FAR and Beyond Blog
This week’s focus is on Thought Number Eight of the Fourteen Foods for Thought in 2014: “The follow-on Networx procurement: Time for a GSA Schedules telecommunications solution.” In April GSA’s Integrated Technology Services (ITS) issued an Enterprise Infrastructure Solutions (EIS) Request for Information #QTA00NS14THI3001 (the RFI). The RFI seeks public input/feedback on the Network Services 2020 (NS2020) Strategy to meet future Federal information technology and telecommunications needs. The RFI can be found here. The closing date for receipt of comments is May 8, 2014 at 4 pm.
The contract structure envisioned by NS2020 acquisition strategy will have major implications for competition in the federal market. Moreover, the NS2020 strategy creates significant questions regarding duplication among GSA’s government wide contract portfolio. The concerns regarding the NS2020 proposed acquisition strategy center on the scope of services contemplated by the RFI and designation of mandatory services and optional services. The following chart from the RFI (Page 5, Figure 2: EIS Services) sets forth the categories and scope of proposed NS2020 services:
The RFI states that “[f]or services, the minimum mandatory requirement will be for voice and data services as identified in Figure 2.” See page 6 of the RFI. The RFI provides that in order to be eligible for award under NS2020 an offeror must propose compliant voice and data services as identified in Figure 2. The remaining products/services identified in Figure 2 are optional: (1) Data Center; (2) Network & Security Equipment; (3) Cabling; (4) Managed Services; (5) Service-Related Labor; and (6) Call Center Services. As optional items under NS2020, an offeror may or may not include them in its proposal. However, in order to be eligible to provide optional products/services, an offeror must propose the minimum mandatory voice and data services.
The minimum/mandatory structure, combined with the optional products/services will unduly restrict competition. The practical impact will be to restrict the ability of cloud service providers, call center providers and a host of equipment suppliers from competing directly for requirements under NS2020. In essence, the acquisition strategy bundles requirements in a manner that will limit competition to a small subset of the information technology and telecommunications market. For example, there are a host of cloud service providers working through GSA’s FedRAMP program that are able to compete for and provide cloud services across the federal government. Will NS2020 shut these firms out of the market? How will the bundling impact small business?
Moreover, NS2020’s proposed scope and structure duplicate major portions of pre-existing GSA government wide contract vehicles, including Alliant and the GSA Schedules. NS2020’s approach is also inconsistent with the contract structure used in the OASIS procurement which maximized competition across the services marketplace. The OASIS structure left it to the offerors to decide which “pools” or functional areas to propose—there was no minimum mandatory set of services.
NS2020 is the fourth generation procurement for telecommunications services managed by GSA: (1) FTS 2000; (2) FTS2001; (3) Networx; and now (4) NS2020. In each generation it appears that the transition costs and timing have become more and more challenging. Perhaps it is time to consider a GSA Schedules telecommunications solution. The GSA Schedules provide flexibility to offer a suite of services while not limiting competition across the market. Continuous open seasons would ensure access to the commercial telecommunication market on an ongoing basis, meaning greater access to new services, products and technologies. The 20-year contract period would provide greater stability and ease concerns regarding the timing for task order competitions and transitions. Most importantly, GSA, as the statutory manager of the GSA Schedules program, has the discretion to structure a telecommunications Schedule that maximizes competition from the commercial market.
The Coalition will be submitting member comments in response to the RFI and looks forward to a positive dialogue with ITS.
The Tower Club, Tysons Corner, VA
May 22, 2014, 8:00AM – 11:00AM, Registration 7:30AM
Registration Fee: Premier Member $95; Standard Member $145; Non-Member $215
The Coalition will host a morning panel discussion and workshop on the implications for contractors of the new DoD and GSA final report on cybersecurity acquisition – including an overview and update on the Draft Implementation Plan and NIST cybersecurity requirement for critical infrastructure.
