The U.S. federal government can be a lucrative market for many vendors in the IT hemisphere, thanks to its constant demand for technology, certain agencies’ willingness to sign long-term contracts for products and services, and the current focus on data security. One might even say the path to government contracts is paved with gold — and crater-size potholes.
Here’s the problem: Despite some generally well-received changes to the General Services Administration (GSA) Schedule — the list of companies from which government agencies can buy products and services — selling to federal agencies still involves following a complex set of protocols, languages and rules. As a result, many companies seeking to target this vast market tap the expertise of legal professionals who are expert in the many subtleties and laws of serving the government sector.
Marcia Madsen, a partner at Mayer, Brown, Rowe & Maw in Washington, D.C., is one such legal professional. She spends her work hours advising clients about contracts, teaming and strategic alliances, audits and technical data rights. Who are those clients? For the most part, they are businesses hoping to win some of the many federal government contracts up for grabs in the post-9/11 world.
The E-Commerce Times spoke with Madsen about the pitfalls and opportunities facing vendors that seek to sell to the country’s largest customer.
E-Commerce Times: Could you give us an idea of what your law firm does and how it works with contractors and the government?
Marcia Madsen: At Mayer, Brown, Rowe & Maw, my practice focuses on government contracts. All of my clients conduct business with the United States government in one form or another, whether it’s DoD, the Treasury Department, the Department of Homeland Security, et cetera. Some of the companies we represent may be commercial companies, others are [longstanding] government contractors. In any event, we advise them when they’re trying to sell products or services to the United States government.
ECT: How has the federal marketplace changed since September 11th?
Madsen: There’s at least a two-part answer to that. First, because of a combination of patriotism, the economy and the realization that the United States, for Homeland Security purposes, is going to spend a whole lot of resources on technology security … a number of technology companies are approaching government agencies for the first time with regard to federal sales.
One example: The General Services Administration, through its Federal Supply Schedule contracts, has a whole Schedule for their Program Safeguards Contracts. They have several contracts in place with major contractors whose job, from a service and hardware/software perspective — they’re really integrators — is to be available to federal agencies to help them address particular security problems. The way the schedule works is these companies have a contract vehicle with the government. If a particular Agency has a requirement that they need to fulfill or they need help figuring out how to solve a particular problem, then the Agency can approach … one of these contractors, or the Agency can have a mini-competition and select someone.
Those contractors, which include some of the major aerospace and system integration companies, are actively talking to and identifying smaller companies or other companies that have interesting technology or interesting software that they can combine in an integrated approach to an agency’s security needs. So, although there are only 27 companies on this schedule, those companies are reaching down and buying from a lot of different sources.
ECT: So, obviously, that’s opened up some opportunities for smaller or niche developers and solution providers.
Madsen: It’s opened up a lot. It wouldn’t necessarily surprise you to see who holds the big contracts — it’s not new companies and it’s not startups. But the opportunities for the new startups appear to be at the subcontractor level as the major players in the government marketplace are out looking for new technology. That’s not to say there isn’t room for new players, too. There are a lot of companies in other parts of the GSA Schedule with new information technology and services to offer.
ECT: And what’s the second part of how the market’s changed?
Madsen: The other piece is, with the E-Government Act [of 2002], of course the government is much more attuned to security. [It] is really just getting under way the process, in many instances, of making an overall assessment under OMB’s (Office of Management and Budget’s) guidance of what all government systems — not just Homeland Security, TSA (Transportation Security Administration) or Department of Defense — need in the way of information security.
Title three of the Federal Information Security Management Act (FISMA), which was enacted as part of the E-Government Act in December 2002, is a provision that addresses government information security. It has a number of provisions in it that require, for example, each agency to develop its own system configuration guidelines and do a security analysis, make a report to OMB and identify where it may have deficiencies and weaknesses. Initially, those reports were going to be due at the end of , but they’ve been pushed out into 2004. The National Institute of Standards and Technology (NIST) is supposed to be developing standards for information security for government agencies. At least some of them came out in draft in November 2003.
