
Friday Flash, 04.04.14

FAR and Beyond Blog

I can’t believe our Spring Training Conference is already less than a week away, coming up next week on Thursday, April 10th!  As the Vice President of Membership and Marketing here at The Coalition, my number one priority is to form a relationship with each of our members and gain a solid understanding of their business so that we as an organization can help maximize the value The Coalition provides, with the help of your feedback.  Our Spring Training Conference offers the perfect setting, the trifecta of 1) education and training; 2) discussion and discourse; and 3) networking and camaraderie.

We will begin the morning focusing on the education piece, hearing Cameron Leuthy, Senior Budget Analyst at Bloomberg Government, talk about Selling in the Federal Market – Who’s Buying and Who’s Not.  Cameron will be followed by an excellent panel discussion on Oversight and Enforcement – The OIG Perspective, which will be moderated by Angela Styles of Crowell & Moring, and will include panelists Richard Levi, Counsel to the Inspector General, GSA; and Maureen Regan, Counsel to the Inspector General, VA.  Next up is our Legal Panel discussion on Maximizing the Benefits, Avoiding the Risks, led by Jason Workmaster of McKenna Long & Aldridge; Jonathan Aronie of Sheppard-Mullin; and David Dowd of Mayer Brown.  Following the legal panel you will have the pleasure of listening to Harry Hallock, Deputy Assistant Secretary for the US Army, discuss Army Acquisition – Current and Future Initiatives.  Our last panel discussion will be held after lunch and titled Government-Wide Acquisition Summit.  This discussion will be moderated by Bill Gormley of The Gormley Group and will include panelists Dr. Angela Billups, Senior Procurement Executive, Associate Deputy Assistant Secretary for Acquisition, HHS; Richard Ginman, Director, Defense Acquisition and Procurement Policy; and Jeffrey Koses, Senior Procurement Executive, GSA.

After the conclusion of the Government-Wide Acquisition Summit, we will move on to the piece of the day that allows for great discussions by way of breakout sessions.  You will be able to attend two out of eight sessions based on what topic is most relevant to you.  These will be hour-long sessions complete with presentations, but will also provide the opportunity to ask questions directly to the presenters!  The first group of breakout sessions you can choose from includes The GSA Acquisition Centers; The GSA Services Portfolio; Doing Business with DHS; and an Update on Government-Wide IT Acquisitions.  The second group of breakout sessions will consist of Small Business Preferences – What Does it Mean for Your Business; Air Force Strategic Sourcing – What’s the Current Status and What’s Next?; The GSA Schedule Crystal Ball – What to Expect for the Program and its Pricing Policy; and The GSA Category Management – What Does it Mean to Your Business?

The third piece of the puzzle is networking, and there will be plenty of it!  The morning will get kicked off with breakfast and networking, sponsored by The George Washington University.  We will have a morning break sponsored by The Gormley Group and 3M where you will be able to grab some extra coffee and a snack before heading back into the main session.  Lunch will be an excellent opportunity to spend an hour getting to know new faces and making business connections, and is being sponsored by Deloitte and AMERICAN SYSTEMS.  Finally, the day will conclude with a networking reception sponsored by Berkeley Research Group, complete with open bar and appetizers.

I would like to recognize the contributions from all of our sponsors, especially our Title Sponsor, Bloomberg Government; our Gold Sponsor, Johnson & Johnson Health Care Systems; our Silver Sponsor, Deltek; and our Media Sponsor, Federal News Radio, who will be set up all day at the Marriott broadcasting live during the day’s events!  Additionally, a big thank you to all our Keystone Members and Strategic Partners who make events like this possible in the first place.

If you haven’t registered yet, please do so today as space is filling up fast!  For everyone else, please find me and introduce yourself if we haven’t already met.  A lot of hard work goes into creating this successful event and we couldn’t be more excited it’s just around the corner.  From all of us at The Coalition, we look forward to welcoming you to our 2014 Spring Training Conference!

Sincerely,

Matt Cahill

Vice President of Membership and Marketing

 

Join The Coalition’s 2014 Spring Training Conference!


 

Want to actively participate in discussions and hear directly from acquisition leaders at DoD, DHS, HHS, VA, and GSA? Now’s your chance!  Register for The Coalition for Government Procurement’s Spring Training Conference taking place on April 10th!

