Podcast: FY22 NDAA Cybersecurity Provisions and Acquisition Reform

Dan Sennott: Thank you very much for joining us. I'm Dan Sennott of the National Security Practice Group here at Holland & Knight, and this is the Eyes on Washington podcast. This is another in a series of podcasts we're doing on the National Defense Authorization Act, or NDAA. I'm joined today by two of my partners from the Government Contracts Practice here at Holland & Knight, Eric Crusius and Leila George-Wheeler. Eric, could you tell us a little bit about your practice?

Eric Crusius: Sure. First of all, thanks for having me here. It's a pleasure. And so I'm a government contracts lawyer, so that means I represent government contractors when they interface with the government, help them with compliance issues and help them in legislation such as this, find opportunities, see where the money's going to go from the legislation to eventually to the contractors. So I hope to be as much of a kind of a business partner, as a lawyer and a compliance person for them.

Dan Sennott: Great. And tell us a little bit about your background?

Eric Crusius: So I've been practicing for more than 20 years. It's hard to say that, it's a recognition that I've gotten older, and I've been at Holland & Knight for about five years and been in this space for about 12 years. So it's been an interesting ride and I always say that government contracts lawyers are specialized generalists because we have to do everything. You have employment law that's specific to government contracts. You have real estate that's specific to government contracts. Any kind of corporate or business law area, there is a specific government contracts twist to it. So it makes our jobs really interesting because we have to face something new every day, which I really love.

Dan Sennott: Great. Well, thanks so much for joining us. And we also have with us, Leila George-Wheeler. Hi, Leila. Tell us a little bit about your practice.

Leila George-Wheeler: Sure. Thanks for having me as well. I am also a member of the Government Contracts Group, as you mentioned, and also a member of the White Collar Practice Group here at Holland & Knight. I tend to focus in the area of compliance, specifically with government regulations and avoiding any pitfalls of noncompliance, which can land contractors in potential trouble or at least under scrutiny from the government. My other area of practice is focusing on helping government contractors when they do get inquiries from the government or more serious subpoenas, CIDs things of that nature and focus my practice on government investigations.

Dan Sennott: Great. And how did you come to Holland & Knight, what's a little bit of your background?

Leila George-Wheeler: Sure. So, I've been at Holland & Knight for almost, well, maybe nine and a half, almost 10 years now. And before that, actually, I worked on the Senate Judiciary Committee doing investigations, among other, you know, legislative areas of focus. And so that is a bit about my background.

Key Cybersecurity Provisions in FY22 NDAA

Dan Sennott: Great. Well, thanks so much for joining us, and I'll tell you, today's podcast promises to be a great one. We'll be discussing provisions in the FY22 NDAA related to cybersecurity and acquisition reform. We have intentionally combined these two subject areas because over the last several years we've seen the Department of Defense navigate the ever evolving landscape of all things cyber, including acquisition and management of cyber technologies. So let's go ahead and get started. Eric, there are over 40 provisions in this year's NDAA related to cyber. What are some of the big issues that jump out at you in this year's NDAA? But who's counting, right?

Eric Crusius: It's a lot. It's more than I think I've ever seen before, and there's some kind of what could be seat-changing provisions in there. And it's hard to kind of gauge because sometimes there's a provision that you look at and you're like, 'Wow, this is really important, it's going to be impactful for the next 10 years.' And then it winds up nothing, nobody does anything with it. But, you know, from looking over the NDAA, there's there's a few things I think that really stick out. There's a section, there's one Section 866, which looks at the impact of the CMMC program, the Cybersecurity Maturity Model Certification Program on small businesses. And for the uninitiated, you're about to be initiated on what that is. CMMC is going to require certain DoD contractors to get third party certifications that their cybersecurity systems meet certain thresholds and it's been in the works for a couple of years now. DoD just came out with a 2.0 version of it, which is going to scale back a little bit of the third party requirement that making it a more of a first party self-certification, which I think Leila will be very busy with in the coming years. But you know, there was a lot of concern over the cost to small business of this program. I've long said that DoD just has to look into its couch cushions for the money to fund small business compliance with cybersecurity, let's have a goal of doing that instead of putting the burden on the small business. So anyway, this provision is going to require a duty to look at that impact on small business for the CMMC program. A few others, you know we talk about, where do we see the money flowing, post-NDAA in the coming years. One area, of course, is cybersecurity, and there's a section in the NDAA that talks about looking at cybersecurity products and services on an enterprise-wide a DoD-wide basis and kind of going through a process to figure out which of those products and services are going to be ones that DoD want to use on a large scale instead of having it stovepiped. This is kind of like Viterra, but 3.0 essentially. And the stakes will be higher for contractors. There will be some major winners in this, and there'll be some pretty big losers because, you know, you're not going to have those smaller cybersecurity contracts for products and services. They're going to be much larger contracts. So contractors that are small should look to build relationships with larger contractors, so when these procurements do come out, you know they're in a position where they can support a DoD-wide procurement.

