On October 5, the Information Security Oversight Office (ISOO) issued a joint notice (Joint Notice) with the Small Business Association (SBA) and in coordination with the Department of Defense (DOD) clarifying that the Cognizant Security Agency (CSA) is responsible for determining which entities are required to hold an Entity Eligibility Determination (EED), also known as a Facility Clearance (FCL), and providing specific guidance as to which entities must possess EED in different scenarios.
This comes after an SBA rule and Government Accountability Office (GAO) decision created confusion as to whether the joint venture (JV) itself needed to hold an EED or whether the individual entities must.
On October 16, 2020, the SBA issued a rule that made significant changes to its regulations concerning small business contracting. In addition to consolidating the 8(a) and All Small Mentor-Protégé programs and eliminating the three-in-two rule, it permitted the award of a contract to a JV "where either the joint venture itself or the individual partner(s) to the joint venture that will perform the necessary security work has (have) a facility clearance."
Following the issuance of the rule, on August 27, 2021, the GAO found that the 2020 National
Defense Authorization Act (NDAA) "clearly and unambiguously prohibits DOD agencies . . . from issuing solicitations that require a joint venture, rather than the members of the joint venture, hold the required facility clearance." The protestor was an unpopulated mentor-protégé JV where both members possessed the required FCL. GAO relied on three statutes and regulations to justify its holding: Section 644 of the Small Business Act, Section 1629 of the 2020 NDAA, and the SBA's implementing regulations at 13 CFR § 121.103(h)(4).
The 2020 NDAA language arose from a Congressional fear that SBA JVs, many in the Mentor-Protégé Program, cannot obtain a facility clearance prior to submitting a proposal as EEDs can only be issued when a contractor has a need to access classified information. To address that concern, Congress prohibited the DOD from requiring a JV to have an EED if both members of the JV possessed a clearance.
The Joint Notice explains that GAO failed to address the requirements delineated in the National Industrial Security Program (NISP) when applying the SBA rule to the procurement. The notice provides "guidance clarifying how the SBA regulations interact with NISP requirements" in an attempt to reconcile both requirements.
The NISP clearly requires any entity that must access classified information pursuant to a government contract or agreement to first undergo an EED and be cleared before performing on the classified contract. The Joint Notice clarifies that this includes JVs and any partners to the JVs. Further, the guidance confirms that "an entity must be legally organized and existing in the U.S. to be eligible for an EED."
The Joint Notice clarified that a JV formed as separate legal entities may be awarded a classified contract and may hold an EED itself, however, it is not required to hold an EED upon award.
However, a JV formed "by contract," where there is no separate legal entity, cannot be awarded a classified contract as it cannot hold an EED. Instead, the JV's members will be directly awarded the classified contract and must possess the requisite EED. These JVs are called "unpopulated," meaning they do not employ people who will perform on the classified contract.
Ultimately, the NISP CSA has the responsibility to determine which entities involved with a JV must obtain an EED after assessing the JV business structure. The NISP requirement at 32 CFR 2004.32(a)(1) states: "when determin[ing] whether an entity is eligible for access to classified information . . . the CSA must consider all information relevant to assessing whether the entity's access poses an unacceptable risk to national security interests."
The guidance provides helpful instructions as to how contractors submitting proposals as JVs should approach obtaining an EED. These clarified requirements mark a change from prior CSA practices where any entity (unpopulated or not) that was awarded a classified contract was required to obtain an EED.
In addition, while the ISOO guidance represents a mutual understanding between the SBA and CSAs, contractors should continue to carefully read solicitations to identify contradictions with the guidance's explanations to file a protest prior to the dates submissions are due. The terms of the solicitation must be protested prior to the date of submission for a complaining party to have standing. Lastly, the guidance clearly states that entities must only obtain an EED prior to performing on a classified contract rather than award of the contract. Moreover, the guidance specifies that this is the timing necessary for "any U.S. legal entities," not exclusively JVs.
Overall, the guidance is a welcome clarification of a conflict between two sets of requirements. While the ISOO has clarified the confusing interplay between the small business JV rules and NISP, some questions still remain, including whether the principle applies to non-DOD procurements. We will continue to monitor any developments and keep you updated as they become available.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.