Featured Speakers include:

  • Harry Hallock, Deputy Assistant Secretary, United States Army
  • Jan Frye, Deputy Assistant Secretary, Office of Acquisition and Logistics
  • Cameron Leuthy, Senior Budget Analyst, Bloomberg Federal
  • Richard Levi, Counsel to the Inspector General, GSA
  • Maureen Regan,  Counsel to the Inspector General, VA
  • Richard Ginman, Director of Defense Procurement and Acquisition Policy, DoD
  • Jeffrey Koses, Senior Procurement Executive, GSA

Discussion Topics include:

  • The Future of Federal Acquisition – What’s on the Horizon
  • Selling in the Federal Market – Who’s Buying and Who’s Not
  • Oversight and Enforcement – The OIG Perspective
  • Maximizing the Benefits, Avoiding the Risks—The Latest in Contract Compliance and Regulatory Changes
  • Army Acquisition – Current and Future Initiatives
  • Government-wide Acquisition Summit

Breakout Sessions Include:

  • The GSA Acquisition Centers – Updates for 2014
  • The GSA Services Portfolio
  • Doing Business with DHS – New Guidelines for Acquiring Services; Eagles Update
  • Government-wide IT Acquisitions – Updates for 2014
  • Small Business Preferences – What’s Going Right and What Needs Improvement?
  • Air Force Strategic Sourcing – What’s the Current Status and What’s Next?
  • The GSA Schedule Crystal Ball – What to Expect for the Program and its Pricing Policy
  • The GSA Category Management – What Does it Mean to your Business?

View the Agenda Here!

Register Here!

Interested in being a sponsor?  Check out our sponsorship opportunities here or contact Matt Cahill at mattcahill@thecgp.org.

 

Calculating GSA Schedule Price Reductions

The Coalition has recently received questions from members about the impact of a recent Federal Acquisition Service (FAS) Instructional Letter on the applicability of the Price Reductions Clause (PRC).  Carolyn Alston, Executive Vice President and General Counsel at the Coalition, addressed this topic in the Friday Flash a few weeks ago.  The following is a reprint of her article:

FAS Instructional Letter – Calculating Price Reductions

GSA issued FAS Instructional Letter 2013-06 on September 16, 2013, to provide guidance on clause I-FSS-125, Requirements Exceeding the Maximum Order.  The clause is no longer used in GSA Schedule contracts.  An Office of the Inspector General (OIG) audit last spring found that the clause remained in some old contracts and further found that the OIG disagreed with how contractors interpreted the clause.

The Instructional Letter does not change any policy regarding when a price decrease to a commercial customer will trigger a reduction to the government pursuant to the GSA Schedule Price Reductions Clause.  Rather, the instructional letter addresses how the amount of the price reduction to the government should be calculated.  Specifically, it states the government’s position that if a price reduction is triggered, the reduction must be applied to all government orders regardless of size.  For example:

Assume that

    1. Government and contractor both agree that the Basis of Award customer received a 2% price decrease
    2. The Maximum Order Threshold  is $1 million
    3. Total sales to the government under the GSA schedule contracts were $15 million
      a. The government has 10 orders under $1 million dollars, totaling $5 million
      b. The government has an additional 5 orders over $1 million totaling $10 million

The Instructional Letter would take the position that the price reduction owed to the government is 2% of $15 million.  The OIG audit found that MAS contractors previously took the position that the 2% should be applied only to orders under the MO; in this example $5 million.  You can read the entire Instructional Letter here.

 

Breakout Sessions at Spring Conference

Coalition members have consistently said over the years that the afternoon breakout sessions at the Spring Conference are the most valuable offerings during the event.  These small group discussions with acquisition leaders from the government on specific programs and contracts provide members with a unique opportunity to learn about new initiatives and opportunities.  The following is a list of the breakout sessions that will be available at the 2014 Spring Conference next Thursday, April 10 in Falls Church, Virginia.

Session One Breakouts

1. The GSA Acquisition Centers
Join the GSA Acquisition Center Directors for a discussion of their latest initiatives and priorities.  New product offerings, price negotiation methodologies, Strategic Sourcing…now is the time to ask your questions!

Shaloy Castle-Higgins, Director, Greater Southwest Acquisition Center
Janet Haynes, Schedules Acquisition Acting Director, Center for Facilities Maintenance and Hardware
Peter Han, Director, National Administrative Services and Office Supplies Acquisition Center*
Brian Knapp, Director, Integrated Workplace Acquisition Center*

* GSA Speaker subject to approval process

 

2. The GSA Services Portfolio
Change is coming soon!  From the newly launched OASIS to new strategies in managing the portfolio, get ahead of the curve by attending this informative breakout session.    

Tiffany Hixon, Regional Commissioner, Federal Acquisition Service
Geri Watson, Director, Services Acquisition Center
Bruce Spainhour, Director, Center for Innovation Acquisition Development
Jim Ghiloni, Acting Director, Acquisition Operations

3. Doing Business with DHS
The mission is huge:  preventing terrorism and securing our borders, safeguarding cyberspace and strengthening national preparedness and resilience. Get an update on DHS Acquisition Programs that support critical missions.

Jose Arrieta, Procurement Ombudsman
David Grant, Head of Contracting Activity, FEMA
Michael Smith, Director, Strategic Sourcing Program Office

 

4. Update on Government-wide IT Acquisitions
This session will highlight major acquisition programs supporting the acquisition of government wide IT programs, including CIOSP, Alliant, NASA SEWP, GSA Schedule 70 and more!  Don’t miss this opportunity for information that helps enhance your performance in the IT market.

