FAR & Beyond:
Recently, the Coalition for Government Procurement observed the Department of Defense’s (DoD) release of a Request for Information (RFI) seeking input regarding how to best acquire an enterprise-wide cloud services architecture to support the needs of DoD both domestically and internationally. The RFI raises serious concerns about the potential negative government market impact of the single provider approach that the RFI appears to promote, especially recognizing that DoD’s diverse mission requirements and need for innovation suggest that it would be better served by multiple cloud services providers. As the Coalition noted in response to the RFI:
A multiple award IDIQ approach that offers diversified solutions from the commercial market will facilitate a culture of experimentation, adaption, and risk-taking and increase the speed of technology development and procurement, as envisioned by the recent cloud acceleration memorandum by Deputy Secretary of Defense Patrick Shanahan. In contrast, a single award DoD Enterprise Cloud Acquisition contract would lock-in DoD to a single approach, and, by so doing, give rise to performance and national security risks.
A recent posting of an Air Force Justification and Approval (J&A) for Other than Full and Open Competition in the acquisition of web services validates the growing concern regarding cloud lock-in based a single solution strategy. The sole source J&A in question is for Smartronix Amazon Web Services (AWS) to support Air Force development and test initiatives. As an operational example of the potential for cloud vendor lock-in, the J&A raises serious policy, management, and strategic concerns.
The J&A cites the “sole-source” exception to competition in 10 USC 2304(c)(1) (the property or services are available from only one responsible source) as the basis for awarding a sole source contract for one base year and two option years. Because the sought solution must mirror the existing hardware architecture to assure independent quality test and evaluation, the J&A states that, “the continued use of AWS Cloud Solution is essential to the Government’s requirements.” At the same time, however, it states that, “Failure to be functionally identical (operating system/hardware/network/COTS software) with the production framework will prevent” completion of the mission. [Emphasis added.] In addition, according to the J&A, the activity could not be reconstituted with another vendor; award to another vendor would be costly and time-consuming; and “the current cloud space will expire in approximately two (2) weeks, on 15 Nov 2017.”
The J&A is lacking in detail, if not internally inconsistent. For instance, the J&A does not explain how the need for a “functionally identical” solution translates into a solution from only one source. The J&A appears to be justifying that the requirement can only be met by a single source based on the view that a full and open competition award and performance would be costly and take time. This approach is akin to pre-selecting the winner before ever competing the requirement. How does the Air Force know without actually conducting the competition? Moreover, the notion that the sole-source action here is justified based on the imminent expiration of the current cloud space flies in the face of settled procurement practice. Noncompetitive procedures cannot be justified based on the lack of advanced planning. 10 USC 2304(f)(4). The Air Force still must make an effort to promote competition, say through a sole-source bridge to a competitive procurement, and, in this regard, it is not apparent how a contract for one base year and two option years constitutes such a bridge.
In addition, virtually all the arguments raised in support of this sole-source award demonstrate the risk to the government of cloud vendor lock-in. Indeed, the J&A states that the agency, “…invested in the initial architect [sic] of AWS Cloud[,] and because of this investment[,] we are limited to AWS Cloud products when expanding and technically refreshing the environment.” At a minimum, the apparent limited flexibility of the agency, even at this early stage of adoption, suggests that, in the context of national defense, the issue of cloud vendor lock-in is ripe for review.
Finally, the J&A states that, “[t]he AWS Cloud Solution is a DoD priority as per the Secretary of Defense Memorandum date 13 Sep 2017… Air Force IT personnel are being trained on this solution.” It is unclear on what basis one commercial solution was selected as a priority for a whole service, let alone the entire DoD. Notwithstanding that decision and what led up to it, however, as mentioned in the Coalition’s earlier blog, it is not apparent how the long-term interests of defense, like maintenance of the nation’s technological edge, are being served with a single vendor solution. History is replete with examples of how the absence of a vibrant, competitive market stifles performance and innovation.
DoD’s actions of late are raising more questions than they are answering, leaving stakeholders to wonder where the Department of Defense is headed with cloud. As policy-makers address these and other issues, the Coalition stands ready to work with the Department and all stakeholders towards a flexible, open, innovative, and transparent cloud procurement approach that facilitates innovation and access to best-value solutions from across the commercial market.
