CMMC Coming to Solicitations

Cybersecurity Maturity Model Certification (CMMC) requirements may show up in solicitations within six months. (GOVCONWire, May 12, 2020)

A Department of Defense spokesperson expects about 10 DoD RFIs in June to include the new requirements. She said, “As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on.” (ibid)

Additionally, changes to the Defense Federal Acquisition Regulation Supplement 252.204-7012 should be finalized by October. “You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed.” (ibid)

Questions on the Cybersecurity Maturity Model Certification and whether you can bid on upcoming solicitations? Give us a call.

Government Contracting Automation?

Recent survey results of federal acquisition senior procurement executives and chief acquisition officers provide a window into the world of government procurement and what should occur over the next few years, according to Kraig Conrad CEO of the National Contract Management Association (NCMA), who conducted the survey. (Federal News Network, January 7, 2020)

According to NCMA, the three major findings from the survey are:

  • The role of the contracting officer is changing
  • The business of contracting is changing.
  • The workforce is changing.

The survey found that respondents are looking to shorten the procurement cycle while giving the Contracting Officer the ability to be less restricted and able to focus on providing solutions as opposed to getting mired in the routine administrative tasks. According to Conrad, the acquisition professional should see their role as a solution maker and not a compliance “police” officer, which ultimately limits the Contracting Officer’s impact. (ibid)

One element that threads itself through all of the findings is the need for top cover from agency executives to allow contracting officers as well as program managers the leeway and freedom to try different things and bring new ideas to the table. Conrad gives the example of the Air Force pitch days, in which 51 contracts were awarded to companies that have little or no experience with the military. The service doled out $3.5 million to those small businesses on a Wednesday — each in 15 minutes or less. The first installments of the companies’ contracts were in their bank accounts almost immediately. (ibid)

Conrad noted, “we heard from a lot of our senior procurement executives that in an environment where they feel they have top cover, the risk aversion conversation is easier to overcome. Otherwise, you will go right back to the same old model where everyone is trying to protect themselves. That top cover really only comes when someone in a leadership structure is not afraid to get in trouble. You run into situations where the senior leadership doesn’t feel they are covered or protected. It will take leaders stepping out and leaning over these challenges to be able to open challenges for their workforce.” (ibid)

Another area of impact on federal acquisition is technology. The survey white paper states “Several senior leaders even described a future in which an encyclopedic knowledge of the rules and regulations will be devalued as artificial intelligence further automates their application to acquisitions or incorporates regulatory provisions and requirements into contracting app algorithms.” (ibid)

According to Conrad, “we need to get better at how we train into the workforce. Those that have data science understanding need to tell a really good story with data. How are the contracting officers the solution makers? That really comes down to competency. What is those balance of skills that will allow someone to be competent as a business leader in this function? That is one of the areas, because of technology advances, that the technical components will soon be outweighed by the software skill needs.” Conrad feels the “softer skills” include a baseline knowledge of the actual problem/mission, products, and their related markets. (ibid)

Most senior leaders interviewed expect a shift from tactical to strategic work as technology is used for repetitive or routine tasks. It’s expected that many administrative tasks, for example, contract modifications, will become fully automated. Some senior leaders look to AI to further automate regulatory provisions and requirements into contracting app algorithms. (ibid)

Conrad expects to meet with federal acquisition leaders to discuss the survey results and begin the process of changing the role of the contracting officer.

Wondering if this will affect how you work with a Contracting Officer? Give us a call.

 

Federal Supply Class Review

What happens when the Defense Logistics Agency (DLA) and the General Services Administrations (GSA) get together to increase efficiencies and effectiveness of the national supply chain? You get the first Federal Supply Class (FSC) review in almost 50 years. (Defense Logistics Agency, October 9, 2019)

So why now, you ask? According to Alan Thomas, commissioner of GSA’s Federal Acquisition Service, it is to “optimize the movement of supplies to our nation’s troops and reduce duplication in the federal supply chain.”

