What, Why, When, Who, Where, and How – Understanding the DCMA CPSR process as it exists today and what your organization needs to know and expect is paramount. So, what is a CPSR?
Some of the salient questions this document is intended to answer includes:
For any organization thinking about the prospects of a Contractor Purchasing System Review (CPSR), some of the basic questions must be answered so your organization can feel confident about what it needs to know pertaining to CPSRs conducted by the Defense Contract Management Agency (DCMA). Having the foundational knowledge and insights will propel your organization in their CPSR compliance maturation process and enable effective preparation for and navigation through the DCMA CPSR process, with the objective of earning a DCMA approved purchasing system determination.
That question – What is a CPSR – has several layers. First, a CPSR, occasionally referred to by some as a “CPSR Audit” or “CPSR Review”, is a regulatorily established activity performed by the U.S. Government. Specifically, Federal Acquisition Regulation (FAR)Subpart 44.3, codifies the CPSR in the federal regulation. That means that contractors doing business with federal civilian agencies exclusively can be and are subjected to CPSRs – all agencies require contractors to maintain government approved purchasing systems in theory.
Does the FAR answer the question – What is a CPSR? Yes. FAR Subpart 44.1 defines the CPSR as “the complete evaluation of a contractor's purchasing of material and services, subcontracting, and subcontract management from development of the requirement through completion of subcontract performance.”We need to pause – that FAR Part 44 definition requires an understanding of two other key terms from the same FAR Subpart 44.1 as well as the definition of a “Purchasing System” found at Defense Federal Acquisition Regulation Supplement (DFARS) 252.244-7001:
Moreover, FAR 44.301 establishes the “objective” of the CPSR, at least from the regulatory rule-maker’s perspective. That is, FAR 44 tells us the CPSR objective is “to evaluate the efficiency and effectiveness with which the contractor spends Government funds and complies with Government policy when subcontracting.” It goes on to point out that the review provides for a decision-point – approval or disapproval of the purchasing system – by the Administrative Contracting Officer (ACO).
However, in practice, especially within the DCMA CPSR construct, the meaning, objective, purpose and focus of the review seems to vary some from that regulatory-based intent. For one, identifying areas the DCMA evaluates for “efficiency” in a CPSR is tenuous at best. So, what is a CPSR in reality?
In layman’s terms, a DCMA CPSR is an adequacy evaluation of certain documented policies, procedures and practices memorialized almost exclusively in procurement file documentation associated with transactions that qualify for a CPSR under FAR Part 44. These artifacts are evaluated, not for mere existence but for adequacy of content, against certain FAR and DFARS requirements. Like any regulation, the FAR and DFARS leaves room for reasonable interpretation and application. However, interpretation can equate to potential compliance risk as reasonable minds can and do differ on interpretations and therefore what is “adequate.” This regulatory and interpretive flexibility is adopted and applied by the DCMA CPSR Group and informs their expectations of your organization – especially, the specific content within your policies, procedures and procurement file documentation.
In short, if FAR 44.301 were to be aligned with the DCMA CPSR of today, the objective may be better described as – “….to evaluate the effectiveness with which the contractor complies in policy, procedure and practice with the applicable statutory, regulatory and contractual requirements in their subcontracting and purchasing activities in support of qualifying U.S. government contracts.”
As noted, FAR 44.301 provides the objective of the CPSR, to include that “The Review provides the administrative contracting officer (ACO) a basis for granting, withholding or withdrawing approval of the contractor’s purchasing system.” That is, the review affords the ACO with the opportunity to approve the purchasing system. However, there is a deeper reason “why” the Government performs these CPSRs – it is to protect itself and the American taxpayer.
Government contracting is a high-stakes, high-risk and high-reward industry. All CPSR qualifying contracts are FAR-based procurement contracts. And we all know where the executive agencies that award these FAR-based contracts receive their budgets as well as where those appropriated funds are ultimately derived from – the U.S. taxpayer. As such, the CPSR is a protective measure. A prophylactic tool. An instrument, among others, to be used by the Government to protect against waste, fraud and abuse within the supply chain. More optimistically, it helps ensure (and assure civil servants leading these executive agencies as well as our elected federal officials) that contractors are acting responsibly and in the best interests of the Government when buying goods and services in support of the Government’s programs.
