Evolving compliance challenges in the US government contracts market
July 2023 | TALKINGPOINT | RISK MANAGEMENT
Financier Worldwide Magazine
July 2023 Issue
FW discusses the evolving compliance challenges in the US government contracts market with Luis Avila, Bryan Lathbury and Damien Lawless at RSM US LLP.
FW: Reflecting on the last 12-18 months, could you provide an overview of how the compliance landscape has evolved?
Avila: We have been living in a hyper-globalisation economy for 30 years. But in the last 12 to 18 months, geopolitical and economic events – and great advances in technology – have reshaped our flow of trade, foreign investment restrictions and technology. Our flow of trade has been swinging back and forth between protectionism and friend-shoring. The Infrastructure Investment and Jobs Act expanded the rules of the Buy America Act (BAA), but we expect the US government (USG) will leverage exceptions, such as the Trade Agreements Act, to build a wider fence that includes our trade and strategic allies. Due to global security risks, we expect the Committee on Foreign Investment in the US (CFIUS) to take a more aggressive and coordinated approach to enforcement. Recent advancements in large language models (LLMs) have created a quantum leap in productivity and heightened the need for robust cyber security controls.
Lathbury: Geopolitical factors are ratcheting up the regulatory environment with respect to international trade. The US has implemented additional export controls restricting trade with China, Russia and Belarus. For example, the US has broadened its control policy to include exports of advanced computing, semiconductor manufacturing items and technology to China. In response to the Russian war in Ukraine, the US has added controls restricting a broad range of exports to Russia and Belarus. In addition, the US has implemented sanctions against individuals and entities located in Russia and Belarus that prohibit US residents, wherever they are located, from transacting business. Importers of Chinese goods are now facing heightened customs scrutiny under the Uyghur Forced Labour Prevention Act. US Customs and Border Protection will now block entry based on the presumption that goods originating from the Xinjiang Uyghur autonomous region of China are produced using forced labour.
Lawless: Considering recent Cybersecurity Maturity Model Certification (CMMC) developments, it is essential for global companies to understand why the General Data Protection Regulation (GDPR) alone is insufficient for contracting with the USG. While the GDPR provides comprehensive data privacy and protection regulations for personal data, the USG requires a specific set of cyber security requirements to protect controlled unclassified information (CUI). CUI is sensitive but unclassified information that requires safeguarding for numerous reasons, including privacy, intellectual property and compliance regulations. CMMC was designed to verify contractor compliance with the National Institutes of Standards and Technology (NIST) SP 800-171 requirements mandated since 2016. At the end of 2021, CMMC 2.0 was released to streamline cyber security maturity to three levels and require certain organisations to be assessed and certified by a third-party organisation. Effective October 2025, organisations will need a CMMC certificate at the required level to bid on USG contracts containing CUI. At this moment, CMMC certification is required for organisations that wish to compete for USG contracts containing the Defence Federal Acquisition Regulation Supplement (DFARS) 252.204-7021.
FW: In general, the learning curve of US government compliance can be steep for commercial multinational organisations. What risks and challenges do new entrants to the US government contract market face? How can companies keep abreast of changes to US government contract requirements?
Lathbury: Defence contractors face unique challenges from a trade compliance perspective. The International Traffic in Arms Regulations (ITAR) control the export of defence articles. The regulations include hardware, software and technical data, and defence services that appear on the US munitions list. Many consider export controls within the context of physical shipment. However, the US considers the transfer of software or technical data to a foreign individual, even if located in the US, to be the equivalent of an export to the foreign individual’s home country. The BAA is another challenge that USG contractors face. It gives preference to goods that are produced in the US and in World Trade Organization government procurement agreement signatory countries, free trade agreement countries and designated ‘least developed’ countries. Failure to comply with the BAA may result in contract cancellation and, in cases of fraud, criminal liability.
Avila: In the commercial marketplace, price is established by what the market is willing to pay. USG purchasing is unique in that price may be defined as costs incurred plus a fee, and contracts are awarded within a framework of established and mandatory requirements to protect taxpayers’ dollars while minimising knowledge differentials between parties to the transaction to reach fair and reasonable prices. Mandatory requirements may include a submission of a cost accounting manual, detailed build-up of costs when bidding, and approved indirect cost rates and accounting systems. To ensure adherence to these requirements, USG contractors may be subject to audit depending on the procuring agency, acquisition type and monetary value. The good news is these regulations do not change often, but it is important to be aware of which ones apply and to ensure that requirements are understood throughout the organisation to protect the value of the company.
