Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.

 

 

We See the Future and it is … Single Sign On

By now you’ve likely heard of Single Sign On (SSO). It’s not exactly new, and it’s currently used by just a few agencies, but it is the wave of the future as agencies move to more cloud-based apps. In fact, 6 U.S. Code § 1523(b)(1)(D), a provision of law governing federal cybersecurity regulations, states that agency heads must “implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication.” This provision was created by GSA working with the Department of Homeland Security. (FedTech, May 24, 2019)

What exactly is SSO? SSO allows a user to sign in one time with one high-strength password and access all that specific user’s authorized applications. With SSO, a user need not memorize a different password for each and every application they access. SSO uses the Security Assertion Markup Language protocol that gives the user the ability to log on once for affiliated but separate websites. According to Tracy David, a cloud client executive at CDW, SSO uses “highly complex encrypted keys, which the end user has no access to view or change.” Ultimately, this makes for a much higher level of security for each agency. (ibid)

At this time, you must log in to each app with a different password. More often than not, passwords across applications are similar (if not the same) and easily remembered. This weakens the security level of the agency as stolen credentials account for roughly 80 percent of breaches. With SSO, you have one complex, single-sign-on password protected with multi-factor authentication.  (ibid)

Many agencies are still using on-premises SSO, which will be more difficult as apps move to the cloud. Insiders believe that the Defense Department’s forthcoming Joint Enterprise Defense Infrastructure cloud contract signals cloud adoption becoming the “norm” in government.

Questions about how this affects your current government contract, or how you might work with the government on SSO Technology? Give us a call at 301-913-5000.

 

 

 

HHS is buying smarter

Over the past 18 months, the Department of Health and Human Services (DHHS) has been developing the Buy Smarter Initiative. The production phase has ended, and with it a new name: “Reimagined Buy Smarter.” Reimagined Buy Smarter uses artificial intelligence (AI) to analyze vast amounts of data, comparing prices along with other money saving plans. (Federal News Network, May 17, 2019)

Last year, 97,000 contracts were fed into an AI solution. Algorithms and a proof of concept of 10 product categories demonstrated significant price differentials on the same items. For instance, the same case of copy paper was $27 a case in one instance and $59 in another. (ibid)

DHHS wants requirements operating across all divisions in order to use of economies of scale. Through the development process, they have found that many departments order the same items, but from different contracts at pricing all over the map and duplication of efforts. With Reimagined Buy Smarter, DHHS  departments can consolidate requirements, utilize economies of scale, and eliminate unnecessary contracts. (ibid)

They plan to introduce 18 steps of technology for buyers.  The program has a $49 million multi-award Indefinite Delivery, Indefinite Quantity (IDIQ) contract for a catalog of new and emerging technologies. DHHS hopes “to get a very large number of vendors who can provide services that can be shared/scaled across HHS and ultimately the entire government.” (ibid)

DHHS created the new contract due to older contracts being so outdated. The Program Support Center for DHHS receives many requests for new technologies, but by the time the contracts are awarded, they are already obsolete. Additionally, contracting officers have spent a lot of time cutting and pasting from a “paper” system, which will be answered by a pre-populating process automation. (ibid)

Findings suggest the following categories of spending:

  • Medical and lab supplies
  • Software licenses
  • Professional services (ibid)

Workgroups are forming to address consolidating contracts for shared opportunities, eliminating overlapping or unnecessary contracts, and taking advantage of economies of scale. (ibid)

Interested in discussing Reimagined Buy Smarter? Give us a call at (301) 913-5000.

Are You a Solver?

The Government Effectiveness Advanced Research Center (GEAR) is responsible for improving the way the federal government solves issues. It has started making use of “Solvers” also known as academic leaders and subject matter experts in economics, design, and other creative areas.  (Federal Times, May 14, 2019)

Solvers (including participating individuals, teams, or legal entities) have been challenged by the government to tackle one or more of the major challenges facing government described in the current President’s Management Agenda (PMA). To take part in the challenge, Solvers demonstrate usefulness of a GEAR Center model that directly maps to cross-agency priority goals and proposes a workable GEAR Center model creatively addressing the PMA. (Challenge.gov)

The GEAR Center Challenge takes place in three phases: project proposal, project plan, and proposal presentations. Interested individuals or parties may submit multiple proposals to the challenge; however, only one prize per challenge will be awarded. Proposals might be used to shape the GEAR Center or as potential first steps for the long term. (Federal Times, May 14, 2019)

The first phase opened for submissions May 2nd, with each subsequent phase consisting of participants selected from the previous phases. Submissions for the first phase are due May 24, 2019. Submissions should consist of a two-page proposal summarizing the potential program, predicted outcomes, and the best possible team to implement the proposal and the materials necessary to undertake the proposal. (ibid)

Want to know more about the GEAR Center challenge? Give us a call at (301) 913-5000.

The Future is Cloud-y

In February, GSA released a draft request for proposal (RFP) to consolidate and upgrade all of the Defense Department’s back office functions into the commercial cloud. GSA’s Federal Acquisition Service is now in the early stages of doing the same for civilian agencies with Civilian Enterprise Office Solutions (CEOS). (Federal News Network, May 7, 2019)

To help ensure supply chain security, DHS took the lead on early efforts. GSA has taken over efforts to reduce the attack surface of the network. With managed service, security is already embedded in the solution, making it more secure than the currently situation. (ibid)

Alan Thomas, GSA FAS commissioner and a board member managing the Technology Modernization Fund (TMF), has recommendations/lessons learned for agencies applying for Fund loans to modernize their IT:

  • Agencies submitting proposals this year need to build incremental benchmarks into their proposal, or their funding will likely be pulled.
  • Quarterly reviews will be conducted on agencies receiving funding.
  • Agencies should make sure their proposals focus on value creation and cost savings as the agencies must pay back funding provided by TMF.
  • Agencies should coordinate internally on proposals prior to submission; otherwise, they run the risk of being turned down for funding. (ibid)

FAS is also in need of IT modernization. The FAS internal systems, FSS 19, is nearly 40 years old. It uses older programming languages (COBOL, PowerBuilder) that solved specific problems instead of approaching an integrated solution. FAS is in need of a new, updated IT solution to bring the agency out of the 1970s. (ibid)

Are you a software provider or integrator looking to bring civilian agencies into the 21st century? Let’s talk! 301-913-5000.