FAR and Beyond Blog
For this week’s comment I wanted to share with you my inaugural blog post that was first published on the Federal Times’ Acquisition Blog (www.federaltimes.com). The post highlights Thought #2 “GSA’s Strategic Plan: Plan versus implementation,” one of the issues contained in my “Food for Thought in 2014”:
GSA’s Draft Strategic Plan for FY 2014 – 2018: Where is the $40 Billion Multiple Award Schedules program?
Today marks the launch of a new blog focusing on GWACs and GSA. I want to thank Federal Times for the opportunity to expand the dialogue on interagency contracting and in particular GSA’s role in our procurement system. And what better way to kick things off but to focus on GSA’s Draft Strategic Plan for FY 2014-2018 and what it says and doesn’t say about the future role of GSA.
On December 20, 2013, GSA posted on its website the agency’s Draft Strategic Plan for FY 2014-2018. The plan can be found here. GSA is to be commended for posting the plan and providing the public with an opportunity to comment. It is welcomed transparency that provides all stakeholders in GSA’s programs with an opportunity to provide feedback on the way forward for the agency.
The plan identifies three strategic goals: (1) Savings: Provide savings to federal departments and agencies; (2) Efficiency: Improve the efficiency of operations and service delivery; and (3) Service: Deliver excellent customer service. The goals are laudable. They reflect the necessary and appropriate focus on delivering savings and value to customer agencies and the American people.
However, the vision and strategies for achieving the strategic goals fail to focus on improving GSA’s largest, most successful contract vehicle the Multiple Award Schedule (MAS) program. As such, GSA is unlikely to achieve the strategic goals identified in the plan without a course correction.
The current draft plan notes that the Federal Acquisition Service (FAS) provides federal agencies with over 11 million different products and services thereby delivering over $54 billion in procurement solutions, services and products on a government-wide basis. In looking at the numbers, the MAS program accounts for approximately $40 billion of FAS’s $54 billion or roughly 75 percent (three quarters!) of the total dollar volume.
Yet, the draft strategic plan makes only one formal mention of the MAS program. The plan is devoid of any discussion on improving the program for the long term. The void raises several questions.
Can a strategic plan that essentially ignores a program that accounts for three quarters of the total business volume be successful? What does the plan say about the role of the MAS program at GSA? Is, as many in industry believe, GSA seeking to dismantle the program? Is there a strategic role for commercial item contracting at GSA?
Reforming the MAS program to streamline the contracting processes, enhance task order competitions and reduce transactional costs can have a profound impact on government-wide procurement operations. MAS reform that leads to even just a one percent savings across the MAS program would deliver $400 million in annual savings, far exceeding the projected $255 million in savings by 2015 GSA claims will result from its Federal Strategic Sourcing Initiatives.
Moreover, the potential savings through reform and streamlining of the program can have a multiplying effect across the procurement system. Streamlining the MAS contracting process will reduce operational costs for GSA which in turn could lead to a reduction in the Industrial Funding Fee. MAS Reform can increase access to new commercial technologies thereby increasing competition, savings, and value for customer agencies. MAS Reform can reduce contract duplication saving government and industry millions, if not billions over the long term. Reducing the cost of doing business with the government can result in real savings for contractors—savings that can be passed on to Federal agencies. The time is now for reforming, streamlining, and improving the MAS program!
Reform of the MAS program includes the following:
- Create an Innovation Schedule that provides streamlined access to the latest commercial technologies
- Update the MAS Pricing Policies to reflect current commercial practices and the federal marketplace where pricing is driven by task order competition for agency specific requirements
- Eliminate the Price Reduction Clause which increases transactional costs for all while restricting the ability of MAS contractors to compete in the private sector
- Enhance MAS commercial solutions by authorizing “other direct costs” for orders
- Review and eliminate all MAS contract terms and conditions where the costs outweigh the benefits
Look for my next blog the second week in February that will highlight the GSA “supplier” relationship.
Additionally, anyone who is interested in a new invigorated vision for the schedules program should review our recently released letter to Chief Information Officer Steven VanRoekel on transforming IT Schedule 70 into the IT Commercial Innovation Schedule for government IT. Next week, I will be addressing the DoD deviation regarding FAR 8.4 and FAR 15.4.
This half-day forum and workshop will provide an overview and update on:
- The Status of Proposed and Pending legislation
- The President’s Executive Order, EO 13636 (February 12, 2013)
- Improving Cybersecurity and Resilience through Acquisition – Final Report of the Department of Defense and General Services Administration (January 23, 2014)- where do we go from here?
- Framework for Improving Critical Infrastructure Cybersecurity, the National Institute of Standards and Technology (NIST) (February 12, 2014)
- The DFARS Final Rule on enhanced safeguards for unclassified CTI (controlled technical information) (November 18, 2013)
Subject matter experts from across government and industry will participate in panel discussions addressing these topics and more. The event will be held the third week of May at the Tower Club in Tysons. Keep your eyes on the Friday Flash for more information in the coming weeks.