Lawless: Compliance with the complexities of USG cyber security regulations and requirements can be challenging, particularly for those new to doing business with the USG. The process of attaining CMMC compliance may be time consuming and costly, especially for small and medium-sized entities (SMEs) that lack the resources to hire dedicated cyber security specialists. USG contractors should implement a compliance programme that includes regular monitoring of regulatory changes to stay up to date on USG contract requirements. Organisations should interact with industry groups and participate in events where government officials and industry professionals exchange updates and best practices. Furthermore, organisations can use third-party consultants to assist with compliance efforts and stay current on the latest regulations and requirements.
FW: What are the potential consequences for organisations that are not compliant with US government contract requirements? How would you describe the authorities’ monitoring and enforcement activities?
Lawless: In the previous two years, False Claims Act (FCA) settlements exceeded historic highs, totalling more than $7bn. Why? Because the Civil Cyber-Fraud Initiative was announced in October 2021, enabling the USG to utilise the FCA to prosecute non-compliant contractors and grant recipients. The FCA is bolstered by the whistleblower or qui tam provision, compensating filers with 15 to 30 percent of recovered funds. Organisations that falsely assert CMMC compliance or have significant deviations from USG cyber security requirements face an unprecedented risk of penalties and fines in connection with resolving whistleblower suits, with an average of 12 new filed cases per week. Along with FCA litigation, organisations can expect immediate contract suspension – up to 12 months, with more egregious violations resulting in three-year debarment. The USG has improved monitoring and enforcement of CMMC compliance through partnerships with independent third parties that certify organisations intending to compete for government contracts.
Avila: Sanctions for non-compliance with USG requirements can be bucketed into three categories. First, an inability to bid and receive contracts and grants from the USG. For example, if a company does not have an approved accounting system, it would be precluded from executing on cost-based contracts. Second, the impact to the bottom line. Certain activities and their associated costs are prohibited from reimbursement. Claiming such costs, and ultimately payment by the USG to the contractor, would require repayment to the USG and may include interest and penalties. Certain acquisitions are also subject to a certificate of cost or pricing data, which carries clawback provisions that allow the USG to seek repayment due to defective pricing. Third, criminal and civil penalties. The FCA has severe penalties for many types of false declarations. Contracts may entitle the USG access to contractor records and mandatory audits. Companies must keep records for over six years after contract completion, and negative audit results can be harmful to profitability.
Lathbury: Enforcement of export controls and sanctions violations is at an all-time high. In April 2023, the USG penalised two companies for violations for a combined total of $808m. Both cases involved large multinational companies violating US export regulations because of activities undertaken by their foreign subsidiaries. Fines and penalties for export and sanctions non-compliance can be as high as $1m per violation and could also include loss of export privileges and, in the most severe cases, imprisonment. US enforcement agencies encourage exporters to voluntarily step forward and disclose violations upon discovery. Historically, exporters can mitigate penalties when voluntarily disclosing violations to the government. The US Bureau of Industry and Security, the agency responsible for regulating the export of commercial and dual-use items, has recently gone so far as to consider not filing a voluntary disclosure to be an aggravating factor when considering penalty amounts.
FW: How important is it for organisations engaged in US government contracts to fully understand the links across their supply chains, to avoid inadvertently breaching compliance requirements?
Lawless: Building on the importance of general compliance, the same principle applies to cyber compliance as well. The USG expects that all organisations in the defence industrial base (DIB) supply chain comply with an established set of cyber security requirements to safeguard sensitive government data and systems from threat actors. This implies that the cyber security posture of all suppliers and vendors in the supply chain is equally as critical as the cyber security posture of the prime contractor. If a contractor’s suppliers or vendors do not comply with CMMC, the contractor’s compliance status is also at risk. Organisations must properly assess and monitor their suppliers and contractors to ensure they satisfy the appropriate cyber security requirements. This involves establishing contractual requirements that require suppliers and contractors to comply with CMMC and demonstrate evidence of compliance through periodic assessments and audits.
