
Friday Flash, 04.25.14

FAR and Beyond Blog

This week’s “FAR and Beyond” blog hits on a couple of items for our membership.  First, here is an update on our May calendar of events.

May 2014 Member Calendar

1. Jan Frye, the Deputy Assistant Secretary for Acquisition and Logistics, U.S. Department of Veterans Affairs, is meeting with the Coalition on May 7, 2014.  The Coalition is extending this unique opportunity to have a small group conversation with the head of one of the largest acquisition and logistics programs in the federal government to the Healthcare and IT/ Services committees.   Jan manages and oversees the development and implementation of policies and procedures for department-wide acquisition and logistics programs supporting all VA facilities. His responsibilities include management of VA’s National Acquisition Center in Hines, Illinois; the Technical Acquisition Center in Eatontown, NJ; the Centers for Acquisition Innovation in Austin, Texas and Washington, D.C.; the VA Acquisition Academy in Frederick, Maryland; and the Denver Acquisition and Logistics Center in Denver, Colorado. He also serves as the VA Senior Procurement Executive.

Join the discussion with Jan Frye to find out more about:

    • Major VA acquisitions across a broad spectrum of items including IT and services
    • VA acquisition priorities
    • Budget outlook

The meeting will be held on May 7 at 10:00 a.m. at the law office of McKenna, Long and Aldridge, 1900 K Street NW, Washington, DC. Members please RSVP to rdicharry@thecgp.org if you would like to attend.

2. Cyber Security Forum on May 22, 2014.  On the morning of May 22nd at the Tower Club in Tysons, the Coalition will be hosting a briefing on “The New Guidance on Cybersecurity Acquisition—What Contracting Professionals Must Learn Now!”   This briefing will provide the latest information on how cybersecurity policy, functional, and operational requirements are flowing into the procurement system.  More importantly, we are structuring the briefing to deliver relevant information that will provide insights on how the evolving cybersecurity framework will impact day-to-day operations and contract performance requirements.  For example, as part of the Alliant follow-on Interact dialogue, GSA recently posted comments seeking feedback on potential approaches to addressing cybersecurity as part of the next Alliant contract vehicle.  In essence, from our members’ perspective, we will endeavor to answer the question:  “How will the ‘new normal’ in cybersecurity impact my organization and my contract vehicles?”

For this event we are very fortunate to have an array of subject matter experts from across the private and public sectors.  Here is the current lineup:

Government Speakers:

Don Johnson, Office of the Under Secretary of Defense for Acquisition, Technology & Logistics (AT&L), DASD (C3Cyber), DoD

Jon Boyens, Senior Advisor for Information Security, National Institute of Standards and Technology (NIST)

Emile Monette, Senior Advisor for Cybersecurity, GSA

Richard Blake, Business Management Specialist, Federal Acquisition Service Enterprise GWAC Center, GSA

Legal Experts:

Tom Barletta, Partner, Steptoe & Johnson LLP

David Z. Bodenheimer, Partner Crowell & Moring LLP

Elizabeth Ferrell, Partner, McKenna Long & Aldridge LLP

Please click here for more information and to register for this important event.   We look forward to seeing you at the Tower Club on May 22nd!

3. Tom Sharpe, Commissioner of the Federal Acquisition Service (FAS), will join the Coalition for a Myth-Busters dialogue on the future of FAS, also in May 2014.  Tom will be outlining his vision for FAS moving forward over the next 3-5 years.  This dialogue will provide a wonderful opportunity to highlight opportunities and strategies for delivering best value for customer agencies and growing FAS’s programs.  More details to follow on this event as we set the day, time and location.

Also in the news is GSA’s launch of an OS2 Dashboard that provides pricing data/information for the OS2 Blanket Purchase Agreements under FSSI.  The Coalition welcomes GSA’s efforts to increase transparency regarding strategic sourcing pricing and savings.  It is an important step in continuing the dialogue on the strategies, results, and impact of FSSI on GSA, customer agencies and contractors.  Next week’s “FAR and Beyond” will examine the pricing information contained on the Dashboard in an effort to further the dialogue regarding FSSI.  The OS2 Dashboard can be found here.

Finally, OMB and GSA are seeking public feedback on the procurement system and contracting programs.  This week OMB and the CAO Council launched a National Dialogue focusing on the procurement system.  The link to the National Dialogue site can be found here.  The Coalition has submitted our consensus recommendations for reforming the procurement system, in particular the GSA Schedules program, to ensure sound business opportunities for contractors that deliver best value outcomes for customer agencies and the American people.   We encourage all our members to participate in the dialogue by supporting ideas submitted on the site and providing your thoughts and recommendations to improve procurement outcomes for all.

Roger Waldron

President


Join the National Dialogue on Federal Procurement

This week, the Chief Acquisition Officers (CAO) Council launched an open dialogue to collect ideas about how to improve the federal acquisition system.  The CAO Council, along with the FAR Council, the CIO Council, GSA and OMB’s Office of Federal Procurement Policy, is opening the online conversation to identify specific rules and requirements, tools, procedures, and practices that impact the efficiency and effectiveness of federal procurement and ways to improve them.

