Friday Flash 02.10.17

FAR & Beyond Blog: GSA’s TDR Roundtable: Can we talk?

This week, GSA hosted a roundtable discussion on the Transactional Data Reporting (TDR) rule and what it means for GSA’s agency customers and contractors.  After listening to the TDR roundtable dialogue, the question that arises is whether GSA is actively listening to the questions and concerns of its customers and its contractors.  Here are some examples:

First, during the discussion, GSA characterized the federal government as a “Fortune One” company in terms of its procurement spending.  This characterization was to support TDR, category management, strategic sourcing, and the centralized management of federal markets, but it was not the consensus view of the panel.   Indeed, one of the panelists, a GSA customer, appeared to have a different perspective citing differences in mission, organizational structures, and behaviors across government and within agencies.  Interestingly, industry’s view of the market aligns with this perspective.  The government is simply too big and too varied for a one-size-fits-all approach.  Each day, Coalition members provide best value support to meet each agency’s unique mission requirements.

Moreover, this “Fortune One” philosophy rests on the view that the federal government can drive/shape the commercial market to its advantage.  This perspective runs counter to Congressional and Department of Defense (DoD) recognition that government procurement does not drive the commercial marketplace.  Congress and DoD are streamlining acquisition processes, focusing on commercial item contracting and reducing oversight risk, in a strategic effort to acquire commercial innovation and solutions to support the warfighter.  Incidentally, the Coalition applauds the Congressional efforts to streamline DoD acquisition.

Second, there are clearly different views regarding the utility of collecting transactional data on services.  Two panelists (one representative from industry and one from a GSA customer) expressed their concern that the utility of TDR is limited in the context of services acquisition, in part because the unique nature of service requirements/approaches inhibits direct comparisons.  One panelist further commented that the key to improving service performance outcomes was by improving training, requirements development, and performance-based contracting.  Notwithstanding these extant and well-communicated concerns, GSA continues to apply TDR to the Professional Services Schedules.

Third, GSA heard concerns during the panel discussion regarding TDR’s impact on pricing.  Here, the conversation focused on the use of TDR to drive down contract pricing to uneconomical, unsupportable levels.  Even customer agencies have expressed concern that the drive to low prices may drive innovative contractors out of the market.  Unfortunately, GSA’s response did little to alleviate industry concerns.  Indeed, listening to the conversation, it appeared, at times, that GSA and industry were talking past each other on this issue.

A member of the audience shared their experience negotiating a GSA schedule service contract where pricing data was used to compare rates.  The result was that, for a certain labor category on the contract, the rate was driven so low as to make it unsupportable/uneconomical.  As a result, the contractor indicated that it did not plan on bidding/using the low-priced category for any schedule task orders. (Presumably, the contractor agreed to include the low rate on the contract to facilitate negotiation and award.)   GSA’s response was, in essence, that TDR would help it identify/determine that the low-priced labor category was not being used, and that GSA could then determine how to best address the situation.  Of course, that response gives rise to a number of existential questions for the contractor, such as how long the process would take, and what would it look like. The answers to those questions are unclear, but one thing is certain, while the wheels of central planning grind through their process of analysis, the contractor likely will move on to other contracting vehicles that present sound business opportunities.

Finally, there was a discussion of performance measures towards the conclusion of the roundtable.  As the Coalition has pointed out in its filings, GSA’s performance measures currently do not include any assessment of the total cost of TDR, specifically, its direct and indirect costs, for government and industry.  As evidenced by our comments and throughout the rule making process for TDR, there are significant disagreements regarding the cost impact of TDR on GSA contractors.  It is impossible to assess the value of TDR without understanding its direct and indirect cost for industry and government, and any attempt to do so is simply an exercise in futility.