I've long said that DoD just has to look into its couch cushions for the money to fund small business compliance with cybersecurity, let's have a goal of doing that instead of putting the burden on the small business.

Cohesive Acquisition Approach for Software and Innovative Technologies

Dan Sennott: Well, let me peal to those two back because I think those are both really interesting ones. So we've seen DoD struggle to come up with sort of a cohesive acquisition approach on software and other innovative technology. And we see this in this year's bill they're trying to if Congress wants DoD to sort of make order of all these acquisitions that have been done at the service level or sometimes even at the unit level. And then you have software that can't talk to each other and you don't really understand the capabilities of. And so one of the provisions is actually developing a cadre of software development and acquisition experts who kind of understand that environment and then also requiring sort of a central clearinghouse, if you will, to help DoD understand what's being acquired by the other services. Does that it kind of encapsulate some of the approach that they're taking?

Eric Crusius: Yes. And I think it's a really good idea because, you know, maybe 15, 20 years ago, this was something that most lay people could understand. But the software, especially when you're doing cybersecurity issues, has become so sophisticated and so specialized that, you know, just a generalist at DoD can't really grasp whether this is the right direction to go or not. You know, they'll hear that from the contractor, of course, because the contractor is trying to tell them that and in good faith, I assume. But that doesn't mean that's the right solution for DoD. So having those experts in-house will really, I think, help DoD kind of prioritize and look at things from a broader perspective because there may be a specific issue that impacts one part of DoD, but it may be different in a different part of DoD. But having those cadre of experts that can have kind of a broad based view of things I think will help DoD make smart decisions.

The software, especially when you're doing cybersecurity issues, has become so sophisticated and so specialized that, you know, just a generalist at DoD can't really grasp whether this is the right direction to go or not.

Cybersecurity Maturity Model Certification Program (CMMC) Implementation

Dan Sennott: That's great. And then let's look back to CMMC, which is kind of, as you know, folks have a love hate relationship with CMMC. Obviously the goals behind it are important goals right, to increase cybersecurity. In terms of implementation, what have been the major obstacles you talked about a few of them as far as small businesses are concerned. But in general, what do you see as the major obstacles to implementation of this?

Eric Crusius: So there are a lot of contractors that are going to have to get third party certifications. It's not just the private contractors doing business with the government, it's all the contractors and their supply chain, even if they have no direct link to the federal government except for commercial off the shelf product providers. So you might go down a dozen contractors deep before you hit a cost provider, and a lot of those contracts are going to require a third party certification. So you're talking potentially hundreds of thousands of contractors and that need a third party certification. Right now, there are just a handful of third party certifiers, and that's really been a roadblock for the implementation of CMMC because you know, the line to get a certification that is going to be tremendously long, it's could be years if you only have a handful of folks who can do these certifications because they're not a small feat. When you're talking about anything but the most basic level, it's a multi-day process. You know, it's going to be tough to get on those schedules to kind of make sure that the contractors that DoD needs get those certifications. I think that's the biggest kind of the biggest roadblock. And of course, there's the regulatory process, which is still playing out. We had a final interim rule. DoD took a slightly different tact on how they want to do CMMC, so they haven't withdrawn that rule. But I'm sure we'll see another one replacing it or something substituting it in the next few months. And then there'll be at least a 60 day comment period before they go and take in those comments and decide on the final regulations. So there's a little bit of time. But besides that, when you're looking at procurements, DoD is prioritizing, in some instances, cybersecurity. So if you have a CMMC certification, it may not be required because they can't. require it in your contract, but they could say, what's your cybersecurity prowess, as a technical review. And if you have a CMMC certification, maybe they get you an outstanding, but anything less is not outstanding, unless you could show the equivalency. So even without the regulatory requirement of CMMC, I think a lot of contractors are going to be rushing to get those certifications because they'll achieve a higher technical rating when those things are put in to a solicitation.