Want to actively participate in discussions and hear directly from acquisition leaders at DoD, DHS, HHS, VA, and GSA? Now’s your chance! Register for The Coalition for Government Procurement’s Spring Training Conference taking place on April 10th!
Featured Speakers include:
- Harry Hallock, Deputy Assistant Secretary, United States Army
- Jan Frye, Deputy Assistant Secretary, Office of Acquisition and Logistics
- Cameron Leuthy, Senior Budget Analyst, Bloomberg Federal
- Richard Levi, Counsel to the Inspector General, GSA
- Maureen Regan, Counsel to the Inspector General, VA
- Richard Ginman, Director of Defense Procurement and Acquisition Policy, DoD
- Jeffrey Koses, Senior Procurement Executive, GSA
Discussion Topics include:
- The Future of Federal Acquisition – What’s on the Horizon
- Selling in the Federal Market – Who’s Buying and Who’s Not
- Oversight and Enforcement – The OIG Perspective
- Maximizing the Benefits, Avoiding the Risks—The Latest in Contract Compliance and Regulatory Changes
- Army Acquisition – Current and Future Initiatives
- Government-wide Acquisition Summit
Breakout Sessions Include:
- The GSA Acquisition Centers – Updates for 2014
- The GSA Services Portfolio
- Doing Business with DHS – New Guidelines for Acquiring Services; Eagles Update
- Government-wide IT Acquisitions – Updates for 2014
- Small Business Preferences – What’s Going Right and What Needs Improvement?
- Air Force Strategic Sourcing – What’s the Current Status and What’s Next?
- The GSA Schedule Crystal Ball – What to Expect for the Program and its Pricing Policy
- The GSA Category Management – What Does it Mean to your Business?
Anne Rung Heading to OFPP
According to FCW, GSA’s Chief Acquisition Officer Anne Rung will leave the agency and move to the Office of Management and Budget to serve as administrator of the Office of Federal Procurement Policy (OFPP). Anne was named associate administrator for the Office of Governmentwide Policy at GSA in June 2013 and has been the agency’s chief acquisition officer since May 2012. Before joining GSA, Rung had served as senior director of administration at the Department of Commerce, leading several management initiatives including acquisition reform.
Coalition Response to ODC RFI
Thank you to our members who contributed to the Coalition’s comments in response to GSA’s Request for Information (RFI) about how to implement Other Direct Costs (ODCs) under the Schedules program. We especially appreciate those who participated in the ODC Survey which provided valuable information for the Coalition’s submission. To view the ODC comments, visit https://thecgp.org/images/Coalition-ODC-Comments-with-Attachment.pdf.
Federal News Radio reported this week that GSA’s strategic sourcing contracts—Office Supplies 3 (OS3), OASIS Small Business (SB), and Maintenance, Repair and Operations (MRO)—are facing a number of protests. Based on information available through the Government Accountability Office (GAO) as of March 21, 2014, OS3 has 16 open pre-award protests, MRO has 3 post-award protests and OASIS SB has 8 post-award protests filed with GAO. This is just the beginning of what many industry experts believe is likely to be the year of bid protests at GSA, writes Jason Miller of Federal News Radio. With GSA expected to award the unrestricted version of the complex professional services contract under OASIS, more bid protests could be filed.
The Coalition’s President, Roger Waldron discussed the protests in an exclusive interview with Federal News Radio. “OS3 RFP is one of most difficult RFPs for a company to propose against that I’ve seen in a long time for something as straight forward as office supplies,” said Roger Waldron. “There are a lot of ambiguities and it creates uncertainty for GSA schedule holders. If you’re a schedule contractor, your pricing has to be consistent across two contracts, which begs the question—why is GSA creating two contracts? OS3 creates compliance concerns and puts schedule holders at a disadvantage because those without a schedule don’t need to worry about the price reduction clause.” To listen to Roger’s full interview, click here.
GSA Briefing on FSSI for Buildings Maintenance & Operations, March 27
Join the Federal Buildings Committee next Thursday, March 27 for a briefing by GSA’s Mary Snodderly on the Federal Strategic Sourcing Initiative (FSSI) for Buildings Maintenance and Operations (BMO). The FSSI strategy for BMO is the first specifically targeting services. Industry Relations from the Public Buildings Service (PBS) will also participate in the meeting to discuss the various offices, programs and resources available within PBS for vendors. The meeting will be held at 10:00am at Mayer Brown (1999 K St NW, Washington, DC 20006). To RSVP to attend or request the dial-in information, please contact Roy Dicharry at firstname.lastname@example.org.
In a Wednesday press release, GSA announced the creation of an Interact community for the furniture industry. According to the release, GSA has started discussions with the furniture industry on another possible strategic sourcing solution focused on federal furniture purchasing. The proposed furniture solution will target office furniture including, but not limited to, seating, shelving, tables, workstations, and displays.