Update on Fair Pay and Safe Workplaces

Last week, a joint resolution of disapproval pursuant to the Congressional Review Act (CRA) was issued for the Fair Pay and Safe Workplaces (FPSW) final rule. The Coalition provided an update on the situation in last week’s Friday Flash. This week, the House of Representatives voted 236-187 to pass a resolution under the CRA which would block the final rule from going into effect. The resolution will now go to Senate where it is expected to pass.

The CRA states that if a rule is repealed, an agency cannot issue a “substantially similar” rule in its place. Last October, before the Fair Pay and Safe Workplaces rule could be implemented, it was enjoined by a Federal court. Consequently, the Fair Pay and Safe Workplaces reporting requirements did not go into effect as scheduled.

The Coalition will continue to monitor the situation and provide members with updates as they develop.


VA Pressed by Congress on Vista


On Tuesday, February 7, Federal Computer Week reported that Congress is evaluating whether to retain and improve the Department of Veterans Affairs’ (VA) Vista health record system, or seek commercial market alternatives. Currently, the VA has been updating the system through its Vista Evolution initiative, a five-year plan to improve the VA’s system. The initiative is expected to be completed in 2018. According to Dave Powner, the Director of IT issues at the Government Accountability Office (GAO), the uncertainly of the plan is not acceptable and a decision needs to be made.

Also on Tuesday, GAO published a report summarizing the results of various studies conducted by the agency related to the VA’s management of IT systems. Significantly, GAO determined that, although effective management of IT systems is crucial to the success of the VA, the department has had significant difficulties over the years. These difficulties are cause for concern, according to GAO, as they raise questions related to the VA’s operational effectiveness and ability to deliver intended outcomes for the department’s end mission goals.

GAO recommended that the VA:

  • Develop goals and metrics for determining the extent to which its modernized electronic health record system is achieving interoperability with the Department of Defense (DoD)
  • Address challenges associated with modernizing its scheduling system
  • Address shortcomings with the planning and implementation associated with the Veterans Benefits Management System (VBMS)
  • Initiate efforts to improve their progress in data center optimization and modernizing their IT infrastructure

VA agreed with these recommendations and said it has begun taking actions to implement them. Obtains FedRAMP Authorization

Last week, Federal Computer Week reported that, the General Services Administration’s (GSA) hosting platform, has completed the final stage of Federal Risk and Authorization Management Program (FedRAMP). The platform is the first full, open-sourced service to obtain FedRAMP authorization, which will allow agencies to utilize the service more easily and provide services faster.

The platform is designed to assist Federal agencies in managing their IT infrastructure by handling many of the technical and compliance requirements and freeing agencies to focus on web applications and code instead. Initially, the platform was estimated to be ready in November, but the official review was pushed back to enhance the service’s technical and operational components.


Update on GSA Cybersecurity SINs

gsa pic

In a recent blogpost, Shon Lyublanovits, IT Security Subcategory Manager and Director of Security Services at GSA provided an update on the Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs). Since they were first established in September 2016, GSA has added 34 vendors to the following HACS SINs:

  • 132-45A: Penetration Testing
  • 132-45B: Incident Response
  • 132-45C: Cyber Hunt
  • 132-45D: Risk and Vulnerability Assessment


According to the blog, all current IT Schedule 70 holders that offer cybersecurity services will eventually be required to migrate to the HACS SINs.

In order to maximize success against potential cyber attacks, GSA has been working in partnership with the national security community to ensure the rapid delivery of emerging cyber technology. These efforts include increasing communication and collaboration with Department of Homeland Security and the Department of Defense and engaging government and industry to expand utilization of the HACS SINs.  For more information, visit GSA’s HACS webpage.


Congressman Thornberry Proposes Increased Defense Funding

On Monday, February 6, Federal News Radio reported that the House Armed Services Committee may be looking to provide more funding through a defense budget supplemental. Congressman Mac Thornberry (R-TX), the chair of the Armed Services Committee, suggested that the proposed supplement cover the $15 billion that was left out of the Fiscal Year (FY) 2017 National Defense Authorization Act (NDAA), which would have been used to procure additional aircrafts, as well as ships for the Navy.