The dialogue is focused on 3 areas:

  1. Reporting and compliance requirements—e.g., opportunities where collection processes and systems can be reengineered or automated, duplicative reporting can be eliminated, the frequency of reporting can be reduced, and outdated compliance thresholds can be changed.
  2. Procurement practices—e.g., opportunities where acquisition strategies can be modernized (to support more efficient and effective acquisition of IT, in particular), where best commercial practices can be utilized, as well as efforts to promote greater consideration of innovative solutions and contracting practices.
  3. Participation by small and minority businesses, new entrants, and non-traditional government contractors—e.g., opportunities for improving existing technical or strategic assistance programs, making buying platforms for finding business opportunities and bidding more user-friendly, and lowering the cost of doing business.

Coalition Recommendations

The Coalition has already submitted our ideas about:

  1. Contract Duplication
  2. Implementation of Other Direct Costs in MAS Contracts
  3. PRC and Multiple Award Schedule Pricing Reform
  4. Extensive Data Collection Requirements
  5. Regulatory Burdens
  6. Clarity Needed for Intellectual Property Rights – GSA Schedules
  7. Restrictive Experience Requirements – GSA Schedules Program
  8. Burdensome Ordering Procedures for BPAs

We encourage members to vote on these ideas and submit your own by visiting http://cxo.dialogue.cao.gov/


GSA Announces 19 Consolidation Projects Nationwide

This week, GSA announced its plans to invest more than $70 million in consolidation projects at 19 Federal locations nationwide.  GSA Administrator Dan Tangherlini said about the projects, “By consolidating these locations we are not just eliminating redundant rents and space, but also encouraging collaboration among government workers by creating open workspace. We’re ushering in a new day for office space throughout the federal government.”

The following is the Consolidated Projects List provided by GSA.

PBS List


Meet Jan Frye on VA Acquisition, May 7

Coalition members are invited to attend a meeting on May 7 with Jan Frye, Deputy Assistant Secretary Office of Acquisition and Logistics at the Department of Veterans Affairs.


This is a unique opportunity for members to hear from Jan Frye on the latest acquisition initiatives at the VA designed to support America’s Veterans.  The May 7 meeting will be at 10:00am at McKenna Long & Aldridge (1900 K Street, Washington, DC 20006). To attend in person, RSVP to Roy Dicharry at rdicharry@thecgp.org.


Sharpe on GSA Management Instructional Letter

This week Federal News Radio published an article about FAS Commissioner Tom Sharpe’s recent instructional letter on the proper role of management in the Schedules program.  Read the article below for an interview with Tom Sharpe on the memo, and thoughts from Coalition President, Roger Waldron, on industry’s perspective.

GSA’s new contracting policy tackles IG’s concerns about management interference

“The General Services Administration is attempting to clarify to managers and vendors alike the proper approach to overseeing the schedules program.

A February memo and policy is part of the way GSA’s Federal Acquisition Service is trying to address a 2013 inspector general report that found examples of improper Read more>>


Managed Mobility Sweetener

In an April 17 blog post, Assistant Commissioner for the Office of Integrated Technology Services (ITS) Mary Davie announced that GSA recently launched the Mobile Lifecycle & Expense Management (ML&EM) site, a component of GSA’s Managed Mobility Program. The site provides resources federal agencies can use in their search for wireless solutions, including a list of service providers that meet ML&EM requirements, various pathways through government-wide acquisition contracts, and other information. According to the post, ML&EM solutions can reduce agency mobile costs, saving up to 25% during initial rollout and 8-10% thereafter. The larger an agency’s mobile footprint, the higher the expected efficiencies and cost savings, but value grows for any agency as its mobile strategy evolves and mobile usage trends up, Davie writes.

In order to enhance the mobile management solutions available to agencies, GSA and a cross-government working group recently documented common government requirements for ML&EM. GSA identified industry partner solutions that meet the bulk of the requirements and mapped those solutions to existing government contracts. To review the blog post in full, click here.


DoD & Intelligence Community Connecting IT Consolidation Efforts

The Intelligence Community is beginning to roll out an interdependent system of IT shared services for all 17 intelligence agencies called the Intelligence Community Information Technology Enterprise (ICITE). James Clapper, the Director of National Intelligence, announced last week that ICITE is ready to start deploying capabilities to agencies after more than two years of development. The DoD is developing a similar effort between the military services and defense agencies with its Joint Information Environment (JIE).

According to Federal News Radio, Defense would like to connect the Intelligence and Defense systems through the Defense Intelligence Information Enterprise (DI2E). To build that bridge, Defense officials would like to repurpose as much material as they can from what the architects of JIE and ICITE are already designing, the article says. The Defense Information Integration (DI2) council, which is in charge of the DI2E initiative, found that there are 183 individual IT services that handle everything the intelligence community currently does. In an effort to streamline and consolidate, the council has identified 10 separate focus areas that it thinks should help bridge the gap between JIE and ICITE. Among these areas are identity and access management, data tagging and time synchronization.