The agency is looking for feedback from federal agency customers and industry partners on its approach to building an effective strategic sourcing solution for furniture products and services. Interested members are encouraged to join the The Furniture community page on Interact to keep abreast of all updates on this initiative and to provide GSA feedback on proposed strategies for a strategic sourcing solution.
By: Jack Horan, Partner, McKenna Long & Aldridge LLP
Effective and compliant contract administration should be a primary goal for all government contractors, including, of course, contractors with the Department of Veterans Affairs (VA). As with any other business goal, compliance should be attained efficiently. Within the web of statutory, regulatory, and contractual requirements, VA contractors should understand the areas where noncompliance creates the greatest risk and exposure, and spend their resources accordingly.
As with the Offices of Inspectors General throughout the government, the VA Office of Inspector General (OIG) is a central player in the oversight of contracts, enforcing compliance with all major VA statutory, regulatory, and contractual requirements, and redressing compliance failures. As part of its responsibilities, the VA OIG reports to Congress twice annually on the audits, reviews, and investigations it conducts. Although intended for other purposes, these reports can assist VA contractors in identifying the requirements that are of the most importance to the VA, and should be most important to the contractor. In short, VA OIG’s actions over the prior year serve as a lesson to contractors on where to spend their time and money (and the effect of noncompliance).
The VA OIG has “a nationwide staff of auditors, investigators, health care inspectors, and support personnel” in six major component “offices” that conduct “independent oversight reviews to improve the economy, efficiency, and effectiveness of VA programs, and to prevent and detect criminal activity, waste, abuse, and fraud.” For a VA contractor, the three component offices that are of most importance are: (1) the Immediate Office of the IG; (2) the Office of Counselor to the IG; and (3) Office of Investigations.
The Immediate Office of the IG is top-tier management, with the Deputy Inspector General operating as the “Chief Operating Officer.” In addition to planning, directing and monitoring all [IG] operations,” the Immediate Office establishes investigative priorities for the Office, and identifies and promotes legislative initiatives to Congress.
The new year should bring a new IG to the VA. On November 6, 2013, GeorgeOpfer announced his retirement as IG after more than 44 years of government service. Mr.Opfer assumed responsibility as Inspector General on November 17, 2005, after being nominated by President GeorgeW.Bush. Although President Obama has not nominated a replacement, Mr.Opfer’s long-time Deputy, RichardGriffin, is currently serving as Acting Inspector General. Mr.Griffin has been a Deputy Inspector General since November 23, 2008, and previously served as Inspector General from November 1997 to June 2005.
A change in Inspector General can have a significant effect on the priorities, policies, and procedures of an office – as demonstrated by the GSA’s OIG under the direction of the current IG, Brian Miller. Given his status as Acting Inspector General and his long service under Mr.Opfer, it would be surprising if Mr.Griffin made dramatic changes to the VA OIG’s policies or procedures. Significant changes will likely come, if at all, under the next IG.
The Office of Counselor provides counsel to the OIG on False Claims Act cases affecting the VA and serves as liaison to the Department of Justice on False Claims Act cases. The Office of Counselor also manages the Office of Contract Review, which provides pre-award and post-award audits of contractors’ proposals and contracts under an agreement with VA’s Office of Acquisition, Logistics and Construction (OALC). The majority of pre-award audits of proposals for contracts or modifications under the VA’s Federal Supply Schedule (FSS) program. The Office automatically reviews the pricing for all proposals when the estimated contract or modification exceeds $5,000,000 under Schedule 65IB, Drugs, Pharmaceuticals, and Hematology Related Products, and $3,000,000 for the other VA Schedules. The Office of Contract Review also reviews pharmaceutical manufacturers’ compliance with the pricing requirements of the Veterans Health Care Act. Thus, the Office of Contract Review reviews pricing for major VA contracts and ensures the pricing is compliant with contractual, regulatory, and statutory requirements, and provides a recommendation to the contracting officer on the prices the VA should pay for items on large FSS contracts.
So how did the pricing proposed by potential contractors fare with Office of Contract Review? During fiscal year 2013, the Office conducted 83 pre-award audits of proposals of all types, and identified $655,056,285 in cost savings, or an average of $7.9 million in cost savings per audit. It’s safe to say that the Office did not routinely accept pricing as proposed by the contractors.
How about proposals for FSS awards, renewals or modifications? Forty-six of the 83 pre-award audits were of proposals for awards, renewals or modifications under the FSS program – 32 for initial award, ten for renewals, and four for modifications to add products. The Office recommended a price reduction for 72% (23 of 32) of the audited proposals for initial award. The Office recommended a total of $470,428,110 in price reductions, with an average of $14.7 million per audit (including all 32 audits). Thus, offerors submitting proposals for an initial award of an FSS contract fared worse than the average contractor subject to pre-award audits.
With pricing established by the existing contracts, one would expect that the contractor would fare better in pre-award audits for contract renewals. Contractors did fare better but the Office frequently challenged the proposed pricing. The Office recommended a total of $18,577,827 in price reductions, with an average of $1,857,783 per audit. The OIG recommended a price reduction for 60% (six of ten) renewal proposals.
