Polaris Replacing Alliant 2

This past July, GSA put to rest the Alliant 2 Small Business contract. Then, just last week, GSA released a draft RFP named Polaris, a Governmentwide Acquisition Contract (GWAC) to provide customized Information Technology (IT) services-based solutions. The draft RFP breaks out small business contractors into specific “pools” for Small Business, HUBZone Small Businesses, and Women Owned Small Businesses. GSA reserves the right to add additional pools when deemed necessary. (beta.SAM.gov, December 31, 2020)

According to the draft RFP, Polaris will provide agencies with customized IT services and IT services-based solutions, which can be tailored to meet particular mission needs and may include any combination of IT services and new and emerging technologies. (ibid)

GSA encourages contractors to provide innovative solutions to task order requirements prioritizing emerging technologies.  Examples of emerging technologies included within the draft RFP are:

  • Advanced and Quantum Computing — cryptography/encryption, secure communications, design of high-performance computers, computer clusters, and networks, Quantum Machine Learning
  • Artificial intelligence (AI) — Computer Vision, Deep Learning, Machine Learning, Natural Language Processing (NLP),  Spatial Computing, Speech Recognition
  • Automation technology — Robotic Process Automation (RPA), Automated Messaging Services, Data Cleaning Scripts, Interactive Voice Response (IVR), Smart Notification
  • Distributed ledger technology — Blockchain Implementation Solutions, DLT Network Design Services, Smart Contract Programming Services
  • Edge computing — 5G Implementation Services, Edge Analytics, Edge Application Services, Edge Computing Architecture Design Services, Internet of Things (IoT) Services
  • Immersive technology  — Virtual Reality, Augmented Reality

Examples of Performance areas within the draft RFP are as follows:

  • Cloud Services
  • Cybersecurity
  • Data Management
  • Information and Communications Technologies
  • IT Operations and Maintenance
  • Software Development
  • System Design

Contractors may “provide ancillary support as necessary to offer an IT services-based solution,” but, as with the GSA Schedule, only “when it is integral to and necessary for the IT services-based effort.” (ibid)

Contractors should take note of the security considerations as purchasers may be from the Department of Defense as well as civilian agencies. In particular, the Defense Department’s Cybersecurity Maturity Model Certification is a developing regulation and requirement included in the draft RFP. Additional Cybersecurity and Supply Chain Risk Management (SCRM) requirements are expected to also be included. (ibid)

All draft RFP feedback is due by 4:00 PM Central Time, January 29, 2021.

Have questions concerning the draft RFP, who can respond, and how? Give us a call.

CMMC in GWACs

GSA is expected to begin applying the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) at the order level to governmentwide acquisition contract vehicles. (Govconwire, November 10, 2020)

According to Keith Nakasone, deputy assistant commissioner for acquisition in the General Services Administration Office of IT, future Governmentwide Acquisition Contracts (GWACs) will include CMMC requirements, layered in over time. In this video interview, Nakasone explains that the requirements are being added to make sure contracts are within scope for the Department of Defense, the largest GWAC customer. (Government Matters, November 8, 2020)

Nakasone hopes to educate and train industry partners on the CMMC requirements over time. Although he didn’t state outright that CMMC will become part of all future contracts, CMMC requirements are part of the Polaris draft RFP, scheduled for release in December. (ibid)

Need assistance in understanding the CMMC requirements? Give us a call.

Self-Assess No More

Cybersecurity for Department of Defense (DoD) contractors is an ongoing issue. Now, DoD is issuing an interim rule to implement an Assessment Methodology and Cybersecurity Maturity Model Certification framework. This will assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Federal Register, DFARS Case 2019-D041 Action: Interim Rule)

The current self-attestation of NIST Special Publication (SP) 800-171 is not working due to a lack of DoD verification. Until the implementation of the interim rule, DoD did not have a mandate to verify contractor basic safeguarding or security requirements prior to contract award. This regulation changes that. The interim rule adds a process for contractors to implement cybersecurity requirements. This is to be accomplished while the DoD’s Cybersecurity Maturity Model Certification (CMMC) and the procedures with the Accreditation Body (AB) are solidified. (Meritalk, September 28, 2020)

Questions about how the new rule will affect your contract or upcoming bid and what you can expect? Give us a call.

