Three court cases reveal the importance of ensuring that contracts for an ERP software system and other digital transformations be carefully negotiated to remove the possibility that a lawsuit over a failure can be blocked by seemingly harmless clauses that vendors and integrators insert as a matter of routine in their template agreements.

The first case involves an ERP software system sold by IBM to Lufkin Industries LLC (Int’l Bus. Mach. Corp. v. Lufkin Indus., LLC, No. 17-0666 (Mar. 15, 2019)). The system failed and Lufkin sued, claiming IBM had promised an “out of the box” solution that didn’t exist. At trial, a jury awarded the user a total of $27-million in damages. IBM appealed and the Texas Supreme Court ruled that even though fraud was committed, the contract blocked Lufkin from collecting damages and overturned the lower court’s jury award.

The second also involves a Texas lawsuit between Mercedes Benz and a franchise dealer (Mercedes-Benz USA LLC, et al. v. Carduco, Inc. d/b/a Cardenas Metroplex, Case No. 16-0644). The dealer sued the automaker, claiming it had been assured during discussions that it could move the location of the dealership to another city. After the contract was signed, Mercedes blocked the move, which led to the lawsuit.

The Texas Supreme Court upheld the defendant’s argument that the contract specified “no representations outside of the contract were made by (Mercedes).” As a result, the plaintiff lost their case.

In the third situation, recently we wrote about car rental giant Hertz Corp. suing equally large integrator Accenture over the failure of Hertz’s website rebuild project. A few weeks ago, Accenture asked a federal court to narrow the scope of the lawsuit. It asked a federal judge to remove claims of consumer protection and damages, saying they don’t belong in a breach of contract dispute.

The judge has not yet ruled on the Accenture motion.

Fighting Chance

The Accenture filing and the Texas case provide an important object lesson for all buyers of ERP software systems: Never sign the vendor’s or integrator’s template contract without negotiating and redrafting key provisions – even the boilerplate ones. Failing to do so may restrict your ability to sue for damages in the event of a failure.

To prevent this from happening, we usually insist that any marketing materials and proposals presented to a prospective user during the sale process be included as an appendix to the contract. This makes the sometimes-extravagant claims made by a sales team trying to land the deal binding on the vendor or integrator.

More to the point, if a vendor is willing to brazenly lie to a potential customer during the sales process, they are going to fight to keep you from using that lie as the basis for a lawsuit later on. It’s not good business, but at that point the defendants are more concerned with their potential liability than with acting appropriately.

Users need to give themselves a fighting chance in court.

Be Specific, Be Detailed

For instance, in each of the three examples we cited the plaintiffs relied on various representations made by the vendors, whether verbally or in the sales material that was given. Yet by not including this material in the contract, the users were left holding the bag after it unravelled and everything fell out.

This means being very specific and detailed to ensure that all parties to the agreement understand and acknowledge their responsibility and obligations – including those made when the supplier is desperate to get you to buy their product or service and is willing to say anything to get you to sign.

We have worked with ERP software system contracts for our entire career, from both sides of the table. One of the key things we know is that almost every clause in a contract from a vendor or integrator needs to be negotiated and rewritten. Not doing so puts the vendor and integrator in the catbird seat and hangs the customer out to dry.

If you are considering a new ERP software system, or are about to upgrade a legacy system, feel free to call us with any initial questions you might have about the deal or the contract. We will be happy to let you know where the potential pitfalls and hidden traps might be waiting for the unsuspecting.

It’s been said that to succeed in today’s digital world, every company must be a technology-first organization that also specializes in another industry. Cloud computing is the operating model that’s fueling the digital transformation, modernizing IT platforms around the globe. It involves software and other hosted services rented from sources like Microsoft Azure and Amazon Web Services (AWS) and delivered over the Internet.

Chicago partner Marcus Harris was part of an industry expert panel that shared its views on the game-changing model with Crain’s Content Studio.


After retiring from a wildly successful career running Ford and then saving Chrysler from bankruptcy, Lee Iacocca was asked by an interviewer how American automakers could have allowed their globally dominant position in the market to be eroded by foreign car companies. Iacocca replied, “There is nothing more vulnerable than entrenched success.”

