Three DoD DFARS will soon become permanent rules

According to a recent statement by Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, three Defense Federal Acquisition Regulation Supplements (DFARS) for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) will soon be permanent rules. (MeriTalk April 15, 2021)

The CMMC program enforces cybersecurity standards in the Defense Industrial Base (DIB) supply chain. The certification requirements will be part of all DoD contract requirements by 2026. (ibid)

The soon-to-be-permanent rules are:

  • DFARS Provision 252.204.7019 requires contractors to complete self-assessments and upload them into the DoD’s Supplier Risk Performance System (SPRS)
  • DFARS Clause 252.204.7020 takes place upon contract completion, allows DoD access to systems, facility, and personnel if DoD assesses the necessity due to risk
  • DFARS Clause 252.204.7012 requires all contractors to maintain adequate security of defense information that is “processed, stored or transmitted” on their network (ibid)

According to Arrington, 300,000 contractors need to get CMMC certified within the next five years. She said, “we have thought carefully about this, and making cybersecurity foundational to acquisition wasn’t something that we just thought “Let’s do it one time.” It has to be an enduring capability.” (ibid)

Questions concerning CMMC certification? Give us a call.

 

CPARS is getting a refresh

For over a decade, the Office of Federal Procurement Policy (OFPP) has encouraged government agencies to increase their research and evaluation of contractor performance on contracts, with little effect. (Federal News Network April 12, 2021)

The general consensus is that the current Contractor Performance Assessment Reporting Systems (CPARS) is broken. Contractors and Contracting Officers feel it inaccurately rates performances while also being burdensome. For the past two years, Mike Smith, a former DHS director of strategic sourcing and now an executive vice president at GovConRx, has led an effort to rebuild CPARS. His goal, “make sure it results in good information and the information is more strategic and tactically used.” (ibid)

What are some of the problems with CPARS? Many contracting officers rate contractor performances as satisfactory because it takes too much of their time to verify exceptional or outstanding performance and too much time trying to explain why a rating might be below average or poor. (ibid)

DHS is looking to solve this problem through a pilot application of artificial intelligence (AI). DHS recently awarded contracts to five companies to demonstrate their ability to build production-ready software. User groups will view demos using software-as-a-service (SaaS). The user groups are, The departments of Commerce, Energy, Interior, Veterans Affairs, and Health and Human Services as well as GSA, NASA, the Air Force, and the U.S. Agency for International Development. The agencies gave the 5 companies in the pilot, 50,000 anonymous procurement records, to assist in training the AI. The goal is to decide which technologies will move to phase 3 in June with an actual launch in January 2022. (ibid)

GSA has some barriers to overcome too. Contracting officers must see the value in vendors providing self-assessments on certain projects. GSA senior procurement executive Jeff Koses sent a memo in February recommending the use of vendor self-assessments s one step in the overall CPARS process. The memo is a permission slip, of sorts, for contracting officers to begin asking for self-assessments as one part of the CPARS process. This should alleviate some of the burden on contracting officers.(ibid)

Mike Smith, a former DHS director of strategic sourcing and current executive vice president at GovConRX said, “you wouldn’t believe how many contracting officers refuse to take input from industry because they think they aren’t allowed to. As a contracting officer, I’d rather have a back and forth at least by midyear, if not before, so we can adjust course and have a common understanding at the end of the performance period and there are no surprises about ratings and the basis of that rating.” Most agree that good contractors will jump at the opportunity to do a self-assessment because they will finally be able to have input into the process. (ibid)

CPARS should also help small businesses. When contracting officers see the small business has done larger jobs and done them well, through a relevancy search and high CPARS, they are a lot more likely to award them a contract. This in turn helps the contracting officer make better-informed decisions through the use of data. (ibid)

Questions concerning self-assessments and the intricacies involved? Give us a call.

 

 

GSA just got $150 million, want your piece?

Congress recently passed several spending measures designed to support federal IT modernization and cybersecurity. The one measure, possibly most overlooked, is the $150 million assigned to the General Services Administration (GSA) under the Federal Citizen Services Fund (FCSF).

Many question how exactly the $150 million will be used. Recently, Dave Zyvenyach, director of the GSA’s Technology Transformation Services (TTS), explained, “funding multiple projects within TTS, the FCSF drives innovation in government through interagency projects that enhance and promote the public’s digital experience with government. This includes using technology to improve service delivery, transparency, security, and the efficiency of Federal operations, while also increasing public participation.”