Compliance Lessons from the Office of Inspector General

By: Jack Horan, Partner, McKenna Long & Aldridge LLP

Effective and compliant contract administration should be a primary goal for all government contractors, including, of course, contractors with the Department of Veterans Affairs (VA).  As with any other business goal, compliance should be attained efficiently.  Within the web of statutory, regulatory, and contractual requirements, VA contractors should understand the areas where noncompliance creates the greatest risk and exposure, and spend their resources accordingly.

As with the Offices of Inspectors General throughout the government, the VA Office of Inspector General (OIG) is a central player in the oversight of contracts, enforcing compliance with all major VA statutory, regulatory, and contractual requirements, and redressing compliance failures.  As part of its responsibilities, the VA OIG reports to Congress twice annually on the audits, reviews, and investigations it conducts.[1]  Although intended for other purposes, these reports can assist VA contractors in identifying the requirements that are of the most importance to the VA, and should be most important to the contractor.  In short, VA OIG’s actions over the prior year serve as a lesson to contractors on where to spend their time and money (and the effect of noncompliance).

The VA OIG has “a nationwide staff of auditors, investigators, health care inspectors, and support personnel” in six major component “offices” that conduct “independent oversight reviews to improve the economy, efficiency, and effectiveness of VA programs, and to prevent and detect criminal activity, waste, abuse, and fraud.”  For a VA contractor, the three component offices that are of most importance are:  (1) the Immediate Office of the IG; (2) the Office of Counselor to the IG; and (3) Office of Investigations.[2]

The Immediate Office of the IG is top-tier management, with the Deputy Inspector General operating as the “Chief Operating Officer.”  In addition to “planning, directing and monitoring all [IG] operations,” the Immediate Office establishes investigative priorities for the Office, and identifies and promotes legislative initiatives to Congress.

The new year should bring a new IG to the VA.  On November 6, 2013, George Opfer announced his retirement as IG after more than 44 years of government service.  Mr. Opfer assumed responsibility as Inspector General on November 17, 2005, after being nominated by President George W. Bush.  Although President Obama has not nominated a replacement, Mr. Opfer’s long-time Deputy, Richard Griffin, is currently serving as Acting Inspector General.  Mr. Griffin has been a Deputy Inspector General since November 23, 2008, and previously served as Inspector General from November 1997 to June 2005.

A change in Inspector General can have a significant effect on the priorities, policies, and procedures of an office – as demonstrated by the GSA’s OIG under the direction of the current IG, Brian Miller.  Given his status as Acting Inspector General and his long service under Mr. Opfer, it would be surprising if Mr. Griffin made dramatic changes to the VA OIG’s policies or procedures.  Significant changes will likely come, if at all, under the next IG.

The Office of Counselor provides counsel to the OIG on False Claims Act cases affecting the VA and serves as liaison to the Department of Justice on False Claims Act cases.  The Office of Counselor also manages the Office of Contract Review, which provides pre-award and post-award audits of contractors’ proposals and contracts under an agreement with VA’s Office of Acquisition, Logistics and Construction (OALC).[3]  The majority of pre-award audits are of proposals for contracts or modifications under the VA’s Federal Supply Schedule (FSS) program.  The Office automatically reviews the pricing for all proposals when the estimated contract or modification value exceeds $5,000,000 under Schedule 65IB, Drugs, Pharmaceuticals, and Hematology Related Products, and $3,000,000 for the other VA Schedules.  The Office of Contract Review also reviews pharmaceutical manufacturers’ compliance with the pricing requirements of the Veterans Health Care Act.  Thus, the Office of Contract Review reviews pricing for major VA contracts, ensures the pricing is compliant with contractual, regulatory, and statutory requirements, and provides a recommendation to the contracting officer on the prices the VA should pay for items on large FSS contracts.

So how did the pricing proposed by potential contractors fare with Office of Contract Review?  During fiscal year 2013, the Office conducted 83 pre-award audits of proposals of all types, and identified $655,056,285 in cost savings, or an average of $7.9 million in cost savings per audit.[4]  It’s safe to say that the Office did not routinely accept pricing as proposed by the contractors.

How about proposals for FSS awards, renewals or modifications?  Forty-six of the 83 pre-award audits were of proposals for awards, renewals or modifications under the FSS program[5] – 32 for initial award, ten for renewals, and four for modifications to add products.[6]  The Office recommended a price reduction for 72% (23 of 32) of the audited proposals for initial award.  The Office recommended a total of $470,428,110 in price reductions, with an average of $14.7 million per audit (including all 32 audits).  Thus, offerors submitting proposals for an initial award of an FSS contract fared worse than the average contractor subject to pre-award audits.