Now we have two questions answered – What is the CPSR? Why do CPSRs occur? But when can my organization expect a CPSR?
There are several layers to that question. First, this pulls in CPSR eligibility – when does a company trigger a CPSR? Second, this brings up the CPSR cadence a contractor could expect year-over-year.
Let’s start with CPSR eligibility. FAR 44.302is our guiding regulatory reference point and outlines some key takeaways:
In short, and which seems to be a common misconception, FAR Part 44 (and DFARS 244) does not limit the Government from performing a CPSR based on a dollar level ($25M or $50M). In other words, be cautious in viewing the $25M/$50M as a CPSR eligibility threshold. Rather, FAR Part 44 makes it clear that the ACO shall determine the need for a CPSR once a contractor’s projected qualifying sales will exceed that amount – not that the ACO is restricted from determining the need for a CPSR if the contractor’s projected qualifying sales will not exceed that amount. Yes, that means even small businesses may be subjected to the DCMA CPSR.
Moving beyond the CPSR eligibility equation, when does the DCMA CPSR occur? As background, there are four types of DCMA CPSRs: (1) Initial; (2) Comprehensive; (3) Follow-up; and (4) Special. Once the ACO determines the need for a CPSR and that contractor has never been reviewed under FAR Part 44 before (e.g., that CAGE code’s first CPSR), then that first CPSR is the “Initial” type. Once the contractor clears that Initial CPSR and ultimately secures an approved purchasing system determination from the ACO, then the contractor should expect the next CPSR – the “Comprehensive” type – to occur within three-to-five years and then subsequently in every three-to-five-year cycle prospectively. However, anecdotally, there is a trend across industry that most Comprehensive CPSRs are occurring much closer to a three-year cadence. As alluded to above, that is at least partly due to FAR 44.302(b) which requires the ACO to determine the need for a CPSR every three years.
The “Follow-Up” and “Special” CPSRs are generally much less common. The primary reason is because, with those CPSR types, the Government has essentially determined something highly problematic exists or is suspected to exist in your purchasing system. The Follow-Up CPSR is reserved for those instances when the contractor’s Initial or Comprehensive CPSR results in a disapproved purchasing system determination. The Special CPSR is reserved – or is supposed to be reserved – for an even more catastrophic necessity.
Now we have three questions answered – What is the CPSR? Why do CPSRs occur? When can my organization expect a CPSR? Now, let’s understand who is going to perform it?
Under FAR Part 44, the Government performs the CPSR. Not an accounting firm. Not your consulting firm. Not your internal audit department. As noted above, the CPSR provides the basis for an ACO decision – approval or disapproval of the purchasing system. In accordance with FAR 44.302(b), the CPSR is to be performed by the cognizant government contract administration office.
With that said, there are no regulatory restrictions on a federal agency from “outsourcing” the CPSR to a non-governmental entity per se. Moreover, some federal agencies utilize a hybrid model – a combination of government employees and contractors – to perform CPSRs. One example of that are Department of Energy M&O contractors. Those contractors are subject to “Procurement Evaluation and Re-Engineering Teams” which is the CPSR equivalent (although a very different equivalent in scope, expectation and risk) for those contractors that operate the National Laboratories. Other federal agencies or departments may even have a “CPSR expert” of sorts in house – such as the Office of Naval Research – or even local contract management offices may too.
However, for most federal contractors, at least those who hold one or more contracts with DoD, their experience has been and/or will be with the DCMA CPSR Group. That is because no other federal agency or department employs a team of full-time CPSR analysts, and in DCMA’s case, dozens of dedicated CPSR analysts are within the CPSR Group. The DCMA CPSR Group is comprised of the DoD’s functional specialists on purchasing system compliance. They are a single-purpose group of over 40 government employees – that singular purpose being all things CPSR. In fact, civilian agencies can and do utilize the services of the DCMA CPSR Group in performing reviews of their contractors’ purchasing systems.
