat for the government, involved a list of patients and their addresses prepared by Richard Trabert, the administrator of an Army hospital that was closing. A doctor at the closing hospital who would be seeing patients at a nearby private clinic asked Trabert to prepare the list. Trabert compiled the list from data in his computer and gave it to the administrator of the private clinic. The information on Trabert’s list was protected by the PA.
The government charged Trabert with violating the criminal provision of the PA but a judge concluded that the government had not proven that Trabert violated the PA beyond a reasonable doubt. The government had failed to prove that there was both a “knowing disclosure” and a “willful disclosure.”
Knowing disclosure. The government could prove a “knowing disclosure” from circumstantial evidence such as the fact that the employee had taken PA training. In Trabert’s case, however, there was no evidence he had received PA training and Trabert testified that he did not remember getting any PA training. In addition, senior personnel at the hospital knew Trabert was compiling the list but no one had told him it was illegal. Moreover, other lists had been prepared by others for the benefit of other clinics.
Another way the government could prove a “knowing disclosure” would be “a specific admonition provided as to the general application of the Privacy Act” which in Trabert’s case was a computer screen banner warning of the PA’s applicability to information in the computer every time the computer was turned on.
Significantly, the government did not have to prove that Trabert had been told specifically that the PA applied to the list he gave the clinic’s administrator.
But here, there was no “knowing disclosure” for several reasons, including the fact that similar lists had been prepared on other occasions by other employees without anyone being charged with a crime.
Willful disclosure. The government had also failed to prove a “willful disclosure”: that Trabert voluntarily and purposely disclosed the information in violation of the Act. Here, Trabert was guilty at most of gross negligence. According to the judge, it was not clear to Trabert that the disclosure of the list was inappropriate. Trabert was not aware of any improper motive in providing the list to the clinic, and he knew that the clinic could not produce the useful list itself. He did not know that the doctor requesting the list wanted it for expanding his practice at the new clinic. Nor did Trabert benefit financially from disclosing the list, such as by getting a job at the new clinic; the government did not prove that he even wanted a job there.
Conclusion. Trying to distinguish an unfortunate “gross negligence” disclosure from a criminal “knowing and willful disclosure” is difficult. Trabert was wrong to prepare the list and give it to the private clinic. But he did not do it with the intention of violating someone’s privacy rights protected by the PA. United States v. Trabert, 978 F.Supp. 1368 (D.Colo. 1997).
A good example of conduct that goes beyond “gross negligence” comes from civil (not criminal) lawsuits against an agency (and not its employee, as in Trabert’s case) that violated its employees’ PA rights.
Department of Energy employees filled out personnel security questionnaires after being told that the information would be used only for security clearance purposes. But the information was then sent to the Department of Justice for the purpose of criminal prosecution. DOE had not told the employees that questionnaire information could be used for law enforcement purposes. Covert et al. v. Harrington, Secretary, Department of Energy, 876 F.2d 751 (9th Cir. 1989).
Perhaps a good summary of what it takes to violate the PA is this: the violation “must be so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.” While Trabert’s conduct was wrong, you cannot say that his actions met this test.
Terrence O’Connor is a Partner and Director of Government Contracts at Berenzweig Leonard LLP, McLean, VA. He can be reached at toconnor@BerenzweigLaw.com.
The post Federal Privacy Act Criminal Penalties Apply to Government Contractors appeared first on Left Brain Professionals.
Part 1: New Rules Go Into Effect December 31.
Federal government agencies rely upon external contractors to carry out a wide range of functions. Many contractors have access to sensitive data that could, if compromised, potentially reveal classified information, threaten national security or even put lives at risk. As a result, cybersecurity is a critical and growing concern for both federal agencies and contractors.
The issue has gained greater urgency, as contractors of all sizes must demonstrate compliance with new federal government rules by December 31, 2017.
Understandably, many small business contractors feel overwhelmed. If you don’t comply, your contracts – and, perhaps, your business – are at risk. Yet you may not know where to begin. Common obstacles to compliance include:
Lack of knowledge of the rules,
Not knowing how to meet the requirements spelled out in the rules,
Lack of access to information security resources, and
Lack of financial resources to implement required safeguards.
Many small businesses do not employ a dedicated information technology employee or consultant. Often, an owner or key employee performs IT functions in addition to their regular duties. And even Fortune 500 companies with vast resources struggle with information security. No wonder small business owners feel overwhelmed!
Still, when you submit an RFP or sign a contract containing one or more information security clauses, you are affirming your ability to comply with the contract. You need to employ as many best practices as possible to show that you have employed good faith due diligence to achieve compliance. As with any compliance program, you must be able to demonstrate that you are doing – or trying to do – the right thing.
This series of blog posts is designed to help small business contractors prepare to meet the December 31 deadline. We’ll break down compliance into bite-size, manageable and affordable chunks that an average small business of a few to 50 employees can tackle. Let’s start with the rules.
Federal Cybersecurity Rules
NIST (SP) 800-171
FAR Case 2011-020
Federal Information Security Rules
In June 2016, the US Department of Defense, General Services Administration, and National Aeronautics and Space Administration published a new rule entitled “Basic Safeguarding of Contractor Information Systems.” The new requirements supplement DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which imposes several more requirements on covered DoD contractors.
Safeguarding requirements are based on security requirements published in the Department of Commerce National Institute of Standards and Technology’s Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” However, several other overlapping rules and regulations may apply (see box).
These rules and regulations require contractors of all sizes to comply with two key information security requirements:
Maintain Adequate Security
Report any Incidents
In the case of defense contracts, within 30 days of contract award, a contractor must notify the DoD Chief Information Officer of any security requirements not implemented at the time of contract award. The contractor can propose alternate, equally effective measures to DoD through the contracting officer.
Where Must You Maintain Adequate Security?
Security requirements affect any system for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, including:
Requirements under NIST (SP) 800-171
Nearly 80 pages in length, NIST Special Publication 800-171 includes 109 items broken into 14 categories. Under these guidelines, the purpose of computer security is to protect an organization’s valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
The document covers the NIST framework for Improving Critical Infrastructure, details on each of the 14 security requirements, mapping tables and a special section dedicated to acronyms. See below for an outline of each category, with tips for compliance.
1. Access Control: Limit physical access to buildings and servers. Limit access to accounts and services through assigned users. Only those who need access should be granted access.
Tip: Review active users on accounts at least annually (best practice involves quarterly or semi-annual review). Look for terminated employees and employees whose duties have changed (they no longer need access to a server, site, folder, file, or account). Revoke their access.
2. Awareness and Training: Provide annual training to all employees on existing policies and procedures. Provide updated training as appropriate for changes in laws, regulations, etc.
Tip: Document the training. Be able to prove due diligence in training your employees to do the right thing.
3. Audit & Accountability: Perform internal and external audits. Have someone outside the company or department review policies against actual practices. Hire an outside firm. Have individual team, department, or project managers review user access to their sites, servers, folders, files, and accounts.
Tip: Document the audit, as well as any remedial training, new policies, or other mitigation strategies that arise as a result of the audit.
4. Configuration Management: Keep track of hardware and software. Know who has possession of equipment and what is installed on each machine. Ensure that users have limited ability to download and install software. Have a defined list of preapproved software. Have a formal process to request and vet new software.
Tip: Perform audits of your system and software. See #3 above.
5. Identification and Authentication: Identify and authenticate any user gaining access to your facility, servers, or accounts. Assign unique logins for each user; do not use shared logins. Use electronic key cards for physical access to facilities and rooms. Authenticate users through some other tool such as a password, PIN, one-time password, or biometrics. Access to server rooms may require a key card and PIN.
Tip: Review access control on a regular basis. See #1 above.
6. Incident Response: Document an incident response process including roles and responsibilities. Incident response should include or be coordinated with your disaster recovery plan. With government contracts and data breaches, there are specific reporting requirements.
Tip: Your response plan must specify how you are notified internally, who you need to notify and how (such as customers and government entities), response times, and public relations outreach.
7. Maintenance: Keep all hardware, software, and firmware updated with the latest patches. Perform routine preventive maintenance such as backups and destruction of backups.
Tip: Automate as much as possible. Have a calendar to track needed items. Document all updates.
8. Media Protection: Physically limit access to the media. Limit or prohibit use of removable media or portable storage devices such as thumb drives. Protect backup media the same as live data.
Tip: Enable system/network protocols that identify removable media or portable storage devices.
9. Personnel Security: Screen personnel before providing access. This may be as simple as validating a need-to-know for basic access and as complex as performing background checks on individuals with advanced access or responsibilities.
Tip: Ensure terminated employees are removed from all access and accounts.
10. Physical Protection: Allow only authorized access to systems, equipment, and facilities. Maintain audit logs of physical access (may be automated with electronic key cards), and monitor and escort visitors.
Tip: Implement a visitor policy and process with logs and badges.
11. Risk Assessment: Perform a risk analysis to identify vulnerabilities. If this happened, what would it mean to us, our business, our reputation? Compare the analysis to existing policies and practices, and then remediate accordingly.
Tip: Perform a risk assessment when acquiring another company, moving locations, adding new technology, or changing providers.
12. Security Assessment: Assess the effectiveness of existing controls. Are controls doing what they’re supposed to do? Can someone bypass a control?
Tip: Perform spot checks on controls. These should be unannounced “audits.” See if an unauthorized user can gain access to a facility, server, folder, or file.
13. System and Communications Protection: In comparison to protecting the storage of data, this is meant to protect the flow of data between systems. It also includes boundaries between systems, such as between private and guest networks.
Tip: Deny network communications by default. Permit authorized communication by exception.
14. System and Information Integrity: Monitor activity to detect flaws, irregularities, and malicious code. Perform system and file scans for viruses and malware. Irregularities may include size, volume, and timing of network traffic.
Tip: Install antivirus and malware protection. Perform routine system and file scans.
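To make the “size, volume, and timing” irregularities in the last category concrete, here is an added Python example (ours, not code from the original post) that runs three simple checks over a few constructed outbound-connection log lines: transfers outside business hours, single transfers above a size threshold, and per-host daily volume above a threshold. The log format, the thresholds and the host names are assumptions for illustration; the right thresholds come from the normal baseline of your own network.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "timestamp host destination bytes_sent" per line.
# The last line is deliberately malformed to show that bad lines are skipped, not fatal.
SAMPLE_LOG = """\
2017-11-06T09:12:04 ws-accounting 203.0.113.10 48213
2017-11-06T10:40:51 ws-accounting 203.0.113.10 61002
2017-11-06T11:03:17 ws-engineering 198.51.100.7 120400
2017-11-06T18:30:00 ws-accounting 203.0.113.10 4194304
2017-11-06T23:48:09 ws-accounting 203.0.113.10 7340032
2017-11-07T09:05:12 ws-engineering 198.51.100.7 98000
malformed line here
"""

# Thresholds are assumptions for illustration; set them from your own network's normal baseline.
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local time counts as "working hours"
LARGE_TRANSFER_BYTES = 5 * 1024 * 1024  # one transfer above 5 MiB is worth a look
DAILY_VOLUME_BYTES = 10 * 1024 * 1024   # more than 10 MiB from one host in a day is worth a look


def parse_log(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dest, nbytes = parts
        try:
            records.append({
                "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                "host": host,
                "dest": dest,
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return records


def find_irregularities(records):
    """Return (kind, host, detail) findings for timing, size and volume anomalies."""
    findings = []
    per_host_day = defaultdict(int)
    for r in records:
        if r["time"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours", r["host"], r["time"].isoformat()))
        if r["bytes"] > LARGE_TRANSFER_BYTES:
            findings.append(("large-transfer", r["host"], r["bytes"]))
        per_host_day[(r["host"], r["time"].date())] += r["bytes"]
    for (host, day), total in sorted(per_host_day.items()):
        if total > DAILY_VOLUME_BYTES:
            findings.append(("high-daily-volume", host, f"{day}:{total}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in find_irregularities(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {host:16} {detail}")
```

The three checks are independent on purpose: a single late-night transfer, a single oversized one, and a day's total that creeps past the baseline in small pieces each tell a reviewer something different, and a host that trips all three in one day is the one to look at first.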
From Understanding to Compliance
After reading this summary, you should have a general understanding of what the new rules require. Although the topic may still seem overwhelming, our next post will help you get a handle on practical steps you can take to comply by the December 31 deadline. We’ll review information security requirements for individual systems, with a discussion of best practices and affordably priced tools suitable for small business use.
The post Cybersecurity Best Practices for Small Business Contractors – Part 1 appeared first on Left Brain Professionals.
Part 2: Covered Systems and Security Tools
In the 21st century, broadband networks and information technology have become powerful tools for small businesses. They help businesses reach new markets and increase sales and productivity. However, the same technology that powers business improvement is vulnerable to attack. Businesses must implement the best tools and tactics to protect themselves, their customers, and their data.
As discussed in Part 1, federal contractors face a December 31 deadline for compliance with new rules for safeguarding contractor information systems. In Part 2, we’ll discuss the devices and systems that must be secured, including suggestions for best practices and affordably priced tools that small businesses can use to comply. Note that in many cases vendors offer multiple tools. These are listed by category rather than by vendor.
What Must Be Secured?
All contractor information systems, which are defined as systems owned or operated by contractors that “process, store, or transmit federal contract information” must be secured. Let’s take a look at each category and applicable security tips and tools.
Hardware (NIST Category 7): Firewalls, Routers, Servers, PCs, Laptops, Tablets, Mobile Phones, IP phones, Network Printers.
All hardware that stores or transmits data requires protection from unauthorized access and malware such as viruses and spyware. This generally involves the use of anti-virus software, firewalls and Virtual Private Networks, which are discussed in more detail below.
Tips: Ensure that all firmware is updated, devices are encrypted (where available/appropriate) and that devices have passcodes or PINs. Make sure mobile devices (including laptops) can be remotely wiped in case of theft or loss.
Taking steps to prevent unauthorized network access is important for a wide number of reasons, including preventing others from installing malware or stealing or deleting important files.
Tips: Unauthorized persons should never have access to your business network! Make sure both home and office networks have secure passwords. Create a separate guest network for sharing with family, friends, and visitors.
Your network should be protected with a Firewall (hardware and/or software) and/or Virtual Private Network.
A firewall is a network security system that uses rules to control incoming and outgoing network traffic. A firewall acts as a barrier between a trusted network and an untrusted network. Firewalls come in two varieties: hardware and software. You can purchase a physical firewall device or run a firewall application. Many routers have firewall software built into them.
A greater level of security can be provided through a Virtual Private Network, which is a method employing encryption to provide secure access to a remote computer over the Internet. VPN tools for small businesses to consider include Avast SecureLine VPN and PureVPN.
Mobile Devices (phones and tablets)
The ease of doing business anytime, anywhere comes with a price. Mobile device security threats are on the rise. According to IT Web, the number of new malware programs detected each day has reached over 230,000, many of which target mobile devices.
Tips: Use mobile antivirus and security tools such as Avast Mobile, Avira and Lookout to secure mobile devices. Avast and Avira offer both free and more robust paid plans for devices running on Android and iOS. Lookout’s mobile security suite includes mobile endpoint security, app security, personal device security and threat intelligence.
Wi-Fi and Bluetooth
Wi-Fi and Bluetooth are protocols allowing computers, smartphones, or other devices to connect to the Internet or communicate with one another wirelessly within a particular area.
Tips: Keep them off until needed. They are doors through which hackers can access your device or network. In addition, they drain batteries on mobile devices.
Do not use free public Wi-Fi. Ever. Many people have access, and the network is unsecured. It’s laughably easy to hack other users on the same network. Use your phone’s hotspot, a mobile hotspot, or trusted network (such as that of a client or vendor). If and when you use public Wi-Fi, use a Virtual Private Network to access your network or the internet in general.
Software (NIST Category 7)
Commercially available software represents one of the biggest vulnerabilities in information security. Don’t let hackers exploit holes in your software to access your information!
Tips: Ensure that all updates and patches are installed. Developers release security patches on a regular basis. Consider auto updates to plug any holes. Outdated software, even with updates or patches, is vulnerable because developers eventually stop supporting old software. If your software is more than 4 years old, check to see if you are still receiving updates and patches. Hackers know that companies run old software, and developers stop supporting it, so they look for ways to break in.
Online Services and Accounts
Email (NIST Category 8, 14)
After the recent presidential race, it’s hard to believe that anyone is unaware of the importance of safeguarding email communications. Email accounts are easily hacked. Take steps to protect them.
Tips: Keep separate accounts for business and personal email. Do not cross contaminate them. Keep business in business and personal in personal.
Use a professional domain for your business. If you are a small business, buy a domain, secure it, and use it. Do not send business email from Yahoo, Hotmail, AOL, Gmail, etc. Even if you designate one of these as a business account, it comes from a public domain, which reflects poorly upon your business and opens you up to hacking and other issues.
Keep in mind that if you keep multiple email accounts on a single device (as we all do), a hack from one account can easily bleed to the other accounts, causing release of information or unpleasant emails sent on your behalf.
To be clear, if you’re using Google’s G Suite (formerly Google Apps) for work, the security features are different from those of a personal Gmail account. That said, in our humble opinion, Gmail has one of the most secure personal email platforms, with multi-factor authentication (discussed below) and spam filtering.
Like email, keep separate accounts/services for work and personal. We recommend separate services, so it’s clear that one is business and one is personal. Do not cross contaminate. Do not store business documents on your personal service and vice-versa. Cloud storage services to consider include:
It’s too common to see hacking of LinkedIn, Facebook, Instagram, Twitter and other accounts. If hackers make disparaging posts or comments, it can affect your brand and reputation.
Tips: Use strong passwords and the highest privacy settings on all social media accounts. Change passwords frequently.
Create a social media usage policy for your company. Never forget that anything shared on social media can ultimately be viewed by anyone, anywhere in the world. Be careful about what you post, even on private accounts. Ask your employees to do the same, and make sure they don’t comment on company business from unauthorized accounts. Quite apart from embarrassment, you could open yourself up to blackmail or legal consequences.
Online banking, utilities, customer/vendor portals, shopping, shipping, tax reporting/payment sites can all be vulnerable to hacking.
Tips: Use a different, strong password on each account, and change passwords frequently. Use multi-factor authentication if available. Check all billing statements on a regular basis for unauthorized charges.
Website & Portals
You may not think your website has anything worthy of hacking. However, even the most mundane websites are compromised all the time. Most hacks are not to steal data, although this is always a concern. However, hackers may be trying to use your server as an email relay for spam, or to set up a temporary web server to serve files of an illegal nature.
Websites that use the standard HTTP protocol transmit and receive data in an unsecured manner. This means it is possible for someone to eavesdrop on the data being transferred between the user and the web server.
Tips: Invest in a secure website that encrypts the messages between the visitor and the site using SSL (secure socket layer) to ensure that no hacker or eavesdropper can intercept the information.
Never transmit personal or financial information via an unsecured site. If the web address begins with https://, instead of just http://, you are accessing a secure website. Most browsers will also display a lock icon somewhere along the edge of the window to indicate a website is secure. SSL tools are discussed below in the tools section.
Security Tools to Consider
According to a recent Verizon Data Breach Investigations Report, 60 percent of cyber-attacks target small and medium-sized businesses, primarily because they are easier targets. Using the tools below will help take the target off your back as well as provide compliance with federal regulations.
Managing passwords can be a pain. However, a strong password is your first line of defense against intruders and imposters.
Tips: You should pick passwords that are difficult to guess. Don’t use names, dates or common words as passwords. Here are some examples of passwords of increasing strength:
Poor passwords: Password, Sally1, Columbus, etc.
Fair passwords: pAssWorD2017,sAllY12
Good passwords: PaSsWoRd2017!!, SaLLy12$
Better passwords: P@$$w0rd2017#, S@lly12#!
Best passwords: l#Svr!25Nw^q, h*J47(sB2#xR
Use an encrypted database to store passwords. We still see clients with Word or Excel documents for their list of passwords. Even with a password-protected file, be careful. We’ve seen clients leave the file open on their desktop throughout the day.
The tools listed below can be auto-locked after use or after elapsed time. These tools also work across browsers and devices, making the passwords readily available to you and helping you enter them on websites. More importantly, they have password generators that create strong passwords. The tools require you to remember only one strong password – the tool remembers everything else. You can also require multi-factor authentication to access the tool (user ID, password, and one-time code generated by a separate device). Several of the tools below have free, premium and enterprise versions to adjust to the size, security needs and budget of your company:
Virus & Malware Protection (NIST Category 7, 13, 14)
According to CNN, more than 317 million new pieces of malware — computer viruses or other malicious software — were created last year. That means nearly one million new threats were released each day.
Tips: Invest in a paid antivirus subscription, then keep the software and virus definitions updated daily (automated). Make sure virus protection is installed on all applicable devices such as servers, PCs, laptops, and mobile phones. Some of the antivirus tools you might want to consider are listed below. Several of these vendors offer additional security software and services:
Multi-factor Authentication (NIST Category 5)
Multifactor authentication is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. The use of multiple authentication factors to prove one’s identity is based on the premise that an unauthorized user is unlikely to be able to supply the factors required for access.
Tips: Set authentication factors that are not likely accessible via public records. For example, a user’s mother’s maiden name is less secure than asking a personal question such as the name of the user’s favorite pet. Send randomly-generated codes to verified mobile phones or email addresses.
Choose a service and use it across every account possible (banks, email, servers, etc.) Some options include:
Authenticator for Windows
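As an added example (ours, not code from the post or from any vendor listed above), here is the one-time-code scheme that authenticator apps and hardware fobs implement: the time-based one-time password of RFC 6238, built on the HMAC-based one-time password of RFC 4226, written in Python with only the standard library. The secret below is the RFC test key and is used purely for demonstration; a real service generates a random secret per user at enrollment and stores it encrypted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Demo secret only (the RFC 4226/6238 test key), never a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the code changes every 30 seconds
DIGITS = 6          # six-digit codes, as most authenticator apps show


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to 31 bits, reduced modulo 10^digits and zero-padded."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, submitted, at_time=None, step=STEP_SECONDS, window=1):
    """Server-side check. Accept the code for the current step or `window` steps either side,
    which tolerates a little clock drift between phone and server. The comparison is
    constant-time so response timing does not leak how many digits were right."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    submitted = submitted.strip()
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def provisioning_secret(secret):
    """Base32 form of the secret, which is what an authenticator app expects at enrollment
    (it is the payload of the enrollment QR code)."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    code = totp(DEMO_SECRET)
    print("base32 secret for the app:", provisioning_secret(DEMO_SECRET))
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET, code))
```

The point for a small business is less the arithmetic than the properties it gives you: the code is derived from a secret that never leaves the phone or fob plus the current time, so a password captured by phishing or a breach is useless without that second device, and a code that was intercepted is good for at most a couple of 30-second steps.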
Encryption (NIST Category 8, 13)
A key information security tool, encryption converts information or data into a code to prevent unauthorized access. This protects the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks.
Tips: Encrypt mobile devices and tablets with a passcode or PIN. Encrypt laptops with software. Encrypt your website and servers with SSL certificates as described above. When shopping on the internet, look for https in websites. Only use secure sites to enter your personally identifiable information such as Social Security Number, Federal Employer ID Number, Dun & Bradstreet report number, credit card and bank account numbers, etc.
Encryption tools to consider include:
Next Step: Essential Policies for Compliance
In Parts 1 and 2 of this blog series, we reviewed new cybersecurity requirements for federal contractors, the systems covered by the rules, and affordable tools small businesses can use in their compliance programs. In Part 3, we’ll wrap up the series with a look at policies you need to put in place to ensure and track compliance.
The post Cybersecurity Best Practices for Small Business Contractors – Part 2 appeared first on Left Brain Professionals.
Part 3: Essential Information Security Policies
Now that you have an understanding of the rules, what systems must be covered and security tools you can use to comply, it’s time to consider policies. Keep in mind that your investment in security tools can be rendered useless without appropriate policies and training in place to require that employees use them.
Policy Manual (NIST Category 2)
A good policy manual should address all 14 categories. You need to provide written policies and formal training. This includes training for new employees (based on role) with annual refresher training on key items for all employees. Review and update policies at least annually. Review and update training at least annually. Roll out training on new topics or revised policies as appropriate.
Review Access Control (NIST Category 9)
Review access control requests when received and at least annually. Does the person have a valid need-to-know or need-to-access requirement? Perform background checks as appropriate for positions with advanced level of access or responsibility.
Tips: Review access membership lists at least annually for continued need-to-know. Have terminated employees been removed or had their accounts deactivated?
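The annual review asked for here, and in the Access Control and Personnel Security tips of Part 1, is mostly a matter of putting two exports side by side: what HR says about each person, and what each system says about each account. Here is an added Python example (ours, not the post’s code) that does that reconciliation over constructed CSV exports and produces the list a manager has to sign off on. The CSV columns, the department-to-group mapping and the 90-day dormancy limit are assumptions for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (not from any real system): an HR roster and a per-system account
# list, the two things a small business can usually pull from its HR tool and its admin consoles.
HR_ROSTER_CSV = """\
username,full_name,status,department
asmith,Alice Smith,active,Accounting
bjones,Bob Jones,terminated,Engineering
cwong,Carol Wong,active,Engineering
dlee,Dan Lee,active,Sales
"""

ACCOUNT_EXPORT_CSV = """\
system,username,group,last_login
fileserver,asmith,accounting-share,2017-11-01
fileserver,bjones,engineering-share,2017-09-15
fileserver,cwong,engineering-share,2017-10-30
fileserver,cwong,accounting-share,2017-10-30
fileserver,svc-backup,backup-operators,2017-11-05
crm,dlee,sales-users,2017-04-02
"""

# Which groups each department is expected to hold; anything else goes to the manager to confirm.
# The mapping and the 90-day dormancy limit are assumptions for this example.
EXPECTED_GROUPS = {
    "Accounting": {"accounting-share"},
    "Engineering": {"engineering-share"},
    "Sales": {"sales-users"},
}
DORMANT_AFTER = timedelta(days=90)


def load_roster(text):
    """HR roster keyed by username."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(text))}


def load_accounts(text):
    """One dict per (system, username, group) membership."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster, accounts, today):
    """Return (finding, 'system:username:group') pairs a reviewer must act on: accounts of
    terminated staff, accounts with no HR record, memberships outside the person's department,
    and accounts unused for longer than DORMANT_AFTER."""
    findings = []
    for acct in accounts:
        key = f"{acct['system']}:{acct['username']}:{acct['group']}"
        person = roster.get(acct["username"])
        if person is None:
            findings.append(("no-hr-record", key))   # service account or orphan: confirm an owner
            continue
        if person["status"] != "active":
            findings.append(("terminated-still-active", key))
            continue
        if acct["group"] not in EXPECTED_GROUPS.get(person["department"], set()):
            findings.append(("group-outside-department", key))
        if today - date.fromisoformat(acct["last_login"]) > DORMANT_AFTER:
            findings.append(("dormant", key))
    return findings


def run_review(today_iso="2017-11-06"):
    """Run the review over the constructed exports as of the given date."""
    return review_access(load_roster(HR_ROSTER_CSV), load_accounts(ACCOUNT_EXPORT_CSV),
                         date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding, key in run_review():
        print(f"{finding:26} {key}")
```

The terminated-but-still-active finding is the one that should never appear twice in a row: if it does, the offboarding process, not the review, is what needs fixing. Accounts with no HR record are usually service accounts; each one should have a named owner, or it is an orphan to be disabled.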
Physical security (NIST Category 1, 5, 8, 10)
Limit access to facilities, servers, and systems. Have separate locks on server rooms. Have a visitor policy with sign-in, sign-out, and unique badges.
Password Management (NIST Category 5)
Password management is so important that it falls into both tools and policies.
Tips: Force system password changes every 30-90 days. For very secure or sensitive information, require more frequent password changes. Require multi-factor authentication for new devices or sensitive systems. Set system requirements for secure passwords (upper, lower, number, and symbol) and do not allow reuse of passwords or creation of sequential passwords.
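The rules in this tip, together with the password examples in Part 2, can be enforced mechanically when a user picks a new password. Here is an added Python example (ours, not the post’s code) of such a check: the four character classes, a history that stores only salted hashes so reuse can be detected without keeping old passwords in the clear, a test for the “Winter2017 to Winter2018” kind of sequential password, and a dictionary-base check that undoes the common symbol substitutions first. The minimum length, history depth, word list and sample passwords are assumptions for the example; the rotation interval, character classes and no-reuse rule are the post’s.

```python
import hashlib
import os
import re

# Policy parameters. The 30-90 day rotation, the four character classes and the no-reuse and
# no-sequential rules come from the post above; the minimum length, history depth, iteration
# count and the tiny word list are assumptions for this example.
MIN_LENGTH = 12
HISTORY_DEPTH = 10
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 100_000
COMMON_WORDS = {"password", "welcome", "summer", "winter", "company", "admin", "letmein"}
# Common symbol/digit substitutions undone before the dictionary check (P@$$w0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history stores (salt, digest) pairs, never plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reused(password, history):
    """True if the candidate matches any stored (salt, digest) pair."""
    return any(hash_password(password, salt)[1] == digest for salt, digest in history)


def record_password(password, history):
    """Append the new password's hash and keep only the last HISTORY_DEPTH entries."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


def dictionary_based(password):
    """True if, after undoing substitutions and dropping non-letters, a common word is embedded."""
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    return any(word in letters for word in COMMON_WORDS)


def core(password):
    """Lowercase alphabetic core with leading/trailing digits and symbols stripped,
    so Winter2017!! and Winter2018!! share the core 'winter'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def check_password(candidate, current_password, history):
    """Return the list of policy violations for a proposed password; an empty list means accepted.
    current_password is the one the user just authenticated with; history holds hashes of earlier ones."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(p, candidate) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("needs upper, lower, number and symbol")
    if dictionary_based(candidate):
        problems.append("based on a common word")
    if reused(candidate, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if current_password is not None and core(candidate) and core(candidate) == core(current_password):
        problems.append("sequential variant of the current password")
    return problems


def rotation_due(days_since_change):
    """True once the password is older than the policy allows."""
    return days_since_change >= MAX_AGE_DAYS


if __name__ == "__main__":
    history = record_password("Winter2017!!", [])   # constructed current password, stored hashed
    for proposal in ("Winter2018!!", "Sally12$", "l#Svr!25Nw^q"):
        print(proposal, "->", check_password(proposal, "Winter2017!!", history) or "accepted")
```

Two design points worth noticing: the reuse check works only because the history keeps salted hashes that can be recomputed for a candidate, which is also why the history must never be a spreadsheet of old passwords; and the sequential check compares the candidate against the password the user just typed to log in, which is the one moment the system legitimately has the old password in the clear.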
Multi-factor Authentication (NIST Category 5)
As discussed above, MFA helps prevent unauthorized access by requiring multiple types of identification. In addition to a username and password, it requires a third piece of information such as a text code (to your phone or mobile device), digital certificate, CAC or “smart” card, one-time password (from a fob), or a biometric such as a fingerprint or retina scan.
Tip: Have a policy requiring MFA use on specific accounts/services and recommend its use on all possible accounts/services. Enable MFA on every account possible.
Audit, Risk, Configuration Management and Security
Audit, risk, configuration management, and security may be a combined effort. Guidelines are outlined in NIST Special Publication 800-53 (Rev. 4): Security Controls and Assessment Procedures for Federal Information Systems and Organizations.
Audit and Accountability (NIST Category 3)
Your audit and accountability policy should address purpose, scope, roles and responsibilities, and compliance. In addition, it should contain guidance for implementation of the audit and accountability policy and associated management controls.
Tip: Include provisions for internal and external audits.
Risk Assessment (NIST Category 11)
Your policy should outline requirements for risk assessments, including the likelihood and magnitude of potential harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.
Tip: Update the risk assessment procedures whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security of the system. This should be done at least annually.
Configuration Management (NIST Category 4)
Configuration Management is a discipline designed to ensure that the configuration of an item (and its components) is known and documented, and that all subsequent changes to it are controlled and tracked.
Your policy must outline procedures for keeping track of hardware and software, including who has responsibility for tracking, how they will track possession of equipment and the software installed on each machine, and how they will ensure that users have limited ability to download and install software. It must include a defined list of preapproved software as well as a formal process for requesting and vetting new software.
Tip: Document, document, document. Then spot check to make sure everything is being documented.
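The spot check this tip asks for, and the “what is installed on each machine” tracking in Configuration Management in Part 1, comes down to comparing an inventory export against the preapproved list. Here is an added Python example (ours, not the post’s code) that does that and also flags approved software installed below the version the company treats as patched, which ties the configuration check to the patching advice in Part 2. The inventory format, the product names and the minimum versions are constructed for the example, not a recommendation.

```python
from collections import defaultdict

# Constructed inventory export (not from a real tool): "host product-name version" per line,
# as a simple inventory script or management console might produce. Product names may contain spaces.
INVENTORY = """\
ws-01 7-Zip 18.05
ws-01 Google Chrome 62.0.3202
ws-01 Example Remote Tool 3.1
ws-02 7-Zip 16.04
ws-02 Google Chrome 62.0.3202
ws-02 Example Torrent Client 7.10
"""

# The preapproved list, with the minimum version the company treats as patched.
# Products and versions here are illustrative assumptions.
APPROVED = {
    "7-Zip": "18.05",
    "Google Chrome": "62.0.3202",
    "Microsoft Office": "16.0",
}


def parse_version(v):
    """'18.05' -> (18, 5); versions compare numerically component by component."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def parse_inventory(text):
    """Parse '<host> <product name> <version>' lines into {host: {name: version}}."""
    inventory = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        inventory[parts[0]][" ".join(parts[1:-1])] = parts[-1]
    return inventory


def audit_inventory(inventory, approved):
    """Return (kind, host, name, detail) findings: software not on the preapproved list, and
    approved software installed below its minimum patched version."""
    findings = []
    for host in sorted(inventory):
        for name, version in sorted(inventory[host].items()):
            if name not in approved:
                findings.append(("unapproved", host, name, version))
            elif parse_version(version) < parse_version(approved[name]):
                findings.append(("outdated", host, name, f"{version} < {approved[name]}"))
    return findings


if __name__ == "__main__":
    for kind, host, name, detail in audit_inventory(parse_inventory(INVENTORY), APPROVED):
        print(f"{kind:10} {host:6} {name:24} {detail}")
```

Run against a fresh export each month, the “unapproved” lines are the request-and-vet process failing in practice, and the “outdated” lines are the maintenance calendar failing; both are exactly the documentation the tip says an auditor will ask to see.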
Security Assessment (NIST Category 12)
Your security assessment policy should document your existing controls and outline procedures for testing their effectiveness.
Tip: Include a requirement for spot checks on controls. These should be unannounced “audits.” See if an unauthorized user can gain access to a facility, server, folder, or file.
Incident Response (NIST Category 6)
Your policy should document an incident response process that outlines roles, responsibilities and procedures. Incident response should include or be coordinated with your disaster recovery plan. With government contracts and data breaches, there are specific reporting requirements.
Tip: Your response plan must specify how you are notified internally, who you need to notify externally and how (such as customers and government entities), response times, and public relations outreach. For government contractors, one of the first calls should go to the contracting agency. Openness and transparency are the best policy.
In Conclusion: One Step at a Time
We’ve covered a lot of ground in the past three blog posts, including:
Federal information security requirements
What hardware, software and online resources must be secured
Available security tools
Essential policies and procedures
That’s a lot for any small business owner to take in! With the December 31 deadline looming, however, inaction or delay are no longer options.
My recommendation is to divide your compliance efforts into manageable steps. Begin with an assessment of where you stand as far as meeting each of the NIST requirements, then develop a plan for compliance in each area. Assign responsibilities and deadlines, and call in help as you need it.
As always, if you have questions about information security or any other aspect of government contract compliance, you can reach me at email@example.com or by calling (614) 556-4415.
The post Cybersecurity Best Practices for Small Business Contractors – Part 3 appeared first on Left Brain Professionals.