Published Articles

CDI Founder Greg Fordham has authored more than 70 articles on government contracts, computer forensics and security, and electronic discovery. Below are some of his best known articles; most are available for download and a few are available by request only.

10 Steps to Protect Your Network from Employee Based Computer Compromise


When it comes to securing computers and the data they hold, attention is often focused on threats from outside the organization. Even the NIST SP 800-171 security controls imposed on contractors by DFARS 204.7300 and the clause at DFARS 252.204-7012, involving the safeguarding of Controlled Unclassified Information (CUI), are more outwardly than inwardly focused. There are several reasons for this. One is that many threat assessments count attacks from outside the organization as far more numerous than attacks from within. Another is that there have been many large data compromises caused by outsiders.

Despite those numbers, there are mitigating factors that should also be considered. One is that many hackers are simply in it for the challenge. Consequently, while there are many attacks, the damage is often minimal because the attacker lost interest or did not know what to do next once the intrusion succeeded.

By contrast, internal attacks are usually far fewer in number. Nonetheless, forces within the organization are likely a bigger threat than forces from outside. One need look no further than the cases of Bradley Manning and Edward Snowden to realize how much more significant an internal compromise can be than an external one.

Not all insider compromises are the work of malevolent insiders. Indeed, there are two other situations in which insiders are the cause of a data compromise.

The first situation, apart from the malevolent actor, is that even the large hacks that come from outside are often the result of an unwitting security lapse by an insider. In other words, an insider is the unwitting victim of a phishing or social engineering exploit. Thus, the reason there should be more concern about employee based compromise is not simply that one needs protection from the malevolent employee, but that one must also guard against the unwitting employee who falls prey to a malevolent outsider.

The second situation, again apart from the malevolent actor, is that successful hacks also occur when human error has misconfigured some device on the network, leaving the network vulnerable to attack. In either of these latter two situations, the employee based computer compromise is equally problematic.

The following sections discuss the 10 steps to protect your network from employee based computer compromise.

Commercial Items: A New Frontier


The federal government's prior procurement practices reflect its intoxication with protecting the public fisc. Cost based pricing, excessive management interference, and malicious prosecution are all examples of the tools it created to discharge that duty. In the end, however, it simply squandered precious resources.

As a cure for this ailment, regulatory provisions have been considerably revised to streamline the procurement process so that the government can escape the consequences of its own vanity and benefit from commercial items and practices in prescribed situations. While this offers great prospects, the government nonetheless retains many of its elitist philosophies: cost based pricing, excessive management interference, and malicious prosecution remain the status quo unless commercial item practices are adopted for the procurement.

Cost Accounting Standards


The CAS are one of several sets of regulations governing the accounting methods of government contractors. Another common set of accounting rules is contained in the FAR Part 31 Cost Principles and Procedures, which impose their own unique accounting requirements on contractors alongside other accounting principles, such as Generally Accepted Accounting Principles, when they apply.

The CAS are generally said to govern cost allocation, whether direct or indirect, while the FAR Part 31 Cost Principles are said to govern allowability. Since the two sets of rules are generally complementary, it is easy for contractors to find themselves subject to both.

When contractors are subject to both, the CAS prevail if there is a conflict between the requirements of FAR Part 31 and the CAS. Contractors that are not covered by the CAS and are subject only to the FAR Part 31 rules will still find themselves bound by some elements of the CAS, since many of those elements, though not their entirety, have been incorporated into the FAR Part 31 rules.

To a great extent the real consequence of CAS coverage is contractor liability. Since many contractors will escape much of the burden and risk of performing fully covered contracts as a result of the increased thresholds for full coverage, the increased risk of the CAS will be blunted for all but the largest contractors or smaller contractors performing very large contracts.

Cost or Pricing Data


The requirement for cost or pricing data originates in the Truth in Negotiations Act (TINA), 10 U.S.C. § 2306a, P.L. 87-653. TINA was first enacted in 1962 as a means to legislatively curb excess profiteering by government contractors. Since the goal was the negotiation of a fair and reasonable price, the law's objective was to place the government on an equal negotiating footing with the contractor by requiring contractors to make certain disclosures about the proposals they prepared for their products and services. Once both sides were equipped with the same information, all that separated the parties would be their negotiation skills.

