New Cybersecurity Certification Requirements

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recently released its Cybersecurity Maturity Model Certification (CMMC). DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs) and the Defense Industrial Base (DIB) all had a hand in developing the CMMC model. This model measures cybersecurity maturity using five levels (from basic to advanced) and aligns a set of processes and practices with the type and sensitivity of the information to be protected and any associated threats to that information. (CMMC Model v1.0, January 30, 2020)

DoD’s CMMC enhances the protection of:

  • Federal Contract Information (FCI) provided or generated by the government, but not intended for public release
  • Controlled Unclassified Information (CUI), which requires safeguarding or dissemination consistent with laws, regulations and government-wide policies. (ibid)

The CMMC model includes the safeguarding requirements for FCI spelled out in FAR clause 52.204-21 and the security requirements for CUI stated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per DFARS clause 252.204-7012 [3,4,5].

Included in the CMMC model is a certification piece verifying the implementation of cybersecurity maturity measure processes and practices. This is intended to deliver assurance to the DoD that contractors and subcontractors can sufficiently protect CUI at a level equal to the risk. (ibid)

To obtain a full overview of the CMMC Model, domains, practices, and processes, please review the Cybersecurity Maturity Model Certification.

Have questions about the effect on your current contract or one in the works? Give us a call.

FAR 51 Deviation Authority is expired!

Here’s what you need to know. Contracting officers were permitted to give contractors access to the Federal Supply Schedule (FSS) and GSA Global Supply Programs if appropriate, for the fulfillment of their agency requirements. They used the FAR 51 Deviation Authority vehicle for this purpose. On 23 October, the FAR 51 Deviation expired. It will no longer be used on orders placed after this date. Under Refresh 1, clause CI-FSS-056 Federal Acquisition Regulation (FAR) Part 51 Deviation Authority (Federal Supply Schedules) (Jan 2010) is deleted.

In lieu of FAR 51 Deviation, agencies may use Order Level Material (OLM) procedures to acquire other direct costs (ODCs) and material support items to meet specific order requirements. Additional information for OLMs may be found at www.gsa.gov/olm.

Many question if a contracting officer can issue a letter of authority (required by the Deviation) anytime during the life of the order, if the order or BPA was awarded on or before 23 October 2019. The short answer is yes, as long as the order was issued prior to the 23 October Deviation expiration date. However, if the BPA was awarded prior to then, and subsequent award terms were awarded after 23 October, those subsequent award terms may not use the deviation.

Wondering if you are grandfathered in and still able to take advantage of the FAR 51 Deviation Authority? Give us a call.

BAA TAA SBA Huh?

It appears the Buy American Act (BAA) and the Trade Agreements Act (TAA) may, under certain instances, actually reduce the federal market accessibility for US manufacturers. (Federal News Network, October 28, 2019)

In order to be considered for a small-business set-aside, end-items must be manufactured in the U.S., or the company can qualify as a non-manufacturer (13 CFR 121.406) if:

  • The company is principally engaged in the retail or wholesale of the product and normally sells the type of product being supplied
  • The company takes ownership of the item with its personnel, equipment or facilities consistent with industry practice and
  • The company supplies the end item of a small business manufacturer, processor or producer made in the U.S. or obtains a waiver of the requirement. (ibid)

Non-manufacturers may receive an individual waiver if the Small Business Administration (SBA) accepts the contracting officer’s determination that no small business manufacturer “reasonably can be expected to offer a product meeting the solicitation specifications.” Additionally, the SBA Administrator may provide a class waiver if she determines that no small business manufacturer “product or class of products is available to participate in the Federal procurement market.”

Of course, TAA restricts product acquisition to manufacturers in the U.S. and certain “designated countries” (those countries that have a Free Trade Agreement with the U.S. or participate in the World Trade Organization Government Procurement Agreement (WTO GPA)). Therefore, products from non-signatory countries such as China are ineligible for award. Per FAR 25.101(a), BAA restricts the purchase of non-domestic end-products as well. Some exceptions provide more access to foreign end-products than under the TAA; for instance, BAA makes exceptions where the domestic offer is not the low offer (FAR 25.103) as well as in certain instances of public interest for non-availability in the U.S., and at an unreasonable cost. (ibid)

TAA does not apply to small business set-asides, FAR 25.401, leaving the BAA in place. The waiver of the non-manufacturer rule for a set-aside gives a somewhat illogical result. This makes the TAA inapplicable to set-asides, and the BAA applicable to set-asides where the non-manufacturer rule has been waived. This might result in the Government purchasing an item, such as a medical/surgical product, manufactured in a non-designated country that has subsidized its price to assure the product’s selection. Therefore, the intended law restricting non-domestic products actually facilitates more access to those products. This includes products of manufacturers from non-designated countries, rather than providing controlled access over non-domestic end-products. (ibid)

Ultimately, this could harm small and non-small manufacturers producing domestically. This may also open up small business set-asides to products made in China that would otherwise be ineligible for purchase if the TAA applied. A good deal more statutory guidance and analysis are warranted. (ibid)

Do you have questions about your compliance obligations under an upcoming proposal or current contract? Give us a call.