With pricing established by the existing contracts, one would expect that the contractor would fare better in pre-award audits for contract renewals.  Contractors did fare better but the Office frequently challenged the proposed pricing.  The Office recommended a total of $18,577,827 in price reductions, with an average of $1,857,783 per audit.  The OIG recommended a price reduction for 60% (six of ten) renewal proposals.

Contractors seeking product additions fared the best over the past year with the OIG recommending price reductions in only 25% (one of four) of its audits.  The one price reduction was a significant one though — $8,615,256.

So, here are the lessons learned from the pre-award audits:

  • Most obviously, the OIG takes a hard look at proposed pricing, in the past year recommending price reductions for 72% of proposals for initial award, 60% of renewal proposals, and 25% of modification proposals.
  • A contractor needs to be prepared to support its pricing not only when it is seeking the initial FSS contract, but also at renewal and for each modification.

Now let’s look at post-award audits – audits conducted to determine whether a contractor is complying with its pricing obligations.  The Office reported 33 post-award audits in fiscal year 2013, which resulted in the VA recovering contract overcharges totaling over $17.6 million.  According to the OIG, approximately $11.7 million of that recovery resulted from compliance with Veterans Health Care Act pricing requirements, recalculation of Federal ceiling prices, and appropriate classification of pharmaceutical products.

Fourteen of the post-award audits were of voluntary disclosures.  The Office claimed more than offered by the contractor in nine of 14 voluntary disclosures.  The average recovery to the VA from voluntary disclosures was $1,157,117.[7]

The VA recovered 100 percent of recommended recoveries for post-award audits.

Lessons learned from post-award audits:

  • Pay close attention to your Veterans Health Care Act pricing – it is a major compliance area for the OIG, comprising the largest recovery area.
  • Be prepared to support your accounting and rationale for any voluntary disclosures.  The disclosure is likely to be audited and the proposed repayment amount is likely to be challenged.
  • Your opportunity to affect the government’s view of your liability is through negotiations with the OIG.  The Office has an excellent record – 100% of the time – of recovering what it determines the VA is due.

Now, a look at the focus of the Office of Investigations over the past fiscal year.  The Office of Investigations (OI) investigates crimes committed against programs and operations of the VA.  Within the OI, the Criminal Investigations division investigates all types of crimes (including criminal fraud as well as rape and murder) and civil fraud.  For fiscal year 2013, the OI reported opening 45 cases, making 11 arrests, and obtaining more than $564.1 million[8] in fines, restitution, penalties, and civil judgments “in the area of procurement practices.”

The OI specifically identified twelve criminal cases involving procurement violations by contractors – all twelve involved service-disabled, veteran-owned small business fraud.  In those cases, the SDVOSB business either misrepresented the eligibility of its owner, or the true ownership of the business.

Lessons learned from the OI:

  • Exposure under the False Claims Act for VA contracts can be very significant – reaching over $500 million in 2013.
  • People get arrested and go to jail for defrauding the VA.
  • If you tell the VA that you are a service-disabled veteran and own and operate a SDVOSB, you had better be a service-disabled veteran and own and operate the SDVOSB.

Finally, one other lesson learned – this one from the structure of the VA OIG.  Contact from either the Office of Contract Review or the Office of Investigations can lead to civil or even criminal liability, but there is a significant difference.  If the contact comes from the Office of Investigations, the issue has likely already been determined to be a potential civil fraud or criminal violation.  There is no doubt that it is time to call your lawyer.


[1] See Semiannual Report to Congress, Issue 69 (October 1, 2012 – March 31, 2013), VA OIG; Semiannual Report to Congress, Issue 70 (April 1 – September 30, 2013), VA OIG.

[2] The three other component offices are the following: (1) the Office of Audits and Evaluations, which audits and evaluates the effectiveness of the Veterans Health Administration programs and Veterans Benefits Administration programs; (2) the Office of Healthcare Inspections, which monitors the healthcare provided to the veterans; and (3) the Office of Management and Administration, which provides comprehensive support services to the VA OIG, and administers the VA OIG Hotline.

[3] The Office of Counselor also supervises the Release of Information Office, which primarily processes Freedom of Information Act and Privacy Act requests for OIG records, as well as other requests for information.

[4] The reports describe the pre-award audits results as “potential cost savings” and “savings and cost avoidance” so it is not clear whether these amounts include audit recommendations ultimately rejected by the contractors.

[5] To provide some perspective, the VA estimates that there are currently 1900 contract holders under its FSS program.

[6] The categorization of the pre-award and post-award audits in this article are based on the description of the audits in Appendix A of the reports.

[7] The OIG’s reports labeled eleven post-award reviews as involving voluntary disclosures with a total recovery to the VA of $12,728,288.

[8] This amount includes a $500 million fine resulting from a False Claims Act case against a large pharmaceutical company.


Legal Corner 

Cybersecurity Takes The Pole Position in 2014 In Federal Acquisitions 

By: Tom Barletta, Partner, Steptoe & Johnson LLP; Andy Irwin, Partner, Steptoe & Johnson LLP; & George Leris, Associate, Steptoe & Johnson LLP [1]

The Obama Administration has been placing greater emphasis on cybersecurity, including enhancing cybersecurity in the acquisition process.  Three of the Administration’s more recent acquisition-related cybersecurity initiatives are discussed below.