Despite its well-meaning intentions, TINA and its progeny, cost or pricing data, have caused much consternation and by many accounts have even deprived the government of the goods or services it desires, since some contractors have refused to sell to the government whenever TINA applies. The TINA requirements are onerous; some even claim they are impossible to actually achieve. So, contracting with the government when TINA requirements apply carries considerable risk, which every covered contractor should understand.

Cost or pricing data are facts. They are not a calculation, a methodology or even a presentation format. Consequently, they are not the schedules created by contractors showing the calculation of their proposed prices, since those are merely estimates about future performance.

Rather, cost or pricing data are the facts related to the proposal, whether or not the contractor actually used them in developing it. In fact, there is no requirement that the disclosed data actually be used by the contractor when calculating price or conducting negotiations.

A contractor's duty to disclose cost or pricing data is affirmative. In other words, the data need not be requested by the buyer; the disclosure obligation rests entirely with the seller.

Four Reasons Why You Need Celestial Defense to Investigate Your Intrusion and Data Breach


When one weighs the two choices of using in-house resources or an outside consultant to investigate an intrusion, data breach, or potential cyber incident under the new DoD rule, two factors loom large. First, by their own admission in the recent Ponemon Institute survey, over half of in-house security professionals are not adequately equipped to handle the unique challenges of a network intrusion and data compromise. Equally shocking, these results are not an isolated aberration. Indeed, Ernst & Young found similar results in its 2013 Global Information Security Survey. Specifically, it found that "Information Security Departments continue to struggle with a lack of skilled resources and support." In fact, 50 percent of respondents in the Ernst & Young survey "cited a lack of skilled resources as a barrier to value creation."

Second, over 70 percent of the respondents in the recent Ponemon Institute survey think it will take them a year or more to fully understand the scope and consequences of an intrusion. Of course, management does not have that kind of time to determine the cause and assess the impact.

Consequently, if you are in senior management at a government contractor whose data was just compromised, there are four reasons why you should get help from an outside consultant in general and Celestial Defense in particular.

Managing Requests for Equitable Adjustment


Contract changes, particularly constructive changes, can happen for a variety of reasons, such as a protest after award, a differing site condition, the late delivery of government furnished property or information, or the unsuitability of whatever property or information the government did furnish. A change can also be caused by a delay resulting from the government's failure to provide permits or to give the notice to proceed in a timely manner, or by some other event that causes work to stop.

The causes are many and they are common. There are even provisions that enable the government to change the work itself, often to accommodate a change in the government's actual needs or performance standards. Changes can even be made in contracts covering work as predictable as commercial items.

Thus, the challenge in federal procurement is not to avoid contract changes. Rather, success or failure for government and contractor alike often turns on how quickly one can recognize a changed condition, match the condition to the proper clause governing it, understand the process for settling the change under that clause, and then manage the resolution process. This skill is particularly important when contracts are terminated for convenience, since a contractor's recovery on the terminated contract could be needlessly reduced if the contract price has not been properly adjusted to match the actual scope of work performed.

While good and effective change management is important for both government and contractor, there is a significant payoff for contractors. Since the work will be performed anyway, every dollar recovered goes essentially to the bottom line, and the payoff for effective change management is immense. After all, in the normal course of business a contractor would likely have to win and perform contracts worth ten times the amount of any change dollars recovered to have the same effect on the bottom line. For contractors, therefore, settling changes represents a considerable sales opportunity.

Penalties Under DFARS Safeguarding Controlled Unclassified Information (CUI)


None of the 2013, 2015 or 2016 DFARS rules contains penalties for contractors whose information systems do not comply with the rules' requirements. In fact, no version of the rules mentions a penalty for a cyber incident either. On the contrary, the rules indicate that a cyber incident is not by itself evidence that a contractor failed to meet the requirements imposed by the rules.

Not only are there no express penalties, there are no pre-award representations or certifications either. Rather, the contractor is simply required to comply with the rules' requirements and is advised that, by submitting its offer, it is representing that it will comply with the safeguarding requirements.