Avila: Tier-N visibility is a complex challenge heightened by hyper-globalisation. Under USG contracts, every member of the supply chain has the responsibility to understand and flow down applicable requirements to subcontractors. This responsibility is particularly tough at the US prime level, which is the first direct supplier to the USG. These companies generally are required to monitor compliance and educate companies providing components. A challenge for US primes is the Christian Doctrine rule, which states that procurement policies are contained in USG contracts by virtue of being the law even if the clause is not in the contract. Due to the complexities of being a US prime, many primes include the full extent of USG procurement policies to subcontractors out of fear of falling into non-compliance. Therefore, it is important for subcontractors to understand the applicability of USG contract clauses to avoid costly and unnecessary requirements.
Lathbury: Understanding the cross-border trade activity across the entire supply chain is of critical importance and is often the greatest source of risk. This is particularly true for companies in the defence industry that most often handle sensitive ITAR-controlled technical data. When technical data, such as drawings or specifications, are shared with others inside or outside the organisation, effective internal controls ensure that such data is not inadvertently shared with an unauthorised party. Contractors should be mindful of relying on foreign subcontractors to manufacture defence articles because sharing the design specifications would likely be subject to licensing requirements or outright prohibition. BAA compliance also requires an effective understanding of the organisation’s supply chain to establish adherence to the product country’s preference rules. Given the global nature of supply chains, it is important that government contractors capture and track country-of-origin details for the products sourced both domestically and internationally for ultimate sale to the USG. As more companies consider reshoring and friend-shoring, the US content and country preference clauses in the BAA must not be overlooked.
FW: What are the key elements of an effective US government contract compliance programme? How important are robust risk management processes, such as third party due diligence, in this regard?
Avila: Any USG compliance programme should start with a clear understanding of the company’s strategy for capturing grants and contracts. The elements of a USG compliance programme framework can vary greatly, depending on the customer, acquisition method and award value. Once there is a clear USG market strategy and well-defined requirements, organisations can leverage the five components of the Committee of Sponsoring Organizations (COSO), which include control environment, risk assessment, control activities, information and communication, and monitoring activities. We see two leading practices in the DIB regarding USG contract risk management. One is leveraging control activities across multiple stakeholders and requirements, such as Sarbanes-Oxley and the DFARS contractor business systems rule. The second is periodically leveraging third-party consultants with knowledge of USG contract regulations and the Defence Contract Audit Agency Contract Audit Manual to help prepare for upcoming audits and provide independent views through monitoring activities.
Lathbury: Each of the USG agencies responsible for administering export controls and sanctions regulations has published guidelines for the development of an effective compliance programme. Companies often engage third parties to periodically conduct mock assessments based on the government guidelines. An effective export and sanctions compliance programme should contain the following elements. First, management commitment. Second, a risk assessment. Third, proper management and staffing. Fourth, internal controls. Fifth, training. Sixth, self-assessment. Seventh, record keeping. And finally, detection and reporting of violations.
Lawless: Leveraging the five COSO components may establish a foundation for a sound compliance programme. To navigate cyber compliance, organisations must tailor the programme for cyber risk with the following key elements. First, awareness of cyber security regulations and requirements, including the DFARS and Federal Acquisition Regulation clauses related to their contracts. Second, cyber security policies and procedures to ensure compliance with contract requirements. Third, training to ensure employees and stakeholders understand the requirements and their cyber security responsibilities. Lastly, risk management processes, including third party due diligence, to ensure that the supply chain is compliant with the USG’s regulations and requirements. It is essential that organisations establish contractual provisions, or flow downs, that require third-party compliance with the applicable cyber security standards. In addition, aligned with COSO’s monitoring component, they must conduct periodic security assessments to ensure ongoing compliance with regulations and requirements.
FW: To what extent is technology helping companies operating in the US government contracts market maintain compliance, manage profitability and meet the expectations of regulators?
Lathbury: There are several software providers of export and sanctions compliance solutions. These solutions may be web-based as an on-demand service – such as restricted party sanctions screening – or as a solution fully integrated with an organisation’s enterprise resource planning (ERP) system. Fully automated solutions can typically utilise ERP master data, such as product and trading-partner attributes, in conjunction with trade content to comprehensively screen export transactions based on the product, destination country, end-user and end-use. Such automated export solutions also offer document generation, including commercial invoice, export declaration and certificate of origin and, in some cases, connect to the USG’s automated export system declaration-filing portal.