It’s not just car manufacturers where hubris has cost a business its market position.

Who remembers that photocopiers were invented by 3M using a sticky, coated paper and the company ignored the advent of plain paper copying machines because it had a lock on the market?

Or that cameras were being sold long before Kodak made them, and photography, simple, cheap and easy for anyone to use, pushing out of business many competitors who didn’t think Kodak’s Brownie camera would catch on? Indeed, Kodak met a similar fate by not finding a way to take advantage of the advent of digital photography.

A similar day of reckoning may be coming for the major developers, vendors and integrators of Enterprise Resource Planning (ERP) software systems.

Entities such as SAP, Oracle and Microsoft, and the humongous system integrators such as Accenture, may feel snugly entrenched in the market. After all, combined they have been the dominant players for a long time. Yet their arrogance coupled with the often-high-handed way they deal with customers may be creating a situation in the ERP sector that mirrors what happened to Detroit, 3M and Kodak.

Holding Users Hostage

Not to stretch a point, but in some respects the big players act like commercial terrorists when dealing with their users.

True, vendors all have user groups and discussion forums. These give the veneer of soliciting feedback and responding to concerns and complaints. But the reality is that, for the most part, vendors give no real evidence of actually caring about a user beyond making tweaks here and there in the coding to fix a problem.

If they did genuinely care about their customers, after a contract is negotiated and signed they would not upsell anything and everything they can come up with, including functionality and upgrades that may not be needed for years – if ever – or software that is a questionable fit for the customer.

A supplier who was genuinely concerned about its customers would not arbitrarily require all of them to migrate their systems to the vendor’s cloud – and pay an additional fee – by a set date even if a company’s own servers and infrastructure are secure, perfectly serviceable and have years of useful life left in them.

The vendor who truly had the best interest of their customer in mind would not load its sales teams with economic incentives to upsell as much as it can for as long as it can without any regard for whether there is a benefit to the user buying the service.

An integrator who put their clients first would not do everything possible to shoulder other consultants out of the way during an implementation, even if the integration was in a tailspin heading for a crash landing.

Climbing Mountains

Because the cost of entry to the ERP development market is so high, the existing goliaths may feel that they’ll never face any meaningful competition that might make inroads into their market position and market share.

This is precisely what Detroit thought about Volkswagen’s Beetle and the first Toyotas, and nothing bad happened to the Big Three automakers as a result of ignoring the threat.

Certainly, entering the ERP business as a competitor going up against a Microsoft, Oracle or SAP is not easy. It takes a very deep pocket and a willingness to invest tens of millions into creating a product. Yet ERP software system users are becoming increasingly restless and dissatisfied with how they are being treated by companies the buyers thought – hoped – were their partners in addressing a management issue with a sophisticated technology solution.

It’s a steep mountain to climb but as an ERP attorney who has been in the business for a very long time, we are starting to hear of attempts to ascend the rockface.

Meanwhile, users have to be much more aggressive in dealing with vendors and integrators, which starts with negotiating and drafting contracts that hold the vendors and integrators to account.

If you have concerns about either an ERP vendor or ERP integrator, feel free to call us. We’ll be happy to answer any questions, refer you to highly-respected consultants, or assist you in dealing with any issues you might be facing with your acquisition or implementation.

When an ERP software system implementation fails, sometimes it’s because the vendor told a potential buyer that its round peg would fit into the user’s square hole in order to make the sale. But maybe even more often, the failure is because the integrator either did not fully understand the user’s industry or business, the client’s relationship with its supply chain, customers and employees, or how the digital transformation was intended to improve corporate performance.

As an ERP software system attorney who has litigated disputes between users and integrators, we’ve learned from experience that many of the larger integrators are very good at selling their services but are not nearly as good at delivering what is in their marketing material, sales pitches and proposals. Sometimes, they oversell their capability.

Choosing the right ERP integrator is as important as selecting the correct ERP vendor. As is the case with vendors, price seldom should be the ultimate determining factor. Here are the six critical criteria every company needs to keep in mind when considering which integrator will be involved in upgrading a legacy ERP software system or installing one for the first time.