There is no requirement for a contractor to claim that its information system actually complies with the requirements of the new rule, has been certified as complying with the rules, or any other such claim. As a result, there is no requirement that the contractor's system comply with the rule prior to award, or even be able to comply with the rule prior to award. All that is required is that the contractor comply with the rule at the time of award and during performance.

Reporting Requirements Under DFARS Safeguarding Controlled Unclassified Information (CUI)


All three iterations of the rule, the 2013, 2015 and 2016 versions, require contractors to report a "cyber incident". There are no other reporting requirements, such as a report on whether a contractor's systems actually comply with the security standards.

Whether a contractor's system meets the various system standards is likely a very subjective determination, however. The various security controls are broadly worded. In addition, there simply are no hard and fast rules about how they are to be achieved or how compliance should even be measured. In fact, the only thing that is likely measurable is whether or not the contractor has experienced a "cyber incident".

A cyber incident is defined identically in all versions of the rules as "actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein." Remarkably, the definition is not very helpful when determining a contractor's reporting obligations. After all, what is an adverse effect, whether actual or potential?

Safeguarding Controlled Unclassified Information (CUI): The Covered Data Requirements


Unlike the rules governing classified data, which protect all classified data, the new rules do not apply to all unclassified data. Rather, they apply only to certain unclassified data that has been identified as worthy of protection. Thus, even though the new clauses are required in every defense contract, their requirements for security controls and incident reporting are triggered only if covered data resides on or transits the contractor's information systems. Consequently, a first step to understanding the requirements of the rule is understanding which kinds of data the controls and security standards apply to. Remarkably, the types of data to be protected differ between the 2013, 2015 and 2016 versions of the DFARS rule. The difference is both obvious and immediate, since it appears in the first paragraph of the scope section, DFARS 204.7300(a), of the respective rules.

Terminations for Convenience


Although terminations are common in government contracting, the prospect of a contract termination is still a significant event. In return for being able to terminate a contract for its convenience, the government makes considerable promises to compensate the contractor in the event of a termination.

When a contract is terminated, the contractor is required to submit a termination settlement proposal stating the additional compensation to which it is entitled under those promises. The proposal then forms the basis for negotiating a final resolution of the terminated contract with the government.

Settling a terminated contract is no simple matter. Contractors should expect to expend considerable effort in settling their terminated contracts. Understanding the consequences of the termination for their own organizations and then maximizing the cost recovery for those consequences will prove substantial work. Satisfying their responsibilities relative to subcontract settlement will also be expensive and time consuming.

Fortunately, all of these costs are recoverable, including the costs of outside consultants and experts experienced in navigating the complex rules and maximizing a contractor's recovery. In fact, using experts can be essential, since successfully negotiating a settlement often requires the contractor to know the government's job as well as its own in order to overcome objections and reach a final settlement.

The Case Against Offsets When Pricing Changes and Delay Claims in Government Contracts


Author Fordham presents a compelling and well thought-out 10-page article arguing that there is no basis for offsetting Eichleay overhead with amounts received as markups on change orders. In presenting his thesis, Fordham examines the issue from three perspectives. First, he examines the percentage markup method as required by the Federal Acquisition Regulation (FAR) and the Cost Accounting Standards (CAS). Second, he examines the mechanics of the Eichleay formula and the variables used in the computation. Finally, he examines the decisions of the General Services Board of Contract Appeals and of the Federal Circuit in Wickham Contracting, where both the Board and the Court rejected the government's decrement to the Eichleay value for overhead recovered in priced changes.

This article first appeared in The Procurement Lawyer, Spring 2004, Vol. 39, No 3, American Bar Association Section of Public Contract Law, and is available by request only.

Understanding the Road to the DFARS Safeguarding Controlled Unclassified Information (CUI)


DoD's expanded interest in data security for unclassified information follows an expanded government-wide interest in protecting unclassified information. In fact, the federal government's interest in safeguarding unclassified information has grown dramatically since 2000, at least for unclassified data on its own systems. In 2000, the primary direction for the protection of unclassified information was memorialized in OMB Circular A-130, which focused on the management of federal information resources. Since 2000 there have been several significant initiatives related to cyber security in general and Controlled Unclassified Information (CUI) in particular.