Christopher Fornecker, Acting Deputy Assistant Commissioner, Integrated Technology Service, GSA
Darlene Coen, Deputy Program Manager, NASA SEWP, NASA
Robert Coen, Acting Director, NIH Information Technology Acquisition and Assessment Center (NITAAC)
Kay Ely, Director, IT Schedule Acquisition Center

 

Session Two Breakouts

1. Small Business Preferences – What does it mean for your business?
Small business participation is a strategic goal of the current administration.  Whether your business is small or large, you must understand the program to succeed in the federal market. This session will help small businesses understand the changing federal market.

Judith Roussel, Director, Office of Government Contracting, Small Business Administration
Magdy Bastawrous, Office of Acquisition Management, General Services Administration, FAS

 

2. Air Force Strategic Sourcing – What’s the current status and what’s next?
This is a great opportunity to learn more about acquisition strategies for $155B in existing and planned contracts for services across the Air Force.

Randall Culpepper, Air Force Program Executive Officer, Combat and Mission Support

 

3. The GSA Schedule Crystal ball – What to expect for the program and its pricing policy
The Schedules program is the largest commercial item program in the federal government but its pricing policy is decades old.  How will GSA update the pricing policy to accommodate 21st century acquisition trends?

Robert Bourne, Division Director, Acquisition Management Center
Mark Lee, Deputy Director, Office of General Services Acquisition Policy, Integrity & Workforce Office of Government-wide Policy

4. The GSA Category Management – What does it mean to your business?
GSA is changing the way it manages its portfolio.  Is it an organizational change? Will it impact how you contract with GSA or sell to customer agencies?  Who’s in charge? Come to this session to learn more about category management and how it impacts the way contractors interface with GSA.

Amanda Fredriksen, Assistant Commissioner for Strategic Business Planning
Beth Foltz, Office of Strategic Planning

 

To view the full agenda for the 2014 Spring Conference and register to attend, visit https://thecgp.org/event/2014-spring-training-conference-opportunities-for-success-in-the-federal-market.

 

FSSI Furniture Team Announces Virtual Industry Day

The General Services Administration has released an event notice on the Interact page for FSSI – Furniture. On Tuesday, April 15, 2014 from 10:00AM to 12:00PM EST, GSA will be holding a virtual meeting to engage commercial industry and to gather input regarding the development of a potential government-wide strategic sourcing program for furniture products and services.

GSA asks that vendors register for the event by Monday, April 14, 2014 at 12:00PM EST. Information to connect to the meeting will be sent to all registered attendees on Monday, April 14, 2014. You can register for the session using this link: Register Here

All questions regarding this event and anything related to strategic sourcing for furniture can be directed towards the team through this GSA Interact site or emailed directly to FSSI.furniture@gsa.gov

 

GAO on Major Automated Information Systems

In a report released last week, the Government Accountability Office (GAO) recommended that select Major Automated Information Systems (MAIS) for the DoD implement key acquisition practices in order to stay within planned cost estimates and meet schedule and performance targets. According to the DoD Instruction manual 5000.02, a Major Automated Information System is defined as “a system of computer hardware, computer software, data or telecommunications that performs functions such as collecting, processing, storing, transmitting, and displaying information.” In 2011, DoD allotted at least $5.6 billion for designated MAIS programs.

The GAO found that of 14 selected DoD MAIS programs, 9 had stayed within their planned cost estimates, while 5 did not. 5 programs remained on schedule, while 9 experienced delays, and 8 programs met their system performance targets.  5 did not fully meet their targets. Overall, 3 programs stayed within their planned cost and schedule estimates and 2 programs experienced shortcomings in cost, schedule, and performance.


An additional three programs including the Navy Consolidated Afloat Networks and Enterprise Services (CANES) Program, the Army’s Global Combat Support System (GCSS)-Army program and the Air Force Defense Enterprise Accounting and Management System (DEAMS) were scrutinized further regarding their risk management actions.  The programs were assessed against best practices for requirements management and project monitoring and control.

The GAO recommends that DoD direct the Army’s GCSS program to address weaknesses in its risk management and independent verification and validation practices. DoD concurred with these recommendations and provided additional information that removed the need for a third recommendation regarding the Air Force’s DEAMS program.

 

OMB on the Growth in Cloud Services

According to a report in Federal Times, civilian agencies plan to spend more than $2.8 billion on cloud solutions this year, with the vast majority of funding slated for software services hosted in private clouds. Data provided by the Office of Management and Budget (OMB) concludes that $2.2 billion of those funds will be invested in private cloud models, where infrastructure is provisioned exclusively for an agency. Federal Times notes that since 2012, cloud investments have grown by nearly a billion dollars across civilian agencies according to OMB data. Additionally, Software-as-a-Service, which includes email and collaboration tools, continues to be the preferred delivery or service model for agency cloud purchases.