In addition, when assessing the FY 2018 budget, Rep. Thornberry has emphasized that, at minimum, the base budget would need to be $640 billion in order to increase the readiness and end strength of the U.S. military. Further, Rep. Thornberry has stated that his committee will continue to push for reforms to the Department of Defense’s acquisition systems.


Congressional Oversight Plans for 2017

On Monday, Federal News Radio reported that the House Oversight and Government Reform Committee and the House Homeland Security Committee have released their oversight plans for 2017. Although the full details of these plans have yet to be discerned, it is clear that both Committees have committed their attention to addressing cybersecurity, legacy IT systems, and modernizing the Federal IT infrastructure.

Specifically, Representative John Ratcliffe (R-TX), the chairmen of the Homeland Security and Infrastructure Protection Subcommittee, stated that a major goal of his is to ensure the full utilization of the EINSTEIN and Continuous Diagnostics and Mitigation (CDM) programs by Federal agencies. In addition, Congress has placed a high priority on renewing several provisions from the E-Government Act of 2002 that have already, or are about to expire. This would include addressing the expired E-Government Fund and reauthorizing numerous programs, including:

  • The General Services Administration’s (GSA) programs which maintain an integrated Federal internet portal, study best practices, and develop common protocols
  • The Office of Management and Budget’s (OMB) programs which maintain government-wide repositories and ensure information security

In addition, the Committee will also address acquisition reform, with a particular emphasis on ensuring that the Federal procurement process reflects commercial best practices, leverages the capacity of both sectors to enhance efficiency, and encourages innovative solutions through streamlined contracting procedures.


DoD Hiring Freeze

On February 3, Federal Computer Week reported that the Department of Defense (DoD) issued a memorandum in response to the recent hiring freeze by the Trump Administration. The memo outlines exemptions to the freeze for 16 categories of civilian positions and authorizes defense officials to add additional exemptions for positions that they certify to be, “necessary to meet the Department’s national security or public safety responsibilities.”

Pursuant to the memo, as of January 22, 2017, agencies are not allowed to fill existing vacant positions and are prohibited from issuing any new job offers or creating new positions. Individuals who received a job offer prior to January 22 and have received a starting date on or before Feb. 22, 2017 should report to work on that day.

The hiring freeze temporarily prohibits agencies from making new hires until the Office of Management and Budget (OMB) develops a long-term plan within the next 90 days to reduce the size of the federal workforce through attrition. Significantly, it applies to all executive branch departments and agencies, including DoD.

The memo, which was issued by Deputy Secretary Robert Work, requires senior leadership within DoD to determine which positions fall within its scope. The 16 categories described include, but are not limited to, positions related to cybersecurity, combat operations support, deployment, and nuclear command.


RFP Issued for Third-Generation SmartPay Program

The General Services Administration (GSA) recently issued a request for proposals (RFP) seeking solutions to streamline transactions, lower costs, and more effectively deliver services with the next generation of the SmartPay program. The RFP was developed to offer more value and efficiency while continuing to provide the federal government access to purchase, travel, fleet, and integrated charge card and payment features, including chip-enabled charge cards, virtual accounts, single-use accounts, and declining balance accounts.

Current SmartPay contracts will expire Nov. 29, 2018, and SmartPay 3 contracts will be awarded in time to cover the transition through November 28, 2021, with the potential to extend services to 2031 if all options are exercised.

The deadline for submitting proposals is 4 p.m. EDT, March 22, 2017.


New Green Icons in GSA Advantage!

GSA has added two new green icons for products in GSA Advantage!. A “Safer Choice” icon is available for products that meet the Environmental Protection Agency (EPA) Safer Choice standard, demonstrating that the product is safe for human health and the environment. The second icon is an “EPA Recommended” label, which is available for products that conform to one of the specification, standards, and ecolabels recommended by the EPA. The new icons are not yet available in the Formatted Product Tool (FPT).