Right now, there are just a handful of third party certifiers, and that's really been a roadblock for the implementation of CMMC because you know, the line to get a certification that is going to be tremendously long, it's could be years if you only have a handful of folks who can do these certifications because they're not a small feat.

Dan Sennott: Do you see this being adopted by other agencies within the federal government?

Eric Crusius: I think so. I think one of the things that DoD did when they brought out this new version of CMMC was to kind of peel back the bespoke DoD requirements, and they're just relying on the NIST's special publication 800-171, NIST meaning National Institute of Standards and Technology. We love using acronyms here in D.C., I always joke that D.C., of course, is an acronym itself. But because of NIST's 800-171 has kind of broad based appeal, it's used throughout the federal government. I think DoD removing those DoD specific requirements and just relying on NIST 800-171 is a signal I think that other agencies are going to pick this up.

Dan Sennott: And shameless plug for Eric Crusius and his practice. Nobody I know knows more about CMMC than Eric, and that's been a big part of your practice in the last couple of years.

Eric Crusius: Yes, it's been, I mean, the thing that's interesting about it is that it's going to impact probably every contractor that does business with the federal government at some point in the next few years, and there's just not a lot out there about it. So a lot of it's just an education. Educating contractors about what they need to do and when. And I'd like to think, you know, more than a few people since you said that. But you know, it's certainly an interesting road. It's cutting edge, but it's also something when it comes to the nuts and bolts if contractors want to win business from the federal government they're going to have to be compliant with this, and that's what makes it fascinating.

[CMMC] is going to impact probably every contractor that does business with the federal government at some point in the next few years, and there's just not a lot out there about it. So a lot of it's just an education. Educating contractors about what they need to do and when.

False Claims Act: Overview and Current Day Relevance

Dan Sennott: Leila, one of the issues that comes up in a lot of different contexts, including CMMC, and this is one that Eric referenced before Level One certification has now moved to a self-certification requirement. So one of the things that comes up in a lot of different contexts is the False Claims Act. Could you tell our listeners about what the False Claims Act is and a little bit about the practice that you have regarding that?

Leila George-Wheeler: Sure, the Federal False Claims Act is the U.S. government's primary weapon for combating fraud. It imposes liability on any person who knowingly presents or causes to be presented a false or fraudulent claim to the government. And it allows whistleblowers to sue persons or entities that are defrauding the government and recover damages and penalties on the government's behalf. The statute also provides whistleblowers financial rewards as well as job protection against retaliation. And I think CMMC, you know, is an emerging area in particular with the False Claims Act because, you know, in order for contractors to be on the hook for, you know, submitting a false claim, you have to know what the standards are, right? What do you have to comply with? I mean, often there's like an implied certification in contracts where, you know, the contractor certifies that they comply with all laws and regulations, or it can be more specific. There's the actual DFARS provision that requires implementation of the NIST standards or whichever you know you have different standards. But when you're figuring out what, there need to be clear standards that contractors need to comply with in order to be able to certify self-certify that they are compliant with these standards. And then, you know, in order to hold them accountable for that. And I think that the area of whistleblowers who is going to be doing the whistleblowing with regard to CMMC, for example, well, we can assume it would be IT professionals, right? Or, you know, the people actually implementing it, if the contractor certifying that they're complying with certain standards. And then, you know, it turns out that they're not, you know, these are the type of whistleblowers I think that we'll get in this CMMC context. However, what constitutes a violation exactly? You know, there's breaches or there's, you know, cyber attacks happening, especially to large contractors, maybe daily. And so, you know, making sure that you comply with the reporting requirements. I just think there's a lot of, you know, I'd be interested to hear Eric's thoughts, but there's a lot of gray area. And so it's unclear exactly how it's going to be enforced, I think, in the CMMC context.

The Federal False Claims Act is the U.S. government's primary weapon for combating fraud. It imposes liability on any person who knowingly presents or causes to be presented a false or fraudulent claim to the government. And it allows whistleblowers to sue persons or entities that are defrauding the government and recover damages and penalties on the government's behalf.

Dan Sennott: Eric, any thoughts on that?

