Skip to content Skip to left sidebar Skip to right sidebar Skip to footer

Selling to the government

Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.

 

 

Self Certification — No More ;-(

The 2015 National Defense Authorization Act mandated that the Small Business Administration (SBA) discontinue self-certification of women-owned and other small businesses. In 2020, SBA plans to finalize a self-certification rule that closes a loophole allowing participants in the SBA’s Women-Owned Small Business (WOSB) program to self-certify. (Federal News Network, June 2019)

Approximately one-quarter of all federal contracts are held by small businesses, which over the past six years has helped federal agencies to  exceed  SBA’s governmentwide small business contracting goal. This year’s spending of more than $120 billion on small business contracts surpasses last year’s spending by nearly $15 billion.

The Government Accountability Office reported in March that almost 40 percent of WOSB-certified businesses were ineligible. Meanwhile, SBA’s Office of Inspector General June 2018 audit found 89 percent of sole-source (50 out of 56 contracts) did not meet all program criteria. Basically, there is currently no way to know if the contracts, listed in the chart below, were actually eligible for the sole-source awards. (ibid)

Rob Wong, SBA’s associate administrator of the Office of Government promotes a formal certification to  give the program some much-needed integrity. Wong said, “simply put, the wrong companies were receiving our contracts, we want to make sure that, if a company receives a contract through these programs, they’re actually eligible to receive it.” (ibid)

SBA has subsequently published a proposed rule in the Federal Register eliminating self-certification and providing a free online certification application to WOSB. Comments on the proposed rule are being accepted until July 15. In Wong’s opinion, it is high time to streamline the vetting process for the many other set-aside programs, all of which have different sets of eligibility criteria. Wong feels that going to three formal certifications for 8(a), Historically Underutilized Business Zones, women-owned, and service-disabled veterans will unify the processes. The rule with set-aside screening is expected to take a year for the changes to take effect. (ibid)

Do you have questions about the new certification process and how it may affect your current contract or an upcoming opportunity? Give us a call at 301-913-5000.

Submit Your Schedule 36 ERM Demos Now

GSA is accepting demos for the revised the Schedule 36 Electronic Records Management (ERM) Vendor Demo Process. (GSA Interact, June 4, 2019)

This month, GSA updated the original September 2018 notice regarding ERM demos, removing the GSA-recorded demo option. Vendors interested in participating in the demo presentation process must now record their presentations and provide its link to GSA. Once the demo presentation is approved, GSA will post the link to their Discovery tool. (ibid)

Discovery allows customers to explore GSA services contracts, vendors, and vendor contract history. Customers use this information to determine whether a GSA contract meets their needs. Within the next few months, Discovery should be loaded with current ERM vendor contract information.; at that time, contract holders will be notified. While the tool is being updated, vendors may submit their demo link via email to RecordsManagement@gsa.gov.

GSA wants vendors to create demos for the following:

  • ERM.010.L1.02. Determine if the electronic message can be placed under records management control
  • ERM.020.L1.02. Manage the metadata of an electronic message record throughout the lifecycle
  • ERM.030.L1.02. Dispose of approved electronic message records (ibid)

For additional information regarding the use cases, please see Records Express and the Federal Electronic Records Modernization Initiative (FERMI) website. (ibid)

GSA Guidelines for Demos

Technical

  • All scenarios should last no longer than five minutes, with an introduction of up to five minutes. Maximum running time for each demo should be no more than 20 minutes; shorter demos are encouraged.
  • GSA strongly encourages Section 508 compliance for all vendor demos.

Content

  • Data must be included at the beginning of the demo presentation
  • The types of electronic messages to address are email, SMS/MMS, and chat messages
  • Include as much automation as possible as agencies are looking to reduce the number of steps for end users to manage their electronic messages. Be certain to describe where people are involved in managing electronic messages.
  • Traditional, Hosted, Embedded and ERMaas are the types of approaches to records management.
  • Do not mention competitor names in your demo presentation.
  • Do not mention federal or commercial customers or reveal, in any way, other customers, for any reason. (ibid)

NARA/GSA Demo Submission, Review, and Approval

The submitted link or pdf should allow access to all updated or new video demos in the future. Please keep in mind that before any new demos are added to a vendor’s site or channel, they must be submitted to recordsmanagement@gsa.gov for review. Once approved, vendors can add the demo to their site/channel. Unauthorized demos will be removed from Discovery. GSA is asking for vendors to submit their demos as soon as possible. (ibid)

Release of the Vendor Demo Videos

  • Video on Demand
  • Hyperlinks to the Use Cases will be posted to GSA’s Discovery Tool
  • There may be a short period of time between the video approval and the video being posted on Discovery. GSA reserves the right to post videos in the order they are received.

Questions about these guidelines? Give us a call at 301-913-5000.

 

Training to Go FAST!

GSA recently announced that it will be holding a Federal Acquisition Service Training (FAST) Conference in Atlanta April 12 – 16, 2020. This event will promote constructive dialogue and facilitate an environment where the government and industry can come together to be educated on GSA’s contracting programs. (Federal News Network, May 2019)

The FAST conference is expected to provide many hours of procurement training, as well as providing GSA, government agencies, and industry with an opportunity to share information on key program initiatives, acquisition policies, commercial capabilities, and commercial marketplace trends. It will provide a forum to bring together all of GSA’s agency customers and industry partners under one roof to collaborate, educate and network. (ibid)

Have questions about the FAST conference and whether you should attend? Give us a call at 301-913-5000, and we can discuss it with you.

Accelerating Money to Small Business

If the Accelerating Defense Innovation Act passes Congress, small businesses with more than 50 percent of venture capital funding will find it easier to obtain Small Business Innovation Research (SBIR) grant money from the Department of Defense (DoD). To date, legal hurdles have prevented DoD from utilizing these companies. (Fedscoop, May 21, 2019)

The SBIR, created in 1983, provides small businesses with grants to help them expedite product development, and offers follow-on funding and assistance to provide guidance meeting requirements during the government purchasing process. In 2003, courts ruled that companies owned (more than half) by venture capital firms were ineligible for SBIR grants. Then in 2011, a waiver was created by Congress for those small businesses that are majority-owned by venture investors. These waivers required congressional notification as well as Small Business Administration approval. (ibid)

Unfortunately, DoD has never used the waiver. Defense Contracting Officers continue to shy away from small businesses funded through venture capital. Rep. Mac Thornberry (R-Texas), the new legislation sponsor, cited a recent example of a small satellite technology startup that visited DoD’s Hacking 4 Defense program but did not receive an SBIR grant because of the majority capital investment in the firm, even though their technology is cutting edge. (ibid)

A new pilot program, on which the legislation is based, allows the Secretary of Defense and service acquisition executives for each arm of the military to make an SBIR award to a small business that is majority-owned by domestic venture investors. The bill will allow no more than 15 percent of DoD SBIR program funds to be awarded to these small businesses. Its end date of September 30, 2022. (ibid)

Aside from SBIR, small tech companies can look at other ways to work with the DoD. For instance, the Defense Innovation Unit currently handles commercial innovation pilot projects. Once testing is complete, any DoD branch may procure from a small business, generally within 90 days of the first contact with the company. (ibid)

Rep. Thornberry, the ranking Republican on the House Armed Services Committee, would like to include his legislation in the 2020 National Defense Authorization Act (NDAA).

EZGSA has information about this and other ways small businesses can obtain government contracting. Give us a call at 301-913-5000.