Ultimately, agencies are going to buy more software and services with a focus on security. In addition to new stuff, [because] the government owns so much in the way of legacy stuff, they’re going to have to do some patches. This process has just gotten under way.
You can tell where it’s going in a general sense, but we don’t have a lot of details to go with it.
ECT: Will this have any impact on the private sector?
Madsen: One of the results of FISMA, as the standards get developed for the public sector and the public sector spends money on security upgrades — particularly for the government’s big systems, such as Internal Revenue, Treasury, HHS — it’s inevitably going to have an impact on the private sector and what becomes the standard for information security.
ECT: And how far out do you think that will be?
Madsen: I think the agency assessments and their reports that are supposed to identify deficiencies and solutions will probably [appear] in the spring, and then the agencies will start making procurement plans for what they need. I think it will be visible this year.
ECT: How involved are third parties with agencies’ IT assessments?
Madsen: I think a lot of them are already working with government agencies. Government agencies have contracted out a fair amount of this analysis on deficiencies and potential corrections. For most of these agencies, their IT is procured from an integrator and operated by an integrator. It’s not outsourced in a commercial sense, but major contractors are very involved in helping an agency manage its IT needs. The assessments that agencies are making of where they need improvements and what those improvements might consist of are being made in conjunction with various contractors. Those companies are going to have a pretty good sense reasonably early on as to what the agencies are going to need.
I suspect some of these procurements are starting to be made from the GSA Schedule and other government-wide vehicles where they don’t have to do a head-to-head competition. We’ve seen agencies who’ve already focused on specific things they need making acquisitions — patch-type software, diagnostic-type software. TSA and DHS are building new systems of their own, so they’re going to build them to the latest technology and latest guidelines — to the extent budgets permit.
ECT: When clients come to you, what sort of things do they need your help with?
Madsen: It’s a highly regulated marketplace, so [they ask], “What are the rules? How do some of these competitions work? How do we make sure we get fair treatment?” If it’s somebody with a new product that hasn’t been exposed to this market, how do they make people aware of what they’ve got? How do they generate interest in their product? How do they make government buyers aware of their products? What risks are they taking with their intellectual property?
We’ve seen all kinds of exciting technology — people who come in with an interesting piece of software that does data-mining or it’s got some artificial intelligence or biometric applications — there are all kinds of hardware, software and biotech-related products and services out there. A lot of it is new companies, new ideas. Some of it’s coming from overseas. It’s amazing what people walk in the door with, but they don’t know how the process works, how to get an opportunity to tender, so those are the kinds of things we would typically help them with — help them understand [that] if they get one of these contracts they’re going to have some compliance complications.
ECT: You don’t just pop that champagne after winning a contract!
Madsen: Right. They’ve got a lot more work to do. You know the United States government is very much security-focused and is very concerned about who has access to data. You’ve got the whole environment where companies and people have to have security clearances to work for defense agencies or intelligence agencies or a national security agency. And then you’ve got lots of other places where contractors handle data where, people are increasingly realizing, it may not be confidential, but it is sensitive. It’s government personnel data, payroll data, tax information. There’s great concern on the part of the agencies that either these procurements have a security classification to them or, even when they don’t, the agency wants to know who its contractor is and know who the people working with sensitive data are. Are they a potential security risk?
There are a couple of clauses that have popped up. There was a draft regulation written about 15 months ago by the people at the Defense Security Services (DSS), and it addressed a subject called “sensitive but unclassified” (SBU) information. We saw it picked up later as a clause in RFPs involving data processing. Basically, it said: If you’re the vendor — and the potential vendors for this contract were major database companies — “Your employees have to be citizens of the United States. They must have background checks. And don’t for a minute think you’re going to send this information outside the United States.”
We’re seeing these types of clauses in a lot of government procurement. The Department of Homeland Security, in December, released its interim procurement rules, and they have a very specific provision. They want to know who’s got access to this stuff and that it’s not potentially compromised. This clause has to be flowed down to all the subcontractors on the contract.