We hope that everyone had a relaxing Thanksgiving! As we enter the holiday season, the Coalition for Government Procurement looks forward to continuing to serve our members with two exciting training opportunities.
Service Contract Act Training, December 6
On Wednesday, December 6 at 8:30 AM, the Coalition will be hosting training focusing on compliance with the Services Contract Act (SCA) at the offices of CGI Federal (12601 Fair Lakes Circle, Fairfax, VA). The training will cover topics such as contractor responsibility under the SCA, an overview of wage determinations and how they vary by location, ways to mitigate compliance risk, and the application of the SCA to the GSA Schedules.
Topics that will be covered during this training include:
- Compliance Requirements
- Roles and Responsibilities throughout the contract life cycle
- Understanding your WD
- SCA Enforcement
- GSA Contracting
- Issues & Best Practices
- Minimum Wage
- Non-Displacement of Qualified Workers
- Paid Sick Leave for Government Contractors
Trina Fairley Barlow, Partner, Crowell Moring LLP
Trina Fairley Barlow represents and advises employers on numerous state and federal laws that regulate the employment relationship. She routinely provides comprehensive legal advice, guidance, and training on a wide range of issues. Additionally, Trina regularly conducts internal investigations and audits of workplace policies and practices to provide critical advice and recommendations for compliance with applicable laws (including those of the Department of Labor) and avoidance of potential liability from high-risk practices.
Jennifer Flickinger, Principal, Baker Tilly, Government Contractor Advisory Services
Jennifer Flickinger has supported government contractors of all shapes and sizes, in nearly every industry, for more than 20 years. Her experience covers a wide range of government contract cost accounting, pricing, business system internal controls, Service Contract Act compliance, forensic accounting, and litigation support.
Members who are interested in this training can register here. Registration is required to attend.
Protecting “Covered Defense Information” – How to Respond to DoD’s Cyber Contract Requirements, December 13
DoD contractors are obligated by DFARS 252.204-7012 to implement, by December 31, 2017, 110 cyber “requirements” stated in NIST Special Publication (SP) 800-171. Recognizing that some companies are unsure what they can do, the Coalition is hosting a webinar that will be structured to deal with 15 timely topics related to NIST SP 800-171 compliance and allow ample time for Q&A.
This 90-minute webinar, which will take place on Wednesday, December 13 at 12:00 PM EST, will feature Bob Metzger, recognized as a leading expert on federal efforts to improve contractor cybersecurity through regulation and contract requirements. A frequent author and speaker on these subjects, Bob heads the Washington, D.C. office of Rogers Joseph O’Donnell, PC, a boutique law firm (and Coalition member) specializing in government contracts.
The 15 topics to be discussed will include:
- A Risk-Informed Response to DoD’s Objectives
- Starting Late: Strategies for Compliance by 12/31/2017
- What is “CDI” and Do You Have it?
- Is DoD Responsible to Identify CDI
- Importance of a Self-Assessment
- Leveraging Existing Security Practices to Meet SP 800-171
- The System Security Plan and its Importance
- NIST’s New SP 800-171A Assessment Guide
- A Tiered Approach to Improved Security Over Time
- Where Can Third Parties Assist?
- What is Sufficient to Demonstrate Compliance?
- Managed Security Services and the Cloud
- What to Expect in Solicitations
- Can Cyber Figure into Bid Protests?
- Preparing for Cyber Events and Incident Response
Members who are interested in this training can register here. Registration is required to attend.
Protests Filed Following Alliant 2 Awards
On Friday, November 17, the General Services Administration announced the awardees for the Alliant 2 GWAC. There are 61 awardees for Alliant 2 Unrestricted. According to GSA, Alliant 2 Small Business awards will be announced “in the near future.” The FedBizOpps notice can be found here, and the list of awardees can be found here.
After GSA announced the award, five companies filed bid protests with the Government Accountability Office.