Time to Uncover Some Chinese Equipment

Recently, GSA sent a letter to contractors explaining the new FAR interim rule regarding supply chain security, which went into effect last month. The rule prohibits federal agencies from procuring, obtaining, extending, or renewing a contract to procure or obtain “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system or as critical technology as part of any system.” (Acquisition.gov)

Covered equipment encompasses telecommunications and video surveillance products and services by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hikvision Digital Technology Company, or Dahua Technology Company, or any company that the head of a relevant federal agency reasonably believes is controlled by the government of the People’s Republic of China.

The interim rule:

  • Prohibits contractors from providing covered telecommunications services/equipment unless an exception or waiver is granted
  • Mandates every offeror represent whether it will provide covered telecommunications equipment/services as part of its offer, and if that is the case, the offeror must provide details about the covered equipment or services
  • Requires contractors to report any covered equipment/services throughout the life of the contract. (ibid)

At the same time the FAR interim rule went into effect, GSA issued a class deviation. This essentially takes a risk-based approach to the new FAR interim rule by limiting the representation requirement for GSA-funded orders to the indefinite-delivery contract level. The deviation necessitates the following:

  • At all times requires an order-level representation for acquisition vehicles that carry a “high risk” of including covered telecommunications equipment or services.
  • Must have an order-level representation for all orders that could include information technology or communications technology under all GSA acquisitions.
  • The creation of a GSA Acquisition Regulation (GSAR) representation clause, requiring the GSAR and FAR reporting clauses in all new and ongoing GSA contracts.
  • Initiates GSA specific implementation targets for modification of existing contracts.
  • Simplifies the application of Section 889 of the NDAA to other GSA program areas. (ibid)

The interim rule affects ALL contractors. As a contractor, you are responsible for determining whether covered telecommunications equipment/services will be provided under both new and existing contracts and orders.

Below is some fundamental information to help you prepare as GSA puts into place the interim rule and class deviation:

  • FAS contracting activity will issue a mod requiring you to respond to incorporate FAR clause 52.204-25 and GSAR clause 552.204-70.
  • Your mod response must delineate if you will or will not provide covered telecommunications equipment/services in the performance of any contract, subcontract, order, or any other contractual instrument.
  • The substance of FAR clause 52.204-25 must be inserted into all subcontracts.
  • You must report any covered telecommunication equipment or services you discover during the course of contract performance.
  • For new GSA solicitations, you are required to represent at the contract level if you will or won’t provide covered telecommunications equipment/services to the Government in the performance of a contract or subcontract.
  • Contract level solicitations will include FAR provision 52.204-24, clause 52.204-25 and GSAR clause 552.204-70.
  • In responses to solicitations and orders under indefinite-delivery contracts, representation of FAR 52.204-24 is required when there is a high risk of inclusion of covered telecommunications equipment/services. (ibid)

Wondering how all this might affect your current contract or upcoming bid? Give us a call.

FAR Changes

With the end of the Fiscal Year looming, the push is on to exhaust agency budgets. In an effort to make acquisitions move through the process more quickly and smoothly, DOD, GSA, and NASA have issued an amendment to the Federal Acquisition Regulation (FAR). The amendment fine-tunes the FAR and eliminates a step in the acquisition process. (Fedscoop, July 15, 2019)

Per the FAR, agencies were required to justify the best procurement approach when using GSA’s IT Schedule 70, Governmentwide Acquisition Contracts, or assisted acquisition solutions. As of June 5, the new FAR amendment allows agencies to skip that step. Agencies are now able to quickly find GSA IT category contracts and acquisition solutions. (ibid)

According to Bill Zielinski, assistant commissioner of GSA’s Federal Acquisition services office, agencies “can now identify and quickly use GSA IT Category contracts and acquisition solutions, especially as they embark on their end-of-year IT spending and acquisition efforts.” Zielinski feels the new change to the FAR reduces the administrative burden for agencies procuring through GSA’s IT Schedule 70 or through GWACs such as 8(a) STARS 2 and Alliant 2, as well as through assisted acquisition programs. (Federal Computer Week, July 15, 2019)

Curious about the new FAR language and how it affects your GSA schedule? Give us a call and we can review it with you.