Contractors seeking product additions fared the best over the past year with the OIG recommending price reductions in only 25% (one of four) of its audits. The one price reduction was a significant one though — $8,615,256.
So, here are the lessons learned from the pre-award audits:
- Most obviously, the OIG takes a hard look at proposed pricing, in the past year rejecting 72% of pricing proposed for initial award, 60% for renewals, and 25% for modifications.
- A contractor needs to be prepared to support its pricing not only when it is seeking the initial FSS contract, but also at renewal and for each modification.
Now let’s look at post award audits – audits conducted to determine whether a contractor is complying with its pricing obligations. The Office reported 33 post-award audits in fiscal year 2013, which resulted in the VA recovering contract overcharges totaling over $17.6 million. According to the OIG, approximately $11.7 million of that recovery resulted from Veterans Health Care Act compliance with pricing requirements, recalculation of Federal ceiling prices, and appropriate classification of pharmaceutical products.
Fourteen of the post-award audits were of voluntary disclosures. The Office claimed more than offered by the contractor in nine of 14 voluntary disclosures. The average recovery to the VA from voluntary disclosures was $1,157,117.
The VA recovered 100 percent of recommended recoveries for post-award audits.
Lessons learned from post-award audits:
- Pay close attention to your Veterans Health Care Act pricing – it is a major compliance area for the OIG, comprising the largest recovery area.
- Be prepared to support your accounting and rationale for any voluntary disclosures. The disclosure is likely to be audited and the proposed repayment amount is likely to be challenged.
- Your opportunity to affect the government’s view of your liability is through negotiations with the OIG. The Office has an excellent record – 100% of the time – of recovering what it determines the VA is due.
Now, a look at the focus of the Office of Investigations over the past fiscal year. The Office of Investigations (OI) investigates crimes committed against programs and operations of the VA. Within the OI, the Criminal Investigations division investigates all types of crimes (including criminal fraud as well as rape and murder) and civil fraud. For fiscal year 2013, the OI reported opening 45 cases, making 11 arrests, and obtaining more than $564.1 million in fines, restitution, penalties, and civil judgments “in the area of procurement practices.”
The OI specifically identified twelve criminal cases involving procurement violations by contractors – all twelve involved service-disabled, veteran-owned small business fraud. In those cases, the SDVOSB business either misrepresented the eligibility of its owner, or the true ownership of the business.
Lessons learned from the OI:
- Exposure under the False Claims Act for VA contracts can be very significant – reaching over $500 million in 2013.
- People get arrested and go to jail for defrauding the VA.
- If you tell the VA that you are a serviced-disabled veteran and own and operate a SDVOSB, you better be a service-disabled veteran and own and operate the SDVOSB.
Finally, one other lesson learned – this one from the structure of the VA OIG. Contact by the Office of Contract Review and the Office of Investigations can both lead to civil or even criminal liability, but there is a significant difference. If the contact comes from the Office of Investigations, the issue has already likely been determined to be a potential civil fraud or criminal violation. There is no doubt that it is time to call your lawyer.
 See Semiannual Report to Congress, Issue 69, (October 1, 2012 – March 31, 2013),VA OIG; Semiannual Report to Congress, Issue 70 (April 1 – September 30, 2013), VA OIG.
 The three other component offices are the following: (1) the Office of Audits and Evaluations, which audits and evaluates the effectiveness of the Veterans Health Administration programs and Veterans Benefits Administration programs; (2) the Office of Healthcare Inspections, which monitors the healthcare provided to the veterans; and (3) the Office of Management and Administration, which provides comprehensive support services to the VA OIG, and administers the VA OIG Hotline.
 The Office of Counselor also supervises the Release of Information Office, which primarily processes Freedom of Information Act and Privacy Act requests for OIG records, as well as other requests for information.
 The reports describe the pre-award audits results as “potential cost savings” and “savings and cost avoidance” so it is not clear whether these amounts include audit recommendations ultimately rejected by the contractors.
 To provide some perspective, the VA estimates that there are currently 1900 contract holders under its FSS program.
 The categorization of the pre-award and post-award audits in this article are based on the description of the audits in Appendix A of the reports.
 The OIG’s reports labeled eleven post-award reviews as involving voluntary disclosures with a total recovery to the VA of $12,728,288.
 This amount includes a $500 million fine resulting from a False Claims Act case against a large pharmaceutical company.
Cybersecurity Takes The Pole Position in 2014 In Federal Acquisitions
By: Tom Barletta, Partner, Steptoe & Johnson LLP; Andy Irwin, Partner, Steptoe & Johnson LLP; & George Leris, Associate, Steptoe & Johnson LLP 
The Obama Administration has been placing greater emphasis on cybersecurity, including enhancing cybersecurity in the acquisition process. Three of the Administration’s more recent acquisition related cybersecurity initiatives are discussed below.
