
Author: laura long

Are you practicing “safe cybersecurity”?

The Department of Defense (DoD) is working to extend its own cybersecurity expertise and infrastructure to small and medium-sized businesses. Their current plan is to build a “secure cloud” for company data instead of leaving it to the responsibility of the contractor. (Federal News Network, March 25, 2019)

DoD plans to use their 2020 research and development budget for the Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot. The project will start by making the cloud service available to a specified number of small and medium companies that support prioritized, critical DoD missions/programs. (ibid)

Ellen Lord, the undersecretary for acquisition and sustainment, said, “In contract terms, the Department would treat the secure cloud as Government Furnished Equipment (GFE).” She believes larger companies are already quite savvy and have the funds to create a hardened environment. Ms. Lord is most concerned with small, innovative companies. She said, “we sit down and talk to them about cybersecurity, and sometimes we hear – no kidding, ‘my nephew does my cybersecurity.’ That gets us a little bit worried. And we know that we will either put these small companies out of business, or we will drive them away from the Department of Defense if we give them very, very onerous regulations to meet.” (ibid)

In 2017 DoD began inserting clauses into contracts that require firms to implement the security controls in NIST Special Publication 800-171. Prime contractors are required to impose the same requirements on their subcontractors as they are expected to meet when coming in contact with sensitive, unclassified information. (ibid)

So far, it does not appear that any company’s compliance with the standards has been verified. Going forward, however, spot checks are likely to take place, with the hope of getting to a point where DoD certifies third-party cybersecurity examiners to help verify that contractors’ systems meet the existing requirements and are adequately protected. Currently, about 800,000 systems should be regularly audited. (ibid)

We do know that information is being stolen, but classification levels make it hard to investigate in a reasonable time frame. The details of any individual data theft are classified, making specifics about nature and volume difficult to determine. We also know that sufficient cybersecurity capabilities to protect information must be in place sooner rather than later in order for small and medium-sized businesses to remain contractors to DoD.

Call us with any questions regarding this project at 301-913-5000.

Ease on Down the Small Biz Road

The federal government is the largest buyer of goods and services in the U.S. The Small Business Administration (SBA) was created to work with small businesses competing for some of that business.

Business owners often ask if they are eligible to participate in SBA’s contracting programs. What makes a small business a small business? Are you a small woman-owned business or an 8(a) firm? Certify.SBA.gov provides a checklist to help you manage the application process to determine eligibility. The documents and requirements that must be met are spelled out under each checklist. (certify.sba.gov)

Some of the checklists you can expect when logging into SBA.gov are:

  • Women-Owned Small Business (WOSB) Preparation Checklist
  • Economically Disadvantaged Women-Owned Small Business
  • 8(a) Business Development (BD) Program Preparation Checklist
  • Historically Underutilized Business Zones (HUBZone) Program Preparation Checklist
  • All Small Mentor-Protégé Program Preparation Checklist (ibid)

As many of you know, doing business with the government can be overwhelming, tedious, and confusing. Difficult paperwork often dissuades businesses from pursuing government projects that they are capable of performing. The SBA is in the throes of modernizing the application process for federal contracting programs. Forms are now available online and completion of those forms is performed online as well. (ibid)

EZGSA can walk you through the process of certifying your small, 8(a), or women-owned business status. Give us a call at 301-913-0959 to find out more.

Time For a Facelift

All businesses contracting with the U.S. government must obtain a Data Universal Numbering System (DUNS) number. The DUNS number system, managed by Dun & Bradstreet since 1962, was opened to competitive bidding last year and has since been awarded to Ernst & Young. (Nextgov, March 2019)

The award is for a one-year base period with four one-year options, making the contract total worth $41.8 million if all options are exercised. (ibid)

Over the next few months, the DUNS will be phased out and replaced by the System for Award Management Managed Identifier or SAMMI number. GSA is working on the standards for the new system with an interagency working group. (ibid)

With the new entity validation service, users provide their registration information at SAM.gov and that information is validated against the Ernst & Young data, with no charge to the contractor. The government has unlimited rights to the data in perpetuity. Besides having a safe and secure method for validating entities, the process will be simplified for those seeking contract awards. In addition, the new system will create a workaround for the proprietary nature of the validation services, which have been viewed by many as monopolistic. (ibid)

Have questions about the new validation service? Give us a call at 301-913-5000 and we can explain it.