GSA wants to make it easier for the government to deliver digital services to the public and for the public to interact with agencies online. Zyvenyach said, “near-term initiatives will be investments in addressing the pandemic and improving service delivery and security, while longer-term initiatives will improve security, enable mission delivery, and really transform the Federal Technology workforce and improve the government’s experience for the public.”

Bringing private industry innovation to the government is the goal. As a result, the government will see secure, sustainable services, improvements in mission delivery, and costs reduced.

Want a your piece of that pie? Give us a call.

 

EZ-ier requirements for COVID efforts at GSA says EZGSA

GSA’s Multiple Award Schedule (MAS) program may be used by state and local governments to procure commercial products, services, and solutions necessary to respond to the pandemic. GSA is providing additional support by issuing Acquisition Letter (AL) MV-21-03 and Supplement to further aid America in response to COVID-19. (GSA Interact April 14, 2021)

AL achieves this by:

  • Temporarily waiving (3) MAS solicitation requirements in MAS provision SCP-FSS-001 when a company is proposing products/services to support COVID-19 efforts.
  • The AL waives:
  1. The requirement to possess two years of Corporate Experience
  2. The requirement to submit a Relevant Project Experience for each SIN proposed
  3. The requirement to submit an Annual Financial Statement for the previous two years (ibid)

The AL, however, does not change the following:

  • Certain vendor instructions regarding the submission of a Corporate Experience narrative, Letter of Commitment/Supply, Past Performance Information, Quality Control Plans
  • Category/SIN specific technical requirements outlined in the MAS Solicitation category attachments
  • A Contracting Officer’s overarching responsibilities especially determining fair/reasonable pricing, ensuring compliance with vendor instructions, and making a responsibility determination in accordance with FAR subpart 9.1 (ibid)

AL applies to all MAS large categories, subcategories, and SINs under the following conditions:

  • New vendors proposing products, services, and/or solutions in direct support of COVID-19 efforts
  • Current MAS contractors adding service SINs in direct support of COVID-19 efforts (ibid)

AL does not apply under the following conditions:

  • Any offers or modifications which include products, services/solutions that do not directly support COVID-19 efforts
  • To VA MAS for medical equipment, pharmaceutical services, or supplies (ibid)

GSA is doing a number of things to support the ongoing COVID-19 efforts. The following are to name a few:

  • Deferring MAS contract cancellations when minimum sales haven’t been met under I-FSS-639 Contract Sales Criteria
  • Issuing a non-availability determination for Trade Agreement, Buy American Statute Class Determination, allowing contracting officers to temporarily award non-TAA compliant product to support COVID-19 requirements
  • Purchase Exceptions from the AbilityOne Program
  • Implementation of Emergency Acquisition Flexibilities (ibid)

GSA/FAS has many mechanisms for its Federal Partners to access the vital supplies and services required to meet the COVID-19 pandemic. For companies who would like to reach the government market beyond the MAS program, the Commercial Platforms program provides options to partner with several commercial e-marketplace platforms. It is also possible to partner with an existing MAS contractor as a subcontractor, providing part of a total solution to an agency’s COVID requirements. (ibid)

Questions concerning AL, what it does, doesn’t do, or do you now qualify for GSA? Give us a call.

 

 

 

 

NIST looking for a Small Cybersecurity Business – Do you qualify?

The National Institute of Standards and Technology (NIST) is looking for a small business to assist with the creation of privacy and cybersecurity standards that will apply to federal agencies. Additionally, NIST hopes to gain assistance with the development and modeling of software and applications for various tools, including the National Vulnerability Database.(Nextgov March 29, 2021)

The sources sought notice posted on beta.SAM.gov states, “with a new and re-energized national emphasis on information security, the NIST Information Technology Laboratory’s (ITL) Computer Security Division (CSD) is uniquely positioned to ensure that new technology initiatives are selected, deployed, and operated in a manner that does not increase the risk to organizational missions, individuals and the Nation.” (ibid)

“NIST expects the requirements of its mission to expand and anticipates the need for support in meeting these requirements. The support needed to ensure a successful mission ranges from internal programmatic support to technical expertise and research consulting in a wide range of cyber and information security areas.” (ibid)

Do you qualify for the cybersecurity SINs? Give us a call.