**In *Appeal of IBM Corporation* (ASBCA No. 60332), the Armed Services Board of Contract Appeals tackled a government claim for roughly $5.9 million in alleged overcharges on an Army IT services task order — and IBM argued the claim was too late under the Contract Disputes Act's six-year statute of limitations. The dispute isn't about cybersecurity, but the lesson — timing and records decide cases** — sits underneath every compliance obligation a contractor has.
The Setup
In 2003, the Army awarded IBM an IDIQ contract for worldwide IT services, then issued Task Order 2 for IT support at the National Defense University. Years later, a contracting officer's final decision asserted a government claim for about $5,903,353 in alleged overcharges, contending IBM hadn't performed certain task-order requirements. IBM moved to dismiss and for summary judgment, arguing in part that the government's claim was time-barred under the CDA, 41 U.S.C. §§ 7101–7109.
The Legal Core: The Six-Year Clock
The CDA generally requires that a claim — by either the contractor or the government — be submitted within six years of when the claim accrues. "Accrual" turns on when the claimant knew or should have known of the events fixing liability. The litigation fight is usually about that accrual date: the government wants it late (clock starts later), the contractor wants it early (clock already expired). Pinning down *when* the government knew enough to assert its claim is the whole ballgame.
Why a Cyber-Focused Contractor Should Read a 2018 IT Case
Two reasons this old, non-cyber decision earns space on a cyber compliance blog:
1. The limitations clock runs both ways. The government can pursue *you* years after performance. The defense — or the exposure — often comes down to dates and documentation: when did the relevant facts become known, and can anyone prove it? 2. Records are the case. Whether the dispute is overcharges or a cybersecurity certification, your contemporaneous records — what you did, when, and what you told the government — are what win or lose it. The discipline that protects you in a billing dispute is the same discipline that protects you under DFARS/CMMC enforcement: dated assessments, change logs, and a clear paper trail.
The Practical Lesson
- Know your accrual dates. For any potential claim — yours or the government's — understand when the clock started.
- Keep records past performance. Six years is a long tail; retention policies should reflect the CDA's reach (and longer windows can apply, e.g., under the False Claims Act).
- Document contemporaneously. Reconstructed records are weaker than ones created at the time.
Key Takeaways
- The Contract Disputes Act imposes a six-year limitations period that binds the government's claims as well as the contractor's.
- Disputes frequently turn on the accrual date — when the claimant knew or should have known the facts.
- Records and dates decide these cases — the same discipline that underpins cyber-compliance defense.
For the cybersecurity enforcement parallel, see the Enforcement page. *(This summarizes a Board decision for general information; it is not legal advice.)*