 

Compliance Lessons from the Office of Inspector General

By: Jack Horan, Partner, McKenna Long & Aldridge LLP

Effective and compliant contract administration should be a primary goal for all government contractors, including, of course, contractors with the Department of Veterans Affairs (VA).  As with any other business goal, compliance should be attained efficiently.  Within the web of statutory, regulatory, and contractual requirements, VA contractors should understand the areas where noncompliance creates the greatest risk and exposure, and spend their resources accordingly.

As with the Offices of Inspectors General throughout the government, the VA Office of Inspector General (OIG) is a central player in the oversight of contracts, enforcing compliance with all major VA statutory, regulatory, and contractual requirements, and redressing compliance failures.  As part of its responsibilities, the VA OIG reports to Congress twice annually on the audits, reviews, and investigations it conducts.[1]  Although intended for other purposes, these reports can assist VA contractors in identifying the requirements that are of the most importance to the VA, and should be most important to the contractor.  In short, VA OIG’s actions over the prior year serve as a lesson to contractors on where to spend their time and money (and the effect of noncompliance).

The VA OIG has “a nationwide staff of auditors, investigators, health care inspectors, and support personnel” in six major component “offices” that conduct “independent oversight reviews to improve the economy, efficiency, and effectiveness of VA programs, and to prevent and detect criminal activity, waste, abuse, and fraud.”  For a VA contractor, the three component offices that are of most importance are:  (1) the Immediate Office of the IG; (2) the Office of Counselor to the IG; and (3) Office of Investigations.[2]

The Immediate Office of the IG is top-tier management, with the Deputy Inspector General operating as the “Chief Operating Officer.”  In addition to “planning, directing and monitoring all [IG] operations,” the Immediate Office establishes investigative priorities for the Office, and identifies and promotes legislative initiatives to Congress.

The new year should bring a new IG to the VA.  On November 6, 2013, George Opfer announced his retirement as IG after more than 44 years of government service.  Mr. Opfer assumed responsibility as Inspector General on November 17, 2005, after being nominated by President George W. Bush.  Although President Obama has not nominated a replacement, Mr. Opfer’s long-time Deputy, Richard Griffin, is currently serving as Acting Inspector General.  Mr. Griffin has been a Deputy Inspector General since November 23, 2008, and previously served as Inspector General from November 1997 to June 2005.

A change in Inspector General can have a significant effect on the priorities, policies, and procedures of an office – as demonstrated by the GSA’s OIG under the direction of the current IG, Brian Miller.  Given his status as Acting Inspector General and his long service under Mr. Opfer, it would be surprising if Mr. Griffin made dramatic changes to the VA OIG’s policies or procedures.  Significant changes will likely come, if at all, under the next IG.

The Office of Counselor provides counsel to the OIG on False Claims Act cases affecting the VA and serves as liaison to the Department of Justice on False Claims Act cases.  The Office of Counselor also manages the Office of Contract Review, which provides pre-award and post-award audits of contractors’ proposals and contracts under an agreement with VA’s Office of Acquisition, Logistics and Construction (OALC).[3]  The majority of pre-award audits are of proposals for contracts or modifications under the VA’s Federal Supply Schedule (FSS) program.  The Office automatically reviews the pricing for all proposals when the estimated contract or modification exceeds $5,000,000 under Schedule 65IB, Drugs, Pharmaceuticals, and Hematology Related Products, and $3,000,000 for the other VA Schedules.  The Office of Contract Review also reviews pharmaceutical manufacturers’ compliance with the pricing requirements of the Veterans Health Care Act.  Thus, the Office of Contract Review reviews pricing for major VA contracts and ensures the pricing is compliant with contractual, regulatory, and statutory requirements, and provides a recommendation to the contracting officer on the prices the VA should pay for items on large FSS contracts.

So how did the pricing proposed by potential contractors fare with Office of Contract Review?  During fiscal year 2013, the Office conducted 83 pre-award audits of proposals of all types, and identified $655,056,285 in cost savings, or an average of $7.9 million in cost savings per audit.[4]  It’s safe to say that the Office did not routinely accept pricing as proposed by the contractors.

How about proposals for FSS awards, renewals or modifications?  Forty-six of the 83 pre-award audits were of proposals for awards, renewals or modifications under the FSS program[5] – 32 for initial award, ten for renewals, and four for modifications to add products.[6]  The Office recommended a price reduction for 72% (23 of 32) of the audited proposals for initial award.  The Office recommended a total of $470,428,110 in price reductions, with an average of $14.7 million per audit (including all 32 audits).  Thus, offerors submitting proposals for an initial award of an FSS contract fared worse than the average contractor subject to pre-award audits.

With pricing established by the existing contracts, one would expect that the contractor would fare better in pre-award audits for contract renewals.  Contractors did fare better but the Office frequently challenged the proposed pricing.  The Office recommended a total of $18,577,827 in price reductions, with an average of $1,857,783 per audit.  The OIG recommended a price reduction for 60% (six of ten) renewal proposals.