On November 18, 2013, the DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements on contractors for safeguarding unclassified controlled technical information and reporting cyber incidents. On the same day, the DoD also issued an interim rule amending the DFARS to address supply chain security in defense contracts.
More recently, DoD and GSA issued a DoD/GSA Final Report on Improving Cybersecurity through Acquisition (“Final Report”) on January 23, 2014, containing recommendations for incorporating cybersecurity standards into the acquisition planning and contract administration process. Those recommendations include instituting baseline cybersecurity requirements; improving cybersecurity training; developing common cybersecurity definitions; instituting a federal cyber risk management strategy; purchasing from trusted sources; and increasing government accountability for cyber risk management.
Safeguarding Unclassified Controlled Technical Information and Cyber-Reporting
The DoD final rule and implementing contract clause require a contractor who has access to or stores specific types of unclassified “controlled technical information” (UCTI) to implement certain security standards on its computer network and to report certain “cyber incidents” to DoD. See DFARS 304.734 & 252.204-7012; see also DFARS 204.703 & 212.301 (regarding solicitations and contracts for commercial items).
The final rule focuses on “controlled technical information” — technical data or computer software, as defined in DFARS 252.227-7013, with a “military or space application” that is subject to restrictions on access, release, and disclosure. In that regard, the final rule references DoD Directive 5230.24, Distribution Statements on Technical Documents, and (in the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. Those Directives generally deal with sensitive but unclassified information that is subject to marking or release restrictions under U.S. government programs. Much of this information is likely to be subject to US export control laws and regulations, such as the International Traffic in Arms Regulations (ITAR).
The final rule imposes three requirements on covered contractors. First, the contractor must implement certain National Institute of Standards and Technology (NIST) information systems security procedures in its project, enterprise, or company-wide unclassified information technology (IT) systems to safeguard any UCTI transiting through or residing in its systems. These procedures, drawn from NIST Special Publication 800-53, Revision 4, cover fourteen areas of information security: access control; awareness and training; accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity. Alternate methods of protection may be proposed to the contracting officer, and additional security measures beyond the NIST procedures may be required if warranted by risk/vulnerability assessments. (In assessing the security of their information systems, contractors may also want to consult NIST’s more recent, February 12, 2014 Framework for Improving Infrastructure Cybersecurity, which sets out guidelines and processes for cybersecurity activities.)
Second, the final rule requires a contractor to report to DoD any cyber incident affecting UCTI information within 72 hours of the incident. The definition of “cyber incident” in the final rule suggests that the term refers to a deliberate use of a computer network (e.g., “hacking”) that has an adverse effect on a contractor’s IT system or the controlled information residing therein. However, the final rule may have a broader reach, as a “cyber incident” potentially includes “an adverse release” of controlled information (as set forth in DFARS 252.304-7012(d)(1)(xi)), or “any other activities … that allow unauthorized access to the Contractor’s unclassified information system” (as set forth in DFARS 252.204-7012(d)(2)(ii)). The final rule also requires contractors to further investigate any cyber incidents after making the initial report and to cooperate in any DoD damage assessment activities, including responding to requests for information. The reporting requirement also presents difficult parallel export control considerations for contractors, as they may need to consider whether they should file parallel self-disclosures with the export control regulatory agencies.
Third, the final rule’s implementing contract clause includes contains a mandatory flow down to all tiers of subcontractors, including to subcontracts for commercial items. The final rule does not have a separate definition of “subcontractor” and vendors that may not consider themselves subcontractors may therefore be subject to the new rule. For example, the preamble to the final rule states that the requirements can apply to Internet service providers (ISPs) and cloud computing vendors. Furthermore, if a subcontractor experiences a cyber incident, the final rule requires reporting to the Government through the prime contractor.
Interim Rule on Supply Chain Security
This interim DFARS rule grants “pilot” authority to the DoD (to expire on September 30, 2018) to place certain restrictions on IT supply chains in procurements related to “national security systems” (NSS) (as defined in 44 U.S.C. § 3542(b) and including contractor NSS) in order to address supply chain risks. Specifically, the interim rule authorizes certain DoD officials to exclude a source for IT, whether acquired as a service or a supply, based on certain qualification standards and evaluation procedures. It also authorizes them to withhold consent to a subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.
The interim rule includes a new solicitation provision and a new contract clause to be included in all solicitations and contracts for the development or delivery of information technology that are subject to the DFARS (i.e. not just for contracts for NSS). Those provisions give notice that DoD may use its exclusionary authority to manage supply chain risk. Contractors are required to flow the clause down to “all subcontracts involving the development or delivery of any information technology, whether acquired as a service or supply.” (Emphasis supplied).
The interim rule includes required procedures for taking exclusion actions and indicates that those actions should only be taken where there is a significant supply chain risk to a particular NSS. However, the interim rule does not define what qualification standards or evaluation factors DoD officials will use in considering supply chain risks and excluding supply sources. Furthermore, the interim rule gives DoD authority to limit disclosure of information relating to an exclusion decisions and provides that exclusion actions are not reviewable in a bid protest.
