Third Quarter 2024 Government Contracts Policy and Regulatory Review

At a Glance

• On August 23, 2024, the U.S. Small Business Administration proposed key amendments to its regulations governing the Historically Underutilized Business Zone (HUBZone) Program, the Women-Owned Small Business program and Veteran Small Business Certification program.
• The Office of Management and Budget issued a memo providing requirements and guidance to federal agencies on the responsible acquisition and procurement of artificial intelligence (AI).
• The Department of Health and Human Services proposed amendments to its Health and Human Services Acquisition Regulation to implement new standards requirements for procuring health information technology.
• The Department of Defense published its final rule regarding the Cybersecurity Maturity Model Certification (CMMC) Program, which will go into effect on December 16. The Department also proposed regulatory amendments that would increase public access to federally funded research, implement recent National Defense Authorization Act provisions, and revise regulations on Other Transactions agreements for prototype projects.

Federal agencies proposed or finalized several important rulemakings during the third quarter of 2024, raising new opportunities and considerations for government contractors. Below, we highlight some of these changes and opportunities related to small business programs, AI procurement and defense contracting.

HUBZone Program Updates

On August 23, 2024, the U.S. Small Business Administration (SBA) proposed amendments to its regulations governing the Historically Underutilized Business Zone (HUBZone) Program. The amendments arrive following a comprehensive revision to the HUBZone Program regulations in 2019, intended to clarify and improve policies related to the 2019 review. Specifically, the revisions would require any certified HUBZone small business to be eligible as of the date of offer for any HUBZone contract and adjust SBA’s size and 8(a) Business Development (BD) regulations. The amendments also include technical changes to the Women-Owned Small Business (WOSB) and Veteran Small Business Certification (VetCert) programs and reorganize several program-specific recertification provisions.

One of the most significant impacts of the proposed rule concerns recertification requirements. Moving forward, small businesses must recertify their size and status if they are involved in a merger, sale or acquisition after submitting an offer for a set-aside opportunity and an award has not been given. Specifically, if the merger, sale or acquisition occurs within 180 days of offer submission and before award, the small business concern is then ineligible for the award. If the merger, sale or acquisition occurs after 180 days of its offer and before award, the concern would continue to be eligible. These changes would provide additional certainty regarding eligibility when a firm submits an offer, while also raising questions for buyers of small business concerns whose targets may become disqualified through subsequent recertifications.

Additionally, the rule would amend SBA affiliation regulations on size and control by making the negative-control rules consistent across SBA’s various programs (i.e., 8(a) BD, WOSB and VetCert). Under the negative control provision, a concern may be deemed controlled by (and affiliated with) a minority shareholder that can prevent a quorum or otherwise block action by the board of directors or shareholders. The proposed rule would make it easier for small businesses to seek equity funding without becoming affiliated with the investors solely because of a broad interpretation of the negative-control rule. Specifically, the proposed rule would codify specific “extraordinary circumstances” under which a minority shareholder may have some decision-making authority without a finding of negative control. Per amendments to § 121.103(a)(3), the SBA “will not find that a lack of control exists where a qualifying individual or business does not have the unilateral power and authority to make decisions regarding: (1) adding a new equity stakeholder; (2) dissolution of the company; (3) sale of the company or all assets of the company; (4) the merger of the company; (5) the company declaring bankruptcy; and (g) amendment of the company's governance documents to remove the shareholder's authority to block any of (1) through (5).”

The rule would also add a new § 121.1001(b)(2)(iii) to specifically authorize SBA to request a formal size determination where SBA initially verified the eligibility of an 8(a) participant for the award of an 8(a) contract, but then subsequently receives specific information that the participant may be other than small and consequently ineligible. In effect, the rule would restrict eligibility for small businesses acquired by larger firms who must recertify as non-small business concerns, particularly for future orders based on an underlying multiple award contract.

The rule also provides new guidance for how contracting agencies will evaluate joint ventures moving forward — including SBA mentor-protégé joint ventures — by providing that a procuring activity may not require the protégé firm to individually meet the same evaluation or responsibility criteria as that required of other offerors. Section 125.9 provides further requirements related to SBA’s mentor-protégé program.

Department of Defense Updates

DFARS Proposed Rules

On September 26, 2024, the Department of Defense (DoD) published three proposed rules to amend the Department of Defense Federal Acquisition Regulation Supplement (DFARS).

Public Access to Results of Federally Funded Research (2020-D028)
DoD has proposed changes to DFARS Part 235, adding two clauses that require contractors to (1) submit final peer-reviewed manuscripts to the Defense Technical Information Center’s publicly accessible repository, and (2) to develop and maintain a data management plan throughout the performance of the contract. The latter clause will impose a new obligation on contractors awarded research and development contracts, as data management plans are not currently required.

Preventing Conflicts of Interest for Certain Consulting Services (DFARS Case 2024-D007)
This rule would implement Section 812 of the National Defense Authorization Act (NDAA) for FY2024 by prohibiting contracting officers from awarding contracts assigned a NAICS code beginning with 5416 to offerors who hold contracts that involve consulting services with certain covered foreign entities. Offerors will also be required to certify whether they hold contracts that involve consulting services with one or more covered foreign entities and whether they maintain a conflict-of-interest mitigation plan. Accordingly, offerors responding to solicitations for DoD management, scientific or technical consulting contracts should review provisions of 2024-D007 to ensure they do not hold contracts for consulting services with one or more covered foreign entities. Contractors can submit a conflict-of-interest mitigation plan and seek a waiver of the restrictions under the proposed rule.

DoD Cost or Pricing Data Requirements (DFARS Case 2022-D004)
DoD has also proposed increases to the statutory threshold for contract modifications, subcontracts and subcontract modifications in the Truth in Negotiations Act (TINA). This rule would make it easier for government contracting officers to obtain data other than certified cost or pricing data for contract modifications analogous to what they could obtain when issuing contracts.