DoD's process for extending CUI requirements to its contractors began with a proposed rule in 2011 that was made final in November 2013. This was before NARA, the executive agent for CUI, had issued any rules or standards, although NARA had asked NIST to develop a set of security standards. It was also before NARA had promulgated any rules of its own governing federal contractors, although it had indicated that a single FAR-wide rule would likely be proposed in 2016. In fact, a final rule was published in May 2016 that added requirements at FAR 4.1900, 7.105 and 12.301 and the contract clauses at FAR 52.204-21, 52.213-4 and 52.244-6.

Untangling the Governing Set of Security Standards for DFARS Controlled Unclassified Information (CUI)


Under all versions of the DFARS rules, contractors are required to provide adequate security to safeguard the covered data. The security systems and controls used by the contractor to safeguard covered data are required to meet certain minimum standards prescribed by the contract clauses.

The 2013 rule requires only 51 security controls drawn from NIST SP 800-53. Those controls apply, however, only to the contractor's own systems. Thus, even though the definition of a contractor information system is quite broad, as discussed previously, these controls apply only to the contractor's own information systems.

The 2015 and 2016 versions prescribe standards for both contractor information systems and cloud computing service providers. With respect to contractor information systems, the 2015 and 2016 versions impose the NIST SP 800-171 security requirements. NIST SP 800-171 contains 109 requirements, which can be mapped to 124 of the NIST SP 800-53 controls.

With respect to cloud computing service providers under the 2015 and 2016 versions, the applicable standards differ for cloud service providers used by DoD versus those used by a contractor. For cloud providers serving DoD directly, the requirements are those described in the DoD Cloud Computing Security Requirements Guide (CCSRG), which follows a DoD-modified version of the FedRAMP version 2 Moderate baseline. The CCSRG applies when contractors are providing cloud computing services directly to DoD.

The 2016 version of the rule also applied cloud computing standards to cloud service providers used by contractors. In that situation the CCSRG is not specified; rather, the 2016 rule simply requires security equivalent to the FedRAMP Moderate baseline.

Wickham Contracting: A Holocaust


Wickham Contracting is the case in which the Federal Circuit proclaimed the Eichleay formula the only means for computing unabsorbed overhead (delay damages) on federal government contracts. In this 20-page article, author Fordham reviews the history of delay claim quantification in government contracts as well as the damages theory, and explains how the court's decision in Wickham undermines equitable analysis.

This article first appeared in The Clause, December 1995, The Board of Contract Appeals Bar Association, and is available by request only.

Safeguarding Controlled Unclassified Information: The Fundamental Contract Requirements


DoD was the first federal agency to impose requirements for safeguarding CUI on its contractors. The process began in 2011, shortly after EO 13556 was issued, with the publication of a proposed rule. Although the proposed rule was not included in contracts, the rule was finalized in 2013 and imposed CUI safeguarding requirements on contractors at every tier, including commercial item contracts. Thus, starting in November 2013 every defense contract award carried the safeguarding requirements, and those requirements flowed down to subcontractors at every tier.

DoD's efforts were well ahead of NARA, the government's executive agent for EO 13556 and for the government's initiative to protect CUI in non-federal organizations such as federal contractors. Once NIST published its standards for the protection of CUI in non-federal organizations in June 2015 as Special Publication 800-171, it was obvious that DoD's requirements for safeguarding CUI were severely misaligned. As a result, DoD published another interim rule later in 2015 that not only updated its information security controls for contractor information systems but also expanded the coverage to cloud computing services under FedRAMP, another initiative managed by OMB. The expanded coverage was considered so burdensome that in late December 2015 contractors were given until December 31, 2017 to comply.

DoD's 2015 rule was finalized in late 2016. Several more changes were made to both the definitional aspects of the rule and its coverage. The definitions were streamlined, and they were made more tangible by adding the CUI Registry as a source for identifying covered data. With respect to coverage, the requirements were scaled back so that they no longer flow down automatically to subcontractors. Rather, primes and upper tier subcontractors assess whether covered data will even be involved in a subcontract before including the requirements in it.

While the 2016 final rule narrows the safeguarding requirements, there are still aspects of the coverage that reach beyond the intended scope of the initiative. The government's interest in safeguarding CUI is to extend protection to the systems of non-federal organizations so that CUI is similarly protected regardless of the environment in which it resides.

This article is available by request only.