Your Guide to Thriving in the Evolving GovCon Landscape - Top 5 Industry Updates for 2024

Guest Authors: Jon Bencivenga, Director Government Contracting, Global Consulting Solutions at CohnReznick and Kean Reilly, Manager, Government Contracting, Global Consulting Solutions at CohnReznick 

Businesses in the U.S. public sector marketplace experienced various changes in 2023, and these changes will continue to have an impact. While some of these changes were minor, others will have lasting implications for years and may require government contractors to expend resources and re-evaluate strategic, operational, and compliance goals. 

Here is our list of the top five industry developments government contractors need to know about in 2024.

Cybersecurity Maturity Model Certification (CMMC) 2.0

The CMMC Proposed Rule published in the Federal Register on Dec. 26, 2023, requires that Department of Defense (DoD) contractors and subcontractors comply with certain cybersecurity safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). To do so, the CMMC Proposed Rule requires defense contractors to meet the basic safeguarding requirements of FAR clause 52.204-21 for FCI (CMMC Level 1), the requirements of the 110 controls and 320 objectives of NIST Special Publication 800-171r2 for CUI (CMMC Level 2), and certain controls of NIST SP 800-172 for certain classes of sensitive CUI (CMMC Level 3).

• What Do You Need to Know? The CMMC program is currently in the rulemaking phase, with the rule expected to be published as final sometime in late 2024 or early 2025. The final rule will bring context and details to enforcing and auditing mandatory cybersecurity minimum requirements. Starting Q2 or Q3 2025, the industry should begin to see the CMMC requirements as part of select Requests for Information (RFIs) and Request for Proposals (RFPs). The Department of Defense plans to include these requirements in all solicitations issued on or after Oct. 1, 2026.
• Impacts and Recommendations Do not delay! The current requirements will likely prompt a rush for conformity once the final rule is published, creating a shortage of experts formally certified by the government to conduct independent assessments. Government contractors should continue to verify all assertions made in solicitations and understand their contract requirements. Each government contractor should continue to review and brief their contracts to ensure compliance with the necessary data provisions. Second, and most importantly, each government contractor should start to prepare and implement the measures needed to meet the CMMC requirements. This can be done by creating a System Security Plan (SSP), reviewing one if you already have one, and performing a company-wide compliance gap assessment based on the required CMMC level. The company should revise or develop policies, procedures, or additional controls to reduce the risk if any gaps are identified.

CMMC Updates and Consequences

One of the consequences of the CMMC Proposed Rule is the possibility of an increase in legal cases based on the Civil Cyber Fraud Initiative. The Civil Cyber-Fraud Initiative uses the False Claims Act to identify, pursue, and deter cyber vulnerabilities and incidents that arise with government contracts and grants that put sensitive information and critical government systems at risk. In a recent settlement dated Sept. 5, 2023 (Press Release Number: 23-965), Verizon Business Network Services agreed to pay $4,091,317 to resolve a False Claims Act allegation in which it failed to satisfy specific cybersecurity controls in connection with an information technology service provided to federal agencies. Settlements and future cases such as these underscore the importance of contractors being aware of the certifications and ensuring that all aspects are adequately addressed. 

Defense Federal Acquisition Regulation Supplement (DFARS) Flow Down Changes

DFARS Flow Down Clauses are contract clauses that a prime contractor may be obligated to include in subcontracts for certain types of work and contract types. There are both mandatory and optional flow-down clauses. The flow-down clauses contractually attach the subcontractor to the terms and conditions of the prime contract. For administrative noncompliance, the government has no direct contractual privity with the subcontractor, and therefore, the primes are held accountable in most cases. Noncompliance can significantly impact obligations, price, and overall risk of performing on the contract for both the prime and the subcontractor. 

• What Do You Need to Know? Prior to November 2023, DFARS 252.244-7000 allowed flexibility for prime contractors to be selective in flowing down clauses to subcontracts on commercial products or services; however, prime government contractors would historically include more clauses than required to remain safely "in compliance" with subcontract monitoring requirements and ensuring all clauses are addressed from the prime government award. The final rule, dated Nov. 17, 2023, implements language from the 2017 National Defense Authorization Act (NDAA). This final rule states that prime contractors should not include any FAR or DFARS clauses in subcontracts for commercial products or services except under certain conditions per DFARS 252-244-7000. There is no retroactive application within the rule; however, moving forward, the responsibility will be on the prime to flow down the correct contract clauses for new awards after November 2023, which may alleviate the unnecessary burden on subcontractors. This does not impact noncommercial contracts.
• Impact/Recommendation: Although the DFARS changes should lighten the requirements for commercial awards, prime government contractors should continue monitoring subcontracts on noncommercial awards. Assessments should be completed on at least a yearly basis for subcontract monitoring provisions in contracts. Corrective action should be taken to ensure compliance if any deficiencies are found. The new final rule has now added the responsibility of the prime government contractors not to flow down all the FAR clauses but only the clauses that apply to the subcontract.

Small Business Administration 8(a) Changes

The SBA 8(a) Program is designed to help government contractors owned and controlled by socially and economically disadvantaged individuals partner with federal agencies. This is to help ensure equitable access by these organizations to contracting opportunities in the federal marketplace. Once certified, this opens government contractors up to increased opportunities, training, and other services.