DoD/GSA Final Report on Improving Cybersecurity through Acquisition
The Final Report aims to establish a unified framework to address federal cyber risk management and acquisition processes, and, in particular, cyber risk in the acquisition of commercial information and communications technology. (The report essentially indicates that it does not apply to acquisition practices applicable to NSS.)
The Final Report identifies several important cyber risk related issues affecting federal acquisitions, and provides joint DoD/GSA recommendations on mitigating them at the federal level. At the top of the list are intentional or unintentional vulnerabilities that may come from inside or outside the supply chain, but which increase acquisition risk. The risk of counterfeit, “grey market,” or other nonconforming information and communications technology (ICT) components entering the supply chain also adds to the risk in supply chain management. Finally, the operations, maintenance, and disposal stages of ICT present significant risks when supervised and/or implemented improperly. The Final Report indicates that a well-functioning and unified federal acquisition approach to such issues is likely to reduce cybersecurity threats to the supply chain.
To that end, the Final Report lays out six recommendations which aim to reduce exposure to cyber risks in commercial ICT federal acquisition. First, it recommends establishing “baseline cybersecurity requirements” as a condition to awarding a contract. These requirements encompass basic protections (e.g., up-to-date virus protection and software patches; multiple-factor logical access; and methods ensuring data confidentiality). These elements should be expressed as technical requirements, and include performance measures and be clearly described in the relevant contract language. Importantly, the Final Report recommends that these requirements should be harmonized with other FAR/DFARS rule making actions, including the final rule discussed above on safeguarding UCTI in contractor IT systems.
Second, the Final Report recommends increasing the cybersecurity awareness of employees and entities working in federal acquisitions. It suggests that additional education and training opportunities for employees involved with procurements will lead to improved cyber risk management, including avoiding over-specifying and under-specifying cybersecurity requirements. It also proposes a government-sponsored cybersecurity outreach campaign targeting stakeholders to familiarize them with the government’s changing approach to cybersecurity.
Third, the Final Report recommends adopting common cybersecurity definitions for federal acquisitions. It acknowledges that use of unclear and inconsistently defined terms in the acquisition process (e.g., “cyber incident”) can lead to “suboptimal outcomes for both cybersecurity and efficiency” (e.g., changes, terminations, and disputes). The Final Report suggests that a having common definitions will reduce problems with, inter alia, cost estimates, solicitations, and award and performance of contracts.
Fourth, the Final Report recommends the creation of an interagency “federal acquisition cyber risk management strategy,” which would identify a unified hierarchy of cyber risks. It would also develop “overlays” – i.e., sets of flexible, risk-based security requirements and supplemental guidance – that an agency would tailor to its specific needs for specific products. These overlays would, for example, identify different security controls depending on the type of acquisition. As the Final Report highlights, different acquisitions present different risks and warrant different cybersecurity responses. Applying standardized but flexible overlays across markets segments and similar types of procurement will, according to the report, reduce the costs and duration associated with an acquisition.
Fifth, the Final Report emphasizes that federal agencies must ensure that the goods they acquire are authentic, as any sub-par goods drastically increase cyber risks (e.g., they may arrive with outdated security updates, or built to different specifications). Accordingly, it recommends identifying “trusted sources” – manufacturers, suppliers, or resellers, and taking other steps, appropriate to the particular acquisition, to qualify vendors as a means of reducing cyber risks. Further, the Final Report indicates that in cases involving the greatest risk, it may be appropriate for government personnel to determine whether a vendor is a “trusted source,” while in other less risky cases, attestation of company conformance to external standards may be appropriate.
Finally, the Final Report recommends increasing government accountability for cyber risk management. It details a four-step process for holding key personnel accountable for upholding cyber standards. Specifically, such personnel should: 1) address cyber risks when a requirement is being defined and a solution is being analyzed; 2) certify that the solicitation includes the appropriate cybersecurity requirements; 3) participate in the proposal evaluation process and provide for consideration of cybersecurity in best value decisions; and 4) continue to monitor post-award performance to the extent relevant to cybersecurity.
The three actions discussed above reflect the increased emphasis on cybersecurity in the acquisition process and indicate that cybersecurity will be an important issue for the acquisition community going forward.
 Tom Barletta is a partner in the Washington D.C. office of Steptoe & Johnson LLP and head of the Government Contracts group. Andy Irwin is a partner in its International Regulation & Compliance and Government Contracts group. George Leris is an attorney in Steptoe’s Privacy and Cybersecurity practice.
What’s Next for Contractor Assistance Visits? Webinar – March 26
The Coalition will be hosting a Myth-Busters webinar focusing on the processes and procedures for Contractor Assistance Visits (CAVs) under the GSA Multiple Award Schedule program. CAVs are conducted by the Industrial Operations Analysts (IOA) from GSA’s Federal Acquisition Service (FAS). MAS contractors can expect 2-3 CAVs over the course of a five year contract period in the current environment. It is vital to contract compliance and your overall business interests to understand the IOA role and expectations for MAS contractors.