Last week, Covington & Burling LLP published a blog detailing two recent Class Deviations issued by Defense Procurement Acquisition Policy (DPAP) that seek to enhance the flexibility afforded to contracting personnel in times of crisis. Class Deviation 2017-O0007, which implemented Sections 816 and 1641 of the Fiscal Year 2017 National Defense Authorization Act (NDAA), was issued by DPAP on September 1, 2017. The deviation increased the micro-purchase threshold to $30,000 and the simplified acquisition threshold to $1.5 million for purchases that are made in support of a response to an emergency or natural disaster. In addition, the deviation expanded the statutory scope of what is considered an emergency to include cyber-attacks.
Issued by DPAP in November, Class Deviation 2018-O0001 augments the earlier Class Deviation, expanding the types of acquisitions that should be considered commercial item and exempt procurements during an emergency or natural disaster. Further, Class Deviation 2018-O0001 delegates the determination authority for these purchases to the various contracting activity managers within the Department of Defense (DoD).
Bid Protest Data for 2017
In November, the Government Accountability Office (GAO) submitted its annual report on bid protests to Congress. Although GAO determined that the number of bid protests filed in Fiscal Year (FY) 2017 represented a 7% decrease relative to FY 2016, it also found that an additional 1% of contractors received relief from agencies during the same period.
Further, GAO found that approximately 10% of the protests filed in FY 2017 were for task orders, reporting that the most prevalent reasons for sustaining protests were the following:
- unreasonable technical evaluation;
- unreasonable past performance evaluation;
- unreasonable cost or price evaluation;
- inadequate documentation of the record; and
- flawed selection decision
Less Federal CIO Oversight of Major IT Projects
Last week, the Government Accountability Office (GAO) published a report detailing its review of the Office of Management and Budget’s (OMB) oversight of high priority programs. Significantly, GAO found that the Federal Chief Information Officer (CIO) had become less involved in the oversight of major IT projects over the past two years, which contributed to significant delays and cost overruns. In particular, GAO found that OMB has discontinued or de-emphasized regular reporting and oversight on high-priority IT projects.
The GAO recommended OMB continue issuing its own reports on high-priority IT projects, ensure the Federal CIO is “directly involved” in oversight and continue reporting on the status of the United States Digital Service’s (USDS) projects.
On Thursday, November 23, Federal Times published an article detailing recent comments submitted by the Coalition in response to a Department of Defense Request for Information (RFI) regarding the DOD’s potential adoption of modern enterprise cloud services solutions. The RFI sought industry’s feedback on a variety of topics including, but not limited to, their experience in the commercial market, their offerings and associated pricing structure, the ability to support third-parties, and policies and regulations that may impede commercial cloud solution providers from entering the Federal market.
In its comments, the Coalition raised concerns related to the potential impact of the RFI on the Federal cloud services marketplace. As constructed, the RFI appeared to be directed towards a single provider result, and thus, did not recognize the unique nature of DoD as a buyer, which may necessitate the inclusion of multiple cloud services providers to meet its mission-focused, dynamic, and diverse requirements. Further, the Coalition raised concerns regarding the RFI’s potential for fragmentating the Federal procurement process and its lack of significant input from the intelligence community. To access the Coalition’s comments, click here.
Bill Would Enable Veterans to Bypass VA for Health Insurance
A recently introduced legislative proposal would establish a “work around” health insurance program for veterans. If enacted, the bill would enable veterans to completely circumvent the Department of Veterans Affairs in accessing private-sector medical care at taxpayers’ expense. Lawmakers believe that the proposal will help address issues related to patient wait times at the VA and enhance the medical care available to veterans.
Surprise, Surprise. Congress Does Listen – Well, Kind Of
An Analysis of NDAA Section 846’s Online Marketplace Provisions
Jonathan Aronie, Partner, Sheppard Mullin
There has been a lot of speculation about the future of commercial items purchasing within the federal Government since Representative Mac Thornberry circulated his “Section 801” proposal to hand over the bulk of DOD COTS purchasing to one or two existing online commercial marketplaces. (See Section 801 article HERE). Industry groups mobilized, companies called their legislators, and the media contributed several stories describing the wide spread criticism of the House NDAA proposal. To the surprise of many, however, the Senate seems to have heard industry’s concerns – or at least some of them.