Contractors seeking product additions fared the best over the past year with the OIG recommending price reductions in only 25% (one of four) of its audits.  The one price reduction was a significant one though — $8,615,256.

So, here are the lessons learned from the pre-award audits:

  • Most obviously, the OIG takes a hard look at proposed pricing, in the past year rejecting 72% of pricing proposed for initial award, 60% for renewals, and 25% for modifications.
  • A contractor needs to be prepared to support its pricing not only when it is seeking the initial FSS contract, but also at renewal and for each modification.

Now let’s look at post award audits – audits conducted to determine whether a contractor is complying with its pricing obligations.  The Office reported 33 post-award audits in fiscal year 2013, which resulted in the VA recovering contract overcharges totaling over $17.6 million.  According to the OIG, approximately $11.7 million of that recovery resulted from Veterans Health Care Act compliance with pricing requirements, recalculation of Federal ceiling prices, and appropriate classification of pharmaceutical products.

Fourteen of the post-award audits were of voluntary disclosures.  The Office claimed more than offered by the contractor in nine of 14 voluntary disclosures.  The average recovery to the VA from voluntary disclosures was $1,157,117.[7]

The VA recovered 100 percent of recommended recoveries for post-award audits.

Lessons learned from post-award audits:

  • Pay close attention to your Veterans Health Care Act pricing – it is a major compliance area for the OIG, comprising the largest recovery area.
  • Be prepared to support your accounting and rationale for any voluntary disclosures.  The disclosure is likely to be audited and the proposed repayment amount is likely to be challenged.
  • Your opportunity to affect the government’s view of your liability is through negotiations with the OIG.  The Office has an excellent record – 100% of the time – of recovering what it determines the VA is due.

Now, a look at the focus of the Office of Investigations over the past fiscal year.  The Office of Investigations (OI) investigates crimes committed against programs and operations of the VA.  Within the OI, the Criminal Investigations division investigates all types of crimes (including criminal fraud as well as rape and murder) and civil fraud.  For fiscal year 2013, the OI reported opening 45 cases, making 11 arrests, and obtaining more than $564.1 million[8] in fines, restitution, penalties, and civil judgments “in the area of procurement practices.”

The OI specifically identified twelve criminal cases involving procurement violations by contractors – all twelve involved service-disabled, veteran-owned small business fraud.  In those cases, the SDVOSB business either misrepresented the eligibility of its owner, or the true ownership of the business.

Lessons learned from the OI:

  • Exposure under the False Claims Act for VA contracts can be very significant – reaching over $500 million in 2013.
  • People get arrested and go to jail for defrauding the VA.
  • If you tell the VA that you are a service-disabled veteran and own and operate a SDVOSB, you better be a service-disabled veteran and own and operate the SDVOSB.

Finally, one other lesson learned – this one from the structure of the VA OIG.  Contact by the Office of Contract Review and the Office of Investigations can both lead to civil or even criminal liability, but there is a significant difference.  If the contact comes from the Office of Investigations, the issue has already likely been determined to be a potential civil fraud or criminal violation.  There is no doubt that it is time to call your lawyer.


[1] See Semiannual Report to Congress, Issue 69 (October 1, 2012 – March 31, 2013), VA OIG; Semiannual Report to Congress, Issue 70 (April 1 – September 30, 2013), VA OIG.

[2] The three other component offices are the following: (1) the Office of Audits and Evaluations, which audits and evaluates the effectiveness of the Veterans Health Administration programs and Veterans Benefits Administration programs; (2) the Office of Healthcare Inspections, which monitors the healthcare provided to the veterans; and (3) the Office of Management and Administration, which provides comprehensive support services to the VA OIG, and administers the VA OIG Hotline.

[3] The Office of Counselor also supervises the Release of Information Office, which primarily processes Freedom of Information Act and Privacy Act requests for OIG records, as well as other requests for information.

[4] The reports describe the pre-award audits results as “potential cost savings” and “savings and cost avoidance” so it is not clear whether these amounts include audit recommendations ultimately rejected by the contractors.

[5] To provide some perspective, the VA estimates that there are currently 1900 contract holders under its FSS program.

[6] The categorization of the pre-award and post-award audits in this article is based on the description of the audits in Appendix A of the reports.

[7] The OIG’s reports labeled eleven post-award reviews as involving voluntary disclosures with a total recovery to the VA of $12,728,288.

[8] This amount includes a $500 million fine resulting from a False Claims Act case against a large pharmaceutical company.

 

Legal Corner 

Cybersecurity Takes The Pole Position in 2014 In Federal Acquisitions 

By: Tom Barletta, Partner, Steptoe & Johnson LLP; Andy Irwin, Partner, Steptoe & Johnson LLP; & George Leris, Associate, Steptoe & Johnson LLP [1]

The Obama Administration has been placing greater emphasis on cybersecurity, including enhancing cybersecurity in the acquisition process.  Three of the Administration’s more recent acquisition related cybersecurity initiatives are discussed below.