• What Do You Need to Know? The more controversial topic within the federal space is the notion of small business certifications and the challenges that will occur. On May 27, 2023, the SBA issued the final rule regarding changes and clarifications to the 8(a) program. The changes included a Bona Fide Place of Business Requirement (Section 123.501(k)), Limitations on Subcontracting (Section 125.6), Joint Ventures (Section 121.103(h)), and Release of Follow-Own Requirements From the 8(a) program to name a few.
• Impact/Recommendation: If a contractor is currently in the SBA 8(a) program, careful consideration should be taken to track how the changes affect the status of that business. As this will likely accelerate the graduation of the 8(a) program, we recommend careful business planning around how this could impact the business. 

SBA Changes and 8(a) Impacts

The most notable change is the language around what the SBA will consider business activity requirements under a sole source 8(a) multiple award contract for a specific entity before acceptance. In addition, the SBA will consider the size of a small business at the time of offer under a multiple-award contract. Previously, recertification took place at the individual order level. This will impact contractor bidding on Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicles where most contractors are not awarded all task orders under the IDIQ within a program. This will also impact the small business status for most contractors if recertification does not occur at an individual order. We believe 8(a) status will continue to be a point of contention for companies trying to keep or obtain 8(a) status. There will be increased scrutiny of the certifications of both new contractors and the overall current statuses of recertifications of contractors in general. 

Uniform Guidance Updates

Uniform Guidance, formally known as 2 CFR 200, is the government-wide framework for grants management that streamlines and simplifies the requirements for non-federal entities receiving federal awards.

• What Do You Need to Know? On September 22, 2023, the Office of Management and Budget (OMB) presented pending changes to the Uniform Guidance requirements. While the spirit of the requirements remains consistent, the intended purpose of these changes is to clarify the Guidance and enhance its overall comprehensibility. However, based on the pending rule, several modifications will impact grantees moving forward. These include the following: 
1. Increasing the Single Audit Act audit threshold from $750,000 to $1 million.
2. Increasing the amount of subawards that can be counted within the Modified Total Direct Cost Base (MTDC) from $25,000 to $50,000. MTDC encompasses all direct salaries and wages, applicable fringe benefits, materials and supplies, services, and travel. It excludes equipment, capital expenditures, charges for patient care, rental costs, tuition remission, scholarships and fellowships, participant support costs, and the portion of each sub-award over $25,000. Other items may only be excluded when necessary to avoid a serious inequity in the distribution of indirect costs and with the approval of the cognizant agency for indirect costs. 
3. Increasing the de minimis indirect rate from 10% to 15%. (The de minimis rate is the percentage of the Modified Total Direct Cost (MTDC) that can be used by non-governmental entities that do not have a negotiated Indirect Cost Agreement.) 
4. Removing the "simplified acquisition threshold" for fixed amount subawards. 
• Impact/Recommendation: The uniform guidance changes are good news for government contractors stepping into the government grant space for the first time. These changes allow for greater flexibility without increasing audit risk (e.g., higher de minimis rate). We see many clients using new U.S. government funding opportunities to evaluate doing business with the government. But buyers should beware; there are still requirements that contractors should consider as they move into this space. We recommend performing a compliance assessment of your current environment against any regulatory requirements before receiving an initial award. This allows the contractor or grant recipient to start on the right foot and provides the ability to address any issues before a formal audit is initiated once the Single Audit threshold is met.

Davis-Bacon Act Changes

The Davis-Bacon Act applies to contractors and subcontractors performing on federally funded or assisted contracts over $2,000 for the construction, alteration, or repair (including painting and decorating) of public buildings or public works. In the Davis-Bacon Act and related Acts, contractors, and subcontractors must pay their laborers and mechanics employed under the contract no less than the prevailing wages and fringe benefits for corresponding work on similar projects in the area.

• What Do You Need to Know? A final rule went into effect Oct. 23, 2023, which adjusted the definition of a "prevailing wage" to include at least 30% of workers in the respective classification of the area where the work is performed to act as the wage. In addition, several other definitions changed, which included "secondary locations" and "site of the work." This clarified the inclusion of locations specific to the Davis-Bacon Act or the job in a particular period. This will likely impact the industry by pushing higher wages into more rural locations. This will also likely impact overall pricing and how contractors address increased pricing on current contracts. 
• Impact/Recommendation: New prevailing wages under the Davis-Bacon Act should be addressed and carefully determined. Government contractors should identify how this will impact their business and address them quickly, if applicable.  

Each topic should be thoroughly reviewed to determine its impact on your organization. We recommend performing a yearly compliance assessment for the organization's overall health. Learn more about critical areas and steps to take in the new year. 

About the Authors

Jon Bencivenga brings over 15 years of extensive expertise supporting government contractors across regulatory compliance, accounting, contracts and training. His specialization encompasses Federal Acquisition Regulations (FAR), agency supplement regulations, Incurred Cost Submissions (ICS), Cost Accounting Standards (CAS), DCAA audit support, dispute resolution, and litigation support. He provides comprehensive contract lifecycle support to government contractors ranging from small businesses to Fortune 100 companies in diverse sectors, including architecture, engineering, aerospace and defense, construction, manufacturing, information technology, not-for-profits, and higher education. 

Kean Reilly is a manager in CohnReznick's Government Contracting Advisory Practice, where he advises clients on government funding management and project cost analysis. He performs in-depth performance analyses of client government awards to identify opportunities for enhancing business systems, internal controls, project management, and reporting functions, ultimately optimizing cost recovery through indirect rates aligned with Federal Acquisition Regulation (FAR), Cost Accounting Standards (CAS), and Uniform Administrative Guidance (2 CFR 200) criteria. Kean offers a comprehensive suite of advisory services, including budgeting, business system implementations, claims management, terminations, investigations, and contract administration.