Eric Crusius: Yeah, I mean, the one issue with, all this is tied, at least for two of the levels to NIST 800-171. And I've heard this concern from contractors that how you kind of implement 800-171, the language in 800-171 is not very specific about how to do it, which is a blessing and a curse. It's a blessing because it gives contractors flexibility. It's a curse because a regulator in the future may disagree how you implemented something with 800-171, even if you had a good faith basis to do it the way you did it, and that could lead to false claims accusations where you need to call Leila up in a hurry because all of a sudden, you know, there's five controls which you've certified are correct, that you are compliant with, and in fact, the DoD is saying you're not compliant with because you have kind of this issue where you have possible inconsistent certifications because contractors who have held control on classified information, and that actually is being addressed in the NDAA also, the contractors who have been holding control of classified information have had to comply with 800-171 for a number of years now. And by taking on these contracts, they've been, as Leila mentioned, there's this implied certification that they're complying with it.

The language in 800-171 is not very specific about how to do it, which is a blessing and a curse. It's a blessing because it gives contractors flexibility. It's a curse because a regulator in the future may disagree how you implemented something with 800-171, even if you had a good faith basis to do it the way you did it, and that could lead to false claims accusations.

Now we have two things that have happened since then, years later. There's a requirement in a new clause that came out November 2020 that requires contractors to enter their compliance with 800-171 into a DoD database. How many of the 110 controls are you compliant with? If you've been taking on these contracts that had the clause in it before and now you're compliant with something less than 110 security controls? That's an inconsistency that DoD can really harp on and look at and decide whether there was there a false certification here? Because, you know, you're saying you're complying with 90 of 110 controls now, but you took this contract on three years ago that you implicitly certify that you're complying with the 110 security controls by doing the work. And now you're undergoing a CMMC certification process where maybe you don't have 110. Maybe that doesn't mesh with the database entry that you did a year before that. So there's a real risk, I think that if DoD has the resources and the wherewithal, they can really kind of exploit this issue and look back at what contractors said a few years ago by taking on these contracts and what they're saying now because there is a difference. It's one thing to have a clause in your contract and you just accept the contract and you perform. It's one of a hundred clauses you may have, but when you have to kind of physically go into a DoD database and check the box, you know, affirmatively, for each of the 110 security controls to get a score, for some reason, psychologically, it's a lot different, even though you're doing the same thing, really. And there have been a lot of contractors who I've talked to, not necessarily clients, but a lot of contractors I've talked to that have said, 'Well, my score is X,' which is not a perfect score, and they've had these contracts for a long time. And I'm concerned for them that if DoD puts the resources behind it, that they're going to have a field day with these contractors.

Enforcement Actions under the Biden Administration: CMMC, False Claims Act and more

Dan Sennott: Well, let's talk a little bit about the current administration, the Biden Administration. Leila, what are you seeing in terms of enforcement, not just CMMC, but in general False Claims Act, any trends that you're seeing in the under the Biden Administration?

Leila George-Wheeler: Sure. So, you know, actually during the initial part of the Biden Administration, and you know, over the four years before that part of it, False Claims Act cases were actually down. And I think part of that has to do with the pandemic. And so also, you know, making sure the right appointees, etc., were all confirmed and in the right places in the Justice Department. But I think we're going to see an uptick, certainly in False Claims Act cases. There's been, you know, some policies that the Biden Administration has implemented that, you know, really welcome whistleblower complaints and, you know, open the door for that and almost encourage it. And I want to note, in October 2021, the DOJ announced a new Civil Cyber Fraud Initiative, where they plan to use the False Claims Act as the tool to pursue cybersecurity fraud by government contractors and grant recipients. So that is a new initiative where it's not just DOJ, but they're coordinating with a number of other agencies, Treasury, you know, IGs at other agencies where they are looking at best practices and how to kind of go after cybersecurity fraud. And they plan to hold accountable entities or individuals that put U.S. information or systems at risk in three ways: knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, which as we you know, Eric mentioned with the affirmatively certifying on the DoD website that could come into play there and then, or three knowingly violating obligations to monitor and report cybersecurity incidents and breaches. And I know, you know, you wanted to talk about more broadly the False Claims Act, but I just wanted to mention that because it's relevant to what we're talking about and a recent cyber fraud initiative that was just started. And I think sometimes it seems a little bit, although it's important, I think, for agencies to be coordinating on in this area, and it seems sometimes that, you know, the U.S. is a little bit behind when it comes to cybersecurity, but it's sometimes it can also seem like it putting the cart before the horse because we're still figuring out what the requirements are, right? And what they mean, and how to implement them. And then there's also this task force that's like already coming in for enforcement. So I definitely think, you know, we're going to continue to see a rise on not just false claims act cases, but whistleblowers in particular.