ECT: So all employees at a large company would have to be a U.S. citizen or legal resident alien?
Madsen: Well, or in the contracting entity. Most of those companies have a federal systems company or organization.
ECT: And then everybody they subcontract to?
Madsen: Yes. And then it also has a clause that says no contractor or personnel shall start work under this contract that involves sensitive information until [they are] approved for access, receive a security briefing, sign appropriate non-disclosure forms and, potentially, depending on what aspect they’re going to work on, [pass] a background check. This is actually in their regs and is going to be included in all of their IT contracts. Versions of this have cropped up in a lot of different places. The DHS regs are, by and large, pulled from the Department of Transportation regulations.
ECT: And these DHS regulations are currently in effect?
Madsen: Yes. And this is a clause that’s now required by regulation. [In one situation that arose], if you bid on [a] job, you had to agree to comply with this policy, which was only U.S. citizens can handle this data. I have to tell you, we had one client who will obviously remain unnamed that’s basically a commercial company that looked very seriously at bidding on this opportunity and, when they realized who does their programming, who works with their database and how [much] of that was sourced outside the United States and how many of those people were not U.S. citizens, they said, “You know what? We can’t do this.” They took a hard look at it but took a pass.
ECT: Do you think it will affect pricing?
Madsen: This is speculation, but some of the steps companies have taken to reduce costs, like outsourcing to companies in India or wherever — they won’t be able to use that approach. We see this popping up in a lot of places.
ECT: What are some of the penalties if companies don’t abide by these rules?
Madsen: It depends what ends up in one’s contract. Obviously, if you fail to comply, your contract could be terminated. If information has gotten where it’s not supposed to go, certainly there would be investigations. Under a lot of these contracts, when the contractor submits its invoice for payment, the contractor has to make various representations about compliance with the terms, so they may have submitted representations that were not accurate, in which case the ramifications are pretty serious. Of course, if a contractor’s failure jeopardizes national security, both the contractor and potentially the employees are at risk for prosecution.
ECT: Does this add to the lead time of selling to government?
Madsen: I don’t think so. It’s just something they’ve added. I don’t think it’s got a time implication for the procurement process. What it does is affect the composition of the offer and who can participate and what their prices are going to be. It obviously has compliance implications on the back end.
ECT: Has this further complicated dealing with the federal government?
Madsen: I think, in many respects, the federal government procurement process, particularly for IT, over the past six or seven years has been simplified. The GSA Schedule is a good example of that. Anybody can get on if they’ve got a product that’s offered in the marketplace. They can apply for and get on the schedule. What these provisions do is emphasize that your ability to perform these contracts is going to be limited in various ways for security reasons.
As FISMA gets implemented and agencies identify hardware and software needs, they’ll probably reach out to the commercial marketplace first, so you’ll see a lot of companies coming in to perform this kind of work, and they’re going to bump into these security concerns.
The other thing I was going to mention is the corporate inversion legislation. The Department of Homeland Security, for example, as well as other government agencies, cannot now contract with companies that fit this offshore inversion definition. I think that’s another piece of the concern — that work for the United States be done by United States companies or United States citizens. And you have to ask yourself, is that really an unreasonable request?
Is it unreasonable for the U.S. government to ask its contractors — those that are performing services and handling sensitive information — to comply with these requirements? Are these requirements unreasonable? I’m not sure they are. There are people that are concerned about them because they have pretty far-reaching implications. But I think ordinary people — citizens — might feel better about having these kinds of requirements.
ECT: How many people are involved in this segment of law in your firm?
Madsen: There are about 15 of us, and we work closely — not every day — with our outsourcing practice, from time to time. We do have some clients in common.
ECT: Do you work with any non-DC lawyers in this?
Madsen: Yes, we do work with our London office and our Frankfurt office. There are companies in the U.K. and Europe who have interesting software and technology that they would like to offer to the U.S. government.