FSC’s review involves all 600 FSCs, or about seven million items used by federal and military consumers and categorizes them by similarity. This review will reduce redundancies and improve purchasing efficiencies as well as customer readiness and responsiveness. Checks and balances will keep both organizations compliant with principles of their original agreement. (ibid)

The 1971 Supply Management Relationship Agreement between DLA and GSA gave DLA authority over supplies within assigned FSCs used by the military regardless of their use by civil agencies. GSA manages items used by federal agencies that are commercially available. Today GSA and DLA  maintain contracts with vendors delivering directly to customers. DLA forecasts demand and then supply chain representatives, vendors and DLA Distribution ensure on-time delivery worldwide.

DLA and GSA are working side by side to put together an automated tool that categorizes FSCs for analysis. The tool will produce summary-level data on all items to ultimately determine if a change in acquisition strategy might lead to improved efficiencies and effectiveness for the government, taxpayers, and customers. Both DLA and GSA must be in agreement to transfer logistics management of any items.

“Regardless of item transfer decisions, the process and tools we’ve developed in conducting this review provide an archive of information that supports FSC management determinations beyond the simple criteria identified in the 1971 agreement,” Jay Schaeufele, GSA account manager for DLA Logistics Operation’s Whole of Government Division, said. “This information is important as we navigate government and acquisition reform initiatives and evaluate potential economic efficiencies without losing vision of DLA’a first priority to warfighter readiness. (ibid)

Jeff Thurston, director of GSA’s Office of Supply Chain Management, said: “GSA’s new business model challenges us to identify new ways to serve environments where stocking product was previously the go-to solution.” (ibid)

The Commercial Platforms Program will update how commercial products are bought by federal agencies via partnerships with commercial e-platform providers. Government agencies will access commercial platforms as part of a whole-of-government approach. This approach will give agencies visibility into online spending, thus reducing supply-chain risk while providing more time for focusing on mission-oriented acquisition.

According to Laura Stanton, deputy assistant commissioner for Category Management in GSA’s Office of Information Technology Category, “this three-year proof of concept will offer federal buyers easy access to e-marketplace providers and commercial products. Additionally, agencies will have better visibility and insight on purchasing patterns to bring one-off spending under management. The Commercial Platform’s proof of concept offers a way for agencies to access commercial platforms as part of a whole-of-government approach, strengthening GSA’s commitment to maximize the government’s buying power through economies of scale.” (ibid)

GSA and DLA are consolidating purchasing, tracking, and spending analysis while taking advantage of government-wide and best-in-class acquisition vehicles. In addition, they are working together to communicate supply chain issues such as cybersecurity, fraud, and counterfeit parts while working with the military to determine optimal shipping routing.

Will this translate into possible changes to your current contract or bid? We’re available to discuss.

Program UnSupport Center

Back in June, the Health and Human Services Department (HHS) announced it would halt assisted acquisition services for non-HHS customers after September 30, 2020. Until the announcement, HHS provided assistance through the Program Support Center (PSC). After the deadline, all 19 agencies (with more than $1.4 billion in contracts per year) who had contracts administered by HHS will have to look elsewhere or figure out how to administer the contracts themselves. (Government Executive, September 13, 2019)

PSC lacks the procedures, policies, and internal controls to work with agencies outside of HHS. In addition, questions have been raised as to whether the PSC is actually legally authorized to administer contracts for agencies outside of HHS. (ibid)

Many questions remain unanswered, such as the fate of bids in the process of evaluation. Unfortunately, the PSC is not communicating with customers at this time, according to Federal News Network. This is surprising, as the Office of the Assistant Secretary of Administration focused on the need for “continuous communication” in customer service. (ibid)

So where will all of these contracts be administered? An EPA spokesperson said EPA contracts will either placed on new or existing EPA contract vehicles or handled through interagency agreements with other federal agencies. The Office of Special Counsel is partnering with Merit Systems Protection Board to process a number of mission-critical procurements. In 2020 GSA is assisting OSC with their procurement requirements. (ibid)

If you have questions about how this affects a current bid or your current HHS-administered contract, give us a call.

Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.