Government Contract Surveillance: Understanding Oversight and Inspection

Contract surveillance is the government's systematic monitoring of contractor performance to ensure compliance with contract terms, specifications, and quality standards.

Purpose of surveillance:

• Verify compliance — Ensure work meets contract requirements
• Protect government interests — Detect problems before they become costly
• Document performance — Support payment decisions and CPARS ratings
• Support corrective action — Identify deficiencies requiring correction

Legal basis:

• FAR 42.1 — Contract Auditing and Surveillance
• FAR 46 — Quality Assurance
• Agency-specific policies and procedures

Who performs surveillance:

• Contracting Officer's Representative (COR/COTR) — Primary surveillance role
• Quality Assurance Evaluator (QAE) — Performs inspections per QASP
• Contracting Officer (CO) — Overall responsibility, may delegate
• Technical SMEs — Specialized reviews (security, safety, etc.)
• DCMA — Defense Contract Management Agency for major DoD contracts

Surveillance vs. inspection vs. audit:

• Surveillance: Ongoing monitoring of performance (broad)
• Inspection: Examination of specific deliverables or work (specific)
• Audit: Independent review of financial records and compliance (financial)

What is a QASP?

The Quality Assurance Surveillance Plan is a government document that defines how contract performance will be monitored and evaluated.

QASP components:

• Performance standards — What constitutes acceptable performance
• Surveillance methods — How government will monitor (100% inspection, sampling, customer feedback, etc.)
• Frequency — How often surveillance occurs (daily, weekly, monthly)
• Acceptable Quality Level (AQL) — Threshold for acceptable defect rate
• Roles and responsibilities — Who performs surveillance and evaluation

Performance-based vs. compliance-based QASPs:

• Performance-based: Measures outcomes and results (e.g., "95% customer satisfaction")
• Compliance-based: Measures adherence to processes (e.g., "submit reports by 5th of month")

Performance-based QASPs are preferred but require well-defined measurable standards.

When you receive the QASP:

• May be included in solicitation (ideal)
• May be provided at kickoff or shortly after award
• Some agencies develop QASP post-award with contractor input

Reading your QASP:

The QASP tells you exactly what government will measure and how. Pay close attention to:

• Which deliverables get 100% inspection vs. sampling
• Acceptable defect rates (e.g., "no more than 5% errors")
• Response time requirements (e.g., "acknowledge within 2 hours")
• Criteria for "satisfactory" vs. "unsatisfactory"

Negotiating the QASP:

If QASP standards are unrealistic or unclear, raise concerns early. COR may adjust if you have valid rationale. Don't agree to standards you can't meet.

Contracting Officer's Representative (COR):

Government employee designated by CO to monitor contractor performance and provide technical oversight.

COR authorities (per delegation letter):

• Monitor contractor performance
• Inspect and accept/reject deliverables
• Approve invoices (within limits)
• Coordinate with contractor on technical matters
• Recommend contract modifications to CO
• Document performance for CPARS

What COR cannot do:

• Modify contract — Only CO has this authority
• Direct out-of-scope work — Cannot unilaterally change requirements
• Make commitments — Cannot bind government financially
• Accept late deliverables — Without CO approval

COTR (Contracting Officer's Technical Representative):

Same role as COR, just different terminology. Some agencies use COTR, others use COR. Functionally equivalent.

COR delegation letter:

CO issues formal letter delegating authority to COR. This letter specifies:

• Specific authorities delegated
• Limits of authority (e.g., "approve invoices up to $50K")
• Contract(s) covered by delegation

Ask to see the COR delegation letter at kickoff. Understand what the COR can and cannot do.

Working with your COR:

• Primary point of contact — Day-to-day technical and administrative issues
• Escalation path — COR → CO for issues beyond COR authority
• Regular communication — Weekly or monthly check-ins, plus ad-hoc as needed
• Document everything — COR directions, approvals, and feedback in writing

COR performance evaluation:

COR's input is critical for your CPARS rating. Build a strong working relationship — responsive, transparent, proactive problem-solving.

1. 100% Inspection:

• Every deliverable or unit of work inspected
• Used for high-risk or critical items
• Time-consuming but ensures quality

Example: Every security clearance application reviewed before submission.

2. Random Sampling:

• Statistically valid sample inspected
• Results extrapolated to entire lot
• Efficient for high-volume repetitive work

Example: Inspect 10% of data entry records selected randomly.

3. Periodic Inspection:

• Scheduled inspections at regular intervals
• Common for ongoing services

Example: Monthly facility inspections for janitorial contracts.

4. Customer Feedback/Surveys:

• End users rate contractor performance
• Qualitative data on satisfaction, responsiveness
• Common for help desk, support services

Example: IT support tickets rated by users: satisfied/neutral/dissatisfied.

5. Performance Metrics/Data Analysis:

• Government reviews contractor-submitted metrics
• Looks for trends, outliers, patterns
• Common for performance-based contracts

Example: Review monthly status reports for on-time delivery rates.

6. Direct Observation:

• Government observes work being performed
• Common for services performed on government site

Example: COR walks through facility to observe maintenance work.

7. Record Review:

• Examination of contractor records, logs, documentation
• Verifies compliance with processes and procedures

Example: Review training records to verify all staff completed required certification.

8. Testing and Validation:

• Government tests deliverables to verify functionality
• Common for software, equipment, systems

Example: User acceptance testing (UAT) for custom software development.