1 – Define the Critical Criteria. Know what you want to buy. Some integrators take the approach that they alone are qualified to tell you what you need to purchase. Know whether a global partner is needed to support and work in multiple countries or if a boutique firm with deep but specialized knowledge is more important.

2 – Find the Right People. Beyond merely reading the bios on a website or in a proposal, see if the people used by the integrator have the methodology and tools needed for the size and scope of your project. Don’t neglect looking for what is repeatable from their other assignments that will mesh with the needs and requirements of your specific implementation.

3 – Experience in Your Industry. It is extremely beneficial for the integrator to have handled successful projects in your industry or sector, or in businesses close enough to what you do to have acquired transferrable knowledge. When reviewing proposals, look hard for challenging projects they’ve handled and how they dealt with unexpected problems when the implementation project required changes.

4 – Depth of Their Resources. A deep reservoir of reserve talent is important but this is available to many integrators, not simply the large entities such as Accenture. While you need to know the strength of the bench, also ask how often and for what tasks the integrator brings in third-party subcontractors, and what access you’ll have both to staff working on the project day-to-day and to upper echelon executives when you have a question or concern. Finally, make sure that there’s a good cultural fit between the integrator and your organization.

5 – Approach to ERP Implementation. Different integrators take different approaches to their assignments. Whether your integration will be done by a dedicated, full-time team or by part-time resources depends partly on the size of your project. More important are things such as including a change management package, using a certified Project Manager through the implementation, having an industry-specific model to drive key metrics, providing critical reports during the process, and your participation in the design, data conversion and integration phases.

6 – Post-Implementation Support. Frequently, this is overlooked, yet post-implementation problems can result in production downtime, accounting or payroll issues and problems with day-to-day business operations. Know how many people will provide support after “go live” and whether they’re in-house or contract personnel. What kind of ongoing information will be provided about performance data? The appropriate service level then needs to be negotiated and written into the contract with the integrator.

Key Differences in Integrators
A simple fact-of-life is that not all integrators are created equal, and some are less equal than others.

An effective way to choose an integrator is to employ an outside consultant to help you create an RFP, weigh the various proposals and sit at the table asking hard questions as you interview finalists.

If you want some referrals to the better consultants and integrators, feel free to contact us. We’ll be pleased to point you in the right direction.

Offer and Acceptance . . . by Inquiry Notice. This is not a traditional understanding of contract law, but then again, internet sites do not always provide traditional contracts. Recently, a district court cited 9th Circuit precedent in deciding that because an online user had “at least inquiry notice of his need to comply with the Terms in using the website, and he continued to use the site knowing he was bound by the Terms, the user accepted the Terms by using the site.” Gutierrez v. FriendFinder Networks Inc., No. 18-CV-05918-BLF, 2019 WL 1974900, at *8 (N.D. Cal. May 3, 2019).

With ever-increasing internet usage rates, online contracts are becoming more and more commonplace; consequently, it is more important than ever for webpage providers and consumers alike to understand the basics (and the complexities) of online contract law. As the court explained in Gutierrez, contracts formed on the internet can usually be described as either clickwrap or browsewrap agreements:

“clickwrap” (or “click-through”) agreements, [are agreements] in which website users are required to click on an “I agree” box after being presented with a list of terms and conditions of use; and “browsewrap” agreements, [are agreements] where a website’s terms and conditions of use are generally posted on the website via a hyperlink at the bottom of the screen … Unlike a clickwrap agreement, a browsewrap agreement does not require the user to manifest assent to the terms and conditions expressly … a party instead gives his assent simply by using the website … The defining feature of browsewrap agreements is that the user can continue to use the website or its services without visiting the page hosting the browsewrap agreement or even knowing that such a webpage exists.

Id. at *4 (citing Nguyen v. Barnes & Noble Inc., 763 F.3d 1175-76, 1177 (9th Cir. 2014)). The 9th Circuit, in Nguyen, noted that courts are generally reluctant to enforce browsewrap agreements against individual consumers, but courts are more inclined to do so when a website contains “an explicit textual notice” that continued use of the website will suffice as intent to be bound. Id. at 1176. Thus the “Inquiry Notice” theory.

