CMMC a Plus for Small Businesses?

Katie Arrington, on staff  with the Undersecretary of Defense for Acquisition and Sustainment believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle of cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the cybersecurity maturity model certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure. So a company offering cleaning services may need only comply with CMMC level one while an engineering firm is held to level four

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable and with weak spots. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high, that small companies will be priced out of the marketplace and limit their ability to compete on government contracts. 

The most recent Navy breaches targeted contractors without classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements, as early as fall 2020.

Questions about CMMC requirements? Give us a call.

CMMC RFI

The Department of Defense (DoD) has issued a request for information for the “long-term implementation, functioning, sustainment, and growth” of the Cybersecurity Maturity Model Certification (CMMC). (FedBizOps.gov, October 3, 2019)

Last month, DoD issued version 0.4 of the CMMC. Contractors may now see the cybersecurity standards required when working on projects with controlled but unclassified information. CMMC will assist DoD to secure more than 300,000 organizations. (Fed Scoop, October 4, 2019)

The accreditation body does not directly perform the assessments but manages third-party organizations that do. It is  a nonprofit that utilizes “revenues generated through dues, fees, partner relationships, conferences, etc.” to fund the work.  The deadline to submit feedback is October 21, 2019. (FedBizOps.gov ibid)

We’d be glad to discuss this RFI with you. Just give us a call.

It’s Heeeeere…

The new, single GSA Multiple Award Schedule solicitation was released today, 1 October, and it’s mostly what we expected.

Solicitation number 47QSMD20R0001, refresh 00 (!!) points you to the correct NAICS number for your product or service. The first page of the solicitation references the MAS Roadmap, which includes a guide to preparing your offer and required forms such as the:

  • Agent authorization letter
  • Letter of supply
  • Categories and appropriate NAICS (formerly SIN) numbers
  • Labor category matrix

as well as information about the:

  • Price proposal template, pricing narrative, and pricing support
  • Financial statements
  • Subcontracting plan
  • Technical proposal
  • Professional compensation plan
  • Commercial supplier agreements
  • Previous cancellation and rejection letters
  • Commercial sales practices
  • Commercial or market pricing

You must download separate documents, depending on your proposed product/service. Option categories include: office management, facilities, furniture and furnishings, human capital, industrial products and services, information technology, miscellaneous, professional services, scientific management and solutions, security and protection, transportation and logistics, and travel.

The old standards survive. You must submit via eOffer, the pilot TDR still applies, and you must sell $25,000 per year from the Schedule to keep it. Pathways to Success and the Readiness Assessment remain, as does AbilityOne and SCA.

All service AND product offers must now provide corporate experience and quality control narratives. Furthermore, you now have the option to submit CPARS reports instead of Open Ratings or even a narrative if your company hasn’t six references required by Open Ratings. One positive: GSA now requires only one past project description per service.

The following ominous clause has been included: “The offeror must provide a full and broad array of proposed products/services. An offer will not be accepted with limited product/service offerings unless it represents a total solution for the offeror or proposed product/service offering.” Will small, niche businesses have a more difficult time obtaining an award? Hope not.

Also, until SAM has added representations for the new FAR clause regarding covered telecommunication equipment and services (see our Blog post from 10 September) from particular Chinese companies, proposal submissions must include a statement noting compliance with n 52.204-24 Representation Regarding Telecommunications and Video Surveillance Services or Equipment.

Once awarded, yearly increases for contractors will be capped at four percent for the Human Capital Category, five percent for Professional Services and Travel, and ten percent for all others.

Yes, it’s complicated, and yes we have a handle on it. We are primed and ready to answer all your questions either about a new proposal or your current Schedule. Just give us a call.

Dun(s) Dun Dun Dun … No More

After almost 60 years of utilizing a DUNs number, every organization doing business with the government will receive a new identification number. Beginning in December 2020, the number and the process to acquire the Unique Entity Identifier (UEI) will change. The new identifier will be generated through SAM.gov; however, DUNS numbers will be retained for historical purposes and Dunn & Bradstreet open data limitations remain in effect in perpetuity.

GSA is moving to a new, non-proprietary identifier, a 12 character alpha-numeric value, will be assigned by the System for Award Management. The Federal Register announced the new (UEI), including the identifier standards. Additional updates to the UEI can be found here: gsa.gov/entityid. (GSA.gov Unique Entity Identifier Update, September 9, 2019)

As you can imagine, many questions surround the upcoming change, and GSA’s recent online meeting answered some of them. Those that missed the meeting or want to listen again can find the presentation at beta.SAM.gov  and selecting the UEI video link. All questions submitted and answers provided are also available on this downloadable pdf.

The transition phase began in July of 2019, but DUNS will continue as the official identifier until December 2020. During the transition, all existing entity registrations will automatically be assigned a new UEI which will be displayed in SAM.gov and no one will be required to re-enter this data. (ibid)

Thinking this small change can lead to a lot of confusion? Have some questions that didn’t get asked or answered during the GSA public meeting? Give us a call.

Program UnSupport Center

Back in June, the Health and Human Services Department (HHS) announced it would halt assisted acquisition services for non-HHS customers after September 30, 2020. Until the announcement, HHS provided assistance through the Program Support Center (PSC). After the deadline, all 19 agencies (with more than $1.4 billion in contracts per year) who had contracts administered by HHS will have to look elsewhere or figure out how to administer the contracts themselves. (Government Executive, September 13, 2019)

PSC lacks the procedures, policies, and internal controls to work with agencies outside of HHS. In addition, questions have been raised as to whether the PSC is actually legally authorized to administer contracts for agencies outside of HHS. (ibid)

Many questions remain unanswered, such as the fate of bids in the process of evaluation. Unfortunately, the PSC is not communicating with customers at this time, according to Federal News Network. This is surprising, as the Office of the Assistant Secretary of Administration focused on the need for “continuous communication” in customer service. (ibid)

So where will all of these contracts be administered? An EPA spokesperson said EPA contracts will either placed on new or existing EPA contract vehicles or handled through interagency agreements with other federal agencies. The Office of Special Counsel is partnering with Merit Systems Protection Board to process a number of mission-critical procurements. In 2020 GSA is assisting OSC with their procurement requirements. (ibid)

If you have questions about how this affects a current bid or your current HHS-administered contract, give us a call.