Background

On November 18, 2013, the DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements on contractors for safeguarding unclassified controlled technical information and reporting cyber incidents.  On the same day, the DoD also issued an interim rule amending the DFARS to address supply chain security in defense contracts.

More recently, DoD and GSA issued a DoD/GSA Final Report on Improving Cybersecurity through Acquisition (“Final Report”) on January 23, 2014, containing recommendations for incorporating cybersecurity standards into the acquisition planning and contract administration process.  Those recommendations include instituting baseline cybersecurity requirements; improving cybersecurity training; developing common cybersecurity definitions; instituting a federal cyber risk management strategy; purchasing from trusted sources; and increasing government accountability for cyber risk management.

Safeguarding Unclassified Controlled Technical Information and Cyber-Reporting

The DoD final rule and implementing contract clause require a contractor who has access to or stores specific types of unclassified “controlled technical information” (UCTI) to implement certain security standards on its computer network and to report certain “cyber incidents” to DoD.  See DFARS 304.734 & 252.204-7012; see also DFARS 204.703 & 212.301 (regarding solicitations and contracts for commercial items).

The final rule focuses on “controlled technical information” — technical data or computer software, as defined in DFARS 252.227-7013, with a “military or space application” that is subject to restrictions on access, release, and disclosure.  In that regard, the final rule references DoD Directive 5230.24, Distribution Statements on Technical Documents, and (in the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.  Those Directives generally deal with sensitive but unclassified information that is subject to marking or release restrictions under U.S. government programs.  Much of this information is likely to be subject to US export control laws and regulations, such as the International Traffic in Arms Regulations (ITAR).  

The final rule imposes three requirements on covered contractors.  First, the contractor must implement certain National Institute of Standards and Technology (NIST) information systems security procedures in its project, enterprise, or company-wide unclassified information technology (IT) systems to safeguard any UCTI transiting through or residing in its systems.  These procedures, drawn from NIST Special Publication 800-53, Revision 4, cover fourteen areas of information security: access control; awareness and training; accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity.  Alternate methods of protection may be proposed to the contracting officer, and additional security measures beyond the NIST procedures may be required if warranted by risk/vulnerability assessments.  (In assessing the security of their information systems, contractors may also want to consult NIST’s more recent, February 12, 2014 Framework for Improving Infrastructure Cybersecurity, which sets out guidelines and processes for cybersecurity activities.)

Second, the final rule requires a contractor to report to DoD any cyber incident affecting UCTI within 72 hours of the incident.  The definition of “cyber incident” in the final rule suggests that the term refers to a deliberate use of a computer network (e.g., “hacking”) that has an adverse effect on a contractor’s IT system or the controlled information residing therein.  However, the final rule may have a broader reach, as a “cyber incident” potentially includes “an adverse release” of controlled information (as set forth in DFARS 252.204-7012(d)(1)(xi)), or “any other activities … that allow unauthorized access to the Contractor’s unclassified information system” (as set forth in DFARS 252.204-7012(d)(2)(ii)).  The final rule also requires contractors to further investigate any cyber incidents after making the initial report and to cooperate in any DoD damage assessment activities, including responding to requests for information.  The reporting requirement also presents difficult export control considerations for contractors, as they may need to consider whether they should file parallel self-disclosures with the export control regulatory agencies.

Third, the final rule’s implementing contract clause contains a mandatory flow down to all tiers of subcontractors, including to subcontracts for commercial items.  The final rule does not have a separate definition of “subcontractor,” and vendors that may not consider themselves subcontractors may therefore be subject to the new rule.  For example, the preamble to the final rule states that the requirements can apply to Internet service providers (ISPs) and cloud computing vendors.  Furthermore, if a subcontractor experiences a cyber incident, the final rule requires reporting to the Government through the prime contractor.

Interim Rule on Supply Chain Security

This interim DFARS rule grants “pilot” authority to the DoD (to expire on September 30, 2018) to place certain restrictions on IT supply chains in procurements related to “national security systems” (NSS) (as defined in 44 U.S.C. § 3542(b) and including contractor NSS) in order to address supply chain risks.  Specifically, the interim rule authorizes certain DoD officials to exclude a source for IT, whether acquired as a service or a supply, based on certain qualification standards and evaluation procedures.  It also authorizes them to withhold consent to a subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.

The interim rule includes a new solicitation provision and a new contract clause to be included in all solicitations and contracts for the development or delivery of information technology that are subject to the DFARS (i.e. not just for contracts for NSS).  Those provisions give notice that DoD may use its exclusionary authority to manage supply chain risk.  Contractors are required to flow the clause down to “all subcontracts involving the development or delivery of any information technology, whether acquired as a service or supply.”  (Emphasis supplied).