In GSA’s announcement on Interact, “Schedule contractors that qualify for a Safer Choice or EPA Recommended icon are encouraged to update their product information in SIP, EDI, and all other relevant mediums in accordance with clause 552.238-72 Identification of Products That Have Environmental Attributes.”

GSA also removed the following icons from Schedules Input Program (SIP): EPA primary metals free, NESHAP, and PRIME. The icons were mainly used by Global Supply and had low usage rates by Schedule contractors.


Legal Corner

The New Proposed DHS Rule on Safeguarding of Controlled Unclassified Information—A Critical Analysis

Robert Metzger, Shareholder, Rogers Joseph O’Donnell

On January 19, 2017, DHS published a proposed rule to address requirements for the safeguarding of Controlled Unclassified Information (CUI). Homeland Security Acquisition Regulation (HSAR); Safeguarding of Controlled Unclassified Information (HSAR Case 2015–001). 82 Fed. Reg. 6429. Comments are due by March 20, 2017.

Unfortunately, the rule attempts to do too much but achieves too little. I expect the rulemaking to be contentious. While a few companies may see the rule as advantageous to their opportunities to dominate DHS business, many more will object.

Twelve Categories of DHS CUI

Without doubt, DHS does produce and provide to contractors sensitive information which must be protected as to confidentiality, availability and integrity. The proposed rule identifies twelve types of DHS CUI.

  • Eight of these are in the National Archives and Records Administration (NARA) CUI Registry: Chem-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), Sensitive Security Information, International Agreement Information, Physical Security Information, Privacy Information, Sensitive Personally Identifiable Information (SPII) and Information System Vulnerability Information (ISVI).


  • The rule adds four new categories/subcategories of CUI that are not in the NARA CUI Registry: Homeland Security Agreement Information, Homeland Security Enforcement Information, Operations Security Information, and Personnel Security Information


On its face, the addition of four categories of CUI, at the initiative of one agency, seems contrary to the CUI Final Rule, 81 Fed. Reg. 63325, 63326 (Sep. 14, 2016). In that Rule, NARA stated that “the CUI Registry lists categories and subcategories of CUI that laws, regulations, and Government-wide policies create or govern”. The Final CUI Rule states:

“Agencies may use only those categories or subcategories approved by the CUI EA [Executive Agent – NARA] and published in the CUI Registry to designate information as CUI.”

32 CFR 2002.12(b). Moreover, the Final CUI rule explicitly “overrides agency-specific or ad hoc requirements when the conflict.” 32 CFR 2002.1(i).

Two Categories of Contractor Access to DHS CUI

The rule requires safeguarding of CUI for two very different categories of contractor activity. The first is where DHS CUI is on a contractor information system that the contractor operates on behalf of DHS. The second is where a contractor may have access to DHS CUI on the contractor’s information system.

  • Contractors Who Use DHS CUI to Operate a Federal Information System for DHS. In the first category, as the proposed rule recognizes, the contractor is operating a “federal information system” (here “FIS”) by or on behalf of an agency. The proposed rule applies the full range of federal obligations to contractors who operate a FIS – and then some. Proposed Homeland Security Acquisition Regulation (HSAR) 3052.204-7X (c). A contractor in this category “shall not collect, possess, store or transmit CUI” without an Authority to Operate (ATO) that has been accepted by DHS. An extensive and rigorous process is described, including a Security Authorization process, requirements to develop a Security Authorization Package, independent assessment, periodic ATO renewal, mandatory consent to random periodic security reviews, compliance with federal reporting, obligatory continuous monitoring, incident reporting and response – and more (as further described below).


  • Other Contractors Who Have Access to DHS CUI. The second category applies, if you will, to “the rest of us,” namely, any other contractor or subcontractor to whom DHS allows access to DHS CUI. These contractors and subcontractors – who are not operating a FIS – “must provide adequate security to protect CUI from unauthorized access and disclosure.” Proposed HSAR 3052.204-7X (b).