Tom Brady, Director, Supplier Management Division, Office of Acquisition Management at GSA’s Federal Acquisition Service will be discussing the respective roles of the Administrative Contracting Officer (ACO) and the IOA. Topics will include the updated review parameters and processes for CAVs as well as key compliance issues (e.g. Industrial Funding Fee) surrounding MAS contracts. This webinar is a “must dial in” event for contractor compliance managers, in house counsel, contracting officers, and executives responsible for management and oversight compliance.
NASA SEWP IV Extended
A FedBizOpps.gov notice released on March 14, explains that the effective ordering period for NASA’s government-wide acquisition vehicle has been extended. NASA’s Solutions for Enterprise Wide Procurement (SEWP) IV contract, originally scheduled to end April 30, will now be extended through October 31, 2014. The extension will allow for sufficient transition time to SEWP V contracts and ensure uninterrupted support to meet critical requirements until the follow-on competitive contracts are awarded.
DoD Releases Annual List of FPI Items
Defense Procurement and Acquisition Policy (DPAP) has released its annual list of product categories in which Federal Prison Industries’ share of the Defense market is greater than five percent. This list impacts the procedures that DoD customers are to follow when purchasing items offered by Federal Prison Industries (FPI).
Based on this year’s list, the following items have a DoD market share greater than five percent and should be competed in accordance with DFARS 208.620-70.
- Metal Screening (FSC 5335)
- Office Furniture (FSC 7110)
- Draperies, Awnings and Shares (FSC 7230)
- Misc. Household and Commercial Furnishings and Appliances (FSC 7290)
- Outerwear, Men’s (FSC 8405)
- Clothing, Special Purpose (FSC 8415)
- Underwear and Nightwear, Men’s (FSC 8420)
- Individual Equipment (FSC 8465)
- Signs, Advertising Displays and Identification Plates (FSC 9905)
For these items, DFARS 208.620-70 requires that competitive procedures (e.g. use of GSA Schedules, full and open competition, and set-asides) apply. Contracting officers must:
- Use competitive procedures, which includes GSA Schedules
- Consider timely offers from FPI
- Evaluate all offers, including FPI, based on evaluation criteria
- Award based on best value
To access DPAP’s FPI memo, visit www.acq.osd.mil/dpap/policy/policyvault/USA000401-14-DPAP.pdf.
Amicus Brief In Re Kellogg Brown & Root, Inc. Petitioner
The Coalition joined several other organizations to file an Amicus Brief in a case that raises a question of how the attorney-client privilege applies to in-house counsel conducting internal investigations. In a qui tam False Claims Act case the district court denied attorney-client privilege to reports from KBR’s internal investigation into possible fraud in the administration of a defense contract in Iraq. The investigation had been undertaken at the direction, and under the supervision, of corporate attorneys.
The district court ordered disclosure of 89 documents, on a theory that materials and reports generated during a government contractor’s internal investigations cannot be privileged because they are “undertaken pursuant to regulatory law and corporate policy rather than for the purpose of obtaining legal advice.” KBR’s petition seeks relief from the district court order compelling disclosure of the documents.
The Coalition believes that this is an important issue to our members. Most large government contracts are subject to the same or similar requirements to maintain codes of business ethics and systems of internal controls as those at issue in the KBR case. Use of corporate counsel to conduct internal investigations is an important tool to assure adequate monitoring and compliance with federal regulations. A decision that negatively impacts the attorney client privilege is a significant disincentive to use of in-house counsel as a part of the process. Diminution of the role of corporate attorneys could significantly decrease the quality and usefulness of internal investigations.
A diverse group of organizations have joined in submitting the amicus brief, indicating the importance of the issue. Other amici include the Chamber of Commerce, Association for Corporate Counsel, National Association of Manufacturers and the American Forest and Paper Association.
Coalition Input on RFP-IT Act
Representatives Anna Eshoo (D-CA) and Gerry Connolly (D-VA) requested the Coalition’s input on a discussion draft of the Reforming Federal Procurement of Information Technology Act (RFP-IT Act). The bill is designed to improve Federal IT Acquisition by creating a new office in the White House to review and guide major IT projects in their initial phases with the goal of improving outcomes for taxpayers. In response to the request, the Coalition has submitted input on the draft bill. To view the response, visit https://thecgp.org/images/Draft-RFP-IT-Act-Coalition-Feedback.pdf.
Bipartisan DHS Acquisition Bill Introduced
On Wednesday, Representatives Jeff Duncan (R-SC), Michael McCaul (R-Texas), Ron Barber (D-AZ) and Steve Daines (R-MT) introduced bipartisan legislation to reform the Department of Homeland Security’s (DHS) acquisition management.