The compromise language that just emerged from the House/Senate Conference, designated Section 846 of the 2018 NDAA, reflects significant improvements from the original Thornberry bill. While the new compromise language still moves the Government significantly down the path toward the creation of an online marketplace, which almost certainly will change the way DOD (and likely other federal agencies) will purchase COTS items, the new approach resolved many of the most problematic provisions of the original House bill.
Unlike Section 801, which contemplated a quick, non-competitive award to an existing commercial marketplace provider to handle DOD COTS purchasing, Section 846 directs OMB and GSA to create a phased-in implementation plan and schedule to develop, evaluate, and implement the new online marketplaces (now called “ecommerce portals”) over the better part of three years. The new language identifies a three-phase approach.
- Phase 1 gives OMB and GSA 90 days to develop an implementation plan and schedule.
- Phase 2 gives OMB and GSA a year after the plan/schedule is complete to conduct market research and to consult with federal agencies, potential ecommerce portal providers, and potential suppliers. Among other things, the “consultation” contemplated in this phase will focus on how current commercial portals function, the standard Ts & Cs of such portals, and to what extent the currently-existing portals would have to be modified to meet Government needs. This phase also will involve an assessment of data security, consideration of issues of concern to “non-traditional” Government contractors, and a review of the impact of fees charged by portal providers. On the issue of fees, the Conference Report accompanying the compromise language offered this warning to GSA: “The conferees are aware of various fee-based and other business-to-business arrangements to feature products offered by certain vendors in many commercial e-commerce portals. The conferees expect the Administrator to ensure that any contract or other agreement entered into for commercial e-commerce portals under this program preclude such business-to-business arrangements.”
- Phase 3 gives OMB and GSA two years (from the creation of its Phase 1 plan/schedule) to develop guidance for the use of the portal, “including protocols for oversight” of procurements through the new program.
As OMB and GSA progress through these three phases under the watchful eye of Congress and the GAO, their efforts will be guided by other provisions of Section 846 that differ significantly from Section 801.
The new language, for example, significantly reduces (but does not eliminate) the obstacles to becoming an official portal provider. Previously, Section 801 incorporated requirements only a handful of companies in the world (if that many) could have met. Section 846 is less restrictive. It defines an acceptable portal as a “commercial solution providing for the purchase of commercial products aggregated, distributed, sold, or manufactured via an online portal.” It directs GSA to “consider” portals that are “widely used in the private sector” and that “have or can be configured to have” frequently updated supplier and product selections, as well as an assortment of product and supplier reviews.
As before, the language still expressly states the portal cannot be managed by the Government or designed for the primary use by the Government. Thus, neither GSA Advantage nor FedMall can satisfy the Section 846 requirements.
Unlike the House version of the bill, Section 846 does NOT state the portal providers will be selected without competition – a provision that greatly concerned not only industry, but many GSA officials as well. To the contrary, Section 846 states that current procurement laws will apply to the program unless explicitly exempted. This new language suggests GSA will have to develop some sort of competitive process to select the portal providers. Whether that means GSA will conduct a full-and-open, head-to-head competition among potential portal providers or an everyone-who-meets-the-requirements-gets-in type competition (like GSA uses to award Schedule contracts) is unclear. In either case, the removal of the “non-competitive” language from Section 801 is a material improvement over the House bill.
As with Section 801, Section 846 vests significant responsibility in GSA to come up with a means to ensure products sold through the portals are screened to meet applicable statutory requirements. This likely refers to regimes like the Trade Agreements Act (“TAA”), the Buy American Act (“BAA”), environmental requirements, security requirements, and the like. The language leaves it to GSA to figure out whether it will provide the necessary product data to the portal providers or will develop a mechanism for the providers to obtain those date on their own, presumably directly from the suppliers/ manufacturers. In either case, the continuing importance of product attribute data suggests neither suppliers nor portal providers should view the new procurement process as one devoid of obligations and/or risks.
On the flip side of the obtain-data-from-GSA coin, the new compromise language includes an expected submit-data-to-GSAobligation on the part of portal providers. Specifically, pursuant to Section 846, portal providers will have to collect and provide “order information” to GSA. While GSA is left to determine what sort of “order information” it needs, chances are the resulting list will be similar to the data currently required through GSA’s TDR program. (See TDR article HERE.)
