1. of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015 PubKLearning. All rights reserved. 1 Is a Class Deviation Appropriate? –Generally federal agencies are required to provide notice and afford the public an opportunity to comment on proposed changes prior to enacting significant regulatory changes. FAR 1.301(b); 1.501-2. –Public meetings to solicit/obtain additional views and discussion on significant regulatory revisions is encouraged. FAR 1.503. When regulatory change is intended to be permanent, a FAR revision – not a Deviation – should be proposed. FAR 1.404. 1.When a class deviation is needed on a permanent basis, a FAR revision should be proposed. GSAR 501.402; Class deviations are expected to expire in 12 months unless extended. GSAR 501.404(e)(1). 2.Court of Federal Claims held use of a class deviation to implement a uniform contract clause violates the FAR and Office of Federal Procurement Policy Act § 22, it may be unenforceable. Sunoco, Inc. v. United States, 59 Fed.Cl. 390, 396 (2004). 3.This Deviation will have a material effect beyond the internal operating procedures of the GSA. - Effect on subcontractors; disproportionate impact on Small Business Concerns 4.No “urgent Government need” compelling Deviation.

2. of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015 PubKLearning. All rights reserved. 2 Department of Defense's (DoD) proposed Interim Rule on Network Penetration Reporting (Aug. 26, 2015): –Adds new clause: DFARS 252.204-7009, Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information; Revises DFARS 252.204-7012; –Establishes NIST SP 800-171 as the baseline for adequate security for covered defense systems (change from current subset of NIST SP 800-53 controls); –Continues the 72-hour rapid reporting requirement for incidents affecting covered contractor information systems/covered defense information or ability to perform operationally critical contracts.

3. of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015 PubKLearning. All rights reserved. 3 Impacts of the DoD proposed Interim Rule: –New DFARS clause applies to a broader category of information (called “covered defense information”) which includes export controlled information and a revised definition of Unclassified Controlled Technical Information (UCTI); –Scope of reportable cyber incidents significantly broadened; –Uncertainty associated with replacement of the detailed chart of security controls from NIST SP 800-53 with the general reference to the security families from NIST SP 800-171; –Subcontractors are now explicitly required to report cyber incidents “up the chain” to the ultimate Prime Contractor and directly to DoD.

4. of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015 PubKLearning. All rights reserved. 4 And a “Sleeper” for GSA Schedule Commercial Item contractors: U.S. General Services Administration's (GSA) GSAR 552.239-71(k) clause: –Applicable to unclassified IT resources; –Requires federal contractors to afford the GSA access to both the contractor's and subcontractors' installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract regardless of the location. –Access is to extent required in the judgment of the GSA for the government to conduct an inspection, evaluation, investigation or audit (including vulnerability testing) to safeguard against threats and hazards to the integrity, availability, and confidentiality of GSA data (including that simply "transiting“ contractor's/subcontractors' systems) and to preserve evidence of computer crimes.