CMMC a Plus for Small Businesses?

Katie Arrington, on staff with the Undersecretary of Defense for Acquisition and Sustainment, believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle of cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year, and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the Cybersecurity Maturity Model Certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure. So a company offering cleaning services may need to comply only with CMMC level one while an engineering firm is held to level four.

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high that small companies will be priced out of the marketplace, limiting their ability to compete on government contracts.

The most recent Navy breaches targeted contractors without classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements, as early as fall 2020.

Questions about CMMC requirements? Give us a call.

CMMC RFI

The Department of Defense (DoD) has issued a request for information for the “long-term implementation, functioning, sustainment, and growth” of the Cybersecurity Maturity Model Certification (CMMC). (FedBizOpps.gov, October 3, 2019)

Last month, DoD issued version 0.4 of the CMMC. Contractors may now see the cybersecurity standards required when working on projects with controlled but unclassified information. CMMC will help DoD secure more than 300,000 organizations. (FedScoop, October 4, 2019)

The accreditation body does not directly perform the assessments but manages third-party organizations that do. It is a nonprofit that utilizes “revenues generated through dues, fees, partner relationships, conferences, etc.” to fund the work. The deadline to submit feedback is October 21, 2019. (FedBizOpps.gov, ibid)

We’d be glad to discuss this RFI with you. Just give us a call.

GSA Updating their e-Market Portal

On October 1st, GSA issued a solicitation requesting proposals from e-marketplace portal providers. The solicitation is for the initial proof of concept of the Commercial Platforms program, part of the foundation of GSA’s Federal Marketplace Strategy (FMP) to simplify federal buying and selling and how federal agencies buy commercial off-the-shelf products. Proof of concept implementation is through partnerships with many commercial e-marketplace platform providers currently offering business-to-business capabilities. This gives federal agencies greater visibility into their online spending. (GSA.gov, October 2, 2019)

GSA Administrator Emily Murphy said, “As federal procurement continues to evolve, simplifying how we purchase basic commodities will allow agencies to focus more on work that directly serves their missions. Federal agencies spent approximately $260 million using online portals last year and it is critical that we use the Commercial Platforms program to better understand and manage this.” (ibid)

The proof of concept is GSA’s kickoff for changing the way federal agencies purchase commercial products via the open market, implementing the requirement of Section 846 in the FY 18 National Defense Authorization Act (NDAA). Last year GSA conducted stakeholder outreach and market research to get a better understanding of the open marketplace. They determined to take small steps through an iterative program management approach to Commercial Platforms. (ibid)

Proposals are due by November 1, 2019, at 5 PM EST. (FedBizOpps.gov, October 1, 2019)

Are you wondering how the e-marketplace will affect your current contract? Do you provide B2B services in the private sector and have questions about the solicitation? Give us a call.

It’s Heeeeere…

The new, single GSA Multiple Award Schedule solicitation was released today, 1 October, and it’s mostly what we expected.

Solicitation number 47QSMD20R0001, refresh 00 (!!) points you to the correct NAICS number for your product or service. The first page of the solicitation references the MAS Roadmap, which includes a guide to preparing your offer and required forms such as the:

  • Agent authorization letter
  • Letter of supply
  • Categories and appropriate NAICS (formerly SIN) numbers
  • Labor category matrix

as well as information about the:

  • Price proposal template, pricing narrative, and pricing support
  • Financial statements
  • Subcontracting plan
  • Technical proposal
  • Professional compensation plan
  • Commercial supplier agreements
  • Previous cancellation and rejection letters
  • Commercial sales practices
  • Commercial or market pricing

You must download separate documents, depending on your proposed product/service. Option categories include: office management, facilities, furniture and furnishings, human capital, industrial products and services, information technology, miscellaneous, professional services, scientific management and solutions, security and protection, transportation and logistics, and travel.

The old standards survive. You must submit via eOffer, the pilot TDR still applies, and you must sell $25,000 per year from the Schedule to keep it. Pathways to Success and the Readiness Assessment remain, as do AbilityOne and SCA.

All service AND product offers must now provide corporate experience and quality control narratives. Furthermore, you now have the option to submit CPARS reports instead of Open Ratings, or even a narrative if your company doesn’t have the six references required by Open Ratings. One positive: GSA now requires only one past project description per service.

The following ominous clause has been included: “The offeror must provide a full and broad array of proposed products/services. An offer will not be accepted with limited product/service offerings unless it represents a total solution for the offeror or proposed product/service offering.” Will small, niche businesses have a more difficult time obtaining an award? Hope not.

Also, until SAM has added representations for the new FAR clause regarding covered telecommunication equipment and services (see our blog post from 10 September) from particular Chinese companies, proposal submissions must include a statement noting compliance with 52.204-24 Representation Regarding Telecommunications and Video Surveillance Services or Equipment.

Once awarded, yearly increases for contractors will be capped at four percent for the Human Capital Category, five percent for Professional Services and Travel, and ten percent for all others.

Yes, it’s complicated, and yes we have a handle on it. We are primed and ready to answer all your questions either about a new proposal or your current Schedule. Just give us a call.