That’s been a fairly straightforward answer since early in 2020. As of March 2020 (COVID pandemic), all available information points to DCMA performing their purchasing system reviews in a purely remote (or “virtual”) manner through October 2022. If and when in-person CPSRs will resume in full swing, as had been the practice pre-COVID, is an unknown at this time. We do understand DCMA is conducting at least one hybrid CPSR – one week in-person and one week virtual – going into December 2022 and has scheduled at least one in-person review in early 2023.
A virtual CPSR means that every step in the DCMA’s process occurs in a digital world and which seem to result in a much more impersonal experience with less collaborative discourse between the Government and contractor personnel involved. Some of the common technologies DCMA and the contractors use are of no surprise – Microsoft Office suite applications (e.g., Word, Excel, Outlook), DoD SAFE Site or contractor-specified file transmission protocols for large data sharing purposes, Microsoft Teams or other video conferencing platform for meetings, etc. The human connection and collaborative opportunities that arise when co-located with your government counterparts ceases (at least largely) to exist in today’s CPSR virtual environment.
A DCMA CPSR – the Initial and Comprehensive type – are performed in three phases. Summarily, these three phases encapsulate the following:
Once the contractor is scheduled for the CPSR, the DCMA CPSR Group issues a series of data calls and questionnaires. These include, without limitation, the “DCMA CPSR Policies and Procedures Checklist” and “PO Universe.” The DCMA CPSR procurement analyst assigned to your review as the “lead” will process and analyze your incoming data and records, including your policies, procedures and terms and conditions. Please see upcoming thought leadership from Capital Edge regarding the details and expectations of the Pre-CPSR Phase.
The DCMA CPSR Group schedules CPSRs – at the least the Initial and Comprehensive types – for a for two-week period. The major activities during that period where the Government and contractor personnel verbally engage are the entrance briefing, “daily debriefs” and exit briefing. Otherwise, the DCMA CPSR team is nose down assessing a sample of procurement files for adequacy.
As those file reviews are occurring, the DCMA team may and do often have questions, many of which are a clear inference that they believe the contractor violated a statutory, regulatory or contractual requirement. Those file-specific questions are communicated in writing via email. The contractor then has 24 hours to respond in writing. All available information suggests that the contractor should expect somewhere in the 150-220 range of specific written questions (file-specific and the general questionnaire type) during that two-week review.
The vast predominance of risk to the approvability of any purchasing system are the contents of those procurement files reviewed by the DCMA CPSR team. Why is that? Because violations of applicable statutory, regulatory and contractual requirements occur, nearly exclusively, in practice, and practice is memorialized in the procurement files.
Once the exit briefing occurs, the review is officially completed and the parties transition into the next phase of this process. If the DCMA CPSR Group did not find one or more deficiencies in the purchasing system, then the DCMA CPSR Group writes, finalizes and issues the DCMA CPSR Report to the ACO who then has 10 days to issue a final determination to your organization – a purchasing system approval.
If the DCMA CPSR Group did detect one or more deficiencies, then the next phase of the process is triggered once the DCMA Corrective Action Request is received by the contractor. That DCMA Corrective Action Request is to be issued to the contractor within three business days after the exit briefing, although, anecdotally, the trend seems to be issuance of the Corrective Action Request within in a matter of hours after the exit briefing. The contractor then has 30 calendar days to develop and submit a Corrective Action Plan to address each deficiency cited in the Corrective Action Request. Please see upcoming thought leadership from Capital Edge regarding the details and expectations of the Post-CPSR Process.
For more information about and insights into the DCMA CPSR process, stay tuned for upcoming thought leadership pieces from Capital Edge pertaining to the pre-CPSR “data calls” DCMA will require of your organization and the post-CPSR process that DCMA implemented in April 2021.
Capital Edge Consulting is a professional services company comprised of adept problem solvers who deliver tangible results to address today’s most complex U.S. government contracting challenges. Capital Edge helps clients address the challenging regulatory, contractual, and compliance requirements of U.S. federal contracts and we have experience working with a wide variety of industries that provide goods or services to the federal government including industries such as biotech and healthcare, nuclear energy, education, information technology, non-profit, professional services, defense, and software.
Capital Edge government contract consultants support Government Contractors and Federal Grant Recipients. Our consultants specialize in the regulatory compliance matters you need.
8200 Greensboro Dr #1400
McLean, VA 22102