In Gutierrez v. FriendFinder Networks Inc., the plaintiff was banned from at least a portion of the FriendFinder website. A FriendFinder customer service representative informed the plaintiff that he had been banned because he violated the Terms of the website, which he needed to follow when using the website. The plaintiff responded “Yeah I know,” but allegedly still did not read the Terms. See Gutierrez, 2019 WL 1974900 at *8. The court reasoned that a “failure to read [the Terms], despite knowing he was bound by them, cannot absolve [a party] of his need to comply with them.” Id. Thus, mere knowledge that a website’s Terms were posted in a browsewrap-fashion and a user’s continued use of the website with the understanding that he was bound by the Terms, was enough to show that the user accepted the website’s terms of use because he had “Inquiry Notice” of the terms of use. Id.

One could argue that the Inquiry Notice theory is merely a “well-advertised browsewrap” standard, and that Gutierrez v. FriendFinder Networks Inc. opens the door to online users being bound by a website’s Terms without seeing or acknowledging that they have read the Terms. Take, for example, the following hypothetical webpage:

Following the Gutierrez court’s interpretation of Nguyen v. Barnes & Noble Inc., the hypothetical webpage above might be sufficient to bind the user to the Terms of Use, because the webpage (i) provides “explicit textual notice that continued use will act as a manifestation of the user’s intent to be bound,” and (ii) the Terms are “readily available to [an individual user of] the website, such that his failure to read them, despite knowing he was bound by them, cannot absolve him of his need to comply with them.” Id. at *7. Thus, the hypothetical webpage above could bind the user by nothing more than a well-advertised browsewrap agreement.

Companies with an online presence should be wary of the decision in Gutierrez and wary of browsewrap agreements in general, but especially of those drafted in an incomplete manner. While the Northern District of California decided that an Inquiry Notice standard was enough to show a user’s acceptance of the Terms, the court did so with a tight fact pattern and a loose interpretation of the 9th Circuit’s decision in Nguyen v. Barnes & Noble Inc. In Nguyen v. Barnes & Noble Inc., the 9th Circuit cited cases favorable to an Inquiry Notice standard only where the cases included an online user who indicated they “read and agreed to” the terms of use. Nguyen, 763 F.3d at 1177. Thus, if companies with an online presence choose to use a browsewrap agreement, it is still advisable to ensure that the individual user has both “read and agreed” to the terms of use.

Taft partner Marcus Harris will be a keynote speaker at the Digital Stratosphere event August 7-9, at Thompson Chicago Hotel. Digital Stratosphere is the premier independent educational and peer networking event for organizations about to embark on a digital transformation or ERP/CRM/HCM implementation.

This is a premier event with limited seating. This is an opportunity to jumpstart your digital transformation initiatives. It will provide the best practices and lessons required to make your digital transformation more successful.

This event is designed for CIOs, CFOs, project team members, software vendors, consultants, and others that are involved in digital transformation and ERP projects. Use the promo code HARRIS20 by July 15 to receive 20% off your registration. When you register one team member, others from your team will receive 50% off. Visit the Stratosphere event page to register or learn more.

The U.S. government no longer has the authority to bar federal trademark registration for words or symbols that it determines to be immoral, obscene, vulgar or profane. On Monday, June 24, 2019, the U.S. Supreme Court (the Court) struck down a longstanding federal prohibition on the registration of “immoral or scandalous” trademarks, holding that such a prohibition violates the First Amendment right to free expression.

By a vote of 6-3, the Court found in favor of Erik Brunetti, the founder of the clothing line brand FUCT. In 2011, Brunetti sought federal registration of the trademark FUCT. The U.S. Patent and Trademark Office (USPTO) denied his application under Section 1052(a) of the Lanham Act, which prohibits registration of trademarks that consist of or comprise “immoral[] or scandalous matter.” 15 U.S.C. § 1052(a). After the USPTO Trademark Trial and Appeal Board agreed with the USPTO’s decision, Brunetti brought the case to the U.S. Court of Appeals for the Federal Circuit, which found that the “immoral or scandalous” bar violated the First Amendment.