Notwithstanding the Section 846 language directing OMB and GSA to ensure the awarded portals meet certain requirements, the compromise bill clearly reflects an effort on the part of Congress to minimize meddling in the structure of existing commercial ordering platforms. In fact, the Conference Report accompanying the compromise bill “encourages” GSA “to resist the urge to make changes to the existing features, terms and conditions, and business models of available e-commerce portals, but rather demonstrate the government’s willingness to adapt the way it does business.” This “encouragement” becomes a bit more pointed in the next sentence: “Pursuant to a diligent review of existing law and regulation, the conferees direct the Administrator to be judicious in requesting exceptions.”
Section 846 doesn’t have much to say about how agencies will purchase through the portal. Rather, it leaves most of that to GSA and OMB to figure out down the road. At this point, however, the language provides the authorized portals will be limited to COTS purchases. (The language actually uses the term “commercial products,” but strangely redefines the term to mean COTS items.) Importantly, the language no longer includes the prior indecipherable provision providing that purchases would be deemed to meet all competitive requirements merely by virtue of there being more than one supplier selling the product. Here again, the removal of the non-competitive language represents an improvement over the prior language. (The new language, however, provides no insight regarding the “protestability” of orders placed through the new portals, which currently is one of the only means industry has to hold agencies accountable for flawed purchasing decisions.)
Probably the most important change regarding purchasing relates to the prior Section 801 language that precluded ordering agencies from altering the marketplace provider’s standard terms and conditions. That prohibition raised serious concerns over how fair a marketplace’s standard terms would be in a near-monopoly situation. The prohibition also raised significant questions about how the Government would deal with critical policy imperatives; things like data security, the Anti-Deficiency Act, socio-economic goals, country of origin rules, and the like.
The new language resolves at least some of those questions by providing that purchases through the portals “shall be made, to the maximum extent practicable, under the standard terms and conditions of the portal.…” This is not unlike the language currently used in FAR Part 12 procurements requiring that “contracts for the acquisition of commercial items shall, to the maximum extent practicable, include only those clauses … determined to be consistent with customary commercial practice.” Since it will not be easy to define when a commercial term must be accepted by the Government or not, however, this likely will be an area for future litigation — just as it has been under FAR Part 12.
Another improvement over the original Section 801 language is the way the compromise bill deals with the treasure trove of data to which the portal providers will have access. The previous Thornberry language precluded the online marketplace provider from selling or giving those data to third parties, but imposed no constraint on the provider’s use of those data for its own strategic purposes. Consequently, if a provider also were a seller, the provider could have used sales data from its competitors strategically to tailor its own offering and price its own products. The new language precludes this by requiring the portal provider to agree “not to use for pricing, marketing, competitive, or other purposes, any information related to a products from a third-party supplier featured on the commercial e-commerce portal . . . .” While this is improved language, it will not be easy for GSA to police this requirement. No doubt, the GSA OIG already is thinking through how it can help.
Notwithstanding the many improvements in the Section 846 language, the extensive breadth of the new program continues to concern many.
- First, the ecommerce portals will accommodate purchases up to the Simplified Acquisition Threshold. While more limited than the original Section 801 language, this still will direct a significant volume of DOD COTS purchasing into the hands of commercial entities.
- Second, while the language is focused on DOD purchasing, it expressly states the portal must be able to accommodate Government-wide purchasing. In other words, DOD is just the starting point. We can expect to see the program expanded to all agencies over time.
- Third, and perhaps most importantly, a companion provision of the NDAA provides that if a product previously has been purchased through a commercial items vehicle (e.g., a FAR Part 12 contract), it cannot be purchased via a more structured procurement (e.g., a FAR Part 15 contract) in the future without jumping through certain hoops. Indeed, the text expressly states that monies given to DOD may not be used to fund a FAR Part 15 procurement if the products being procured previously were purchased through a FAR Part 12 procurement. This new language appears to be designed to make it extremely difficult for DOD (and other agencies in the future) to circumvent the new portals by creating full and open commercial items competitions.
