Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.

 

 

COMET Commeth!

The General Services Administration (GSA) has released the second and much sought after piece of the IT services procurement known as COMET. The solicitation aims to create a multiple-award blanket purchase agreement (BPA) on top of IT schedule 70.

GSA plans to make between 10 and 12 awards with a minimum of 25 percent set aside for small businesses. The BPA will require a host of IT services, including operations and maintenance, cloud and the continued development, and support of the acquisition systems portal beta.SAM.gov. GSA’s goal is a three-step evaluation approach, including an in-person technical challenge.

In April, GSA issued the RFP for the first and substantially smaller piece of COMET focused on architecture, engineering, and advisory support. (FedBizOpps)

Have questions about COMET and how your company fits in? Give us a call at 301-913-5000.

Self Certification — No More ;-(

The 2015 National Defense Authorization Act mandated that the Small Business Administration (SBA) discontinue self-certification of women-owned and other small businesses. In 2020, SBA plans to finalize a self-certification rule that closes a loophole allowing participants in the SBA’s Women-Owned Small Business (WOSB) program to self-certify. (Federal News Network, June 2019)

Approximately one-quarter of all federal contracts are held by small businesses, which over the past six years has helped federal agencies to  exceed  SBA’s governmentwide small business contracting goal. This year’s spending of more than $120 billion on small business contracts surpasses last year’s spending by nearly $15 billion.

The Government Accountability Office reported in March that almost 40 percent of WOSB-certified businesses were ineligible. Meanwhile, SBA’s Office of Inspector General June 2018 audit found 89 percent of sole-source (50 out of 56 contracts) did not meet all program criteria. Basically, there is currently no way to know if the contracts, listed in the chart below, were actually eligible for the sole-source awards. (ibid)

Rob Wong, SBA’s associate administrator of the Office of Government promotes a formal certification to  give the program some much-needed integrity. Wong said, “simply put, the wrong companies were receiving our contracts, we want to make sure that, if a company receives a contract through these programs, they’re actually eligible to receive it.” (ibid)

SBA has subsequently published a proposed rule in the Federal Register eliminating self-certification and providing a free online certification application to WOSB. Comments on the proposed rule are being accepted until July 15. In Wong’s opinion, it is high time to streamline the vetting process for the many other set-aside programs, all of which have different sets of eligibility criteria. Wong feels that going to three formal certifications for 8(a), Historically Underutilized Business Zones, women-owned, and service-disabled veterans will unify the processes. The rule with set-aside screening is expected to take a year for the changes to take effect. (ibid)

Do you have questions about the new certification process and how it may affect your current contract or an upcoming opportunity? Give us a call at 301-913-5000.

Strategy of the Federal Data Strategy

The recently released Federal Data Strategy focuses on making agency data more transparent and usable while maintaining security. It also strives to make the data more accessible to government agencies. (Federal Times, June 4, 2019)

Agencies must perform 40 actions to build cultures that value data and its public use, protect their data, and promote the appropriate internal use. (ibid)

The principles promoted by the Federal Data Strategy include:

  • Ethical governance – Agencies are to consider current and potential uses of their data and how those can benefit the population the agency serves. “To derive value from these potential uses, agencies need leadership champions, management buy-in, and staff capacity to conduct the data-driven decision-making cycle that prioritizes the informative value of data.” Agencies are instructed to:
    1. Identify data needs to answer key agency questions
    2. Assess and balance the needs of stakeholders
    3. Champion data use
    4. Use data to guide decision-making
    5. Prepare to share
    6. Convey insights from data
    7. Use data to increase accountability
    8. Monitor and address public perceptions
    9. Connect data functions across agencies
    10. Provide resources explicitly to leverage data assets (ibid)
  • Conscious design – agencies are to create a structure that promotes proper management and protection of data. According to the memorandum, “A data governance structure helps agencies use data to answer important questions while meeting legal and ethical requirements essential to maintaining public trust, including protecting the privacy and ensuring confidentiality.” Under this practice, agencies are looking at the largest number of action items:
    1. Prioritize Data governance
    2. Govern data to protect confidentiality and privacy
    3. Protect data integrity
    4. Convey data authenticity
    5. Assess maturity
    6. Inventory data assets
    7. Recognize the value of data assets
    8. Manage with a long view
    9. Maintain data documentation
    10. Leverage data standards
    11. Align agreements with data management requirements
    12. Identify opportunities to overcome resource obstacles
    13. Allow amendment
    14. Enhance data preservation
    15. Coordinate federal data assets
    16. Share data between state, local and tribal governments and federal agencies (ibid)
  • Learning culture – under the final practice, agencies must ensure that data is only used to a favorable effect, and that unauthorized users are denied access. The memorandum states, “Access to data resources includes practices related to sharing data assets, including open data and tiered access to protected data, disclosure review and interoperability of federal data. Use of data resources includes practices related to data documentation, emerging technologies for protecting confidential data and federal data expertise.” The most efficient and suitable use of data will often require cooperation between agencies not only within the government but also outside of the government:
    1. Increase capacity for data management and analysis
    2. Align quality with the intended use
    3. Design data for use and re-use
    4. Communicate planned and potential uses of data
    5. Explicitly communicate allowable use
    6. Harness safe data linkage
    7. Promote wide access
    8. Diversify data access methods
    9. Review data releases for disclosure risk
    10. Leverage partnerships
    11. Leverage buying power
    12. Leverage collaborative computing platforms
    13. Support federal stakeholders
    14. Support non-federal stakeholders (ibid)

Within the Federal Data Strategy is a draft one-year action plan in which goals laid out in the original memo are addressed. Designated agencies will develop and share government-wide resources and tools for implementing the Strategy. Some agencies will be assigned to improve the management and use of specific data while working together with other agencies to determine how they might make their data better to serve their needs both internal and external. (ibid)

Agency comments on the action plan are due July 5.

Questions about how this affects your ability to work with agency data? Give us a call at 301-913-5000.