Updating Govt Cloud Security

Cloud vendors will soon see standardized security liability language in all government contracts. This is partly because the pandemic and increased teleworking sped up agencies’ migration to the cloud, making cybersecurity assurances essential. (Nextgov, May 20, 2020)

Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA, recently elaborated on the subject, “I think there is a need to update our [service level agreements] with the cloud providers and we’re actively working on that within [the General Services Administration]…. OMB has just stood up a [program management office] to work on a cloud SLA template for the federal government to be attached to every contract.” (ibid)

When referring to the pandemic, Santucci said, “Users are now remote rather than in a central building or campus. Agencies that are doing well are mostly in the cloud with little or no impact. Remote users do not need a [virtual private network] to gain access to their emails or files, collaboration products have significantly reduced file duplicates, and bandwidth consumption is between the home internet connection and the cloud. It’s a great success story.” (ibid)

Officials at the National Institute of Standards and Technology (NIST) believe moving to the cloud does not mean security is a “one and done” feature. There are many considerations that customers may be responsible for under contracts. Increased use of cloud services is not 100 percent secure.

Rep. Doris Matsui, D-California, recently wrote to NIST Director Walter Copan, requesting that NIST work to establish metrics to accompany its Cybersecurity Framework. The framework allows entities to implement security controls based on their needs. Matsui’s letter to Copan asked for ways to evaluate the security implications of those decisions. Matsui states, “with quantifiable measurement tools, cybersecurity strategies can be compared across industries and between entities. Metrics and measurements that facilitate comparisons and assess risk will be valuable for consumers, companies, and governments.” (ibid)

Wondering how your contract or upcoming proposal might be impacted by cloud migration and updated service level agreements? Give us a call.

Speedy Payments? Yes Please.

The Federal Acquisition Regulation (FAR) is changing to allow government contracting small businesses to get paid within 15 days of invoicing. Furthermore, the Department of Health and Human Services (HHS), the Department of the Treasury (Treasury), the Department of Homeland Security (DHS) and the General Services Administration (GSA) are working together to issue a memorandum that authorizes the expedited payments in advance of the updated changes to the FAR. (JDSUPRA, May 14, 2020)

Contractors should contact their government Contracting Officer to facilitate those payments. For example, a DHS Small Business Innovation Research (SBIR) recipient currently paid within 30 days of invoicing may be eligible for a contract modification to accelerate payments upon the exercise of any options under that contract. (ibid)

The National Defense Authorization Act for Fiscal Year 2020, Section 873, requires agencies to establish an accelerated payment date for certain contracts with a goal of payment 15 days after an invoice is received, if a specific payment date is not established by the contract. The change will be implemented via an applicable FAR revision.

Other formal additions to the FAR include 52.212-5 (Contract Terms and Conditions Required to Implement Statutes or Executive Orders – Commercial items), FAR 52.213-4 (Terms and Conditions – Simplified Acquisitions (Other Than Commercial Items)), and FAR 52.244-6 (Subcontracts and Commercial Items). (ibid)

This is great news for small businesses looking to decrease hardships produced by the COVID-19 pandemic.

Questions about the FAR changes and the expedited payment memorandum? Give us a call.

Industry Looking to GSA for Guidance

Agencies are pressuring GSA to provide guidance for meeting deadlines to modernize telecommunications. The pandemic has delayed many agency transitions, thus making those deadlines nearly impossible to meet. (FEDSCOOP, May 12, 2020)

COVID-19 slowed task order awards under the Enterprise Infrastructure Solutions (EIS) contract, the government’s $50 billion telecom and network modernization channel. In some cases where task orders have been awarded, agencies can’t provide contractors clear instructions. Many believe the task order award delays impede the move from Networx, Washington Interagency Telecommunications System 3, and local service area contracts.

Legacy contracts are set to expire in May 2023. The GAO expects 19 of the agencies that spend the most on EIS to be transitioned over by the legacy expiration date; however, many will not meet the GSA’s more aggressive 30 September 2022 deadline. (ibid)

Allen Hill, executive director of telecom services in the Office of IT Category at GSA, believes agencies will make GSA aware of the effects of the pandemic, and GSA will in turn work with agencies on a case-by-case basis. (ibid)

The Department of Defense has its own strategy. It is beginning to rely on the lowest price technically acceptable (LPTA) source selection for EIS. DoD plans to report the methodology used to award contracts and task orders in June, once the Federal Procurement Data System modification is complete. Meanwhile, the Defense Information Systems Agency executed six EIS awards last month. Most EIS solicitations are “best value,” yet agencies need to balance the overall cost of their transition with the time for implementation. (ibid)

Unfortunately, when agencies speed up transition, companies have less time to address task order requirements properly. This puts the risk on industry to provide the best value while accurately responding to agency requirements. Many task orders were written prior to the pandemic; therefore, contractors are forced to address network issues while teleworking. The time it takes to address issues is naturally increased. (ibid)

“Agencies are encouraged to examine any gaps in their network infrastructures and ensure they make appropriate adjustments to their EIS task orders to provide needed capabilities. Modern IT demands modern infrastructure,” Hill stated. (ibid)

Have questions concerning a delayed task order or need one? Give us a call.

CMMC Coming to Solicitations

Cybersecurity Maturity Model Certification (CMMC) requirements may show up in solicitations within six months. (GOVCONWire, May 12, 2020)

A Department of Defense spokesperson expects about 10 DoD RFIs in June to include the new requirements. She said, “As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on.” (ibid)

Additionally, changes to the Defense Federal Acquisition Regulation Supplement 252.204-7012 should be finalized by October. “You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed.” (ibid)

Questions on the Cybersecurity Maturity Model Certification and whether you can bid on upcoming solicitations? Give us a call.

GSA Extends Contract Data Reports Transition

GSA is extending the transition period for Contract Data reports in beta.SAM.gov. We don’t have a final transition date yet, although it’s expected later this year. This applies only to the reports function of FPDS.gov; everything else will remain as is. (GSA Interact, May 12, 2020)

GSA wants users to familiarize themselves with beta.SAM.gov while reports are available on both platforms. Furthermore, they want users to provide input on running reports. GSA is providing videos, FAQs, and reference guides to assist with the transition. (ibid)

GSA sees the following benefits to beta.SAM.gov:

  • Increased maximum number of rows returned from 30,000 to 150,000 rows in each report
  • Increased maximum number of years of reportable data from five years to 12 years
  • Additional data fields available for creating ad hoc reports
  • Tools for sharing ad hoc report structure with others, such as attributes and filters
  • Report Builder, a “wizard” that helps create new ad hoc reports
  • Intuitive tools to build, save, and share reports (ibid)

GSA used earlier feedback to determine the need for additional time before making the final transition to beta.SAM.gov. They will continue to take all feedback into consideration while transitioning. Any user can still use the feedback button to participate.

Trying to figure out if your reports will change and if you can retrieve them on the new platform? Give us a call.