On the topic of commerciality, it is worth noting that, in addition to the ecommerce portal provisions of the compromise bill, the NDAA also includes a number of provisions designed to expand the Government’s use of commercial items purchasing vehicles and expand the number of products qualifying as commercial items. These new provisions direct DOD to undertake a broad review of its current regulations, contracts, and subcontract flow-down terms to get rid of non-commercial clauses and provisions that have crept into DOD programs over the years. Indeed, the new language directs the Defense Acquisition University to develop new, meaningful training for COs to help them master commercial items acquisitions. This is a welcome development.
Finally, in addition to the positive changes for large businesses, small businesses also have something to cheer about in the compromise language. Section 846 makes clear purchases through the new ecommerce portals are deemed purchases from prime contractors such that the ordering agencies still get their small business purchasing credit. The language also expressly states that agencies still can set aside their purchases for small businesses as they did before. (These provisions also suggest small business designation will be one of the several attributes portal providers will be required to display on their web sites.)
In the end, the new language is a significant improvement over the original House proposal, but it leaves many questions unanswered. Section 846 directs OMB and GSA to fill in those blanks. And it provides for multiple reviews (including a detailed, phased-in GAO review) of how well OMB and GSA do their job. Time will tell what the new program looks like. But we can be certain of one thing at the moment. The commercial items procurement landscape will change. It just may take longer than Rep. Thornberry had hoped.
Jonathan Aronie is a Washington, DC-based partner with Sheppard Mullin, and the co-leader of the firm’s Government Contracts & Internal Investigations practice group. He is a frequent contributor to the Coalition’s newsletters, conferences, and radio shows. Jonathan is the author of more than 75 articles focusing on Government contracting, the co-author of the GSA Schedule Handbook, and a chapter editor of the ABA’s Guide to the Mandatory Disclosure Rule.
Michael W. Mutek, Senior Counsel, Steptoe & Johnson LLP
Thomas P. Barletta, Partner, Steptoe & Johnson LLP
Paul R. Hurst, Partner, Steptoe & Johnson LLP
The end of the year approaches and that means Department of Defense (DoD) contractors must make changes to their own unclassified information systems to ensure compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.1
Why? Because Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, also known as “the -7012 clause,” requires that contractors provide “adequate security” to protect “covered defense information” – including unclassified information – that resides on, or passes through, the contractor’s information system or network. The clause requires that contractors, at a minimum, implement NIST SP 800-171 “as soon as practical” and not later than December 31, 2017.2 It also requires that DoD contractors report to DoD when a cyber incident affects the contractor’s information systems on which covered defense information resides or affects the contractor’s ability to provide operationally critical support requirements identified in the contract. Prime contractors must flow down the clause to subcontractors when contract performance involves covered defense information or operationally critical support (including subcontracts for commercial items).
This advisory provides an overview of the clause and identifies recently released guidance from DoD and NIST to assist with implementation of the NIST standards.
Why the -7012 Clause?
The goal of this clause is to require certain DoD contractors to make changes to their information systems to provide “adequate security” to protect “covered defense information.” Recognizing this clause will impose costs on its nonfederal partners, DoD’s commentary on this clause explains that “[t]he cost of not protecting covered defense information is an enormous detriment to DoD resulting in a potential loss or compromise of such information, adverse impacts to the DoD warfighting mission, and to the lives of service men and women.”3
To achieve this goal, the -7012 clause mandates implementation of appropriate NIST SP 800-171 protocols by December 31, 2017. DoD contracts containing the -7012 clause4 require certain minimum security requirements for two categories of contractor unclassified information systems: (1) those systems that are part of an information technology service or system operated on behalf of the government, and (2) any other systems that process, store, or transmit “covered defense information” during the performance of a DoD contract. In addition, where a solicitation includes DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls, each offeror makes a representation that “[b]y submission of this offer, … it will implement the security requirements specified by [NIST SP] 800-171 … that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.”
So what is Covered Defense Information or “CDI”? The -7012 clause defines it as unclassified controlled technical information or other unclassified information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to laws, regulations, and applicable policies (e.g., export controlled data, critical infrastructure, proprietary data, etc.), and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
What does NIST SP 800-171 Require?
