GAO Release: Recommendation to monitor and ensure contractor business system reviews are conducted in a timely fashion.

CONTRACTOR BUSINESS SYSTEMS: DOD Needs Better Information to Monitor and Assess Review Process

GAO-19-212: Published: Feb 7, 2019. Publicly Released: Feb 7, 2019.

The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. Often called the “congressional watchdog,” GAO examines how taxpayer dollars are spent and provides Congress and federal agencies with objective, reliable information to help the government save money and work more efficiently.

We have written a few times recently on the matter of government contractor business systems.  The government’s (DCAA and DCMA) review of the six contractor business systems is expected to rise significantly in the near term based on information we have received from the DCAA and DCMA.  This GAO report released today adds further reality to this renewed focus on contractor business system reviews.

Contractors are encouraged to take the time and make the investment now to perform proper due diligence to ready themselves for these government reviews.

Fast Facts

The Department of Defense uses data from contractors’ business systems—e.g., accounting or purchasing systems—to guard against fraud, waste, and abuse in DOD contracts. For example, reviewing data from a contractor’s accounting system can help keep the contractor from overcharging.

DOD must review contractors’ business systems to ensure that the data from them can be used. We’ve previously found that it was years behind on some of these reviews.

DOD has an ambitious plan to catch up on these reviews in 3 years but has no way to measure its progress. We recommended that DOD monitor and assess whether it’s completing these reviews as planned.

GAO Findings

Since 2011, the Department of Defense (DOD) has implemented several changes to its processes for reviewing contractor business systems—which include systems such as accounting, estimating, and purchasing. Among other changes, DOD clarified the roles and responsibilities of the Defense Contract Management Agency (DCMA) and the Defense Contract Audit Agency (DCAA)—the two agencies that are responsible for conducting the reviews; clarified timeframes for business system reviews and established criteria for business systems; and withheld payments from contractors that were found to have significant deficiencies in their business systems.

DOD does not have a mechanism to monitor and ensure that these reviews are being conducted in a timely manner. For its part, DCAA has conducted few business system audits since 2013, as it focused its efforts on other types of audits. DCAA plans to significantly increase the number of business system audits over the next 4 years, but its success in doing so depends on its ability to shift resources from other audits; to use public accounting firms to conduct other, non-business system audits; and DCAA staff’s ability to execute new audit plans in a timely manner.

GAO Chart Businss System Audit

DCMA relies on the three offices responsible for conducting DCMA-led reviews to manage the reviews, but DCMA does not formally monitor whether these reviews are being conducted consistent with policy nor does it monitor DCAA’s efforts to complete the audits for which it is responsible. DCMA is ultimately responsible for approving a contractor’s business systems. DCMA currently lacks a mechanism based on relevant and reliable information, such as the number of reviews that are outstanding and the resources available to conduct such reviews, to ensure reviews are being completed in a timely fashion. Such information could help inform more strategic oversight on whether the current review process is achieving its intended results, or whether additional changes to the timing of or criteria for conducting reviews are needed.

Why GAO Did This Study

Contractor business systems produce critical data that contracting officers use to help negotiate and manage defense contracts. These systems and their related internal controls act as important safeguards against fraud, waste, and abuse of federal funding. Federal and defense acquisition regulations and DOD policies require that DOD take steps to review the adequacy of certain business systems, but GAO and other oversight entities have raised questions about the sufficiency and consistency of DOD’s review process.

The National Defense Authorization Act for Fiscal Year 2018 contained a provision for GAO to evaluate how DOD implemented legislation intended to improve its business system review process. Among other things, this report examines (1) the changes DOD made to its review process and (2) the extent to which DOD is ensuring timely business system reviews.

GAO analyzed DOD acquisition regulations, policies, and procedures for conducting contractor business system reviews and analyzed data on reviews conducted between fiscal years 2013 and 2018.

Read more on this 


DCAA Audits of Government Contractor Business Systems

DCAA Audits of Government Contractor Business Systems – Key Risk Mitigation Strategies to Promote an Adequacy Determination

Craig Stetson, Partner | Capital Edge Consulting, Inc.

