Skip to content Skip to left sidebar Skip to right sidebar Skip to footer

Tag: cybersecurity

Can Alliant 2 Be “Newer, Better” ?

GSA has finally put us all out of our Alliant 2 Small Business misery. Last week they canceled the acquisition contract. The original award was wrought with confusion, protests, and court disputes, so cancellation isn’t that surprising. (Nextgov, July 2, 2020)

However, GSA promises that the small business IT instrument will live on in a newer, better solicitation. Keep your eyes peeled for the larger and newly structured solicitation. No word yet on the release date of the new solicitation. (ibid)

Laura Stanton, acting GSA Assistant Commissioner for the Office of Information Technology when announcing the cancelation said, “The needs of our customer agencies, small business partners, and industry partners are rapidly evolving, GSA is committed to finding ways for our GWACs to reflect the current IT marketplace so that we can maximize the opportunities for small and women-owned, HUBzone, service-disables veteran-owned, and 8(a) small businesses to contract with the government for cybersecurity, emerging technology, and IT supply chain risk management needs.”

Stanton also said, “we are working to expand the number of master contract awards to highly qualified small businesses on our GWACs, while focusing on technology requirements that support our customer agencies for future mission success.” (ibid)

Questions about the cancellation and or the upcoming solicitation? Give us a call.

More COVID-19 Guidance

Last week the Office of Management and Budget (OMB) updated its agency guidance for federal contractors, as a response to the COVID-19 pandemic. The three main takeaways are:

  • Agencies are encouraged to work with their contractors to allow for the maximization of telework.
  • Agencies must be flexible providing extensions to performance dates if working virtually isn’t possible or if a contractor must quarantine. Agencies should also weigh whether to keep key personnel in a mobile-ready state for national security measures.
  • Agencies are urged to leverage the special emergency procurement authorized in connection with the emergency declaration under the “Stafford Act”. These include increases to: the micro-purchase threshold; the simplified acquisition threshold; and the threshold for using simplified procedures for certain commercial items. These are designed to reduce discord for contractors, especially small businesses, allowing for a more rapid response to the increasing demands agencies face. (Nextgov, March 22, 2020)

The agency guidance comes after trade groups and lawmakers strongly voiced the need for contractor guidance. The updated guidance includes a section of frequently asked questions, including contractor exposure to COVID-19. (ibid)

OMB also issued technology guidance for use during the COVID-19 national emergency. The technology guidance also includes a FAQ section, with steps to ensure IT and cybersecurity measures are met while working remotely. It urges agencies to continue updating their websites to enable public access to government services.

Need some help figuring out OMBs agency guidance for contractors? Give us a call.

Cybersecurity Knowledge for Free

Who should understand cybersecurity? According to the Department of Homeland Security, everyone.  Whether or not you work in IT,  a basic understanding of cybersecurity is necessary. Now, thanks to the National Security Agency (NSA) and Penn State University, you can learn online at no charge. (Federal News Network, October 11, 2019)

NSA and Penn State, as part of an undertaking directed by the Department of Homeland Security, have created an online course to educate people on cybersecurity operations, law, and policy. Geared toward non-lawyers, no technical background is required. The entire course can be taken as a whole or in modules. In addition, anyone interested in the course can teach it or take it. It is offered through the Clark Center, with a variety of other cybersecurity courses.

The course begins with an overview of the U.S. government and the legal system and how they operate, providing a legal framework around cyber operations and cybersecurity. It gives similar overviews of technology concepts, then steps into the legal foundations for modern cyber law and policy focusing on the Constitution and the Bill of Rights and their application to these concepts. 

The third and final module reviews cyber operations. This is taught as a cyber threat response framework using real-world cases to keep students engaged. Many examples are taken from actual current events and show how domestic law, national security, and technology intersect. (ibid)

Wondering if you should hone up on your cyber education? Give us a call and we can discuss it with you.

CMMC a Plus for Small Businesses?

Katie Arrington, on staff  with the Undersecretary of Defense for Acquisition and Sustainment believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle of cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the cybersecurity maturity model certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure. So a company offering cleaning services may need only comply with CMMC level one while an engineering firm is held to level four

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable and with weak spots. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high, that small companies will be priced out of the marketplace and limit their ability to compete on government contracts. 

The most recent Navy breaches targeted contractors without classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements, as early as fall 2020.

Questions about CMMC requirements? Give us a call.

Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.