Background

On November 18, 2013, the DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements on contractors for safeguarding unclassified controlled technical information and reporting cyber incidents.  On the same day, the DoD also issued an interim rule amending the DFARS to address supply chain security in defense contracts.

More recently, DoD and GSA issued a DoD/GSA Final Report on Improving Cybersecurity through Acquisition (“Final Report”) on January 23, 2014, containing recommendations for incorporating cybersecurity standards into the acquisition planning and contract administration process.  Those recommendations include instituting baseline cybersecurity requirements; improving cybersecurity training; developing common cybersecurity definitions; instituting a federal cyber risk management strategy; purchasing from trusted sources; and increasing government accountability for cyber risk management.

Safeguarding Unclassified Controlled Technical Information and Cyber-Reporting

The DoD final rule and implementing contract clause require a contractor who has access to or stores specific types of unclassified “controlled technical information” (UCTI) to implement certain security standards on its computer network and to report certain “cyber incidents” to DoD.  See DFARS Subpart 204.73 & 252.204-7012; see also DFARS 204.7303 & 212.301 (regarding solicitations and contracts for commercial items).

The final rule focuses on “controlled technical information” — technical data or computer software, as defined in DFARS 252.227-7013, with a “military or space application” that is subject to restrictions on access, release, and disclosure.  In that regard, the final rule references DoD Instruction 5230.24, Distribution Statements on Technical Documents, and (in the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.  Those issuances generally deal with sensitive but unclassified information that is subject to marking or release restrictions under U.S. government programs.  Much of this information is likely to be subject to U.S. export control laws and regulations, such as the International Traffic in Arms Regulations (ITAR).

The final rule imposes three requirements on covered contractors.  First, the contractor must implement certain National Institute of Standards and Technology (NIST) information systems security controls in its project, enterprise, or company-wide unclassified information technology (IT) systems to safeguard any UCTI transiting through or residing in its systems.  These controls, drawn from NIST Special Publication 800-53, Revision 4, cover fourteen areas of information security: access control; awareness and training; audit and accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity.  Alternate methods of protection may be proposed to the contracting officer, and additional security measures beyond the NIST controls may be required if warranted by risk/vulnerability assessments.  (In assessing the security of their information systems, contractors may also want to consult NIST’s more recent Framework for Improving Critical Infrastructure Cybersecurity, issued February 12, 2014, which sets out guidelines and processes for cybersecurity activities.)

Second, the final rule requires a contractor to report to DoD any cyber incident affecting UCTI within 72 hours of discovery of the incident.  The definition of “cyber incident” in the final rule suggests that the term refers to a deliberate use of a computer network (e.g., “hacking”) that has an adverse effect on a contractor’s IT system or the controlled information residing therein.  However, the final rule may have a broader reach, as a “cyber incident” potentially includes “an adverse release” of controlled information (as set forth in DFARS 252.204-7012(d)(1)(xi)), or “any other activities … that allow unauthorized access to the Contractor’s unclassified information system” (as set forth in DFARS 252.204-7012(d)(2)(ii)).  The final rule also requires contractors to further investigate any cyber incident after making the initial report and to cooperate in any DoD damage assessment activities, including responding to requests for information.  The reporting requirement also presents difficult parallel export control considerations for contractors, as they may need to consider whether they should file parallel voluntary self-disclosures with the export control regulatory agencies.

Third, the final rule’s implementing contract clause contains a mandatory flow-down to all tiers of subcontractors, including subcontracts for commercial items.  The final rule does not have a separate definition of “subcontractor,” and vendors that may not consider themselves subcontractors may therefore be subject to the new rule.  For example, the preamble to the final rule states that the requirements can apply to Internet service providers (ISPs) and cloud computing vendors.  Furthermore, if a subcontractor experiences a cyber incident, the final rule requires reporting to the Government through the prime contractor.

Interim Rule on Supply Chain Security

This interim DFARS rule grants “pilot” authority to the DoD (to expire on September 30, 2018) to place certain restrictions on IT supply chains in procurements related to “national security systems” (NSS) (as defined in 44 U.S.C. § 3542(b) and including contractor NSS) in order to address supply chain risks.  Specifically, the interim rule authorizes certain DoD officials to exclude a source for IT, whether acquired as a service or a supply, based on certain qualification standards and evaluation procedures.  It also authorizes them to withhold consent to a subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.

The interim rule includes a new solicitation provision and a new contract clause to be included in all solicitations and contracts for the development or delivery of information technology that are subject to the DFARS (i.e., not just contracts for NSS).  Those provisions give notice that DoD may use its exclusionary authority to manage supply chain risk.  Contractors are required to flow the clause down to “all subcontracts involving the development or delivery of any information technology, whether acquired as a service or supply.”  (Emphasis supplied.)