The interim rule includes required procedures for taking exclusion actions and indicates that those actions should only be taken where there is a significant supply chain risk to a particular NSS.  However, the interim rule does not define what qualification standards or evaluation factors DoD officials will use in considering supply chain risks and excluding supply sources.  Furthermore, the interim rule gives DoD authority to limit disclosure of information relating to exclusion decisions and provides that exclusion actions are not reviewable in a bid protest.

DoD/GSA Final Report on Improving Cybersecurity through Acquisition

The Final Report aims to establish a unified framework to address federal cyber risk management and acquisition processes, and, in particular, cyber risk in the acquisition of commercial information and communications technology.  (The report essentially indicates that it does not apply to acquisition practices applicable to NSS.)

The Final Report identifies several important cyber risk related issues affecting federal acquisitions, and provides joint DoD/GSA recommendations on mitigating them at the federal level.  At the top of the list are intentional or unintentional vulnerabilities that may come from inside or outside the supply chain, but which increase acquisition risk.  The risk of counterfeit, “grey market,” or other nonconforming information and communications technology (ICT) components entering the supply chain also adds to the risk in supply chain management.  Finally, the operations, maintenance, and disposal stages of ICT present significant risks when supervised and/or implemented improperly.  The Final Report indicates that a well-functioning and unified federal acquisition approach to such issues is likely to reduce cybersecurity threats to the supply chain.

To that end, the Final Report lays out six recommendations which aim to reduce exposure to cyber risks in commercial ICT federal acquisition.  First, it recommends establishing “baseline cybersecurity requirements” as a condition to awarding a contract.  These requirements encompass basic protections (e.g., up-to-date virus protection and software patches; multiple-factor logical access; and methods ensuring data confidentiality).  These elements should be expressed as technical requirements, include performance measures, and be clearly described in the relevant contract language.  Importantly, the Final Report recommends that these requirements be harmonized with other FAR/DFARS rulemaking actions, including the final rule discussed above on safeguarding UCTI in contractor IT systems.

Second, the Final Report recommends increasing the cybersecurity awareness of employees and entities working in federal acquisitions.  It suggests that additional education and training opportunities for employees involved with procurements will lead to improved cyber risk management, including avoiding over-specifying and under-specifying cybersecurity requirements.  It also proposes a government-sponsored cybersecurity outreach campaign targeting stakeholders to familiarize them with the government’s changing approach to cybersecurity.

Third, the Final Report recommends adopting common cybersecurity definitions for federal acquisitions.  It acknowledges that use of unclear and inconsistently defined terms in the acquisition process (e.g., “cyber incident”) can lead to “suboptimal outcomes for both cybersecurity and efficiency” (e.g., changes, terminations, and disputes).  The Final Report suggests that having common definitions will reduce problems with, inter alia, cost estimates, solicitations, and award and performance of contracts.

Fourth, the Final Report recommends the creation of an interagency “federal acquisition cyber risk management strategy,” which would identify a unified hierarchy of cyber risks.  It would also develop “overlays” – i.e., sets of flexible, risk-based security requirements and supplemental guidance – that an agency would tailor to its specific needs for specific products.  These overlays would, for example, identify different security controls depending on the type of acquisition.  As the Final Report highlights, different acquisitions present different risks and warrant different cybersecurity responses.  Applying standardized but flexible overlays across market segments and similar types of procurement will, according to the report, reduce the costs and duration associated with an acquisition.

Fifth, the Final Report emphasizes that federal agencies must ensure that the goods they acquire are authentic, as any sub-par goods drastically increase cyber risks (e.g., they may arrive with outdated security updates, or built to different specifications).  Accordingly, it recommends identifying “trusted sources” – manufacturers, suppliers, or resellers – and taking other steps, appropriate to the particular acquisition, to qualify vendors as a means of reducing cyber risks.  Further, the Final Report indicates that in cases involving the greatest risk, it may be appropriate for government personnel to determine whether a vendor is a “trusted source,” while in other less risky cases, attestation of company conformance to external standards may be appropriate.

Finally, the Final Report recommends increasing government accountability for cyber risk management.  It details a four-step process for holding key personnel accountable for upholding cyber standards.  Specifically, such personnel should: 1) address cyber risks when a requirement is being defined and a solution is being analyzed; 2) certify that the solicitation includes the appropriate cybersecurity requirements; 3) participate in the proposal evaluation process and provide for consideration of cybersecurity in best value decisions; and 4) continue to monitor post-award performance to the extent relevant to cybersecurity.

Conclusion

The three actions discussed above reflect the increased emphasis on cybersecurity in the acquisition process and indicate that cybersecurity will be an important issue for the acquisition community going forward.


[1] Tom Barletta is a partner in the Washington D.C. office of Steptoe & Johnson LLP and head of the Government Contracts group.   Andy Irwin is a partner in its International Regulation & Compliance and Government Contracts group. George Leris is an attorney in Steptoe’s Privacy and Cybersecurity practice.