- Jon Boyens, Senior Advisor for Information Security, NIST
- Emile Monette, Senior Advisor for Cybersecurity, GSA Office of Mission Assurance
- Don Johnson, USD (AT&L) | DASD (C3Cyber)
- Richard Blake, Business Management Specialist with GSA’s Federal Acquisition Service Enterprise GWAC Center, San Diego (pending travel approval)
- Ken Evans Jr., Deputy Product Manager for the Army Information Warfare Product Office
- Tom Barletta, Partner, Steptoe & Johnson
- David Z. Bodenheimer, Partner, Crowell &
- Beth Ferrell, Partner, McKenna Long & Aldridge
- More to come!
A primary purpose of the DoD – GSA Final Report is to recommend strategic guidelines for acquisition practitioners. In addition to covering the substantive materials, panelists will discuss the following issues as they relate to the new guidance, NIST Framework, and DFARS rule:
- How government, schedule, and commercial contractors should prepare and respond to the new guidance in proposal efforts
- Is it likely that the new guidance will move from voluntary to mandatory for contractors in the near future?
- With an estimated $46 Billion spent on global critical infrastructure cybersecurity in 2013, how much is enough?
- Are Risk Management principles and Best Practices management sufficient in this current threat and vulnerability environment?
- Are there implications in the new guidance for the certification and qualifications of FedRAMP contractors in providing cloud services?
We are confident that the information, sources, and resources covered will strengthen your cybersecurity efforts and expand your knowledge in this critical area and we look forward to your participation.
To register, click HERE!
All Coalition members have the opportunity to vote to improve the Federal acquisition system as part of the National Dialogue on procurement—before voting ends on Monday.
The Government is using the information (and vote count!) collected during the National Dialogue to set the acquisition policy agenda moving forward.
The Coalition has submitted member recommendations to the Dialogue at http://cxo.dialogue.cao.gov/ based on what we have heard from you, e.g., Update the MAS Pricing Policy, Remove the PRC, and Implement ODCs.
We ask that you support greater efficiency and effectiveness in our acquisition system today by taking no more than 10 minutes to vote for Coalition member recommendations.
How to Vote:
- Register at http://cxo.dialogue.cao.gov/
- Go to the Reporting and Compliance, Procurement Rules and Practices, and Small Business Participation Campaigns
- For each Campaign, click “I Agree” next to the following member recommendations:
  - Contract Duplication
  - Failure to Implement Other Direct Costs in MAS Contracts
  - PRC Removal and Multiple Award Schedule Pricing Reform
  - Extensive Data Collection Requirements
  - Clarity Needed for Intellectual Property Rights – GSA Schedules
  - Restrictive Experience Requirements – GSA Schedules Program
  - Burdensome Ordering Procedures for BPAs
If you have any technical problems, send an email to firstname.lastname@example.org for assistance.
Remember the National Dialogue closes Monday, May 5 so act today to make sure your company’s vote is counted!
In order to demonstrate savings and its commitment to small business, GSA has released its Federal Strategic Sourcing Initiative (FSSI) Second Generation Office Supplies (OS2) Savings and Small Business Dashboard. According to a post on GSA Interact, the OS2 dashboard was developed as a key component of GSA’s goal to increase transparency and its ongoing support of small business, veterans, and taxpayers. The interactive dashboard displays pricing and sales data with the aim of demonstrating cumulative cost savings and small business participation. With the FSSI Office Supplies (OS2) solution launched in 2010, GSA reports saving the government more than $364 million as of February 2014 and increasing Small Business utilization from 67% to 76%. Additionally, GSA estimates that the next Office Supplies FSSI contract, OS3, will save the Government $65 million a year in administrative costs.
GSA’s 18F will host a “behind the scenes” Demo Day next Friday, May 9! 18F is GSA’s new in-house digital delivery team that works with agencies to deliver on their mission through the development of digital and web services. The following is 18F’s event announcement posted at https://18f.gsa.gov/.