Surveillance frequency:

• Continuous: Real-time monitoring (e.g., system uptime)
• Daily: High-risk or critical services
• Weekly: Routine services with moderate risk
• Monthly: Standard for most contracts
• Quarterly: Low-risk, stable performance
• Random/Unannounced: Prevents gaming the system

Facilitate surveillance:

• Provide access to facilities, records, personnel
• Respond to government requests for information
• Make subject matter experts available for interviews
• Don't obstruct or delay surveillance activities

Self-inspection and quality control:

Government surveillance doesn't replace your internal quality assurance. You're responsible for delivering quality work, not relying on government to catch your mistakes.

• Implement internal QA processes
• Conduct self-inspections before government review
• Identify and fix defects proactively

Documentation:

• Maintain records required by contract
• Provide documentation requested for surveillance
• Keep evidence of quality control measures

Cooperation and transparency:

• Answer questions honestly and completely
• Alert COR to problems before they discover them
• Explain root causes when issues arise
• Propose corrective actions

Compliance with surveillance findings:

• Acknowledge deficiencies identified
• Implement corrective actions promptly
• Demonstrate fixes have been applied
• Report on effectiveness of corrective actions

What you can push back on:

• Unreasonable access demands — Must balance with security, IP protection, other client work
• Out-of-scope surveillance — Government can only inspect work covered by contract
• Improper rejection — If work meets specs but is rejected, escalate to CO

Types of deficiencies:

• Minor deficiency: Doesn't materially affect use, correctable quickly
• Major deficiency: Materially affects use, function, or safety
• Critical deficiency: Prevents use or poses safety/security risk

When deficiencies are identified:

1. Acknowledgment:

• Don't argue or make excuses immediately
• Acknowledge the finding
• Ask clarifying questions to fully understand

2. Root cause analysis:

• Investigate why deficiency occurred
• Don't just fix the symptom, fix the cause
• Involve team in understanding what went wrong

3. Corrective action plan:

• Immediate fix: Correct the specific deficiency
• Systemic fix: Prevent recurrence (process changes, training, etc.)
• Timeline: When will fixes be complete?
• Verification: How will you prove it's fixed?

4. Documentation:

• Document the deficiency, root cause, and corrective actions
• Provide written response to COR
• Track corrective action completion

5. Verification:

• Demonstrate to COR that issue is resolved
• Provide evidence of corrective actions implemented
• Show sustained improvement (not one-time fix)

Formal deficiency notifications:

Letter of Concern:

• Informal notice of performance issue
• Gives contractor opportunity to correct before formal action

Cure Notice (FAR 52.249-8 or 52.249-10):

• Formal notice that you're failing to perform
• Specifies deficiencies and cure period (typically 10 days)
• Failure to cure can lead to termination for default

Show Cause Notice:

• Demands explanation why contract shouldn't be terminated
• More serious than cure notice
• Termination likely if response is inadequate

If you disagree with findings:

• Provide factual basis for disagreement
• Reference contract specifications
• Escalate to CO if COR won't reconsider
• Consider filing claim if material to payment or reputation

Direct connection:

Government uses surveillance findings as primary basis for CPARS performance ratings. Your surveillance record IS your CPARS rating.

What COR documents:

• Deliverable acceptance/rejection rates
• Timeliness (on-time vs. late)
• Quality metrics (error rates, rework)
• Customer satisfaction (complaints, compliments)
• Responsiveness (how quickly you address issues)
• Deficiencies and corrective actions

Building a strong surveillance record:

• Exceed standards: Don't just meet minimums — exceed when possible
• Early delivery: Submit deliverables ahead of deadlines
• Proactive communication: Alert COR to issues before they find them
• Responsive: Quick turnaround on requests and fixes
• Quality first: Don't rush and submit defective work
• Process improvement: Show continuous improvement over time

The "no surprises" rule:

COR should never be surprised. If there's a problem, tell them before they discover it. If there's a success, make sure they know. Control the narrative.

Surveillance documentation you should keep:

• All correspondence with COR/QAE
• Inspection reports and findings
• Corrective action plans and completion evidence
• Acceptance memos for deliverables
• Meeting minutes discussing performance

This documentation supports your CPARS review and future past performance references.

Quarterly performance reviews:

Some contracts have formal quarterly reviews where COR discusses performance. Treat these seriously — they preview your CPARS and give you opportunity to course-correct.

DCMA surveillance (DoD contracts):

Defense Contract Management Agency provides surveillance for major DoD contracts. More rigorous than typical COR oversight.

• DCMA reviews schedules, earned value, quality systems
• May conduct on-site reviews and inspections
• Issues Contract Deficiency Reports (CDRs) for non-compliance
• Can recommend withholding payment or contract action

DCAA audits:

While not surveillance per se, DCAA audits of cost-type contracts serve similar oversight function. Separate from COR surveillance but equally important.

Software development surveillance:

• Code reviews and static analysis
• User acceptance testing (UAT)
• Security scanning (SAST, DAST)
• Agile sprint reviews and demos

Construction surveillance:

• Daily inspection logs
• Progress photos and videos
• Material testing and certifications
• Safety inspections
• Punch lists and final walkthrough

Services surveillance (help desk, maintenance):

• Ticket/call logs analysis
• Response time tracking
• Customer satisfaction surveys
• Facility walkthroughs
• Random sampling of completed work

Multiple-award IDIQ surveillance:

• Surveillance at contract vehicle level (minimal)
• Surveillance at task order level (detailed)
• Different CORs for different task orders
• Maintain consistent quality across all orders