The Defense Contract Audit Agency (DCAA) recently indicated as a 2019 agency initiative a significant increase in their 2019 audit efforts around contractor business systems. The DCAA’s renewed focus on performing contractor business system audits, is largely the result of the DCAA’s recent reduction in its prior and long-standing backlog of incurred cost proposal audits. The DCAA is responsible for oversight of three of the six contractor business systems, including accounting, estimating, and material management and accounting. Under this 2019 initiative, the accounting system will be the primary focus with a planned audit activity of nearly 1,000 audits. Estimating and material management and accounting system audits also are planned to increase significantly from the 2018 activity, however, nothing near the planned accounting system amount noted prior.

Download your copy of Key Risk Mitigation Strategies to Promote an Adequacy Determination below:


DoD Class Deviation Issued On Use of Fixed-Price Contracts

SUMMARY: Award of cost-reimbursement contracts exceeding $50M now requires the head of contracting activity approval. Further, this threshold decreases to $25M applicable to contracts awarded on or after October 1, 2019. We would expect further guidance on the implementation as related to options, mods, IDIQ TOs / DOs, etc.

SUBJECT: Class Deviation-Use of Fixed-Price Contracts Effective immediately. contracting officers shall first consider the use of fixed-price contracts. including fixed-price incentive contracts. in the determination of contract type and shall not award the following cost-type contracts unless the contract is approved by the head of the contracting activity:

• Cost-reimbursement contracts in excess of $50 million to be awarded after October I. 2018, and before October l, 2019. • Cost-reimbursement contracts in excess of $25 million to be awarded on or after
October l. 2019.

DETAILS: This class deviation implements section 829 of the National Defense Authorization Act for Fiscal Year 2017 (Pub. L. 114-328). which directs establishment of a preference for fixed­price contracts, including fixed-price incentive contracts. in the determination of contract type and establishes the requirement for higher-level approval for certain cost-type contracts. The Under Secretary of Defense for Acquisition and Sustainment has determined that the use of cost-type contracts is approved for research and development valued in excess of $25
million. if the contracting officer executes a written determination that the level of program risk does not permit realistic pricing and it is not possible to provide an equitable and sensible allocation of program risk between the Government and the contractor. 

Read more:


FY 2018 NDAA – House Section 874 (Engrossed)

The House version of the National Defense Authorization Act (NDAA) for fiscal year 2018 contains a provision (Section 874) to repeal contractors’ ability to utilize commercial auditors for purposes of auditing their annual incurred cost proposals.  Specifically, Section 874 of the 2018 NDAA would strike in its entirety subsection (f) of Section 820 of the 2017 NDAA previously passed by Congress and signed by the President.

Get your copy of FY 2018 NDAA – House Section 874: Download below!

FY 2018 NDAA Change to Procurement Thresholds

On December 12, 2017, the 2018 National Defense Authorization Act (NDAA) was signed into law by President Trump. Title VIII of the NDAA contains many provisions designed to reduce burdensome regulation and improve the procurement process. Section 805, 806, and 811 would increase the Micro-Purchase Threshold (MPT) from $3,500 to $10,000, Simplified Acquisition Threshold (SAT) from $150,000 to $250,000, and Truthful Cost or Pricing Data (aka “TINA”) threshold from $750,000 to $2,000,000. The Cost Accounting Standards (CAS) threshold for contract awards would also increase to $2,000,000 since it is tied to the TINA threshold…..


Read more: get your copy of FY 2018 NDAA Change to Procurement Thresholds: Download below!

DoD issues a final rule relating to commercial item acquisitions

By Paul M. Bailey, CPA, Managing Director and S. Chase Kunk, J.D., Vice President, Contracts & Procurement

DoD issued a final rule, published and effective today, January 31, 2018 to implement sections of the National Defense Authorization Act for Fiscal Years 2013, 2016 and 2018 relating to commercial item acquisitions.

About the proposed rule:

The DoD published a proposed rule in the Federal Register on August 11, 2016, to provide guidance to contracting officers for making price reasonableness determinations, promote consistency in making commercial item determinations, and expand opportunities for nontraditional defense contractors to do business with the DoD.

The final rule amends the DFARS to provide additional guidance to contracting officers and additional details on the types of ‘‘other than certified cost or pricing data’’ that offerors should include in their proposal for the purpose of determining whether proposed prices for commercial items are fair and reasonable.

Who does this affect?