I think we're going to see an uptick, certainly in False Claims Act cases. There's been, you know, some policies that the Biden Administration has implemented that, you know, really welcome whistleblower complaints and, you know, open the door for that and almost encourage it.

Dan Sennott: Great. Eric, did you want to follow up on that one?

Eric Crusius: Just one thing, really quick. You know, what Leila brings up is a great point. You know, the Cyber Fraud Initiative because it was right around the same time that DoD announced that the most basic cybersecurity compliance requirements will require a self-certification instead of a third-party certification. I don't think that's a coincidence, at all, that when DoD moved a bunch of contractors from requiring a third-party certification to self-certification, they also almost simultaneously announced the Cyber Fraud Initiative that's going to look at how contractors are certifying their cybersecurity compliance. I think it's definitely coordinated.

I don't think that's a coincidence, at all, that when DoD moved a bunch of contractors from requiring a third-party certification to self-certification, they also almost simultaneously announced the Cyber Fraud Initiative that's going to look at how contractors are certifying their cybersecurity compliance. I think it's definitely coordinated.

Acquisition Reform in FY22 NDAA

Dan Sennott: Great observation. Leila, let's transition to Title VIII of the National Defense Authorization Act, which is a personal favorite for a lot of us. That is the acquisition section acquisition policy. And like previous years, there are several provisions dedicated to acquisition reform. What are some of the most interesting to you in the FY22 NDAA?

Leila George-Wheeler: Sure. So there's obviously there's a lot of provisions, but one interesting area is there are several provisions in the bill that highlight Congress's continued interest in commercial technology and nontraditional acquisition methodologies, nontraditional contractors. So, for example, Section 803 permanently authorizes DoD's use of commercial solutions openings or CSOs, to acquire innovative commercial products and services. So that is one interesting provision, and we've seen, I think the CSOs being used by DoD in the area of COVID-19 related procurements. And so this is going to permanently authorize those. These target small businesses and commercial companies and without necessarily the restrictions applicable to FAR-based procurements, so allows more leeway for DoD to get what they need without the restrictions of FAR. And the Senate Armed Services Committee's report explains that the Air Force and the Defense Innovation Unit have successfully used CSOs with commercial firms. There's other I mean, there's others as well that focus on emerging technologies. Section 833 establishes a pilot program to develop and implement unique acquisition mechanisms for emerging technologies. And there's also some that focus on the use of, you know, examining the use of OTAs or other transaction authority agreements at DoD to make recommendations to Congress as to whether that authority should be modified or expanded. So those are some areas focusing on emerging acquisition methodologies, I think or nontraditional.

There are several provisions in the bill that highlight Congress's continued interest in commercial technology and nontraditional acquisition methodologies, nontraditional contractors.

Insight on Repeal of Preference for Fixed Price Contracts

Dan Sennott: Yeah, there's one other one that I'd love to get your take on both Leila and Eric, on repeal of preference for fixed price contracts. Can you explain kind of the genesis of why was there a preference for fixed price contracts in statute and why was it repealed?

Leila George-Wheeler: Sure. So I can start and then Eric can jump in. So interestingly, in the FY 2017 NDAA, DoD had implemented a preference for fixed price contracts, and I think the goal was intended to control costs on particularly large DoD programs. Fixed price contracts, you know, require the contractor to, I mean it's negotiated, they come to an agreement, but the contractor puts forth the project and the costs, and it's fixed price. So regardless of any, you know, delays cost overruns, any of that, the risk of those cost overruns are borne by the contractor. The government gets a fixed price and they can better manage, you know, in theory, what their costs are going to be for particular procurements, and so this Section 817 repeals this preference. And so it seems like perhaps that didn't go as if they had planned or wasn't actually, you know, controlling cost overruns on large DoD programs, as predicted. So, you know, this is an interesting provision, and it's unclear, to me at least, as to why exactly the change.

Dan Sennott: Eric, any thoughts on that.