Transactions Other Than Contracts, Grants or Cooperative Agreements for Prototype Projects

On September 4, 2024, DoD proposed a rule that would revise its regulations on Other Transaction (OT) agreements for prototype projects. The rule is specifically intended to expand the defense marketplace by improving access to technologies and services of companies that otherwise would not work with DoD, such as startups and companies developing innovative technology. In addition to adjusting approval requirements for large dollar OT agreements, the proposed rule would assist small businesses, nontraditional defense contractors, nonprofit research institutions and consortia by making it easier for them to compete for prototype projects.

For example, Section 4022(d) provides that if a nontraditional defense contractor or nonprofit research institution participates to a significant extent in the prototype project — or if all significant participants in the prototype project are either small businesses or nontraditional defense contractors — there is no requirement for the participants to provide a one-third cost share of the project. This limitation on cost sharing should benefit small businesses seeking OT prototype transactions. The comment period for this rule is open until November 4, 2024.

New OMB Guidance Regarding the Acquisition of Artificial Intelligence in the Federal Government

On September 24, the Office of Management and Budget (OMB) issued M-24-18, a memo providing requirements and guidance to federal agencies on “establishing meaningful cross-functional and interagency collaboration to reflect new AI responsibilities, managing AI risk and performance, and promoting a competitive AI market with innovative acquisition.”

Among other requirements, agencies must identify contracts associated with agency use of “rights-impacting” or “safety-impacting” AI and ensure those contracts comply with M-24-18. Starting March 23, 2025, M-24-18’s requirements will apply to new contracts awarded for solicitations issued after that date and to any renewals or extensions of existing contracts. Federal contractors should review their AI service offerings before then to ensure they are in compliance with new and existing requirements.

The memo’s three key areas of AI procurement are outlined below:

1. Cross-functional and interagency collaboration: Agencies are required to create or update acquisition policies, procedures and practices to reflect new responsibilities and governance for AI. For example, within 180 days of the memo’s publication, agencies must submit to OMB a plan for coordinating its AI acquisition strategies with the chief acquisition officer, chief information security officer (CISO), chief financial officer, senior agency official for privacy (SAOP), and other relevant officials (e.g., chief technology officer, chief data officer, chief competition officer and/or an official responsible for protecting civil liberties). The memo also requires agencies to share information on acquisition of AI across the executive branch.
2. Managing AI risks and performance: Although the memo does not replace or supersede existing risk management requirements relevant to AI, it directs agencies to “adjust their acquisition policies and practices to account for the distinctive ways that AI systems and services are developed, trained, and deployed.” Specifically, the memo directs agencies to take specific actions related to privacy, security, data ownership and rights, and interoperability issues that may arise when acquiring an AI service or system. For those agencies acquiring generative AI or AI-enabled biometric systems, the memo provides requirements and recommendations based on industry standards and international frameworks (e.g., NIST, International Organization for Standardization (ISO), International Electrotechnical Commission (IEC)).
3. Promoting a competitive AI market with innovative acquisition: To take advantage of a “dynamic and evolving” AI marketplace, the memo encourages agencies to prevent AI vendor lock-in by establishing data management, portability and interoperability requirements. Appendix I of the memo outlines specific strategies agencies should consider in “promoting innovative acquisition” through implementing performance-based requirements, leveraging an AI-trained workforce and limiting the duration of contracts to align vendor proposals with agency needs. Contractors should review this section of the memo to ensure their proposals are responsive to agency procurement strategies and directly address agency priorities.

HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001)

On August 9, 2024, the Department of Health and Human Services proposed amendments and updates to its Health and Human Services Acquisition Regulation (HHSAR) to implement requirements to procure health information technology (health IT) that meets standards and implementation specifications adopted by the Office of the National Coordinator for Health Information Technology (ONC). The proposed rule would add a new HHSAR subpart 339.70 with revised definitions, policy and a prescription for a new HHSAR clause to implement requirements of the HITECH Act. The rule would also implement requirements applying to all solicitations and contracts issued by or on behalf of HHS entities that involve implementing, acquiring or upgrading health IT used (1) for the direct exchange of individually identifiable health information between agencies and non-federal entities, or (2) by health care providers, health plans or health insurance issuers.

Accordingly, health plan providers, health providers, health insurance issuers, health IT system administrators and product contractors must review the standards and implementation specifications included under Sec. 3004 of the Public Health Service Act to ensure they are in compliance with the requirements adopted by the ONC for HHS contracts involving the direct exchange of health information.

Upcoming Topics of Interest

Looking ahead to the fourth quarter of 2024, we anticipate several other important regulatory developments from the DoD and other agencies. For example, on October 15, 2024, the DoD published a final rule to establish the Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC requires defense suppliers, contractors and subcontractors to implement specific cybersecurity measures depending on what level of sensitive government information they will handle during contract performance. The Final Rule establishes three CMMC levels — down from five tiers in the interim rule — against which contractors will be assessed, based on whether a contractor intends to secure Federal Contract Information (FCI), Controlled Unclassified Information (CUI) or other assets requiring safeguards.

Although the program will be implemented across four phases, the first phase will take effect on December 16, 2024. Contractors should review active and pending DoD contracts to ensure they are in compliance with the relevant CMMC standards and consider conducting a self-assessment or certification assessment, and completing a Plan of Action and Milestones (POA&M) to meet the requirements set forth in the Federal Acquisition Regulation (FAR) and by the National Institute of Standards and Technology (NIST). Contractors can also review Faegre Drinker’s recent client alert for more detailed information regarding the final rule.

Law Clerk Asher Friedman Young contributed to the preparation of this article.