The interim rule includes required procedures for taking exclusion actions and indicates that those actions should only be taken where there is a significant supply chain risk to a particular NSS.  However, the interim rule does not define what qualification standards or evaluation factors DoD officials will use in considering supply chain risks and excluding supply sources.  Furthermore, the interim rule gives DoD authority to limit disclosure of information relating to an exclusion decision and provides that exclusion actions are not reviewable in a bid protest.

DoD/GSA Final Report on Improving Cybersecurity through Acquisition

The Final Report aims to establish a unified framework to address federal cyber risk management and acquisition processes, and, in particular, cyber risk in the acquisition of commercial information and communications technology.  (The report essentially indicates that it does not apply to acquisition practices applicable to NSS.)

The Final Report identifies several important cyber risk related issues affecting federal acquisitions, and provides joint DoD/GSA recommendations on mitigating them at the federal level.  At the top of the list are intentional or unintentional vulnerabilities that may come from inside or outside the supply chain, but which increase acquisition risk.  The risk of counterfeit, “grey market,” or other nonconforming information and communications technology (ICT) components entering the supply chain also adds to the risk in supply chain management.  Finally, the operations, maintenance, and disposal stages of ICT present significant risks when supervised and/or implemented improperly.  The Final Report indicates that a well-functioning and unified federal acquisition approach to such issues is likely to reduce cybersecurity threats to the supply chain.

To that end, the Final Report lays out six recommendations which aim to reduce exposure to cyber risks in commercial ICT federal acquisition.  First, it recommends establishing “baseline cybersecurity requirements” as a condition to awarding a contract.  These requirements encompass basic protections (e.g., up-to-date virus protection and software patches; multiple-factor logical access; and methods ensuring data confidentiality).  These elements should be expressed as technical requirements, should include performance measures, and should be clearly described in the relevant contract language.  Importantly, the Final Report recommends that these requirements be harmonized with other FAR/DFARS rulemaking actions, including the final rule discussed above on safeguarding UCTI in contractor IT systems.

Second, the Final Report recommends increasing the cybersecurity awareness of employees and entities working in federal acquisitions.  It suggests that additional education and training opportunities for employees involved with procurements will lead to improved cyber risk management, including avoiding over-specifying and under-specifying cybersecurity requirements.  It also proposes a government-sponsored cybersecurity outreach campaign targeting stakeholders to familiarize them with the government’s changing approach to cybersecurity.

Third, the Final Report recommends adopting common cybersecurity definitions for federal acquisitions.  It acknowledges that use of unclear and inconsistently defined terms in the acquisition process (e.g., “cyber incident”) can lead to “suboptimal outcomes for both cybersecurity and efficiency” (e.g., changes, terminations, and disputes).  The Final Report suggests that having common definitions will reduce problems with, inter alia, cost estimates, solicitations, and award and performance of contracts.

Fourth, the Final Report recommends the creation of an interagency “federal acquisition cyber risk management strategy,” which would identify a unified hierarchy of cyber risks. It would also develop “overlays” – i.e., sets of flexible, risk-based security requirements and supplemental guidance – that an agency would tailor to its specific needs for specific products.  These overlays would, for example, identify different security controls depending on the type of acquisition.  As the Final Report highlights, different acquisitions present different risks and warrant different cybersecurity responses.  Applying standardized but flexible overlays across market segments and similar types of procurement will, according to the report, reduce the costs and duration associated with an acquisition.

Fifth, the Final Report emphasizes that federal agencies must ensure that the goods they acquire are authentic, as any sub-par goods drastically increase cyber risks (e.g., they may arrive with outdated security updates, or be built to different specifications).  Accordingly, it recommends identifying “trusted sources” – manufacturers, suppliers, or resellers – and taking other steps, appropriate to the particular acquisition, to qualify vendors as a means of reducing cyber risks. Further, the Final Report indicates that in cases involving the greatest risk, it may be appropriate for government personnel to determine whether a vendor is a “trusted source,” while in other, less risky cases, attestation of company conformance to external standards may be appropriate.

Finally, the Final Report recommends increasing government accountability for cyber risk management.  It details a four-step process for holding key personnel accountable for upholding cyber standards.  Specifically, such personnel should: 1) address cyber risks when a requirement is being defined and a solution is being analyzed; 2) certify that the solicitation includes the appropriate cybersecurity requirements; 3) participate in the proposal evaluation process and provide for consideration of cybersecurity in best value decisions; and 4) continue to monitor post-award performance to the extent relevant to cybersecurity.

Conclusion

The three actions discussed above reflect the increased emphasis on cybersecurity in the acquisition process and indicate that cybersecurity will be an important issue for the acquisition community going forward.


[1] Tom Barletta is a partner in the Washington D.C. office of Steptoe & Johnson LLP and head of the Government Contracts group.   Andy Irwin is a partner in its International Regulation & Compliance and Government Contracts group. George Leris is an attorney in Steptoe’s Privacy and Cybersecurity practice.