The “DHS Acquisition Accountability and Efficiency Act” requires the Department of Homeland Security (DHS) to improve management of its acquisition programs and processes. Specifically it gives DHS’s chief acquisition officer, the Undersecretary for Management, the authority to approve, stop, modify, or cancel major acquisition programs. Additionally it would direct the department to work to eliminate unnecessary duplication in acquisition programs, among other provisions. The bill also:
- Requires that every major acquisition program have an approved Acquisition Program Baseline (APB) document
- Requires that a Multiyear Acquisition Strategy be included in each Future Years Homeland Security Program
- Alters the role of the Chief Procurement Officer to serve as the main liaison to industry and to oversee a certification and training program for DHS’s acquisition workforce
- Requires DHS to submit to Congress major acquisition programs that fail to meet cost, schedule or performance metrics through quarterly status and accountability reports
The bill is being considered by the House Committee on Homeland Security.
DIA Releases $6 Billion IT Contract
The Defense Intelligence Agency (DIA) has released its request for proposals to industry for its $6 billion Enhanced Solutions for the Information Technology Enterprise (E-SITE) contract. According to the notice on FedBizOpps, the global IT contract will provide worldwide coverage for IT requirements and technical support services through system design, development, fielding, and sustainment of global intelligence and command and control (C2) assets vital to the security of the United States. E-SITE will support classified and unclassified programs on multiple networks and security domains. Federal Times notes that DIA is looking for companies with a track record of innovation and driving adoption of cloud and mobile computing, virtualization and other new technologies.
PBS Releases New Facilities Standards
This week, PBS Commissioner Dorothy Robyn announced the release of the 2014 Facilities Standards for the Public Buildings Service (PBS)—known as the P100. The P100 establishes design standards and criteria for new Federal buildings, repairs and alterations, modernizations, and lease construction facilities with GSA’s option to purchase. It is also a guide for work in historic buildings.
According to a blog post by Commissioner Robyn, the new version of P100 has expanded its focus on outcomes in many areas rather than prescribing exactly how the outcomes should be achieved. For example, “the old P100 required that the HVAC system in all federal buildings use variable air volume (VAV) technology. The new P100 specifies the target performance for an HVAC system—as measured in terms of temperature, humidity, energy efficiency, ventilation and other variables—and leaves it to the designer to decide which technology best achieves that outcome.”
Users of the P100 span the entire spectrum of building professional disciplines both inside and outside of government. To download a copy of the 2014 P100, visit http://www.gsa.gov/portal/category/106319.
DoD to Host Counterfeit Parts Meeting
The Department of Defense (DoD) recently posted a meeting notice in the Federal Register regarding the Detection and Avoidance of Counterfeit Electronic Parts. DoD is hosting the public meeting to obtain the views of experts and interested parties on further implementation of the requirement for detection and avoidance of counterfeit electronic parts, as required by a section of the National Defense Authorization Act for Fiscal Year 2012. The meeting will take place on March 27, 2014, from 9:00 a.m. to 12:00 p.m. at the General Services Administration (GSA) Regional Office Building (ROB Auditorium) at 301 7th Street SW., Washington, DC 20407 (entrance on D Street). Individuals wishing to attend the public meeting should register by March 20, 2014. Interested parties may register here.
GSA Pushes Forward with Integrated Acquisition Environment
A recent report from Government Computer News describes a renewed effort from GSA to update and enhance its system for managing federal contract awards. After encountering months of security and speed issues since the launch of the System for Award Management (SAM), GSA is currently working to mitigate the system’s issues, while simultaneously setting up a roadmap to move away from a single system and toward a set of common services for handling various acquisition functions. The plan in its current form is to roll out its Integrated Acquisition Environment (IAE) through fiscal year 2018. During this time GSA will gradually decommission legacy systems—including the old System for Award Management infrastructure, FedBizOpps, and the Electronic Subcontracting Reporting System—after capturing their data for use in the new IAE, reports ASI Government.
Feedback Requested: PSCs for Alliant II and Alliant II SB
Last week, the Alliant II and Alliant II Small Business team posted to GSA Interact, a new question concerning Product Service Codes (PSC). According to the post, PSCs are used by the United States government to record the products, services, and research and development purchased by the government. The codes indicate what was bought for each contract action reported in the Federal Procurement Data System (FPDS). GSA is interested in feedback from industry on the following questions regarding PSCs:
- Does this list of Product Service Codes adequately represent the work experience you have seen through the current Alliant and Alliant Small Business GWACs and other agency information technology contracts?
- Are we missing any other Product Service Codes aligned to Information Technology (IT) services?
- Are there Product Service Codes listed that should not be listed?
- What advantages do you see in a contract that provides a list of Product Service Codes that would help in the market research and procurement of IT services?
- What types of innovative solutions (i.e. PSC dashboard, apps, research tools, etc.) could be derived by collecting and sharing Product Service Codes?
To respond, please visit the Alliant II and Alliant II SB community on GSA Interact at https://interact.gsa.gov/group/alliant-ii-alliant-small-business-ii-gwacs.