(For the first category (contractors operating a FIS for DHS), my concern is that the rule is too burdensome, highly intrusive, restrictive of competition, and not cost effective.  I do not focus on these concerns in this post, however.)

The treatment of contractors in the second category is frankly baffling. An obligation to safeguard is to be imposed on any DHS contractor who has access to any of the 12 forms of DHS CUI. But, the proposed rule does not address what “safeguards” are to be applied. Nor does it discuss who has the responsibility to identify or designate DHS CUI, whether any safeguarding obligations also apply to other categories or subcategories of CUI as listed in the Federal Registry, what relationship must exist between the presence of information that could be CUI and a contractual obligation to DHS, or how the agency will respond, advise or adjudicate any questions as to application, administration, implementation or enforcement of the safeguarding obligation.

There is no room for doubt that DHS intends to obligate that any contractor (or subcontractor) who has DHS CUI is obligated to safeguard CUI, even when it is on a contractor information system that is not a FIS:

DHS requires that CUI be safeguarded wherever such information resides. This includes government-owned and operated information systems, government-owned and contractor operated information systems, contractor-owned and/or operated information systems operating on behalf of the agency, and any situation where contractor and/or subcontractor employees may have access to CUI. There are several Department policies and procedures (accessible at which also address the safeguarding of CUI. Compliance with these policies and procedures, as amended, is required.”

Proposed HSAR Section 3004.470-3(a) (Policy) (emphasis added).

No Use of NIST SP 800-171

Other agencies, seeking to protect forms of CUI, rely upon NIST SP 800-171 (Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations). In the proposed HSAR, however, SP 800-171 is all but ignored.

The NARA CUI Final Rule was clear that SP 800-171 establishes the safeguards contractors are to use when they host, transmit or use CUI:

“The NIST SP 800–171, incorporated by reference in this final rule, establishes guidance for protecting CUI in non-Federal systems: (1) When the CUI is resident in non-Federal information systems and organizations; (2) when the information systems where the CUI resides are not used or operated by contractors of Federal agencies or other organizations on behalf of those agencies; and (3) when the authorizing law, Federal regulation, or Governmentwide policy listed in the CUI Registry for the CUI category or subcategory does not prescribe specific safeguarding requirements for protecting the CUI’s confidentiality.”

81 Fed. Reg. 63325.

The Department of Defense, in the “Network Penetration” DFARS, obligates all DoD suppliers who possess “Covered Defense Information” (CDI). As now defined CDI includes both “Controlled Technical Information” (i.e., information of military or space significance) and any other form of CUI. The DFARS require all DoD suppliers, at all tiers, to use the safeguards of SP 800-171 to protect CDI if marked or otherwise identified by DoD or used by the contractor in support of the performance of the DoD contract. DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”), at 204-7012(a), 204-7012(b)(2).

SP 800-171 describes 110 controls in 14 families of security requirements. The families and controls in SP 800-171 align to corresponding principles in FISMA, which applies to federal agencies and federal information systems. SP 800-171 articulates safeguards as objectives but deliberately does not require contractors to follow the specific controls and enhancements elaborated in the Special Publication, SP 800-53, that NIST developed for federal information systems that are subject to FISMA information security requirements.

The only mention to SP 800-171 in the proposed HSAR to safeguard CUI is in a footnote in the preamble to the rule. 82 Fed. Reg. 6431, n.5. Although DHS allows that it is “aware” of SP 800-171, and that it was released to provide federal agencies with recommended requirements for CUI, DHS insists that “the information system security requirements in this proposed rulemaking are focused on Federal information systems, which include contractor information systems operating on behalf of an agency”, and such systems “are not subject” to SP 800-171.