FedRAMP Security Standards Transition Plan

On Tuesday of this week, the General Services Administration released deadlines for cloud vendors to adopt revised security standards.  The revisions reflect changes in revision 4 of the NIST SP 800-53 security control baseline. The FedRAMP (Federal Risk and Authorization Management Program) program management office (PMO) anticipates publishing the new FedRAMP security control baseline and associated templates on or about June 1, 2014. The released transition plan provides guidance to vendors on meeting the new baseline security standards. The applicable deadlines vary depending on where vendors are in the certification process. There will be about 72 new security requirements and 140 to 150 controls that will have to be tested.

For the categorization table explaining next steps in the certification process and to view the transition guidance, click here.


Off the Shelf: Trends in Big MACs


This week on “Off the Shelf”, Roger Waldron interviews Brian Friel, government spending analyst at Bloomberg Government.  Friel provides market analysis and commentary on the federal government’s largest multiple award contracts (Big MACs) in Fiscal Year 2013.

In addition, Friel identifies the overall year on year trends in contract usage for Big MACs with a special focus on the top 15 contract vehicles.

He also provides his take on GSA Schedules in 2013 and GSA’s new OASIS contract vehicle. To listen to the program, visit www.federalnewsradio.com/80/3609552/Trends-in-Big-MACs.


GSA Sustainability Training for Vendors, April 28

GSA will host an online training session called Sustainability: Changing Vendors’ Procurement Responses on April 28 at 1:00 EDT.  Part of the “Doing Business with GSA” series, it is designed to provide vendors with a deeper look at partnering with GSA.  This session is for current and potential contractors who understand the value of providing sustainable products and services. For more information and to register, visit http://gsa.gov/portal/content/184107.


Invitation to IAE Industry Day, May 13

GSA has reached out to the Coalition to invite members to a virtual meeting on the Integrated Award Environment (IAE) on May 13.  The following is GSA’s invitation to industry:

You are invited to participate in GSA’s next Integrated Award Environment’s industry outreach event on May 13, 2014 from 1:30 p.m. to 3:00 p.m. EST. Focused on Transparency in the Integrated Award Environment (IAE), this virtual meeting is intended for technical audiences considering possible implementations that may meet GSA’s future needs.

Please register online for this informative and interactive event.

The upcoming event builds on a series of outreach events that includes a webcast that occurred in April and an Industry Day that happened in December.  The April 7 webcast focused on the target technical architecture and the establishment of a Common Services platform to include everything from identity and access management, hosting and APIs as well as data stores and search. We spoke to the concept of “containerization” and how we will use Agile development and continuous integration to allow for rapid, controlled development.  The December 2013 Industry Day centered on IAE’s overall high-level architecture and its architectural principles.  In both presentations (available in the IAE Industry Community on Interact), we emphasized a core principle of IAE’s architecture is that it is open.

The May 13 event will explore what we mean by ‘open’ and expand on how this applies to the future IAE environment. We will discuss five transparencies in the context of product, data, service, operations, and processes.  We also will discuss the implications that openness has on continuous integration, the code repository, and what our business processes will need to look like in order to achieve this key architectural principle.  This will lead us to some key questions about the capabilities we are acquiring within the IAE Common Services, IAE Technical Governance and IAE DevOps/IV&V contracts, so we hope you will take part in the discussion.

A recording of the full event, all handouts, and other materials will be posted online in the Interact IAE Industry Community following the event. Please send any questions regarding the webcast to IAEoutreach@gsa.gov.

We look forward to your participation, feedback, and input!

Navin Vembar

Director, GSA IT Integrated Award Environment Division

Judith Zawatsky

IAE Director of Outreach & Stakeholder Management


DHA Industry Day in Mid-July

This morning the Defense Health Agency (DHA) posted an announcement on FedBizOpps.gov about its upcoming industry day. DHA is contemplating the solicitation and award of the fourth generation of Defense Medical Information Systems/Systems Integration, Design Development, Operations and Maintenance Services (D/SIDDOMS 4). D/SIDDOMS 4 will provide for systems integration, design, development, operations, and maintenance services to the Military Health System (MHS), system components, and the Department of Veterans Affairs.

It was anticipated that an Industry Day for this opportunity would be held in mid-May 2014. DHA now estimates that the Industry Day will be in mid-July.  DHA will post an additional notice on FedBizOpps when more information is available.  Members who have questions may direct them to the Contracting Officer, Ms. Sarah Davis, 210-295-3023, sarah.m.davis36.civ@mail.mil. Follow The Coalition on Twitter and through the Flash to stay updated on the specifics for the industry day.


Performance-Based Payments Guidance from DPAP

In an April 17 memorandum, Director of Defense Pricing Shay Assad provided additional policy and guidance on the use of performance-based payments (PBPs). In the memo, Assad directs contracting officers to review open PBP contracts with significant PBP event values remaining to determine if PBP amounts fairly represent event values. “If there is a misalignment of PBPs and event values, which is indicated when PBP amounts are greater than the costs incurred, contracting officers should seek legal counsel to assess corrective actions, which may include renegotiation of PBP event values,” the memo says. Additionally, the PBP Guide and PBP analysis tool have been updated and are located on the Defense Procurement and Acquisition Policy (DPAP) website.


