CMMC not for COTS

A recent modification to DoD’s website spells out a small but very specific change about the Cybersecurity Maturity Model Certification (CMMC): it’s not applicable to DoD suppliers that only provide commercial-off-the-shelf products. (FedScoop, May 5, 2020)

Originally, DoD and CMMC administrators explained that all contractors and subcontractors must be certified under  CMMC by a third-party assessor. However, a few weeks ago, the Office of the Under Secretary of Defense for Acquisition and Sustainment changed the official website. The revised FAQ section states: “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.” (ibid)

CMMC is in place to certify contractors have the cybersecurity practices in place to work with controlled unclassified information, the actual products themselves. (ibid)

Wondering if CMMC applies to the products and or services you provide? Give us a call.

HHS Did What?

The Department of Health and Human Services Program Support Center (PSC) has decided to end assisted acquisition services. Some agencies under the PSC umbrella include: the Office of Personnel Management, the Office of Special counsel, the Environmental Protection Agency, and the Defense Department (DoD).  (DoD accounts for roughly $1 billion of the $1.4 billion total contract amount under the PSC.) (Federal News Network, July 22, 2019)

It appears HHS stopped offering assisted acquisition services in mid June, just as agencies are preparing for fourth quarter acquisitions. This likely includes the $150 million multiple-award contract PSC was about to award for EPA along with a number of “in-process” contracts for DoD. Additionally, any award for the prior four years must be moved to other agencies or absorbed by the “home” agency by September 20, 2020. (ibid)

So why exactly did HHS decide to stop its assisted acquisition services? In a memo to the civilian agency customers, they said they do not have the internal controls, policies, or procedures necessary. DoD customers received a comparable memo. (ibid)

Why now? Possibly due to the manner in which PSC has handled classified information for DoD and other agencies’ procurements through the self-certification process. The self-certification process is achieved through the DD-254 form. However, a recent audit found that PSC does not actually perform classified work. (ibid)

Unfortunately, this abrupt change is putting a burden on many agencies. Since the decision was made and will affect the fourth-quarter spending, agencies must now scramble to get other assisted acquisition service provider help. The decision also affects vendors, who spend time and money to bid on solicitations that must restart. And the question remains: will vendors lose work from existing contract awards that they bid on and won?

Roughly one-third of all federal spending occurs in the fourth quarter, with one-quarter of the spending in September. Administrators plan to meet with member companies, DoD ,and the Office of Federal Procurement Policy to arrive at  a game plan going forward. (Federal News Network, July 22, 2019)

Will this affect a bid you are working on or a recent contract award? If so, give us a call.

Shutdown is Long, Still Going Strong

Is there an end in sight? Will the Dems and Trump come to an agreement soon? Will you get paid? Will you receive back pay for the time the government doors are shut? These are the questions government workers, contractors, and subcontractors are asking.

Here’s what we know:

• Private companies that serve civilian agencies such as the Department of Homeland Security, the United States Agency for International Development (USAID), and the EPA have been told to stop work on specific contracts. (No word as to what happens next.) (Washington Post January 6, 2019)

• The government is offering guidance to contractors on an agency-by-agency basis and contractors are starting to receive “stop work order” notices from those agencies that no longer have funds. (Department of Defense and intelligence agencies are, for the most part, unaffected.) (ibid)

• FEMA has posted a “blanket” stop work order. This likely will not affect deep pockets of larger companies working on FEMA contracts, but will undoubtedly negatively impact smaller businesses. Government workers will get back pay, government contractors will not. (Washington Post, January 6, 2019)

As feared, the smaller the business the greater the impact.

Have questions about your contracts with the government and what you should be doing? Give us a call at 301-913-5000.