NIST SP 800-171 was developed to further NIST’s statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014,5 including the development of information security standards and guidelines for federal information systems. NIST SP 800-171 explains that the expansion of certain security standards to contractor information systems reflects a federal policy seeking to protect CUI while residing in nonfederal information systems and organizations. DoD describes the NIST SP 800-171 standards as “performance-based requirements” without “unnecessary specificity” and “include only those security requirements necessary to provide adequate protections for the impact level” of controlled, but unclassified, information.6
NIST SP 800-171 explains that:
This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.7
Guidance on Implementation of the NIST Standards
On September 21, 2017, the DoD issued Guidance for Selected Elements of DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” – Implementing the Security Requirements of NIST SP 800-171.8 The guidance notes that DoD is working with all stakeholders to ensure successful implementation of the -7012 clause.
This guidance was created for DoD acquisition personnel in anticipation of the December 31, 2017, deadline and outlines “the manner in which contractors are likely to approach implementing NIST SP 800-171.” It also addresses how a contractor may use a system security plan to document its implementation of the NIST SP 800-171 security requirements and provides examples of how DoD organizations might choose to leverage the contractor’s system security plan, and any associated plans of action, in the contract formation, administration, and source selection processes.
The guidance includes useful information for contractors regarding implementation of the NIST standard. For example, it states that:
There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements. For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution.
The guidance notes that most of the NIST SP 800-171 requirements address policy and process for configuring IT securely and the requirements assist in determining what should be the company policy, for example, when password changes should be required. Certain requirements, according to the guidance, will require security-related software or additional hardware.
An important statement in the guidance makes clear that “it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information).” As a result, although a growth industry appears to be emerging around NIST SP 800-171 compliance, the guidance cautions that “[t]hird party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.”
Finally, there are other useful publications to assist in addressing the -7012 clause. A new NIST handbook (Handbook 162) was published on November 20, 2017. This handbook, entitled Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirement,” is intended for small companies providing products that enter the DoD supply chain.9 On November 27, 2017, the Defense Procurement Acquisition Office (DPAP) also issued a Procurement Toolkit note on documenting implementation of the security requirements with a system security plan.10 The Procurement Toolkit contains several additional aids.
What about the Supply Chain, including third-party Cloud Service Providers?
Contractor supply chains continue to receive a great deal of attention, as noted in earlier Steptoe advisories.11 In the area of cybersecurity, a key reason is that a supplier in the supply chain can be a potential weak link and introduce cyber threats into the system, as many Fortune 500 companies have discovered. As a result, the -7012 clause is required to be flowed down to all suppliers that will store, process or transmit CDI as part of its subcontract performance. Specifically, the -7012 clause mandates that the contractor shall:
- Include the clause in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties.
- Require subcontractors to notify the prime contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the contracting officer, in accordance with the clause.
- Provide the prime contractor or next higher-tier subcontractor the incident report number assigned by DoD as soon as practicable after reporting a cyber incident to DoD as required by the clause.
In response to commentary on this clause, DoD clarified the “flow down” to cloud service providers (CSP), explaining that “when the contractor is not providing cloud computing services in the performance of the contract, but intends to use an external CSP to store, process, or transmit any covered defense information for the contract,” then DFARS 252.204-7012(b)(2)(ii)(D) specifies the flow down provisions.12 Specifically, under those circumstances, the entire clause is not flowed down to the CSP, but the CSP must meet security requirements equivalent to the “Moderate” level of security requirements established for the government’s use of CSPs under the Federal Risk and Authorization Management Program. The CSP must also commit to comply with other clause requirements, including cyber incident reporting and damage assessment, protection of malicious software/media, and access to additional information and equipment necessary for forensic analysis. See DFARS 252.204-7012(b)(2)(ii)(D).
Best practices indicate prime contractors and higher-tier subcontractors are not merely flowing down the -7012 clause but are providing additional guidance and information, for example on their supplier web portals. This includes links to other resources such as the DoD Guidance discussed above, and using other forms of communication to assist their supply chains in implementing the NIST requirements. In addition, some primes are even offering assistance through their IT departments.
