CMMC a Plus for Small Businesses?

Katie Arrington, on staff with the Undersecretary of Defense for Acquisition and Sustainment, believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle of cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year, and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the Cybersecurity Maturity Model Certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure. So a company offering cleaning services may need to comply only with CMMC level one, while an engineering firm is held to level four.

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable, with weak spots. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high that small companies will be priced out of the marketplace, limiting their ability to compete on government contracts.

The most recent Navy breaches targeted contractors without classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements as early as fall 2020.

Questions about CMMC requirements? Give us a call.

CMMC RFI

The Department of Defense (DoD) has issued a request for information for the “long-term implementation, functioning, sustainment, and growth” of the Cybersecurity Maturity Model Certification (CMMC). (FedBizOps.gov, October 3, 2019)

Last month, DoD issued version 0.4 of the CMMC. Contractors may now see the cybersecurity standards required when working on projects with controlled but unclassified information. CMMC will help DoD secure more than 300,000 organizations. (Fed Scoop, October 4, 2019)

The accreditation body does not directly perform the assessments but manages third-party organizations that do. It is a nonprofit that utilizes “revenues generated through dues, fees, partner relationships, conferences, etc.” to fund the work. The deadline to submit feedback is October 21, 2019. (FedBizOps.gov ibid)

We’d be glad to discuss this RFI with you. Just give us a call.

Program UnSupport Center

Back in June, the Health and Human Services Department (HHS) announced it would halt assisted acquisition services for non-HHS customers after September 30, 2020. Until the announcement, HHS provided assistance through the Program Support Center (PSC). After the deadline, all 19 agencies (with more than $1.4 billion in contracts per year) who had contracts administered by HHS will have to look elsewhere or figure out how to administer the contracts themselves. (Government Executive, September 13, 2019)

PSC lacks the procedures, policies, and internal controls to work with agencies outside of HHS. In addition, questions have been raised as to whether the PSC is actually legally authorized to administer contracts for agencies outside of HHS. (ibid)

Many questions remain unanswered, such as the fate of bids in the process of evaluation. Unfortunately, the PSC is not communicating with customers at this time, according to Federal News Network. This is surprising, as the Office of the Assistant Secretary of Administration focused on the need for “continuous communication” in customer service. (ibid)

So where will all of these contracts be administered? An EPA spokesperson said EPA contracts will either be placed on new or existing EPA contract vehicles or handled through interagency agreements with other federal agencies. The Office of Special Counsel is partnering with Merit Systems Protection Board to process a number of mission-critical procurements. In 2020 GSA is assisting OSC with their procurement requirements. (ibid)

If you have questions about how this affects a current bid or your current HHS-administered contract, give us a call.

Setting Aside the Small Biz Set Asides

The National Background Investigations Bureau (NBIB) is moving from the Office of Personnel Management to the Department of Defense (DoD), merging with the Defense Counterintelligence and Security Agency (DCSA). Of interest to many EZGSA clients, sources say the move anticipates plans to significantly diminish small business goals at the agency from 65 percent to 10 percent, according to Elizabeth Mudd, small business program manager. (Defense Systems, August 7, 2019)

Mudd believes that the whopping decline in small business goals is intended to promote more subcontracting to supplement the four primes that oversee background investigation services. While this may be true, the bottom line remains that in this fiscal year, NBIB is contributing about $804 million in small business eligible dollars compared to DCSA’s $73.4 million. (ibid) Maybe the merger won’t actually change the dollar amount contracted with small businesses in the long run, but we’re not holding our breath.

Want to gripe or discuss strategy? We’re here.

HHS Did What?

The Department of Health and Human Services Program Support Center (PSC) has decided to end assisted acquisition services. Some agencies under the PSC umbrella include: the Office of Personnel Management, the Office of Special Counsel, the Environmental Protection Agency, and the Defense Department (DoD). (DoD accounts for roughly $1 billion of the $1.4 billion total contract amount under the PSC.) (Federal News Network, July 22, 2019)

It appears HHS stopped offering assisted acquisition services in mid-June, just as agencies were preparing for fourth-quarter acquisitions. This likely includes the $150 million multiple-award contract PSC was about to award for EPA along with a number of “in-process” contracts for DoD. Additionally, any award for the prior four years must be moved to other agencies or absorbed by the “home” agency by September 20, 2020. (ibid)

So why exactly did HHS decide to stop its assisted acquisition services? In a memo to the civilian agency customers, they said they do not have the internal controls, policies, or procedures necessary. DoD customers received a comparable memo. (ibid)

Why now? Possibly due to the manner in which PSC has handled classified information for DoD and other agencies’ procurements through the self-certification process. The self-certification process is achieved through the DD-254 form. However, a recent audit found that PSC does not actually perform classified work. (ibid)

Unfortunately, this abrupt change is putting a burden on many agencies. Since the decision has been made and will affect fourth-quarter spending, agencies must now scramble to find help from other assisted acquisition service providers. The decision also affects vendors, who spend time and money to bid on solicitations that must restart. And the question remains: will vendors lose work from existing contract awards that they bid on and won?

Roughly one-third of all federal spending occurs in the fourth quarter, with one-quarter of the spending in September. Administrators plan to meet with member companies, DoD, and the Office of Federal Procurement Policy to arrive at a game plan going forward. (Federal News Network, July 22, 2019)

Will this affect a bid you are working on or a recent contract award? If so, give us a call.