DoD and Software

The Department of Defense is updating its purchasing policies for software acquisition, moving toward an  Adaptive Acquisition Framework. (fedscoop, October 7, 2020)

DoD’s new software purchasing policy includes some big changes: its focus will be on updating software on an “as needed” basis instead of custom coding. In the old model DoD purchased software in the same manner as it bought tanks, which often took years. The new policy, titled 5000.87, allows contracting officers to have the tools they need to buy code while giving them the flexibility to focus on the development and maintenance of programs. (ibid)

According to a DoD spokesperson, “as more parts of the military use similar technology-development stacks, achieving Authorities to Operate (ATOs) will happen much faster.” The goal is to improve cycle time which should now be achieved with the new framework in place.

Are you looking to work with DoD to provide software or code and have questions about how to get started under the new purchasing policy? Give us a call.

 

Self-Assess No More

Cybersecurity for  Department of Defense (DoD) contractors is an ongoing issue. Now, DoD is issuing an interim rule to implement an Assessment Methodology and Cybersecurity Maturity Model Certification framework. This will assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Federal Register, DFARS Case 2019-D041 Action: Interim Rule)

The current self-attestation of NIST Special Publication (SP) 800-171 is not working due to a lack of DoD verification. Until the implementation of the interim rule, DoD did not have a mandate to verify contractor basic safeguarding or security requirements prior to contract award.  This regulation changes that. The interim rule adds a process for contractors to  implement cybersecurity requirements. This is to be accomplished while the DoD’s Cybersecurity Maturity Model Certification (CMMC) and the procedures with the Accreditation Body (AB) are solidified. (Meritalk, September 28, 2020)

Questions about how the new rule will affect your contract or upcoming bid and what you can expect? Give us a call.

Industry Looking to GSA for Guidance

Agencies are pressuring GSA to provide guidance for meeting deadlines to modernize telecommunications. The  pandemic has delayed many agency transitions, thus making those deadlines nearly impossible to meet. (FEDSCOOP, May 12, 2020)

COVID-19 slowed task order awards under the Enterprise Infrastructure Solutions (EIS) contract, the government’s $50 billion telecom and network modernization channel. In some cases where task orders have been awarded, agencies can’t provide contractors clear instructions. Many believe the task order award delays impede the move from Networx, Washington Interagency Telecommunications System 3, and local service area contracts.

Legacy contracts are set to expire in May 2023. The GAO expects 19 of the agencies who spend the most on EIS to be transitioned over by the legacy expiration date; however many will not meet the GSA’s more aggressive 30 September 2022 deadline. (ibid)

Allen Hill, executive director of telecom services in the Office of IT Category at GSA believes agencies will make GSA aware of the effects of the pandemic, and GSA will in turn work with agencies on a case by case basis. (ibid)

The Department of Defense has their own strategy. They are beginning to rely on the lowest price technically acceptable (LPTA) source selection for EIS. DoD plans to report the methodology used to award contracts and task orders in June, once the Federal Procurement Data System modification is complete. Meanwhile, the Defense Information Systems Agency executed six EIS awards last month. Most EIS solicitations are “best value” yet agencies need to balance the overall cost of their transition with the time for implementation. (ibid)

Unfortunately, when agencies speed up transition, companies have less time to address task order requirements properly. This puts the risk on industry to provide the best value while accurately responding to agency requirements. Many task orders were written prior to the pandemic, therefore contractors are forced to address network issues while teleworking. The time it takes to address issues is naturally increased. (ibid)

“Agencies are encouraged to examine any gaps in their network infrastructures and ensure they make appropriate adjustments to their EIS task orders to provide needed capabilities. Modern IT demands modern infrastructure,” Hill stated. (ibid)

Have questions concerning a delayed task order or need one? Give us a call.

CMMC Coming to Solicitations

Cybersecurity Maturity Model Certification (CMMC) requirements may show up in solicitations within six months. (GOVCONWire, May 12, 2020)

A Department of Defense spokesperson expects about 10 DoD RFIs in June to include the new requirements. She said, “As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on.” (ibid)

Additionally, changes to the Defense Federal Acquisition Regulation Supplement 252.204-7012 should be finalized by October. “You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed.” (ibid)

Questions on the Cybersecurity Maturity Model Certification and whether you can bid on upcoming solicitations? Give us a call.

CMMC not for COTS

A recent modification to DoD’s website spells out a small but very specific change about the Cybersecurity Maturity Model Certification (CMMC): it’s not applicable to DoD suppliers that only provide commercial-off-the-shelf products. (FedScoop, May 5, 2020)

Originally, DoD and CMMC administrators explained that all contractors and subcontractors must be certified under  CMMC by a third-party assessor. However, a few weeks ago, the Office of the Under Secretary of Defense for Acquisition and Sustainment changed the official website. The revised FAQ section states: “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.” (ibid)

CMMC is in place to certify contractors have the cybersecurity practices in place to work with controlled unclassified information, the actual products themselves. (ibid)

Wondering if CMMC applies to the products and or services you provide? Give us a call.