What Brand is Your Telecom and Video?

Section 889 of the FY 2019 National Defense Authorization Act was passed to fight national security and intellectual property threats to the United States. The legislation includes two prohibitions, Part A and Part B. (GSA Section 889 Industry Focused Flyer, GSA.gov, July 16, 2020)

Part A, which became effective on August 13, 2019, bans telecommunications/video surveillance equipment made by the following companies:

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company

Part A can be found in the Federal Acquisition Regulation (FAR) at FAR subpart 2.1.

Part B, effective 13 August 2020, prohibits the government from contracting with any organization that uses equipment or services of any of the companies listed under Part A. Part B applies whether or not that usage is in performance of work under a Federal contract. In other words, if you use any of the banned companies in the fulfillment of a non-government contract, you will be prohibited from working with the government. All contractors must verify whether they do or do not use prohibited telecommunications/video surveillance equipment or services. Part B has been added to the Federal Acquisition Regulation (FAR) at FAR subpart 4.21. (ibid)

GSA recommends that companies complete an in-depth review of all in-house technology to rule out using the banned companies listed in Part A. If prohibited equipment or services are being used, companies that wish to continue doing business with the government must eliminate them. GSA does not take responsibility for changes contractors make, unless done so by a modification to a current contract.

However, two possible waiver procedures with extremely high standards are available. This is to ensure waivers are not used to get “around” the prohibitions.

GSA is modifying all solicitations, Indefinite Delivery Vehicles (IDVs), GWACs, and other IDIQ contracts, to include Section 889 Part B requirements immediately. These requirements will be added to GSA’s existing non-IDV contracts as those contracts have their periods of performance extended.

GSA is hosting the following events so that industry may obtain additional guidance:

  1. The GSA Office of Small Business Utilization webinar on Section 889, July 30, 2020, 2:00 p.m. EST, registration may be found here.
  2. GSA recorded virtual webinar August 12, 2020, at 1:00 p.m. EST, registration forthcoming. This webinar will include leaders from GSA’s business lines explaining how they are implementing Section 889 into their business lines and panelists will answer pre-collected questions. (Questions may be sent to gsaombudsman@gsa.gov to arrive by COB August 5, 2020.) (ibid)

GSA recommends that vendors study the tools and publications to aid their understanding and compliance, as provided in Acquisition.gov.

Not certain if your contract is affected by Section 889 Part B and if so, what you can do? Give us a call.

Updating Govt Cloud Security

Cloud vendors will soon see standardized security liability language in all government contracts. This is partly because agencies’ migration to the cloud sped up once the pandemic hit and teleworking increased, making cybersecurity assurances essential. (Nextgov, May 20, 2020)

Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA, recently elaborated on the subject, “I think there is a need to update our [service level agreements] with the cloud providers and we’re actively working on that within [the General Services Administration]…. OMB has just stood up a [program management office] to work on a cloud SLA template for the federal government to be attached to every contract.” (ibid)

When referring to the pandemic, Santucci said, “Users are now remote rather than in a central building or campus. Agencies that are doing well are mostly in the cloud with little or no impact. Remote users do not need a [virtual private network] to gain access to their emails or files, collaboration products have significantly reduced file duplicates, and bandwidth consumption is between the home internet connection and the cloud. It’s a great success story.” (ibid)

Officials at the National Institute of Standards and Technology (NIST) believe moving to the cloud does not mean security is a “one and done” feature. Customers may be responsible for many security considerations under their contracts, and increased use of cloud services is not 100 percent secure.

Rep. Doris Matsui, D-California, recently wrote to NIST Director Walter Copan, requesting that NIST work to establish metrics to accompany its Cybersecurity Framework. The framework allows entities to implement security controls based on their needs. Matsui’s letter to Copan asked for ways to evaluate the security implications of those decisions. Matsui states, “with quantifiable measurement tools, cybersecurity strategies can be compared across industries and between entities. Metrics and measurements that facilitate comparisons and assess risk will be valuable for consumers, companies, and governments.” (ibid)

Wondering how your contract or upcoming proposal might be impacted by cloud migration and updated service level agreements? Give us a call.