Modernizing and Funding IT

GSA will continue IT modernization through the new fiscal year, according to Suzette Kent, Federal Chief Information Officer, and Emily Murphy, GSA Administrator. (Federal Times, October 21, 2019)

While Kent and Murphy were speaking at the American Council for Technology-Industry Advisory Imagine Nation conference, the Technology Modernization Fund (TMF) announced $8 million of funding to be made available for the Department of Agriculture and $4 million for the Equal Employment Opportunity Commission (EEOC). (TMF provides funding to agencies for IT projects.) TMF recently granted GSA $20 million for its New Pay HR system.

The EEOC will implement a Cloud-based charge and case management system while the Agriculture project will replace an outdated, manual IT system used for food inspection and certification. Both of these systems have thousands of touch points around the country. The Office of Management and Budget has said both agencies will leverage modern commercial capabilities to move their digital modifications. (ibid)

Interested in the upcoming GSA RFQ or DoA or EEOC opportunities? Give us a call.

Cybersecurity Knowledge for Free

Who should understand cybersecurity? According to the Department of Homeland Security, everyone. Whether or not you work in IT, a basic understanding of cybersecurity is necessary. Now, thanks to the National Security Agency (NSA) and Penn State University, you can learn online at no charge. (Federal News Network, October 11, 2019)

NSA and Penn State, as part of an undertaking directed by the Department of Homeland Security, have created an online course to educate people on cybersecurity operations, law, and policy. The course is geared toward non-lawyers, and no technical background is required. The entire course can be taken as a whole or in modules. In addition, anyone interested in the course can teach it or take it. It is offered through the Clark Center, with a variety of other cybersecurity courses.

The course begins with an overview of the U.S. government and the legal system and how they operate, providing a legal framework around cyber operations and cybersecurity. It gives similar overviews of technology concepts, then steps into the legal foundations for modern cyber law and policy focusing on the Constitution and the Bill of Rights and their application to these concepts. 

The third and final module reviews cyber operations. This is taught as a cyber threat response framework using real-world cases to keep students engaged. Many examples are taken from actual current events and show how domestic law, national security, and technology intersect. (ibid)

Wondering if you should brush up on your cyber education? Give us a call and we can discuss it with you.

Update on GSA’s Schedule Consolidation

Stephanie Shutt, who is spearheading the GSA Schedule consolidation, recently spoke about the effort’s three phases. On October 1, GSA completed the first phase of the consolidation and released the new single solicitation. (Nextgov, October 9, 2019)

Phase one organizes the Multiple Award Schedule Consolidation into categories that correspond to OMB’s category management approach. This allowed GSA to work with a template instead of starting from nothing. During the Schedule review, duplicates were removed as were multiple versions of specific contract clauses. (ibid)

To date, the Schedules had been divided into service and supply subcategories or Special Item Numbers (SINs). Duplicate SINs were removed, about 600 in all. The new SINs structure is based on the North American Industry Classification System (NAICS) which many agencies already use. (ibid)

Phase two, set to begin after the new year, will focus on existing contract holders completing a mass modification to update their base terms and conditions, which will ultimately move most current holders to the new Schedule. Updates do not apply to negotiated elements of contracts, such as warranties or periods of performance. They will, however, impact the baseline terms and conditions. Vendors will also see a relocation of SINs and have the opportunity to select SINs that previously were across separate Schedules. Look for an advance notice regarding mass modifications from GSA in early November. (ibid)

Phase three is slated to launch in July 2020. During this time, contracting officers will assist multiple Schedule holders with more than five years remaining on their contracts to consolidate into a single contract under the new Schedule. (ibid)

Shutt stressed that vendors with one contract under MAS or multiple contract holders that see completion within the next five years will have reviewed and completed the process by signing the “mass mod” during phase two. Phase three affects only contractors with multiple contracts, especially those with more than five years remaining on the contract. Those particular contractors will receive support directly from Shutt’s team to devise a plan to funnel all products and services down to one contract. (ibid)

Questions about how these phases might affect your current contract or a current bid? Give us a call.

CMMC a Plus for Small Businesses?

Katie Arrington, on staff with the Undersecretary of Defense for Acquisition and Sustainment, believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle of cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the Cybersecurity Maturity Model Certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure. So a company offering cleaning services may need only comply with CMMC level one while an engineering firm is held to level four.

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable and with weak spots. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high that small companies will be priced out of the marketplace, limiting their ability to compete on government contracts.

The most recent Navy breaches targeted contractors without classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements as early as fall 2020.

Questions about CMMC requirements? Give us a call.