Five Fundamentals of the CTA that Small Businesses Need to Understand Now


As part of the 2021 National Defense Authorization Act, small businesses will now need to comply with the new Corporate Transparency Act (CTA). This is meant as an additional preventative measure against money laundering and funding of terrorist organizations.  

Small business owners will need to provide basic identifying information and comply by January 1, 2022. It’s important to comply as the penalties are significant and raise daily until the information is provided. Don’t forget to put this new requirement on your calendar!

This is a guest post by Laura Sims of PilieroMazza PLLC.

On January 1, 2021, Congress enacted the 2021 National Defense Authorization Act. In an effort to strengthen the fight against money laundering and the funding of terrorist activities, it included broad amendments to the U.S. Anti-Money Laundering Act, the most significant of which was the Corporate Transparency Act (CTA). 

The CTA will greatly impact the way businesses are formed and how they operate, and it will require regular reporting practices that businesses need to prepare for before the CTA takes effect. Below are five fundamentals of the CTA that small businesses need to understand now.

1. What is the CTA?

The CTA is legislation that requires privately held U.S. businesses to report certain identifying information for all beneficial owners of such businesses to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). The CTA was passed to identify and prevent formation of shell companies with no legal U.S. connections that were created solely for illicit financing purposes, including money laundering and terrorist organization funding. 

To provide greater transparency into who owns and controls small businesses in the U.S., the CTA will require each beneficial owner of qualifying entities to report his or her full name, date of birth, current address, and unique identification number, such as social security number, passport ID number, or driver’s license ID number, to FinCEN, unless exempt. Under the CTA, a “beneficial owner” is any individual who directly or indirectly owns or controls at least 25% of the ownership interests of, or exercises substantial control over, a qualifying entity.

Some of the individuals exempt from beneficial owner reporting include:

  • Creditors of entities unless the creditor independently qualifies as a beneficial owner;
  • Employees of entities if the “control” over the entity is based solely on their employment status;
  • Minor children, if their parent / guardian information is reported; and
  • Those who own or control interest in an entity solely through inheritance.

2. Who is subject to the CTA?

All privately held business entities either formed or registered to do business under the laws of any State or jurisdiction in the U.S., unless exempt, will be subject to the CTA reporting requirements.

A few examples of exempt entities include:

  • Non-profit organizations;
  • Publicly traded companies, banks, credit unions, and other financial institutions heavily regulated by government agencies, such as the Securities and Exchange Commission; and
  • Companies with over twenty (20) full-time employees with reported gross receipts or sales over $5 million on the previous year’s tax returns and an operating physical office address in the U.S.

3. When does it go into effect?

The start date for reporting requirements under the CTA is tied to when the Treasury adopts regulations under the CTA, which must take place no later than January 1, 2022. All qualifying U.S. business entities formed after the regulations are adopted will be required to report at the time of formation.

Qualifying business entities formed before the regulation adoption date will be required to submit reports no later than two (2) years after the regulation adoption date. All businesses, whether formed before or after the regulations are adopted, will be required to update any change in their previously reported information within one (1) year of such change.

4. How will this affect businesses?

The most obvious answer is that qualifying entities will need to completely and correctly submit required beneficial owner information to FinCEN within the applicable reporting window and ensure that any changes in the previously reported information are updated in a timely manner. In many instances, business entities will need to start collecting the required information from beneficial owners well in advance of the reporting deadline. 

All qualifying entities will need to build beneficial owner information collection into their regular operations with the realization that, where there are multiple qualifying beneficial owners, the reporting and update deadlines might be logistically burdensome. Similarly, future business transactions, such as mergers and acquisitions, may need to include additional due diligence and representations and warranties specific to a target entity’s CTA reporting.

5. Why is it important, and what should you do to prepare?

Under the CTA, failure to report beneficial owner information, reporting incorrect information, or failure to update previously reported information will have serious consequences. These may include civil penalties up to $500 per day until the violation is corrected, as well as criminal fines up to $10,000 and imprisonment up to two (2) years. 

While CTA regulations are not mandated until January 1, 2022, business entities should stay informed about regulatory insights released before the regulation adoption date to ensure that all required information is properly collected and submitted when reporting is due. 

Finally, there are still ambiguities in several critical aspects of the CTA, including how ownership and control will be determined, as well as what the reporting requirements will be for certain partnerships and trusts. Because of these ambiguities, privately held business entities should work with legal counsel in advance of the CTA regulation adoption to fully understand whether they will be subject to the reporting requirements, and if so, what those reporting requirements will be.

If you have questions about how the CTA could impact your business or would like to learn more, please contact Laura Sims, the author of this blog, or any member of PilieroMazza’s Business & Transactions Group or Corporate and Organizational Governance Group.

This post originally appeared on the PilieroMazza blog at and was reprinted with permission.

Are IDIQs All They are Made Out to Be?

IDIQs are absolutely critical to the growing small business. Whether chasing a re-compete of existing work or growing your portfolio of contracts, IDIQs often provide that “access” that is just not available without them. Either as a prime IDIQ contract holder or as a subcontractor/teaming partner, these are the way to success. The fish don’t jump in the boat, but these IDIQ tips will help you land them.

This is a guest post from our friends at Proposal Helper.


Indefinite Delivery Indefinite Quantity contracts (IDIQs) are here to stay and are going to get more and more popular. For any company doing business with the United States Government, pursuing and winning a spot on an IDIQ is not an option; it’s an absolute necessity. In fact, government agencies are almost mandated to use Best In Class IDIQs for common procurements (OMB Memorandum M-19-13, issued March 20, 2019).

But are IDIQs all they are made out to be? Not all IDIQs are made alike. Knowing which one to pursue – and why – is an important consideration for any business. What are the pros and cons of IDIQs for your business?

Increases Access to Unique Opportunities

The contracting agencies (NITAAC, GSA, etc.) are marketing the IDIQs to their internal customers, which allows the IDIQ contractors to gain access to some very unique opportunities. It is also a great way for small businesses to learn about and pursue contracts that might otherwise be too competitive.

Limited and Known Competition

Perhaps the most attractive aspect of an IDIQ is limited and known competition. IDIQ winners are part of the “winner’s circle,” and generally every company gets to know who they are competing with for task orders. The number of companies you are competing against is smaller than with other procurement opportunities, and they are all known to you. This significantly propels your capture efforts and allows you to fine-tune your strategy. You can plan your win themes and differentiators and establish your unique qualifiers ahead of time.

Companies that invest time to learn their competition are able to not only speak to their differentiators but also align their company’s capabilities to push forward and reap the benefits of the IDIQ. However, lately, it may appear that everyone who submits a proposal is awarded, which erodes some of the IDIQ luster. This does not mean companies should not pursue IDIQs — it only means that you need to be selective in which IDIQs to bid and win.

Increase Market Valuation

With Category Management, IDIQs fall under different Tiers, and the value of the IDIQ to your company will vary. Understand the IDIQ Tiers (Tier 0 – Tier 3) before you make a bid decision. Some companies amass IDIQs to increase their market value before getting ready to exit (sell the company). 

If increasing market valuation is your primary goal for pursuing IDIQs, profile your ‘ideal’ buyer and focus on pursuing IDIQs that will make your company attractive to that buyer demographic. It is not always BIC (Tier 3) IDIQs that fetch the most value. Your company’s capabilities will dictate which IDIQ makes the most sense.

Stretch the Finish Line – 8(a) Category

When it comes to socio-economic privileges, IDIQs that extend your socio-economic status beyond your original graduation date (currently this only applies to companies in the 8(a) category) may be important. For example, the GSA 8(a) STARS III was recently recompeted, and any 8(a) company that wins a seat at this table will likely be able to extend its 8(a) status through the life of the contract.

This is especially important if your current 8(a) contract clients would like to continue working with you—with an “extended” graduation date, you will be able to offer your clients a prolonged platform to continue working with your company. On this note, GSA publicized their latest efforts to create an IDIQ just for Woman-Owned Small Business and HUBZone Small Businesses via the announcement of the latest IDIQ – GSA POLARIS.

At the end of the day, IDIQs are what companies make of them. There’s no denying that they are very popular in the world of government contracting. Oftentimes, once companies have secured the IDIQs, most let them fall by the wayside, for one of two reasons: they went after the wrong types or they have too many of them and are too overwhelmed to keep up with task orders. 

Bidding on IDIQs can be expensive, but the return on investment (ROI) will come from bidding on actual task orders. For that to be successful, companies should be prepared and have the infrastructure in place to bid on task orders, recruit key personnel, estimate and price their services competitively, and—most importantly—be prepared to successfully deliver on the contracts.

How to Take Advantage of IDIQs

Since there are many benefits of IDIQs, it’s wise for your small business to make them a priority. If you don’t, you’ll miss out on a -billion-dollar industry of tasks and orders for the government.

So how do you get started? Before you decide to pursue an IDIQ, be sure to answer the following types of questions so you can set realistic expectations:

  • Why is the IDIQ important to your company?
  • How will your company respond to task orders?
  • How will you work with partners?

The answers to these questions should help you determine exactly why you’d like the IDIQ. Maybe your goal is to boost your company’s sales value or, perhaps, you’d like the peace of mind of having a guaranteed amount of work.

Be sure you understand the value of the IDIQ, whether or not it is used by your target audience, and the type of outcome you expect. If you’re interested in using IDIQs to your advantage, check out ProposalHelper’s IDIQ Reports and follow us on LinkedIn to learn about upcoming IDIQs every Friday.

This post was originally published on the Proposal Helper blog at and was reprinted with permission.

9 “Pieces” to Diminish Cyber Risk for Small Companies, Part II

This is a guest post by Stewart Wharton, TAPE VP of Operations.

Mr. Wharton is a cybersecurity expert, having spearheaded the cyber capability at TAPE and serving in a variety of cyber roles, including Defense and Intelligence Cyber Sector Lead, at KPMG and with the Office of the Chief of Naval Operations N6 as the Deputy Chief Information Officer for Information Assurance and Enterprise Architecture.


In Part I of this post, Stewart “Stu” Wharton explained that defining and communicating your company’s cyber risk management regime is central to your company’s overall cybersecurity strategy. He noted that even if you are outsourcing this task, corporate leadership must be aware of the risks. 

He has already discussed network security, user education and awareness, and malware prevention. In today’s post he will reveal the rest of his 9-piece plan to diminish cyber risk for small businesses.

4. Removable media controls. Make a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system. Removable media bring three main risks: 

Data security – Because removable media devices are typically small and easy to transport, they can easily be lost or stolen. In fact, every time you allow an employee to use a USB flash drive or other small storage device, your organization’s critical or sensitive information could fall into the wrong hands. What’s more, even if you encrypt your removable storage devices, you will not be able to recover lost files once the USB flash drive or other device is lost.

Malware – Simply put, when employees use removable media devices, they can unknowingly spread malware between devices. This is because malicious software can easily be installed on USB flash drives and other storage devices. In addition, it just takes one infected device to infiltrate your company’s entire network.

Media failure – Despite its low cost and convenience, removable media is inherently risky. This is because many devices have short life spans and can fail without warning. As such, if a device fails and your organization doesn’t have the files backed up, you could lose key files and data.

5. Secure configuration. Apply security patches and maintain the secure configuration of all systems. Create a system inventory and define a baseline build for all devices. Web servers and application servers are two entry points for configuration vulnerabilities in your organization’s network. According to the Open Web Application Security Project® (OWASP), these security vulnerability types arise through:

  • Improper file and directory permissions
  • Unpatched security flaws in server software
  • Enabled or accessible administrative and debugging functions
  • Administrative accounts with default passwords
  • SSL certificates and encryption settings that are not properly configured.
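As an added example (not code from the post), a small Python audit that checks one system-inventory record against the five OWASP misconfiguration classes listed above. The record format, the baseline versions, the default-credential list and the sample hosts are all constructed for this example.

```python
"""Baseline configuration audit for the five OWASP misconfiguration classes
listed in the post. Constructed example: the inventory record layout, the
baseline versions and the default-credential list are assumptions."""
import stat
from dataclasses import dataclass

# Constructed baseline: minimum patched versions the inventory should meet.
BASELINE_VERSIONS = {"nginx": (1, 24, 0), "openssh": (9, 3)}

# Constructed list of vendor/default credentials an admin account must not use.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "12345678"}

WEAK_TLS_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
DEBUG_FEATURES = ("debug", "server_status", "remote_console")


@dataclass
class Finding:
    category: str  # one of the five OWASP classes from the post
    detail: str


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def audit_configuration(host):
    """Return a list of Findings for one inventory record (a dict)."""
    findings = []
    # 1. Improper file and directory permissions (mode is an int like 0o644)
    for path, mode in host.get("paths", {}).items():
        if mode & stat.S_IWOTH:
            findings.append(Finding("permissions", f"{path} is world-writable ({oct(mode)})"))
        if path.endswith((".key", ".pem")) and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(Finding("permissions", f"{path} is readable by group/others"))
    # 2. Unpatched security flaws in server software (version below baseline)
    for pkg, ver in host.get("software", {}).items():
        minimum = BASELINE_VERSIONS.get(pkg)
        if minimum and parse_version(ver) < minimum:
            findings.append(Finding("unpatched", f"{pkg} {ver} is below baseline"))
    # 3. Enabled or accessible administrative and debugging functions
    for feature, enabled in host.get("features", {}).items():
        if enabled and feature in DEBUG_FEATURES:
            findings.append(Finding("debug_enabled", f"{feature} is enabled"))
    # 4. Administrative accounts with default passwords
    for account in host.get("admin_accounts", []):
        pw = account["password"]
        if pw.lower() in DEFAULT_PASSWORDS or pw == account["name"]:
            findings.append(Finding("default_password", f"account {account['name']}"))
    # 5. TLS certificate and encryption settings
    tls = host.get("tls", {})
    for proto in tls.get("protocols", []):
        if proto in WEAK_TLS_PROTOCOLS:
            findings.append(Finding("tls", f"weak protocol {proto} enabled"))
    for cipher in tls.get("ciphers", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(Finding("tls", f"weak cipher {cipher}"))
    if tls.get("cert_days_remaining", 999) < 0:
        findings.append(Finding("tls", "certificate has expired"))
    if tls.get("self_signed"):
        findings.append(Finding("tls", "self-signed certificate in use"))
    return findings


def categories_failed(host):
    """Sorted list of the OWASP classes the host fails (empty if compliant)."""
    return sorted({f.category for f in audit_configuration(host)})


# Constructed inventory record that fails every one of the five classes.
SAMPLE_HOST = {
    "name": "web-01",
    "paths": {"/var/www/uploads": 0o777, "/etc/nginx/server.key": 0o644},
    "software": {"nginx": "1.18.0", "openssh": "9.3"},
    "features": {"debug": True, "server_status": False},
    "admin_accounts": [{"name": "admin", "password": "admin"},
                       {"name": "ops", "password": "Xk9!vQ2p"}],
    "tls": {"protocols": ["TLSv1", "TLSv1.2"],
            "ciphers": ["RC4-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
            "cert_days_remaining": -3, "self_signed": False},
}

# Constructed record that matches the baseline build.
CLEAN_HOST = {
    "name": "web-02",
    "paths": {"/var/www/html": 0o755, "/etc/nginx/server.key": 0o600},
    "software": {"nginx": "1.25.2", "openssh": "9.6"},
    "features": {"debug": False},
    "admin_accounts": [{"name": "ops", "password": "Xk9!vQ2p"}],
    "tls": {"protocols": ["TLSv1.2", "TLSv1.3"],
            "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"], "cert_days_remaining": 120},
}

if __name__ == "__main__":
    for host in (SAMPLE_HOST, CLEAN_HOST):
        print(host["name"], categories_failed(host))
        for f in audit_configuration(host):
            print("  ", f.category, "-", f.detail)
```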

6. Managing user privileges. Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs. How can you mitigate the risk of privileged account abuse? To tackle the threat of privileged users in accordance with industry best practices, you need the following:

Efficient privileged account management – Ensure that privileged users in your information technology environment have only the access rights they need to do their jobs.

Control over access to privileged user accounts – Protect your privileged accounts from unauthorized use with strong password management and techniques such as multi-factor authentication.

Privileged user monitoring – Gain visibility into the actions of privileged users to catch abuse or external attacks quickly and limit the damage. Simply letting users know that user activity monitoring is in place can also go a long way toward deterring misbehavior and even preventing accidental misuse, since users are likely to be more careful about their actions.

User behavior analytics – Identify the privileged users with the most suspicious behavior so you can respond in time by discovering and investigating anomalies in user behavior patterns.

7. Incident management. Most small businesses do not have the means to establish complex incident management processes. Some simple steps to take include:

  • Establish an incident response and disaster recovery capability;
  • Develop a simple communications plan to ensure all stakeholders are contacted;
  • Make sure to include third-party vendors as part of your plan; and
  • As part of your employee training, test your incident management plans.

8. Monitoring. Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. A variety of continuous monitoring software is available, both on-premises and in the cloud. Once you have the monitoring capability, you can analyze logs for unusual activity that could indicate an attack. This may seem like overkill for a small company, but consider these eight reasons why small businesses should implement a network monitoring system:

  • Visually document your growing network
  • Do more with less
  • Monitor from anywhere
  • Troubleshoot issues more easily
  • Plan for future growth
  • Improve network security
  • Track trends without hours of data digging
  • Improve the bottom line
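As an added example covering both the privileged-user monitoring and behavior analytics in piece 6 and the log analysis in piece 8 (not code from the post), a Python script that learns each privileged account's usual source addresses from a baseline window of auth log lines and then scores a later window for off-hours use, new sources, failed-authentication bursts and changes to logging. The log format, account names, hosts, thresholds and weights are all constructed assumptions.

```python
"""Privileged-user monitoring over constructed auth log lines.
Constructed example: the log format, privileged account list, business hours,
sensitive targets and scoring weights are assumptions, not a product's rules."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)(?: target=(?P<target>\S+))?$"
)
PRIVILEGED_USERS = {"admin-ops", "admin-db"}   # constructed privileged account list
BUSINESS_HOURS = range(7, 19)                  # 07:00-18:59 UTC
SENSITIVE_TARGETS = ("/var/log", "auditd", "/etc/shadow")
FAILURE_BURST = 3                              # failures that count as a burst


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def build_baseline(lines):
    """Per privileged user: the source addresses seen succeeding in the learning window."""
    baseline = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["user"] in PRIVILEGED_USERS and rec["result"] == "success":
            baseline[rec["user"]].add(rec["src"])
    return baseline


def score_window(lines, baseline):
    """Score each privileged user's activity in a window: {user: (score, [reasons])}."""
    scores = defaultdict(lambda: [0, []])
    failures = defaultdict(int)
    new_sources = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        user = rec["user"]
        if user not in PRIVILEGED_USERS:
            continue                      # ordinary users are out of scope here
        entry = scores[user]
        if rec["ts"].hour not in BUSINESS_HOURS:
            entry[0] += 1
            entry[1].append(f"off-hours {rec['action']} at {rec['ts'].isoformat()}")
        if rec["src"] not in baseline.get(user, set()) and rec["src"] not in new_sources[user]:
            new_sources[user].add(rec["src"])  # weight a new source once per window
            entry[0] += 2
            entry[1].append(f"new source {rec['src']}")
        if rec["result"] == "failure":
            failures[user] += 1
            if failures[user] == FAILURE_BURST:
                entry[0] += 3
                entry[1].append(f"{FAILURE_BURST}+ failed privileged authentications")
        target = rec.get("target") or ""
        if rec["action"] in ("delete", "stop", "edit") and target.startswith(SENSITIVE_TARGETS):
            entry[0] += 4
            entry[1].append(f"{rec['action']} on sensitive target {target}")
    return {user: (score, reasons) for user, (score, reasons) in scores.items()}


def rank_users(lines, baseline):
    """Privileged users ordered by descending score, for the analyst to review first."""
    return sorted(score_window(lines, baseline).items(), key=lambda kv: -kv[1][0])


# Constructed learning window: normal business-hours use from known sources.
BASELINE_LOG = [
    "2024-03-04T09:10:00Z host=web-01 user=admin-ops src=10.0.1.20 action=login result=success",
    "2024-03-04T14:30:00Z host=web-01 user=admin-ops src=10.0.1.20 action=edit result=success target=/etc/nginx/nginx.conf",
    "2024-03-04T10:00:00Z host=db-01 user=admin-db src=10.0.1.21 action=login result=success",
]

# Constructed review window: one account shows a late-night burst from a new source.
WINDOW_LOG = [
    "2024-03-05T09:15:00Z host=web-01 user=admin-ops src=10.0.1.20 action=login result=success",
    "2024-03-05T23:41:10Z host=web-01 user=admin-ops src=203.0.113.9 action=login result=failure",
    "2024-03-05T23:41:30Z host=web-01 user=admin-ops src=203.0.113.9 action=login result=failure",
    "2024-03-05T23:41:55Z host=web-01 user=admin-ops src=203.0.113.9 action=login result=failure",
    "2024-03-05T23:42:20Z host=web-01 user=admin-ops src=203.0.113.9 action=login result=success",
    "2024-03-05T23:45:02Z host=web-01 user=admin-ops src=203.0.113.9 action=delete result=success target=/var/log/auth.log",
    "2024-03-05T10:02:00Z host=db-01 user=admin-db src=10.0.1.21 action=login result=success",
    "2024-03-05T10:05:00Z host=db-01 user=jsmith src=10.0.1.50 action=login result=success",
]

if __name__ == "__main__":
    for user, (score, reasons) in rank_users(WINDOW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{user}: score {score}")
        for reason in reasons:
            print("   -", reason)
```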

9. Home and mobile working. Especially with the advent of COVID-19, remote working is becoming more the norm than an exception. Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all devices. Protect data both in transit and at rest.

I hope these simple pieces will allow you to take the actions necessary to make your small business more secure. I will follow up with a piece on how small companies can achieve compliance with National Institute of Standards and Technology NIST 171 standards and the Department of Defense’s Cyber Maturity Model Certification (CMMC) process.

9 “Pieces” to Diminish Cyber Risk for Small Companies, Part I

This is a guest post by Stewart Wharton, TAPE VP of Operations.

Mr. Wharton is a cybersecurity expert, having spearheaded the cyber capability at TAPE and serving in a variety of cyber roles, including Defense and Intelligence Cyber Sector Lead, at KPMG and with the Office of the Chief of Naval Operations N6 as the Deputy Chief Information Officer for Information Assurance and Enterprise Architecture.


Regardless of the type of small business, cyberattacks are virtually inevitable. While the bad news is that 81% of cyber-attacks happen to small and medium-sized businesses, the good news is that 97% of these attacks are preventable by implementing recommended security practices and raising security awareness among employees. 

Recognizing this fact, businesses across the globe are willing to spend more on cybersecurity than ever before. According to research firm Cybersecurity Ventures, the cost of cyber-crime will exceed $6 trillion worldwide this year.

Defining and communicating your company’s cyber risk management regime is central to your company’s overall cybersecurity strategy. To maximize the effectiveness of your regime, senior leadership must support efforts.

Many companies cannot afford a chief information officer or a chief information security officer to lead cybersecurity tasks and strategy. In many cases, companies may outsource information technology infrastructure with very little corporate oversight. Even in the case of outsourcing, corporate leadership must be aware of the risks. 

So where should a small company start? 

If you are a small company looking to solidify your cybersecurity posture, I’ve created a simple 9-piece approach for creating a cyber risk management regime. I use the term “piece” instead of “steps” because you can implement these strategies in almost any order. When implementing these pieces, assess the risks to your corporate information and systems with the same vigor you would for legal, regulatory, financial, or operational risks. 

Here are the 9 pieces:

  1. Network security. Protect your networks from attack. Defend the network perimeter and filter out unauthorized access and malicious content. Monitor and test security controls. To perform this step, you must know what operating systems and devices you have and keep them up to date with the latest versions and patches. Encrypt your data in transit and at rest and use strong passwords.
  2. User education and awareness. Produce user security policies covering acceptable and secure use of your systems. Include them in staff training. Maintain awareness of cyber risks. The Small Business Administration offers free online cyber awareness training.
  3. Malware prevention. Produce relevant policies and establish anti-malware defenses across your organization. Some typical anti-malware practices include:
    1. Backing up or archiving business data is essential to recover from cyberattacks, theft of devices, or loss of equipment or media resulting from a flood or fire. Archiving data is also quite easy since the rise of cloud storage. Cloud storage is a simple, fast, and affordable way to back up your data. Saving your data in the cloud means that your business is protected from certain serious cyber-attacks such as ransomware. Why is this so important for your business? A ransomware attack encrypts all your data and files, making them inaccessible to you. Cyber criminals will demand money in exchange for unlocking these files, ranging from $100 to $2,000 for each infected system. This form of extortion can be devastating to a small business when several or more computers are infected by ransomware.
    2. Making your business data useless when it falls into the wrong hands is an effective protection strategy. You can do this by encrypting your data. Full-disk encryption software is available for all major computer and mobile operating systems; use it to encrypt all the data you manage, and make sure all your company devices have it activated and updated. When you use data encryption, you must take measures to protect encryption keys from corruption, loss, and unauthorized access. You must also manage activities such as changing keys regularly and controlling how keys are assigned and to whom. Small businesses that do not have information technology staff with data encryption skills should consult professional information technology services providers to identify and deploy their data encryption needs and solutions.
    3. Conducting regular risk assessments involves identifying, analyzing, and evaluating risk and ensuring that you have picked appropriate cybersecurity controls to protect your business from cyberattacks.
    4. Consider buying cybersecurity insurance. Cyber criminals work tirelessly to find more targets and breach different security defenses. They can harm any business, even the most security conscious. According to research conducted on data breaches in 2017, the global average cost of one data breach incident was $3.6 million. To mitigate the losses due to data breaches, it is imperative for businesses to invest in cyber-security insurance.

Continue reading Part II of this post to learn Stu’s other cybersecurity tips.

How the CMMC is Changing Culture One Company at a Time

Note from John: Seems like every time I have a conversation with another colleague or company the topic of CMMC comes up. The Cybersecurity Maturity Model Certification is not going away…for many good reasons. As defense contractors we have to protect our assets, resources and those of our clients. It is in OUR best interest. Here is another great article from Jason Miller.


This is a guest post by Jason Miller, executive editor, Federal News Network.

Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.

Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.

So 18 months into the CMMC development and rollout, Golden said industry and agencies still need to grasp why this initiative matters so much.

“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”

Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.

“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said. 

“We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”

That culture change has to happen with more than just defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.

Click the link below to read the full article and listen to Jason’s interview with Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield:

Court of Federal Claims (COFC) Finds in Favor of the Small Business Community

Note from John: This is potentially huge news for the small business community. In recent years, the government has often put new or existing requirements directly onto a multiple-award large business IDIQ contract vehicle without doing an analysis to see if there are two viable small business entities capable of providing those services. This COFC finding mandates that the government do a Rule of Two analysis prior to moving the requirement onto the large business IDIQ. This will provide more opportunities for us…possibly many more. 


This is a guest post by Nicole Pottroff of Koprince Law, LLC.

The United States Court of Federal Claims (COFC) has ruled that an agency has to conduct a small business Rule of Two analysis before it can use an existing multiple-award indefinite delivery indefinite quantity (MAIDIQ) contract vehicle to procure services.  This is a landmark decision, given that GSA Schedule contracts are exempt from the Rule of Two. 

The COFC’s decision in Tolliver Grp., Inc. v. United States, No. 20-1108C, 2020 WL 7022493 (Fed. Cl. Nov. 30, 2020), arose out of the Department of the Army’s decision to cancel two General Services Administration (GSA) Federal Supply Schedule (FSS) support staffing solicitations, which were 100% set aside for service-disabled veteran owned small businesses (SDVOSB). The solicitations sought fire support specialists training services for the Fires Center of Excellence field artillery school at Fort Sill. The Army had previously procured these services through a long-term omnibus MAIDIQ contract.

The Army first awarded the solicitations to two SDVOSBs. But it subsequently cancelled the solicitations and the awards for the purpose of transferring the work to an existing MAIDIQ. According to the Army, this Training Management Support (TMS) MAIDIQ would “provide a potentially better procurement vehicle for this requirement” than the GSA FSS contract.

Two SDVOSBs brought this lawsuit under the Tucker Act, arguing that the Army’s actions violated two laws: (1) the Administrative Procedure Act (more on that issue in an upcoming blog); and (2) the Rule of Two (the subject of this blog). Specifically, the plaintiffs argued that the Army violated the Rule of Two by “mov[ing] the unchanged requirements to the New Ft. Sill IDIQ, where only large businesses are eligible for award[.]”

The court explained:

The Rule of Two . . . is straightforward, and provides that the contracting officer shall set aside any acquisition over the simplified acquisition threshold for small business participation when there is a reasonable expectation that – (1) Offers will be obtained from at least two responsible small business concerns; and (2) Award will be made at fair market prices.

According to the court, the Army did not dispute that there were “at least two responsible business concerns capable of performing the work at fair market prices, or that, in general, the Rule of Two is mandatory.” The Army, instead, argued that the Small Business Act and the FAR gave it the discretion “to make use of a multi-award contract without first conducting a rule of two analysis to determine whether the task order should be set aside for small business.” The Army cited the following statutory language:

Federal agencies may, at their discretion:

(1) set aside part or parts of a multiple award contract for small business concerns . . . ;

(2) notwithstanding the fair opportunity requirements under section 2304c(b) of title 10 and section 4106(c) of title 41, set aside orders placed against multiple award contracts for small business concerns. . .; and

(3) reserve 1 or more contract awards for small business concerns under full and open multiple award procurements . . . .

The Army also cited the FAR clause for “[p]artial set-asides of multiple-award contracts[,]” which similarly says that “contracting officers may, at their discretion, set aside a portion or portions of a multiple-award contract” under certain circumstances.

Based on these sources, the Army argued that, since it “exercised its discretion not to set-aside any portion of the TMS MAIDIQ scope or any of the TMS MAIDIQ‘s contract awards for small business,” it could now “utilize the TMS MAIDIQ for any acquisition – and avoid the Rule of Two – so long as the contemplated scope of work is within the TMS MAIDIQ’s scope.”

But the court rejected this “sweeping inference.” The FAR and Small Business Act provisions the Army cited, instead, tell the agency “how a multiple award contract may be structured or how a task order competition under a multiple award contract may be competed.” They do not address whether the agency may ignore the Rule of Two simply because the agency prefers to use a MAIDIQ that already has been awarded. As the court explained:

[T]he fact that an agency has the discretion to partially set-aside “a portion” of a multiple award contract for small business does not lead to the ineluctable conclusion that having decided not to engage in a partial set-aside, an agency may thereafter dispense with the Rule of Two. The latter does not follow from the former. To the contrary, the grant of discretion applies even where the Rule of Two does not require a set-aside, but the grant of discretion does not somehow, by negative implication, eliminate the Rule of Two requirement.

As such, the court concluded that “[t]he Rule of Two unambiguously applies to ‘any’ ‘acquisition,’ FAR 19.502-2, without any loophole for MAIDIQ task orders.” The court noted, “where the FAR intends to make the Rule of Two entirely inapplicable to the selection of a particular procurement vehicle, the FAR knows how to do so,” and it cited FAR subpart 8.4, which expressly exempts FAR Part 8 FSS procurements from the Rule of Two requirements. The indefinite delivery contract regulations in FAR subpart 16.5, however, do no such thing.

Because there was no legal exemption from the Rule of Two for MAIDIQs, the court turned to the specific question of “whether the agency has any obligation to apply the Rule of Two to a particular scope of work that is covered by the scope of an already-issued multiple-award contract[]” before it can leverage the existing MAIDIQ.

To this, the court answered “yes.” Interestingly enough, its decision was actually based on a GAO decision, LBM, Inc., B-290682, where GAO found that the “Army violated FAR § 19.502-2(b) when [it] did not consider continuing to acquire the Fort Polk motor pool services under a total small business set-aside[.]” GAO’s decision there–and therefore, the court’s decision here–centered around the definition of an “acquisition.” The FAR defines an acquisition as:

the acquiring by contract with appropriated funds of supplies or services (including construction) by and for the use of the Federal Government through purchase or lease, whether the supplies or services are already in existence or must be created, developed, demonstrated, and evaluated. Acquisition begins at the point when agency needs are established and includes the description of requirements to satisfy agency needs, solicitation and selection of sources, award of contracts, contract financing, contract performance, contract administration, and those technical and management functions directly related to the process of fulfilling agency needs by contract.

According to GAO, the purchasing of services with appropriated funds in LBM was an acquisition, “regardless of the fact that the agency anticipated acquiring those services through their transfer to the [IDIQ] scope of work.” GAO said, “[h]ad the agency complied with the requirements of [the Rule of Two], it might have concluded that the [IDIQ] contracts were not the appropriate vehicle for this acquisition.” Thus, GAO concluded that “the agency’s intent to use a task order under [a multiple award contract] as the contract vehicle did not eliminate the legal requirement that the agency undertake that analysis.”

The COFC followed suit, stating:

The bottom line from this Court’s perspective is that the cancelled solicitations at issue here are themselves acquisitions. The government’s identification of a need – of a scope of work – that it must procure itself begins an acquisition. Accordingly, we view the identification of the continued need for [the two solicitations’] requirements as either part of in-process acquisition or a new acquisition.

According to the court, either way the acquisition is viewed, the Rule of Two applies. The court said, even if the Army had “satisfied its small business set aside obligations with respect to the TMS MAIDIQ acquisition in 2018,” that did not mean that it also satisfied those obligations with respect to the acquisitions of the requirements set forth in the 2020 solicitations. The court said:

In sum, the government’s failure to apply the Rule of Two prior to deciding to cancel the solicitations at issue is fatal to that decision, whether because that failure undermines the central rationale of the cancellation decision or whether because the decision to move the work to the TMS MAIDIQ prior to conducting a Rule of Two analysis constitutes an independent violation of law.

In the end, the COFC enjoined the agency from cancelling the solicitations and transitioning the work to the MAIDIQ (or to any other procurement vehicle) without first complying with the Rule of Two.

This is truly a landmark decision by the COFC–with the potential to affect a multitude of federal contracts. Especially of late, we have seen many federal agencies attempt to shuffle new requirements to existing IDIQs, often to simplify their acquisition procedures or avoid certain rules or litigation. At least now, those agencies will not be able to escape the small business Rule of Two in doing so.

This post was originally published on the SmallGovCon blog at and was reprinted with permission.

FAR Council Issues New Interim Rule on Section 889 – Prohibitions on Using Chinese Telecommunications and Video Surveillance Equipment


This is a guest post by Isaias “Cy” Alba, IV of PilieroMazza, PLLC.

Note from John: Seems like the list of action items for us small business folks is forever growing. With CMMC looming and now this requirement in place, we must make sure we are ever vigilant to protect ourselves and our most important clients. This one requires the annual SAM reps and certs BUT also requires we conduct these repeated, reasonable inquiries throughout the contract performance. This one may not be so onerous… especially after the initial review of assets and services.

If you have not viewed PilieroMazza’s prior client alert and webinar on the implications of the new prohibition on the use of certain Chinese telecommunications and video surveillance equipment, we highly recommend you do so before reading this article as it will provide helpful background and information which we will not rehash in this article. You can find that content here and here, respectively.

The FAR Council released a new interim rule, effective October 26, 2020, that allows federal contractors who have already represented in SAM, under the new FAR 52.204-26, that they “do not” use the prohibited equipment or services to renew that representation only once a year, rather than making the FAR 52.204-24(d)(2) representation with every bid or proposal. The interim rule adds the following representation at FAR 52.204-26(c)(2), which will be included in every contractor’s SAM representations and certifications:

After conducting a reasonable inquiry for purposes of this representation, the offeror represents that it [ ] does, [ ] does not use covered telecommunications equipment or services, or any equipment, system, or service that uses covered telecommunications equipment or services.

While the FAR Council has billed this as a change to ease the administrative burden of having to conduct repeated “reasonable inquiries” prior to certifications on each bid or proposal, this rule does NOT change the ongoing reporting requirements during contract performance which are, arguably, the most onerous part of the new Section 889 compliance regime.

Specifically, clients are already asking me how this affects the review and reporting requirements of FAR 52.204-25, and whether those requirements still apply if they take advantage of the new annual FAR 52.204-26 representation. Unfortunately, the answer is “YES”: the continuous monitoring and reporting required under FAR 52.204-25(d) still applies during performance of every federal contract.

This means that even if a contractor has made the new FAR 52.204-26 representation in SAM, it still has to closely monitor its own performance and that of its employees and subcontractors to ensure that none of the prohibited equipment or services are used or delivered on any federal contract. If such use or delivery is found, the required one-day disclosure and the ten-day follow-up disclosure still apply in full force.

Thus, while this new interim rule is helpful to ease the burden of having to perform a “reasonable inquiry” prior to every bid or proposal, it does not alleviate the eternal vigilance that all federal contractors must now undertake to comply with the full application of Section 889 of the 2019 NDAA.

Please contact Cy Alba, the author of this client alert, or a member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy groups with inquiries.

This post originally appeared as a PilieroMazza Client Alert at and was reprinted with permission.

GAO Reviews Agency Oversight of Small Business Subcontracting Plans


This is a guest post by Haley Claxton of Koprince Law LLC.

Recently, GAO published a report on small business subcontracting plan compliance, concluding that agency oversight of these plans needs improvement.

As many of our readers know, some federal contracts require large business prime contractors to utilize small business subcontractors under a small business subcontracting plan, as described in FAR 52.219-9. For context, in 2019, federal agencies “awarded more than 5,000 contracts requiring a small business subcontracting plan, and obligated more than $300 billion to contracts with required small business subcontracting plans.”

If a small business subcontracting plan is in place, contractors are required to report on any subcontracting achievements and make a “good-faith” effort to keep to the plan. In addition, some regulations and procedures require contracting officers to review the subcontracting plan before or after award to make sure certain information is included in the plan. Agencies are also required to provide SBA Procurement Center Representatives (or PCRs) the opportunity to review the proposed contract and associated subcontracting plan.

After a contract is in place, the FAR requires contracting officers to ensure that subcontracting reports are submitted via the eSRS web platform within a certain amount of time. Contracting officers must then review these reports and decide whether to accept them. In addition to reviewing the reports, agencies are also required to perform annual evaluations of all contractor performance through CPARS (the Contractor Performance Assessment Reporting System). One aspect of the annual CPARS evaluation, where applicable, is compliance with the contractor’s small business subcontracting plan.

Despite the amount of oversight agencies appear to have over contractor compliance with small business subcontracting plans on paper, some folks at the Department of Defense were concerned about how much actual oversight agencies were providing to ensure contractors complied with their plans. Thus, GAO looked into how four representative agencies (the DLA, the Navy, GSA, and NASA) provide oversight. It found that the DoD was right to be concerned.

First, GAO looked at pre-award procedures for reviewing subcontracting plans. It found that COs from all four representative agencies reviewed and approved subcontracting plans as required in most, but not all, cases. More problematically, however, the “[a]gencies also could not demonstrate they followed procedures related to PCR reviews in about half of the contracts reviewed.” Put differently, in roughly half of the contracts GAO examined, the agency could not show that the SBA had been given its required opportunity to review the subcontracting plan before award.

Next, GAO turned to agency oversight of contractor compliance with their subcontracting plans post-award. GAO found this oversight was pretty “limited.” Even though each representative agency did offer some amount of training to contracting officers on subcontracting plans, GAO found that these contracting officers did not ensure contractors met their reporting requirements in most of the reviewed contracts. In addition, even where reports were submitted as required, many were not reviewed in the manner anticipated.

As a result of its investigation, GAO offered ten recommendations for the reviewed agencies and the SBA. These recommendations are outlined here, but in summary, they ask the relevant agencies to make sure they have steps in place to ensure appropriate review of subcontracting plans and contractor compliance with those plans.

Overall, an increased focus on compliance with subcontracting plans is likely to have an effect on many contractors–hopefully ensuring more contracting dollars go to small business subcontractors. For more on small business subcontracting plans, check out our related blog posts here.

This post originally appeared on the SmallGovCon blog at and was reprinted with permission.

California Consumer Privacy Act Enforcement Effective July 1

This is a guest post by David T. Shafer and Emily J. Rouleau of PilieroMazza PLLC.


Despite requests for delay due to COVID-19, California Attorney General Xavier Becerra has affirmed that enforcement of the California Consumer Privacy Act (CCPA) has started, effective July 1, 2020. The CCPA is a huge step forward in data privacy law, granting California consumers robust data privacy rights and increased control over their personal information. Previous PilieroMazza coverage of the CCPA can be viewed here and here.

While the CCPA has been in effect since January 1, 2020, companies that do business with California consumers will now risk penalties for noncompliance. Below is key information for companies seeking to ensure CCPA compliance and to avoid enforcement action.

Approval of Final Regulations

The Office of the California Attorney General submitted the final proposed CCPA regulations package to the California Office of Administrative Law (OAL) on June 1, 2020, for review. OAL has 30 working days, plus an additional 60 calendar days, to review the package.

Once approved, the final regulation text will be filed with the Secretary of State and become enforceable by law. OAL is not expected to make significant changes to the regulations, so a full analysis of the rule will likely be necessary for the creation and implementation of a robust CCPA compliance program.

Compliance Tips

To understand whether or not you are subject to potential enforcement, first determine if you fall within CCPA’s compliance criteria. Critically, the statutorily defined terms “consumer” and “personal information” are far broader than comparable terms in the statutes and regulations of other jurisdictions, though that breadth is itself currently the subject of debate in many state legislatures.

The breadth of these definitions makes CCPA’s reach larger than it appears on the face of the statute. Below are certain high-level questions that can help a business determine if it meets certain threshold standards:

  • Do you, or any of your subsidiaries or affiliates, engage in business in California?
  • Do you do business with contacts or employees who reside in California?
  • Does your business have over $25 million in annual gross revenues?
  • Does your business buy, sell, or receive personal information?

If you fit certain initial criteria, we recommend identifying the type of personal information your business collects. As briefly mentioned above, CCPA broadly defines personal information as any information that directly or indirectly identifies, describes, or can be reasonably linked to a particular consumer.

CCPA grants consumers significant rights over the use of their personal information, including general notice rights. It is here that companies can take proactive steps to prepare for CCPA’s implementation.

More specifically, CCPA grants consumers the right to know what personal information a business collects, sells, or discloses about them. Additionally, several sections of CCPA require businesses to make affirmative disclosures to consumers by way of privacy policies and other notices.

With the expiration of CCPA’s safe harbor and subsequent July 1, 2020 enforcement, steps that can be immediately taken may include, but are not limited to, the following:

  • updating notices and privacy policies;
  • reviewing data flows including data mapping and classification;
  • segregating data and IT systems between regulated and non-regulated data repositories;
  • implementing cookie banners and web beacons in accordance with CCPA-compliant privacy policies;
  • implementing individual request processes (including opt-out and deletion); and
  • implementing training to meet CCPA’s new requirements.

What to Watch

The California Secretary of State recently announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020, ballot. If approved by voters, the CPRA would significantly update and amend the CCPA, allowing California consumers to block businesses from using a new category of information known as “sensitive personal” information and establishing a new enforcement authority to protect data privacy rights.

PilieroMazza’s attorneys will continue to monitor the CCPA, along with legal developments for data privacy in other states. For assistance with CCPA implementation in your business, please contact the authors of this client alert, Dave Shafer and Emily Rouleau, or a member of the Firm’s Cybersecurity & Data Privacy Group.

This post originally appeared on the PilieroMazza website at and was reprinted with permission.

How to Update Your GSA eBuy Profile to Improve your Visibility to Customers


An announcement from the GSA Vendor Support Center.

GSA eBuy will be updated on August 1, 2020 to allow you to self-certify under subgroups of specific Special Item Numbers (SINs). Subgroups identify the subsets of products and services your company offers on contract under a SIN.

The scope of certain SINs can be very broad. Subgroups were created to highlight specialized products and services that are offered under those SINs. By selecting the subgroup of offerings your company specializes in, your customers can find you more easily in both eBuy and eLibrary when they conduct their searches. As some SINs contain thousands of contractors, this helps the customer to identify the segment of contractors that can perform. Not all SINs have subgroups.

You may have used this functionality under your legacy contract, but you must reestablish these subgroups under the new SIN structure.

Identifying the subgroups of your contract offerings benefits both you and your customers. This function allows your customers to do better market research and email eBuy RFIs/RFQs directly to contractors that can satisfy their requirements.

Please note, the selection of subgroups does not prevent you from seeing opportunities posted for the SIN(s) you have been awarded. Your ability to review all eBuy opportunities on your awarded SIN(s) does not change.

The following SINs will have subgroups starting August 1, 2020:

561210FA, 541690E, 332311P, 532490P, 333241, 336999, 333318F, 335999, 325612, 325998, 325611, 54151HACS, 517312, 54151S, 54151ECOM, 511210, 33411, 339940OS4, 541611, 562112, 541211, 522310, 541330ENG, 562910REM, 541930, 541614, 541620, 561621H, 339113LAB, 334515, 334516, 333997, 332439.

The below steps outline the process to select your SIN subgroups for both eBuy and eLibrary.

How to select SIN Subgroups:

  • Step 1: Log in to your vendor profile in eBuy
  • Step 2: Click on the Modify Subgroups button located on the right-hand side of the screen
  • Step 3: Select the applicable subgroups

If you experience any technical difficulties with updating your eBuy profile, contact our Vendor Support Center help center staff by calling 877-495-4849 or send an email to

A note from Bill: This is really important for those with specialized NAICS and sub-SINs to see the specifics here and make sure to register, since this is an opportunity to register for more and different sub-SINs.