While the drafters may have “focused” on DHS contractors who operate a FIS, the Proposed HSAR is not limited just to them. For illustration, the following statement is contained in the required analysis under the Regulatory Flexibility Act:

This rule will apply to DHS contractors that require access to CUI, collect or maintain CUI on behalf of the Government, or operate Federal information systems, which includes contractor information systems operating on behalf of the agency, that collect, process, store or transmit CUI.”

82 Fed. Reg. 6439 (emphasis added). Another statement is that “adequate security” requirements apply “when contractor and/or subcontractor employees will have access to sensitive CUI.” Id. In the same analysis, DHS refers to its award, for FY 2014, of nearly 14,000 new contract awards to large and small business. By no means were all of these contracts for operation of a FIS. DHS says that “a number of factors determine applicability of the proposed clause”. Id. The proposed “Safeguarding” clause says that “[c[ontractors and subcontractors must provide adequate security to protect CUI from unauthorized access and disclosure.” Proposed HSAR 3052.204-7X(b)(1). This obligation is not confined only to the FIS contractor category. The “adequate security” obligation appears to apply to every DHS contractor (and every subcontractor, at any level) who is allowed access to DHS CUI.

The neglect of SP 800-171, despite recognition of its intended purpose, is a gaping hole. If this proposed HSAR were to take effect as presently drafted, it would leave thousands of contractors and subcontractors completely “in the dark” as to what safeguards would satisfy their obligations to DHS. The proposed rule says that the Government will provide a “Requirements Traceability to Matrix (RTM) (sic) so that “contractors will know at the solicitation level the security requirements for which they must comply.” 82 Fed. Reg. 6437. But the RTM is directly linked to the requirements for a contractor’s security authorization package – itself an obligation imposed only on those “first category” contractors who operate a FIS for DHS. Reference to a future, “to be determined” set of security requirements does not provide much for contractors to work with for planning purposes. The RTM concept also suggests that there could be many variations of requirements and that means companies won’t know what will apply, to the system on which they host the CUI, until they see the solicitation, which might be too late.

The proposed HSAR takes an approach to protection of DHS CUI that is both incomplete and inconsistent with that of federal agencies.  This seems at odds with a fundamental purpose of the Final CUI Rule, expressed by the statement that “[a]gencies therefore may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the CUI Program.” 32 CFR 2002.1(c). Nor does it answer the obvious question of why not to use SP 800-171 when it was developed specifically for contractor information systems and for the purpose of protecting CUI.

Other Concerns

  • For the category of contractors who operate a FIS for DHS, the proposed HSAR does state that they “must meet prior to collecting, processing or storing, or transmitting CUI, the security requirements of SP 800-53. 82 Fed. Reg. 6431. That is an unworkable approach for non-federal entities that may host, transmit or use CUI on their contractor information system. And it is contrary to the supposedly government-wide decision reflected in the Final CUI rule, namely that when “non-executive branch entities” are not using or operating a FIS, the agency “must prescribe the requirements of NIST SP 800-171 in agreements to protect CUI, unless the agreement established higher security requirements.” 81 Fed. Reg. 63330.


  • The language cited immediately above contains a phrase – “must meet prior to collecting …” – that likely will be very controversial. As to the first category (FIS contractors), the proposed rule contains extensive “end-to-end” demands. These will be expensive to implement and considerable time will be required to prepare for and then engage the required process before receipt of the ATO. A fair reading of the “prior to” phrasing is that some companies may not be able to bid on or receive award of a DHS FIS-type contract until they’ve been through the entire ATO process and can demonstrate ability to meet all HSAR requirements. Companies that think they should be eligible to compete for DHS will think the “front-loaded” requirements exclude them.


  • Fundamentally, this proposed rule may follow from a mindset that DHS has key information to protect and is prepared to do business only with contractors who will invest and secure their on-premises information systems and monitor as DHS specially requires. That will narrow DHS’ access to sources. It likely will add to acquisition costs. Surprisingly, the proposed HSAR does not so much as recognize much less accommodate the use of cloud services by its contractors in either category of access to DHS CUI. (The only reference to cloud is that DHS received input from FedRAMP for the costs of independent assessment of security methods. 82 Fed. Reg. 6434.)