In its decision on Monday, the Court referenced its 2017 decision, Matal v. Tam, 582 U. S. ___ (2017). In Matal v. Tam, the Court invalidated the Lanham Act’s bar on registration of trademarks that “disparage[d]” a “person[], living or dead,” holding that the “disparaging” bar violated the First Amendment because it discriminated on the basis of viewpoint.

Justice Kagan delivered Monday’s opinion on behalf of the Court, making it clear that the 2017 decision served as precedent and that refusing to register a trademark because it might offend people was viewpoint discrimination. Justice Kagan stated that the prohibition of “immoral or scandalous” trademarks “infringes the First Amendment for the same reason: It too disfavors certain ideas.” The Court’s opinion states:

[T]he Lanham Act allows registration of marks when their messages accord with, but not when their messages defy, society’s sense of decency or propriety. Put the [terms “immoral” and “scandalous”] together and the statute, on its face, distinguishes between two opposed sets of ideas: those aligned with conventional moral standards and those hostile to them; those inducing societal nods of approval and those provoking offense and condemnation. The statute favors the former, and disfavors the latter. “Love rules”? “Always be good”? Registration follows. “Hate rules”? “Always be cruel”? Not according to the Lanham Act’s “immoral or scandalous” bar.

While all nine justices agreed with Justice Kagan that the prohibition on “immoral” trademarks violated the First Amendment, three justices dissented by stating that the “scandalous” prohibition should have been upheld. The dissenting justices stated that the “scandalous” portion of the provision is susceptible to a narrowing construction, and that the term “scandalous” can be read more narrowly to bar only marks that offend because of their mode of expression (i.e., marks that are obscene, vulgar or profane), not because of the ideas that they convey.

The Court is empowered to narrowly interpret statutes so as to avoid striking them down as unconstitutional. However, Justice Kagan stated that such a narrow construction could not be applied to the “scandalous” provision:

The “immoral or scandalous” bar does not draw the line at lewd, sexually explicit, or profane marks. Nor does it refer only to marks whose “mode of expression,” independent of viewpoint, is particularly offensive. To cut the statute off where the Government urges is not to interpret the statute Congress enacted, but to fashion a new one.

While the ban on all “immoral” and “scandalous” trademarks is now unconstitutional, the justices suggested in both the majority and dissenting opinions that the Court may uphold Congress’ enactment of a narrower prohibition on “modes of expression” that are obscene, vulgar or profane. As Justice Alito wrote, “… [W]e are not legislators and cannot substitute a new statute for the one now in force.” Nonetheless, “Our decision does not prevent Congress from adopting a more carefully focused statute that precludes the registration of marks containing vulgar terms that play no real part in the expression of ideas.”

Only time will tell whether Congress will work to implement a narrower prohibition against registration of obscene, vulgar or profane marks. Until then, it will be interesting to see how the Court’s decision affects the landscape of new trademark filings.

About 20 years ago, commercials for a food product used the tag line “It’s not nice to fool Mother Nature.” By mid-June, 2019, the line was adaptable to warn, “It’s not nice for a software vendor to fool a state government.”

In yet another example of a software vendor’s sales team overpromising and underdelivering with the result costing the State of Maryland millions of dollars, IBM and its subsidiary Curam Software shelled out nearly $15-million to settle a lawsuit over the botched website the defendants were hired to build for the health department’s insurance exchange under the Affordable Care Act (ACA).

In its lawsuit filed in federal court, the state alleged that Curam misrepresented the development status for a software package it developed to meet the requirements of ACA, and that it could not accurately determine an applicant’s eligibility, calculate tax credits provided under the law nor meet other technical aspects spelled out in Maryland’s original RFP and contract with the vendor.

Finally, in something we often see in lawsuits over the failure of ERP software systems, the state could not integrate the Curam software with other key components of its insurance exchange website.

Cause and Effects

After seeing a demonstration of Curam’s software in January, 2012, Maryland awarded it and Noridian a five-year contract to build the website for $193-million. But when the site launched in October 2013, it immediately crashed. Worse, trying to bring the site back online created other issues which forced people to complete and mail paper applications.