Failure of a supplier to comply with NIST SP 800-171 could not only become an issue on an existing contract but could also result in a cybersecurity incident, which could lead to unfavorable past performance assessments for contractors.
1 This publication is available free of charge at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf.
2 Related Steptoe advisories: FAR Council Issues Rule on Basic Safeguarding of Covered Contractor Information Systems and Three Recent Cybersecurity and Information Systems Management Rules Impact Government Contractors.
3 81 Fed. Reg. 72986, 72997 (Oct. 21, 2016).
4 The clause is not required for commercially available off-the-shelf (COTS) items.
5 44 U.S.C. § 3541 et seq., Public Law (P.L.) 113-283.
6 81 Fed. Reg. 72986, 72997 (Oct. 21, 2016).
7 NIST SP 800-171, page iii.
9 Available at: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf.
11 For example, see Steptoe advisories Final DFARS Rule is the Latest in a Series of Supply Chain Obligations Contractors Should Heed and New DFARS Cyber-Reporting and Cloud Rule Impacts Defense Contractors/Supply Chains.
12 81 Fed. Reg. 72986, 72994 (Oct. 21, 2016).
Request for Feedback on FedRAMP RFI
The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) team has released a Request for Information (RFI) seeking input from industry regarding the preferred contract language that agencies should use for FedRAMP requirements in solicitations. Comments must be submitted by December 15.
The Coalition plans to submit comments in response to the RFI. If you are interested in participating, please send your input on the RFI to Aubrey at firstname.lastname@example.org by Friday, December 8.
This Week on “Off-the-Shelf”: Category Management & Small Business Contracting
Stabolepszy explains how category management has created a challenging market dynamic for small businesses seeking competitive channels to participate in the federal market.
At the same time he also discusses the vital role GSA’s Multiple Award Schedule (MAS) program has played in creating opportunities for small businesses and how it can continue to do so. In particular, Stabolepszy highlights MAS Blanket Purchase Agreements (BPAs) as a key tool in the tool box that both government and industry in meeting complex IT requirements while providing opportunities for small businesses.
To listen to the show, click here.
This Week on “Off-the-Shelf”: An Inside Look at the Defense Health Agency
During his tenure at DHA, Deputy Director Kiyokawa has played a leading role in the creation and implementation of DHA, including the current restructuring of the administration of “military medical treatment facilities.”
Kiyokawa shares his insights regarding the logistical and managerial complexities associated with the ensuring the warfighter is “medically ready to deploy.”
To listen to the show, click here.
GSA Releases Schedules Sales Query Plus
Last week, the General Services Administration announced the release of Schedules Sales Query Plus (SSQ+), which will replace the old SSQ as a repository for GSA Schedules sales data. SSQ+ is a dynamic dashboard that allows users to create and download customized reports. In addition, GSA has released the Schedule sales data for Fiscal Year 2017, which indicates that spending on the Schedules fell 1.5 percent to $31 billion.
Coalition Furniture Meeting, Dec. 12
The Coalition’s Furniture Committee will be meeting on Tuesday, December 12 at 1:30 PM. The meeting will focus on planning for next year as well as discussing the upcoming Wright Patterson Air Force Base furniture Indefinite-Delivery, Indefinite-Quantity (IDIQ) vehicle.
If you are interested in attending the meeting, please RSVP to Jason Baccus at email@example.com.
On Thursday, November 30, the Coalition hosted a webinar focused on Section 846 of the National Defense Authorization Act (NDAA). Jonathan Aronie, Partner at Sheppard Mullin, provided members with an overview of the legislation’s online marketplace provisions, including detailed discussion on the following:
- the significant changes from House Section 801,
- the likely impacts on Federal IDIQ contract holders, including GSA Schedule holders, and;
- steps contractors should take to be prepared for the forthcoming changes.
The webinar is available for Coalition members, and can be accessed by logging into your account via the Coalition’s webpage. Click here to view the virtual meeting!
Please Consider Helping Those Impacted by the 2017 Hurricanes
The Coalition asks that you consider offering support to our fellow citizens in their time of need. In the wake of the 2017 Atlantic hurricane season, many found their lives in total disarray. Below are just a few links to organizations that will help provide life-changing relief to those impacted by these terrible tragedies.