 

Take the Strategic Sourcing Survey

The Coalition invites members to take the Strategic Sourcing Survey.  The results will be used as the basis for our Strategic Sourcing White Paper, which will provide feedback to the Government on the current approach to strategic sourcing and recommendations to achieve savings and increase transparency and efficiency.  We are especially interested in hearing from members impacted by current and future FSSI initiatives.

Strategic Sourcing Survey (members only)

www.surveymonkey.com/s/HPM5P8H

We sincerely appreciate your survey responses! If there is anything you think we should be asking that is not included in the survey, please let us know.  The contact is Roy Dicharry (rdicharry@thecgp.org).

 

DISA milCloud Launches Cloud Services

Recently, the Defense Information Systems Agency (DISA) announced its DoD-wide cloud service named milCloud. The cloud services system is designed to reduce the DoD’s costs and increase control, flexibility and security for classified and controlled unclassified information, reports FCW. milCloud is a shared virtual data center that will allow DoD components to manage, store, and network resources using a self-service, on-demand model. DISA has assessed milCloud against DoD Information Assurance Certification and Accreditation Process (DIACAP) security standards and controls. The bulk of DoD’s cloud savings is expected to occur at Impact Levels 3-5, which signify higher-risk unclassified data. However, commercial providers have yet to be assessed against these standards. FCW notes that DISA Chief Technology Officer David Mihelcic said he anticipates formal assessments at Impact Levels 3-5 to begin in the second quarter of 2014. Draft standards for vendors to meet Impact Level 6 requirements have not yet been formally released.

 

Off the Shelf: The State of the National Security Market


This week on “Off the Shelf”, David Ramirez, general manager of the Federal Solutions business unit at the L-3 National Security Solutions group, discusses innovation in the federal market. Ramirez provides his insights on the current state of the national security market and what customer agencies are seeking in terms of services, solutions and technologies. He also outlines key trends with IDIQ contracts as an important, critical procurement channel for customer agencies and contractors. Readers can listen to the program here.

 

The Coalition on In Depth with Francis Rose

This week, the Coalition’s Roger Waldron joined Francis Rose on In Depth to discuss the importance of the supplier relationship to GSA.  Ultimately, the fulfillment of GSA’s mission is reliant upon the “three legged stool”—cooperation between customer agencies, GSA and its business partners.  To listen to the discussion, click here.

 

Proposed Rule on Personal Conflicts of Interest

A proposed rule was published on April 2 to amend the Federal Acquisition Regulation (FAR) to extend the limitations on contractor employee personal conflicts of interest to apply to the performance of all functions that are closely associated with inherently governmental functions and contracts for personal services.  Responses are due June 2, 2014.  The Coalition will follow up with members to see if you would like us to submit comments.

 

NASA Proposal Adequacy Checklist Finalized

A recent final rule from NASA notes that the agency has adopted as final, without change, a proposed rule amending the NASA FAR Supplement (NFS) to incorporate a proposal adequacy checklist for proposals in response to solicitations that require the submission of certified cost or pricing data. The rule took effect on March 28. The rule supports the NASA Assistant Administrator for Procurement’s ‘‘Reducing Transaction Costs in NASA Procurements’’ initiative by incorporating the requirement for a proposal adequacy checklist into the NFS. According to NASA, the purpose is to ensure offerors take responsibility for submitting thorough, accurate, and complete proposals. The provision will be included in solicitations that require the submission of certified cost or pricing data.

 

DoE Deficient Business Systems Rule

The Department of Energy (DoE) has published a notice of proposed rulemaking that would amend the DoE Acquisition Regulation (DEAR) to define a contractor’s business system as its accounting system, estimating system, purchasing system, earned value management system, and property management system. DoE is proposing to implement compliance enforcement through the addition of a contractor business system clause and related clauses, allowing contracting officers to withhold a percentage of payments when a contractor’s business system contains significant deficiencies. Written comments on the proposed rule are due close of business June 2, 2014.

 

Bloomberg and the Coalition MACs Webinar

How are multiple award contracts (MACs) changing the government acquisition landscape?

Join Bloomberg Government, in partnership with The Coalition for Government Procurement, for a webinar on Wednesday, April 9 at 2:00pm EDT. Industry experts will be on hand to offer their exclusive analysis of major contracting trends and discuss how MACs will impact the way companies do business with the government.

IN THIS WEBINAR, YOU WILL LEARN:

  • The top MAC opportunities broken down by industry
  • Major contracting trends including vehicle consolidation and a shift away from single awards to multiple award contracts
  • The competitive landscape for contracting including task order and bidding details and incumbency trends
  • How small businesses have been performing on MACs
  • The top MACs to watch over the next year

SPEAKERS:

  • Roger Waldron, President, The Coalition for Government Procurement
  • Miguel Garrido, Quantitative Analyst, Bloomberg Government
  • Brian Friel, Government Spending Analyst, Bloomberg Industries

Register Here!