DoE Bureaucracy Hard at Work

In fiscal year 2016, the General Accounting Office (GAO) conducted an audit of 28 entities to address issues with Department of Energy (DoE) contractor oversight. DoE, including its National Nuclear Security Administration, is the largest federal civilian contracting agency, spending about 90 percent of its appropriations on contracts with companies, universities, and others for federal research and development, production, and engineering. (GAO, March 12, 2019)

After reviewing contracting and subcontracting data and documents, analyzing regulations, and interviewing federal officials and contractor representatives, GAO found: DoE awards about $23.6 billion in prime contracts with about 30 percent ($6.9 billion) of that total going to subcontractors in the form of universities, different companies, or entities; almost all 28 primes were also subs; subcontractors totaled nearly 3,000; and subcontractor complexity makes it difficult to figure out the relationship between the various parties. (ibid)

More than $3.4 billion in subcontract costs (over a ten-year period) were never audited. Because the statute of limitations is six years (according to the Contract Disputes Act), many unallowable costs may not be recovered. (ibid)

GAO made six recommendations, including that DoE develop procedures requiring local offices to verify completion of subcontract audits and that DoE independently review subcontractor ownership information to identify potential conflicts of interest. DoE agreed with all recommendations except to independently review subcontractor ownership information. (ibid) Huh. Wonder why.

Small Businesses, Come on Down!

The Centers of Excellence, established in 2017 by GSA and the White House Office of American Innovation, work with agencies to develop IT modernization plans. So far, two agencies are on board: the Department of Agriculture is in the second and last phase of the program and the Department of Housing and Urban Development is planning a September start. (Nextgov, March 12, 2019)

During the first year of the program, Agriculture completed Phase I and entered Phase II, ahead of HUD’s start on Phase I. The pace should pick up this year, with many agencies working through Phase I at the same time under a new BPA, according to program Director Bob DeLuca, although no start-up date has been made available. (ibid)

It’s expected the program’s next generation will include the original five centers, focused on cloud adoption, contact center, customer experience, data analytics, and infrastructure optimization. Two additional centers for change management and information security will be added. GSA is adding the change management piece to keep things running smoothly once GSA leads step out of the picture. (ibid)

A blanket purchase agreement released last Tuesday outlined the program’s next iteration. This BPA adds new functional areas and points to the future procurement strategy. It will last three years from the award date with an expected value of $100 million, which can increase without mods. (ibid)

Two phases will continue to exist in the updated program: a discovery phase, wherein an agency works with the relevant centers to assess the current situation and devise a plan; and an implementation phase. The new BPA will cover the first phase only, with the second phase of work contracted separately. (ibid)

The final RFQ has been created to attract more small businesses to the program. Vendors can bid on as many or as few of the functional areas as they choose. (ibid)

Prospective bidders must hold GSA Schedule 70 contracts for the relevant special item numbers listed in the RFQ. The turnaround time for the entire RFQ process is short to test how companies respond during short cycles. (ibid)

Vendors interested in bidding will have to complete four submissions: a set of challenge questions, a list of potential scenarios, a technical and management approach description, and a pricing sheet. The challenge questions will be available through Google Forms starting 28 March. (ibid)

Vendors will also be responding to the scenario through a Google Form, answering the question: How would you obtain agency wide buy-in for the modernization efforts promoted by the CoE while also linking efforts and fostering collaboration with other vendors and government staff across all of the centers at the agency partner? (ibid)

Instructions for the other submissions are included in the RFQ. The entire package is due by noon on April 1.

Are you interested in bidding or learning more about the BPA? Call us at 301-913-5000, and we can walk you through the submission requirements.