Proposed Rule on Personal Conflicts of Interest

A proposed rule was published on April 2, 2014 to amend the Federal Acquisition Regulation (FAR) to extend the limitations on contractor employee personal conflicts of interest to apply to the performance of all functions that are closely associated with inherently governmental functions and contracts for personal services.  Responses are due June 2, 2014.  The Coalition will follow up with members to see if you would like us to submit comments.


Proposed Rule: Use of FSS By Non-Federal Entities

GSA published a proposed rule on April 17, 2014 to amend the General Services Administration Acquisition Regulation (GSAR) to provide for increased access to GSA’s Federal Supply Schedules.  The rule proposes that use of the Schedules extend to the American Red Cross and other qualified organizations in certain circumstances.  These organizations include National Voluntary Organizations Active in Disaster (NVOAD) and state and local governments.

The rule also proposes that all users of the Schedules, including non-Federal users, follow GSA guidance including FAR 8.4.  However, non-Federal users may use different established competitive ordering procedures if such procedures are needed to satisfy their state or local acquisition regulations and/or organizational policies.

Lastly, the proposed rule would allow state and local governments to use the Schedules to facilitate disaster preparedness and response.  Comments are due June 16, 2014.  Members who would like to provide input for the Coalition’s comments, please contact Aubrey Woolley at awoolley@thecgp.org.


FAR Proposed Rule: Reps and Certs

A proposed rule was published in the Federal Register on April 23, 2014 to standardize language regarding representations and certifications.  The FAR Council is proposing to revise the language at FAR subpart 4.12, Representations and Certifications, and add a new clause at FAR 52.204–X to standardize the incorporation by reference of representations and certifications in contracts. The commercial items clause at FAR 52.212–4 will have a new paragraph (v) to cover this issue for commercial items.  To access the proposed rule, visit www.gpo.gov/fdsys/pkg/FR-2014-04-23/pdf/2014-09231.pdf.  Comments are due June 23, 2014.


CGP Briefing: The New Guidance on Cybersecurity Acquisition – What Contracting Professionals Must Learn Now

The Tower Club, Tysons Corner, VA

May 22, 2014, 8:00AM – 11:00AM, Registration 7:30AM

Registration Fee: Premier Member $95; Standard Member $145; Non-Member $215

The Coalition will be hosting a morning panel discussion and workshop on the implications for contractors of the new DoD and GSA final report and guidance on cybersecurity acquisition – including an overview and update on the Draft Implementation Plan and:

  • Improving Cybersecurity and Resilience through Acquisition – Final Report of the Department of Defense and General Services Administration (January 23, 2014)
  • Management Strategy Considerations on the Draft Implementation Plan (March 12, 2014)
  • Framework for Improving Critical Infrastructure Cybersecurity, the National Institute of Standards and Technology (NIST) (February 12, 2014)
  • The DoD (DFARS) Final Rule on enhanced safeguards for unclassified CTI (controlled technical information) (November 18, 2013)
  • The President’s Executive Order, EO 13636 (February 12, 2013)
  • The Status of Proposed and Pending Federal Legislation

The specific recommendations from the DoD – GSA Final Report include:

  • Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
  • Address Cybersecurity in Relevant Training
  • Develop Common Cybersecurity Definitions for Federal Acquisitions
  • Institute a Federal Acquisition Cyber Risk Management Strategy
  • Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, In Appropriate Acquisitions
  • Increase Government Accountability for Cyber Risk Management

A primary purpose of the DoD – GSA Final Report is to recommend strategic guidelines for acquisition practitioners.  In addition to covering the substantive materials, panelists will discuss the following issues as they relate to the new guidance, NIST Framework, and DFARS rule:

  • How government, schedule, and commercial contractors should prepare and respond to the new guidance in proposal efforts
  • Is it likely that the new guidance will move from voluntary to mandatory for contractors in the near future?
  • With an estimated $46 Billion spent on global critical infrastructure cybersecurity in 2013, how much is enough?
  • Are Risk Management principles and Best Practices management sufficient in this current threat and vulnerability environment?
  • Are there implications in the new guidance for the certification and qualifications of FedRAMP contractors in providing cloud services?

Discussions will likely include Cloud issues as well as network security and certification. The two panels will include the following confirmed speakers:

  • Jon Boyens, Senior Advisor for Information Security, NIST
  • David Z. Bodenheimer, Partner, Crowell & Moring LLP
  • Beth Ferrell, Partner, McKenna Long & Aldridge
  • Tom Barletta, Partner, Steptoe & Johnson

We are confident that the information, sources, and resources covered will strengthen your cybersecurity efforts and expand your knowledge in this critical area and we look forward to your participation.

To register, click HERE!