Noridian paid Maryland $45-million in 2015 to settle its involvement in the state’s action.

Maryland officials blamed Curam for lost applications which threatened its eligibility for federal funds and may have caused some people to lose their tax credit eligibility. The state canceled the contract in 2014 and adapted Connecticut’s exchange software in time for ACA’s second open enrollment later that year.

We were not involved in any aspect of Maryland’s dispute with IBM, Curam or Noridian. But the cause-and-effect of the failed digital transformation is all too familiar to us as attorneys who have negotiated, drafted and litigated countless similar situations, often in the realm of ERP software systems.

Common Thread

There is a common thread that seems to run through every situation involving a failed digital transformation.

1 – Don’t rely on sales representations. It appears as if the decision-makers for the Maryland project accepted at face value what IBM, Curam and Noridian wrote in their sales material and response to the state’s RFP. This never is very wise. The vendor’s goal is to make a sale and this isn’t the first time we’ve worked with a client who was led astray by promises that couldn’t be kept.

2 – Ask detailed questions. For example, when being shown a product demonstration, find out where it is being used in real time by an organization similar to yours. What issues arose and how were they addressed? How much of the work will be outsourced to third parties and what is their experience and expertise with both the system and the type of business you are in? Each organization will have its own unique questions and they must be asked – and answered satisfactorily.

3 – Ensure that the contract is very detailed. Every digital transformation project is a large undertaking. The vendor and integrator have one goal: Make the sale. The contract they shove across the table for a user to sign is always one-sided in the vendor’s favor. To minimize the risks inherent in such a large project, the contract has to detail everybody’s responsibility and accountability. We don’t know what the Maryland-IBM contract looked like but it’s a safe guess that a lot was left to chance.

4 – Use a third-party consultant. The larger an organization the less likely senior management is going to have the time to pay close attention to the project’s details as it unfolds. An outside consultant who knows the goal of the project, how vendors and integrators work, and can ride shotgun throughout is a cheap investment to ensure things go smoothly – and who can jump in to liaise with top management when an issue arises.

Planning is Paramount

These steps need to be planned for and taken prior to when the sales people arrive and open their sample case of jellies and jams. In fact, most of the failed ERP software system projects we have seen started going sour long before the first line of code ever was written.

If your organization is planning a major digital transformation, we can refer you to consultants and other entities who can greatly increase the odds of the project being a success. Feel free to call and we’ll be happy to point you in the right direction.

The Supreme Court of the United States has granted certiorari in Georgia et al. v. Public.Resource.Org, Inc., case number 18-1150, to address whether state statutory codes, including annotations, are protectable by copyright.

In October 2018, the 11th Circuit held that the annotations, while not having the force of law, were sufficiently law-like to be regarded as sovereign works constructively authored by the People, and thus were not copyrightable. Code Revision Comm’n for Gen. Assembly of Georgia v. Public.Resource.Org, Inc., 906 F.3d 1229 (11th Cir. 2018), cert. granted sub nom. Georgia v. Public.Resource.Org, Inc. (U.S. June 24, 2019).

As the court indicated, copyright interests vest in the author of the work. Id. at 1232. In most states, the official code is comprised of statutory text alone, which cannot be copyrighted because, though the legislature drafted the statutory text, it did so only as an expression of the public—the true author of the work. Id. Conversely, annotations created by a private party generally can be copyrighted because the annotations are an original work authored by a private publisher. Id. The annotations in the Official Code of Georgia Annotated (OCGA) are not exactly like either of these two types of works; they are published by the LexisNexis Group, but under the supervision and ultimate editorial control of the Code Revision Commission (CRC) comprised of Georgia government officials. The identity of those who drafted the OCGA, the authoritativeness of the work and the process by which the work was created ultimately led the 11th Circuit to its decision that the OCGA was constructively authored by the public, and therefore uncopyrightable.