This rule will apply to contractors that compete for contracts being awarded using FAR Part 15 Negotiation procedures that are valued at $750,000 or more.

Overview of the rule:

The final rule prescribes the use of a new DFARS provision 252.215–7010, to be used in lieu of FAR provision 52.215–20, Requirements for Certified Cost or Pricing Data and Data Other Than Certified Cost or Pricing Data. The new DFARS provision includes the existing requirement under FAR provision 52.215–20 for offerors to submit certified cost and pricing data and data other than certified cost or pricing data, as appropriate; further, the new DFARS provision implements a statutory exemption to the requirement for ‘‘certified cost or pricing data’’ for nontraditional defense contractors.

Finally, the rule advises contracting officers that they may presume that a prior commercial item determination made by another DoD component shall serve as a determination for subsequent procurements of such items, unless the contracting officer obtains a determination from the head of the contracting activity that the item is not commercial and the basis for that decision.

The DoD guidebooks

The DoD guidebooks for Commercial Item Determinations (Part A) and Commercial Item Pricing (Part B) were expected to be released concurrent with this final rule. The guidebooks were subject to extensive comments from industry and associations. The final rule indicates these guidebooks will be finalized to provide further guidance to contracting officers.

Executive Order 13771 & Cost Analysis

The final rule is considered to be a deregulatory action and therefore not subject to E.O. 13771, Reducing Regulation and Controlling Regulatory Costs. DoD has estimated the cost savings for this rule which can be accessed at, DFARS Case 2016–D006, Supporting Documents. An estimate of hours to prepare Cost or Pricing Data by business type is provided.

More on this rule:

The final rule, including discussion commentary may be accessed at:

#DFARS #DoD #NDAA #Commercial_Item_Determinations #Defense _Contractor

Evaluating the Defense Contract Auditing Process

The Director of the DCAA and selected industry representatives testified April 6th in front of the House Armed Services Committee regarding the current state of the DoD contract auditing process, i.e., the DCAA.  Not surprisingly, the views of the DCAA and industry were quite opposing based on a read of the written testimony.  A high-level synopsis of the testimony is as follows:


  • Significant focus on the reduction of the incurred cost backlog (about 30% of the written testimony)
  • Primary focus on ROI for Agency performance evaluation purposes
  • Staunch resistance to certain acquisition reform initiatives (use of third-party auditors and CPA requirement for GS-14 level managers)


  • Return to traditional definition of the DCAA mission, roles and responsibilities – advisors to the acquisition community, not debt collectors, independence not isolation, collaborative not unilateral
  • Broader use of DCAA auditors to address other audit areas valuable to the overall acquisition process
  • Movement away from ROI as the primary focus on measurement of DCAA success
  • Change in auditor behavior to better apply GAGAS principles, including determination of materiality or significance and use of professional judgment
  • Staunch support for use of third-party auditors to compliment the overall contract auditing process

The perspectives of the DCAA and industry are quite different.  The DCAA’s view on the audit quality was narrow and opposed efforts to employ outside reform initiatives that may benefit the acquisition process overall – including the DCAA audit process.  Industry views were broader and addressed several aspects of the overall acquisition and audit processes that, from a holistic approach, may streamline federal procurements and provide better value to both government and contractors.

View on YouTube 

DOD Issues Final DFARS Rule on Network Penetration and Cloud Computing

WHAT: The Department of Defense (DOD) has adopted a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to require covered contractors to implement certain cybersecurity safeguards and report data breaches within 72 hours, adopting NIST SP 800-171 as the baseline for covered information system security requirements, and standardizing security requirements for cloud-based services.

WHEN: Contractors are encouraged to implement the adequate safeguarding standards in NIST SP 800-171 as soon as practical, but no later than December 31, 2017, consistent with the December 2015 version of the interim rule. The other requirements for mandatory reporting and cloud services already apply.

WHAT DOES IT MEAN FOR INDUSTRY: The final rule made few material changes to the interim rules that have been in place for more than a year. Key changes included clarifying the definition of “covered defense information,” formalizing the process when contractors seek to vary from the NIST SP 800-171 requirements, exempting contracts that are solely for the acquisition of commercially available off-the-shelf (COTS) items, and clarifying the security requirements that apply to cloud service providers.