  • The rule also describes itself as having “requirements …expanded to include professional services contractors that have access to CUI”. 82 Fed. Reg. 6439. Because it does not clearly articulate how requirements would be applied to professional service providers, what safeguards they would be obligated to provide, or how they would be assessed by DHS, I consider it likely that the professional services community will object.


  • Small businesses also should be concerned. DHS acknowledges that this is a “significant” regulatory action and that it will have impact on small business. 82 Fed. Reg. 6443, 6439. DHS seems resigned to high costs of consultants and systems. DHS “invites comments from small business concerns … on the expected impact of this rule on small entities,” but there is nothing specific to assure the small business community that it will be able to comply.


  • In addition to expected requirements that DHS contractors report compromise incidents, the proposed rule includes PII and SPII notification requirements to individuals whose PII and/or SPII was under a contractor’s control at the time of the incident, and obligates mandatory credit-monitoring for a period of not less than eighteen (18) months. Proposed HSAR 3052.204-7X (f), (g). Including these as “embedded” obligations, in the absence of either the incident or the injury, prompts the questions of “why” and “who is going to pay for it”? It would be different to require a DHS (FIS) contractor to demonstrate that they have these capabilities in place, but not to include the execution of these capabilities in a contract clause that sets minimum security requirements.



The timing of the proposed regulation, released just one day before the transition of power to the new President, suggests that DHS may have hurried to start the rulemaking process. If the intent was to accelerate achievement of a final, binding rule, I doubt this will succeed. My perspective is that there are flaws in the proposed draft that will draw critical scrutiny from many potentially affected stakeholders – inside as well as outside of the Government. DHS might de-couple the regulations focused on its contractors who receive DHS CUI to operate information systems on the agency’s behalf and complete those separately from regulations that generally impose safeguards on any contractor that is afforded access to DHS CUI. As to the latter category, DHS should seek to more closely align its approach to that DoD is working to achieve and which NARA anticipates.

Author’s note – this version (dated Jan. 23, 2017) contains several corrections and additional analysis to the version originally published).


IT/Services Committee Meeting, Feb. 14

On Tuesday, February 14, at 10:00 am, the Coalition’s IT/Services Committee will be hosting guest speaker Kathy Jocoy, Professional Services Project Manager at GSA. Ms. Jocoy will update members on recent initiatives for the Professional Services Schedule (PSS). Topics of discussion will include the:

  • PSS Streamlining Initiative
  • Transactional Data Reporting Pilot
  • Proposed Changes to SIN 871-7
  • Identity Protection Services (IPS) SIN 520-20 RFI

To attend the meeting, please RSVP to Jason Baccus at RSVPs are required for security purposes.

Healthcare Committee Meeting, Feb. 24

On Friday, February 24, at 9:30 am, the Coalition’s Healthcare Committee will be hosting guest speaker Phil Christy, Associate Executive Director of the Department of Veteran Affairs’ (VA) Strategic Acquisition Center (SAC). Mr. Christy will provide members with an update on the Medical/Surgical Prime Vendor (MSPV-NG) program.

To view the full agenda, click here.

If you plan to attend the meeting, please RSVP to Jason Baccus at


GSA Training Symposium in Huntsville

Huntsville Image
The Coalition is reprinting the following GSA announcement about the upcoming training in Huntsville.  We look forward to seeing you there.

The GSA Federal Acquisition Training Symposium will take place April 25 – 26, 2017, at the Von Braun Center in Huntsville, Alabama. This event is specially designed to benefit federal government employees and military members who make or influence procurement decisions.

An invaluable experience for acquisition or program managers, the training and exhibition will provide you with many opportunities to meet with over 1,600 buyers. 

Space is limited to 200 booths so register early to secure your spot!

Please visit us at for more information and to register.