Eric Crusius: I mean, I think there's a disconnect. I think one of the reasons why it may have changed and this is the cynical part of me. I think there's a disconnect in the government versus industry about what industries profit margins are on these fixed price contracts. I've heard time and time again DoD thinking that contractors regularly run 20, 30 percent margins on their fixed price contracts, and that's often really untrue. There are a lot of contractors out there. I've seen it myself who are struggling to get two, three percent margins. And I think that kind of that disconnect works, you know the DoD thinks that contractors are kind of running away with the store here by making all these profits, I think drove kind of Congress to look at this and say, 'All right, let's not do fixed price contracts anymore because it's too good for the contractors.' Let's figure out a way to kind of take that preference away and maybe move to more of a cost-based system. Of course, a complicating factor with that also is that you have the different agencies within DoD that audit contractors, DCAA, Defense Contract Audit Agency, you know, and they'll be far busier looking at non fixed price contracts than they would be for fixed price contracts and would be interesting to see how this all plays out. But if we have more kind of cost type contracts or non-fixed fee type contracts, there's certainly going to be more work for them to do. So, you know, this is one of those provisions that looks like a big sea change and put in practice will matter very much. So I'll be curious to see whether this does kind of filter all the way down to the contracting officer level when they're putting out solicitations, if instead of the first box, they check being fixed price, is it something else? And what that impact is. Because if you know these folks have been trained a certain way to kind of look at fixed price contracts, first. How will DoD implement this will be? Will there be new internal guidance? Will there be new training to move away from fixed price contracts? Without those things, we might not see a big change with those things though, we could see a pretty dramatic change, and contractors will have to learn to account for their costs I think very specifically to kind of undergo these audits from DoD that may come up because they're not utilizing fixed price contracts.

I think there's a disconnect in the government versus industry about what industries profit margins are on these fixed price contracts.

What's Next? FY23 NDAA Predictions

Dan Sennott: So as we enter our last minute, as we wrap up Leila, any thoughts on what's to come in the in the FY23 NDAA? What are you seeing from the acquisition standpoint? What are you looking for on the horizon?

Leila George-Wheeler: Well, I think, you know, I think we've seen over during the pandemic in particular, where the government had a lot of trouble procuring the supplies and products and services that were needed. And so I understand, like in FY22, there is a focus to be able to diversify DoD's, you know, ability to procure from nontraditional contractors, small businesses, etc. I think though, you know, and I think we've seen as part of that an increased focus on domestic production here, you know, necessary items in the United States and DoD is infusing money into those efforts to increase domestic production here. But I think that there's a, if you balance that out with the contractor, you know, mandatory minimum wage of $15 an hour, which is, you know, now going into effect. Sure, there might be incentives for contractors to start producing manufacturing domestically. But whether that's actually feasible in the long run for contractors to continue doing that and viable business options with these other types of policies, like the contractor minimum wage, especially for small businesses, I think will be interesting to see. So I don't know if we'll see anything related to that in FY23, but that's just something that's been on my mind.

Dan Sennott: Great, Eric, any parting thoughts?

Eric Crusius: Sure, yeah. We're seeing it play out in real time this whole push and pull. The government is really trying to get innovative companies into the government contracting ecosystem because they realize, you know, as innovative as the government contractors are and they are very innovative. It's great to have these new products and services that are being developed in Silicon Valley or elsewhere around the country. And then there's this kind of struggle with, but we also need to kind of regulate cybersecurity and these things for national security purposes. But a lot of times those companies aren't willing to undergo those regulations. The market, the government market just not worth it for them. So I think what we will hopefully see and we saw some of it here and we've seen some of it in the past is kind of more solutions to kind of help that problem where you keep the government infrastructure safe, but you also still encourage those companies to come into the government contracting marketplace and undergo kind of whatever kind of regulatory requirements there are. And finding that balance, I think, is going to be critical moving forward. And I'd be interested to see how the next year's NDAA kind of helps to do that.

I think what we will hopefully see and we saw some of it here and we've seen some of it in the past is kind of more solutions to kind of help that problem where you keep the government infrastructure safe, but you also still encourage those companies to come into the government contracting marketplace and undergo kind of whatever kind of regulatory requirements there are. And finding that balance, I think, is going to be critical moving forward.

Dan Sennott: Well, this has been a great discussion. Eric, Leila , thanks so much for joining me today, and we'll look forward to talking again real soon. Thanks.

Eric Crusius: Thanks.

Leila George-Wheeler: Thanks, Dan.