The most significant aspects of the rule remain unchanged: the final DFARS clause 252.204-7012 requires contractors to provide “adequate security” (i.e., the standards outlined in NIST SP 800-171) to covered defense information on all covered information systems and to rapidly report any incidents involving those systems. While industry pushed back on the scope of the rule, noting in particular that the security measures can be particularly onerous for smaller businesses or barriers to entry for commercial item contractors, DOD determined that the “cost to the nation in lost intellectual property and lost technological advantage over potential adversaries is much greater than these initial/ongoing investments.” DOD also left unchanged the rapid 72-hour reporting requirement, despite industry concerns that such rapid reporting poses myriad practical challenges.

While the heart of the rule and DFARS clause 252.204-7012 remain unchanged, the final rule does have at least four notable updates. First, the definition of “covered defense information” was clarified to include information that is either “controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls and is (1) marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DOD in connection with the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” The expanded definition of “covered defense information” is in line with the National Archives and Record Administration’s (NARA) recent rule addressing “Controlled Unclassified Information,” and includes all of the categories of information that are considered CUI. The final rule provides better clarity to the scope of the contractor’s obligation by requiring the Government to either mark or expressly identify in the contract information furnished by the Government that will be subject to the safeguarding requirements (which is akin to a standard DOD first adopted when a previous version of DFARS Clause 25.204-7012 was issued in November 2013), but continues to make contractors responsible for determining whether information developed or received from third parties in the course of performance is “covered defense information.” DOD considers this to be a “shared obligation” of the contractor to recognize and protect such information, despite industry concerns that it creates an undue burden.

Second, the final rule amended DFARS clauses 252.204-7008 and 252.204.7012 to clarify the procedure for contractors requesting limited exemptions from specific NIST 800-171 requirements, where specific requirements are “nonapplicable” or the contractor implements an “alternative, but equally effective” measure. The -7008 clause permits contractors to submit written requests to the Contracting Officer in their proposals, prior to award, to vary compliance with NIST SP 800-171, and those requests will be adjudicated by a representative of the DOD CIO within a targeted five-day turnaround. The preamble also clarifies that while the rule does not require the Government to consider proposed deviations in the evaluation of proposals, there is nothing that precludes drafting the solicitation to include such an evaluation. The revised -7012 clause includes a similar process for submitting requests after award. For subcontractors, the revised rule clarifies that any requests to vary the implementation should be submitted directly to the Contracting Officer, with notice of the request furnished to the prime contractor (or next higher-tier subcontractor).

Third, DFARS clauses 252.204-7008 and 252.204-7012 were revised to include a limited exemption for use in solicitations and contracts that are solely for the acquisition of commercially available off-the-shelf (COTS) items. Despite this limited exemption, DOD determined that it is in the best interests of the Government to apply these requirements for other commercial item acquisitions, as well as to acquisitions below the simplified acquisition threshold.

Finally, the final rule provided additional clarification on the security standards that apply to cloud-computing services and capabilities from Cloud Service Providers (CSP). Where contractors will store or transmit covered defense information on a cloud-based information system, the CSP should meet the Federal Risk and Authorization Management Program (FedRAMP) standard for “Moderate” compliance, as well as the final rule’s cyber incident reporting requirements. The reporting obligation would extend to any incidents involving a shared infrastructure. These obligations may require significant modification to standard CSP terms and conditions, including any service level agreements (SLAs) that dictate the terms of a commercial vendor’s cloud services, and DOD contractors who utilize cloud-based services for covered defense information should give careful attention to whether existing CSP vendor agreements meet these standards.

Origination-Wiley Rein LLP


Want to receive regular feeds of our blogs, offer topic suggestions and get regular updates? Follow us on social links.

LinkedIn   –  Twitter  –  Facebook

To Learn more contact us:
T: 855-CAPEDGE (855-227-3343)  I


Join LinkedIn Group- ASK an EXPERT: Government Contracting 


DoD Launches Acquisition Regulations Advisory Panel

WASHINGTON — The Department of Defense today announced the creation of a new Advisory Panel on Streamlining and Codifying Acquisition Regulations, with the goal of finding ways to streamline the notoriously cumbersome Pentagon acquisition process.

The panel, which was congressionally mandated under section 809 of the 2016 National Defense Authorization Act, will be led by Deidre Lee, former Director of Defense Procurement and Acquisition Policy and former Office of Federal Procurement Policy Administrator.