Avila: Technology helps companies minimise human error while reducing the time spent on extracting data and preparing reports. There are third-party software applications created specifically to augment commercial ERP systems to meet the specific demands of USG contracts. These applications weave the ability to accumulate data necessary to meet USG-specific requirements into the functionality of commercial ERP systems while maintaining one user interface and supporting both the commercial and USG parts of the business. The technology serving USG contracts has been focused on helping businesses with number-driven requirements, such as project costing, timesheet-entry compliance and indirect rate monitoring dashboards. But we envision that artificial intelligence (AI) will create opportunities to enhance the operational side of USG contract compliance. Specifically, it may automate the ability to identify contract clauses, compare those to required regulatory requirements, and develop and maintain policies and standard operating procedures.
Lawless: Many CMMC resources and automated solutions are available to assist organisations in streamlining and managing the complexity of USG regulations and requirements. Preconfigured network enclaves can provide sophisticated security features such as hardware-level isolation, memory encryption and trusted execution. Security suites can offer organisations anti-malware software to identify and eliminate malicious code, intrusion detection and prevention tools to prevent unauthorised access, and security information and event management to monitor and report security-related events. A compliance suite may minimise the effort and cost of compliance-related tasks such as policy creation, risk assessments and control monitoring by offering a single solution for managing compliance activities across the organisation. If an organisation is contemplating using technology, such as a compliance or security suite, to manage CMMC compliance, it must ensure that the technology meets the necessary contractual requirements.
FW: How is the US government contracts landscape likely to evolve in the months ahead? Against this backdrop, what advice would you offer to organisations in the US government contracts market?
Lawless: The USG will continue to prosecute non-compliant contractors and grant recipients under the FCA. Once the CMMC programme rule is finalised, USG contracts will require the contractor to possess a CMMC certificate at the specified level. If a contractor lacks the required CMMC certification, it will be unable to supply services and goods to the USG. Going forward, we advise organisations to carry out at least three critical steps, according to existing USG contract requirements. First, they should communicate with their contracting officers and customers, since this is the only way to discover whether sensitive USG data, including CUI, is received or created through their contracts. Second, if their contracts include CUI, then organisations should develop and maintain a system security plan and a plan of actions and milestones. Third, they should submit an accurate score to the supplier performance risk system.
Lathbury: Aggressive government enforcement of export controls and sanctions violations is expected to continue its upward trajectory. Enforcement activity is no longer limited to large organisations, as SMEs that may have flown under the radar previously are now the subject of export and sanctions penalty cases. Major advancements in artificial intelligence may provide the government with more sophisticated methods for detecting potential violations. Due to the extraterritoriality of US export and sanctions regulations, multinational organisations should take extra care with respect to the activities of their foreign subsidiaries. Recent shifts in trade policy, coupled with the major disruption of the coronavirus (COVID-19) global pandemic, have many US companies rethinking their supply chains. When considering changes to the supply chain, it is important not to overlook the impact on trade regulations and potential risks.
Avila: We will continue to see growth in USG demand for products and services, especially for defence items, as the Department of Defence budget increased 10 percent year over year, totalling $858bn. In addition, many US allies are demanding similar products and services, especially those closer to the Ukraine-Russian conflict. We also see opportunities for horizontal growth leveraging developed technology to address new regulatory requirements. For example, the Federal Communications Commission recently issued a rule lowering the timeframe for deorbiting low-earth-orbiting satellites to five years after the end of their mission. This rule will attract contractors that provide cost-effective services for deorbiting satellites in a timely manner. The USG contracts ecosystem is a ‘recession-proof’ market. We expect more companies to continue to include the USG as part of their customer base or expand into this market to hedge against difficult economic times.
Luis Avila has over 18 years of professional experience serving businesses that operate in the US government contracts and grants market. He helps clients optimise their cost structure, transform functional processes to bid and execute contracts, and digitalise activities through automation and data analytics. He can be contacted on +1 (703) 403 7748 or by email: luis.avila@rsmus.com.
Bryan Lathbury specialises in export controls and sanctions, customs tariffs, preferential trade agreements and global trade management systems. Prior to RSM, he was the empowered official at a multinational medical and safety technology corporation and a senior solutions architect for a global trade management software company. He can be contacted on +1 (443) 618 5572 or by email: bryan.lathbury@rsmus.com.
Damien Lawless has 10 years of experience in the IT sector. He specialises in security and risk, bridging the gap between business operations and security requirements through compliance and risk assessments, including the Cybersecurity Maturity Model Certification (CMMC). He formerly served in the US Navy as a cryptological technician. He can be contacted on +1 (563) 888 4124 or by email: damien.lawless@rsmus.com.
© Financier Worldwide