The petitioner for certiorari, the CRC on behalf of the General Assembly of Georgia and the state of Georgia, asked the Supreme Court to review whether the OCGA may be copyrighted by the state of Georgia. The respondent, Public.Resource.Org (PRO), is a non-profit organization with a mission of improving public access to government records and primary legal materials. Although PRO was successful at the circuit level, it also filed a brief in support of the CRC’s petition for Writ of Certiorari.

With its brief in support of the petition, PRO has doubled down. While PRO’s victory at the 11th Circuit mitigated the risk of copyright infringement in Georgia and other states in the 11th Circuit, PRO is now gambling in an effort to protect potential copyright infringers in other states as well. By encouraging the Supreme Court to make the 11th Circuit’s decision the law of the land, PRO could extend its victory to exempt all states’ statutory codes and annotations from copyright protection.

Regardless of the Supreme Court’s decision, this case will have a significant impact on free, public access to the law and the states’ ability to profit from their commentary on the law. By affirming the 11th Circuit’s decision, the Supreme Court has the opportunity to provide real, meaningful access to the law and to legislators’ counsel on how to interpret the law. While many large firms have the luxury of commercial databases and online libraries to access the annotated state statutes, it is small firms, solo practitioners and the legal education community that stand to meaningfully benefit from a decision by the Court to curtail copyright ownership in published state law.

Law360 published an article recently with the title, “DoD Official Says Cyber is an Allowable Contractor Cost.” The article states that the U.S. Department of Defense (DoD) will allow defense contractors to treat the costs of bringing their cybersecurity programs in line with DoD requirements as an allowable cost and, therefore, reimbursable. Specifically, at the June 14, 2019 Professional Services Council’s Federal Acquisition Conference, DoD special assistant for cybersecurity Katie Arrington said, “security is an allowable cost.”

Further, Law360 reported that in May, DoD said it was developing a “Cybersecurity Maturity Model Certification” (CMMC) program to build on the Defense Federal Acquisition Regulation Supplement regulation (DFARS § 252.204-7012(b)(2)) that requires defense contractors to implement the security controls in the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-171. The security controls are intended to protect covered defense information on nonfederal systems. DoD said the CMMC will require defense contractors to get third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains.

Arrington told the conference attendees that the CMMC will be developed by DoD working in conjunction with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University Software Engineering Institute. The goal is to develop one unified standard for cybersecurity. This standard will include five different levels of required cybersecurity protections, from a level one of “basic hygiene,” which will be cheap and straightforward enough that a small business could meet it, to level five for “state-of-the-art” protections. Arrington said that DoD has planned 12 related industry days across the United States in July and August to work in a collaborative manner with defense contractors to improve cybersecurity practices in the CMMC plan. Acknowledgments to Daniel Wilson and Law360 for reporting these developments.

As always, the devil is in the details. Will DoD’s recognition of cybersecurity costs as allowable mean that contractors will be able to treat their recent security costs as allowable? Defense contractors have had to prepare to comply with DoD’s cybersecurity requirements for the past four years as the regulation was noticed in 2015 and implementation was required no later than Dec. 31, 2017. Or, will DoD limit allowability to only the cost incurred to meet the requirements of the new CMMC program?

The original answers to frequently asked questions said that contractors would be required to self-certify their compliance with the DFARS regulation. The Under Secretary of Defense for Acquisition, Tech and Logistics previously stated in response to the question, “Is a 3rd Party assessment of compliance required?”

… The rule does not require “certification” of any kind, either for DoD or Federal contractors. Nor will DoD give any credence to 3rd party assessments or certifications – by signing the contract, the contractor agrees to comply with the terms of the contract. It is up to the contractor to determine that their systems meet the requirements….

Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) Regarding the Implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 230.76 and PGI Subpart 239.76, Q25.

Given the uncertainty that many contractors had with meeting their obligations under NIST SP 800-171, it is good to see that third-party certifications will be required and that the cost for third-party audits will at least be allowable. Finally, one cautionary note – the establishment of various levels may give rise to pre-award protests as defense contractors challenge whether a particular contract merits a particular level of CMMC protection or post-award protests if the level is unspecified and competitors challenge whether the awardee’s level of CMMC protection is sufficient.