Over a two-year term, the panel will focus on five target areas, according to a Pentagon release – to establish and administer appropriate buyer and seller relationships in the procurement system; Improve the functioning of the acquisition system; Ensure the continuing financial and ethical integrity of defense procurement programs; Protect the best interests of the Department of Defense; and Eliminate any regulations that are unnecessary for the purposes described.

While there will be interim reports to the Secretary of Defense, the final report from the panel is due third quarter of 2018. The panel also created a website to seek public comment on these issues.

Lee is joined by 17 other members, including William LaPlante, recently Air Force acquisition head and Ret. Vice Admiral Joseph Dyer, former Commander of the Naval Air Systems Command and Naval Air Warfare Center. Maj. Gen. Casey D. Blake, Deputy Assistant Secretary for Contracting, appears to be the only member of the panel still in the military.

The full panel list:

Mr. Elliott Branch
Dr. Allan Burman
Mr. David Drabkin
Vice Admiral Joseph Dyer, USN, Ret.
Mr. Harry Hallock
Mr. Laurence Trowel
Ms. Deidre Lee (Chair)
Mr. David Metzger
Dr. Terry Raney
Ms. Claire Grady
Ms. Cathleen Garman
Major General Darryl Scott, USAF, Ret.
Mr. Charlie E. Williams, Jr.
Lieutenant General Ross Thompson, USA, Ret. Mr. Elliott Branch
Dr. Allan Burman
Mr. David Drabkin
Vice Admiral Joseph Dyer, USN, Ret.
Mr. Harry Hallock
Mr. Laurence Trowel
Ms. Deidre Lee (Chair)
Mr. David Metzger
Dr. Terry Raney
Ms. Claire Grady
Ms. Cathleen Garman
Major General Darryl Scott, USAF, Ret.
Mr. Charlie E. Williams, Jr.
Lieutenant General Ross Thompson, USA, Ret.
Dr.William LaPlante

Source: Aaron Mehta Defence News

Want to receive regular feeds of our blogs, offer topic suggestions and get regular updates? Follow us on social links.

LinkedIn   –  Twitter  –  Facebook

To Learn more contact us:
T: 855-CAPEDGE (855-227-3343)  I


Join LinkedIn Group- ASK an EXPERT: Government Contracting 

Final Rule – Small Business Subcontracting Plans Effective November 1

Small Business Subcontracting Improvements on the way.

Craig Stetson, Director, Capital Edge Consulting

Final rule issued by the DoD, GSA and NASA July 14, 2016 to amend the FAR to add various improvements related to small business subcontracting (  These statutory amendments will affect prime contractor responsibilities on how they deal with subcontractors and report to the government.

Prime contractors should review now existing business system processes and capabilities to address these requirements to avoid potential compliance risks – including, for example, CPSR adequacy and past performance evaluation.

Among the changes:

  1. Requires prime contractors to make good faith efforts to utilize their proposed small business subcontractors during performance of a contract to the same degree the prime contractor relied on the small business in preparing and submitting its bid or proposal.
  2. To the extent a prime contractor is unable to make a good faith effort to utilize its small business subcontractors as described above, the prime contractor is required to explain, in writing, within 30 days of contract completion, to the contracting officer the reasons why it was unable to do so.
  3. Authorizes contracting officers to calculate subcontracting goals in terms of total contract dollars in addition to the required goals in terms of total subcontracted dollars.
  4. Provides contracting officers with the discretion to require a subcontracting plan in instances where a small business represents its size as an other than small business.
  5. Requires subcontracting plans even for modifications under the subcontracting plan threshold if said modifications would cause the contract to exceed the plan threshold.
  6. Requires prime contractors to assign North American Industry Classification System (NAICS) codes to subcontracts.
  7. Restricts prime contractors from prohibiting a subcontractor from discussing payment or utilization matters with the contracting officer.
  8. Requires prime contractors to resubmit a corrected subcontracting report within 30 days of receiving the contracting officer’s notice of report rejection.
  9. Requires prime contractors to provide the socioeconomic status of the subcontractor in the notification to unsuccessful offerors for subcontracts.
  10. Requires prime contracts with subcontracting plans on task and delivery order contracts to report order level subcontracting information after November 2017.