Don’t miss this opportunity to go behind the scenes with 18F, GSA’s new digital incubator. Hatched at GSA HQ in Washington, DC, 18F is building tools for a 21st century digital government. Come see what the team is working on and meet the folks delivering these exciting new services.
Space is limited. Please Register Now! Registration is open to the government and the public.
Registration – 8:00 a.m. to 8:30 a.m. (Valid Government-Issued ID Required for Building Access)
Welcome – David McClure, Assoc. Administrator, Citizen Services and Innovative Technologies
Opening Remarks – Dan Tangherlini, GSA Administrator
Ignite Sessions – Lena Trudeau, Assoc. Commissioner, Strategic Innovations
Interactive Demonstrations – 18F Team
According to a recent study completed by the Government Accountability Office (GAO), the Department of Homeland Security (DHS) could better manage its acquisition portfolio and improve its communications with Congress.
In response to requests from Congress, the GAO was tasked with examining (1) the prevalence of funding instability at DHS and its effects on major acquisition programs, (2) the extent to which DHS develops multi-year funding plans in accordance with key portfolio management practices, and (3) the extent to which DHS has complied with reporting requirements for major acquisition programs’ multi-year funding plans. To conduct the study, GAO reviewed DHS’s recent annual funding plans and solicited input from 35 of DHS’s largest acquisition program offices.
The GAO found that the funding plans for 35 of the DHS acquisition programs changed from fiscal years 2012 to 2014, though the instability affected some programs more than others. Additionally, program officials reported that funding instability negatively affected 17 of the 35 programs, contributing to schedule slips, cost growth, and capability reductions.
Among other recommendations, the GAO recommended that the Secretary of Homeland Security update the guidance to fully reflect the following two portfolio management practices:
- Establish standard assessment criteria to ensure transparency and comparability across alternatives
- Continually make go/no-go decisions to rebalance the portfolio.
This week the Office of Personnel Management (OPM) and the General Services Administration (GSA) announced a new strategic sourcing multiple award contract vehicle to support OPM’s Training and Management Assistance (TMA) program. A signed Memorandum of Understanding (MOU) established that the vehicle will be jointly managed by GSA and OPM. The vehicle will provide customized human capital and training services to all agencies. According to the GSA press release, the solution plans to leverage GSA’s acquisition expertise in combination with OPM’s skills in human capital and training programs. OPM and GSA plan to have the new contract in place in fiscal 2015.
By: Jack Horan, Partner, McKenna Long & Aldridge LLP
Effective and compliant contract administration should be a primary goal for all government contractors, including, of course, contractors with the Department of Veterans Affairs (VA). As with any other business goal, compliance should be attained efficiently. Within the web of statutory, regulatory, and contractual requirements, VA contractors should understand the areas where noncompliance creates the greatest risk and exposure, and spend their resources accordingly.
As with the Offices of Inspectors General throughout the government, the VA Office of Inspector General (OIG) is a central player in the oversight of contracts, enforcing compliance with all major VA statutory, regulatory, and contractual requirements, and redressing compliance failures. As part of its responsibilities, the VA OIG reports to Congress twice annually on the audits, reviews, and investigations it conducts. Although intended for other purposes, these reports can assist VA contractors in identifying the requirements that are of the most importance to the VA, and should be most important to the contractor. In short, VA OIG’s actions over the prior year serve as a lesson to contractors on where to spend their time and money (and the effect of noncompliance).
The VA OIG has “a nationwide staff of auditors, investigators, health care inspectors, and support personnel” in six major component “offices” that conduct “independent oversight reviews to improve the economy, efficiency, and effectiveness of VA programs, and to prevent and detect criminal activity, waste, abuse, and fraud.” For a VA contractor, the three component offices that are of most importance are: (1) the Immediate Office of the IG; (2) the Office of Counselor to the IG; and (3) the Office of Investigations.
The Immediate Office of the IG is top-tier management, with the Deputy Inspector General operating as the “Chief Operating Officer.” In addition to “planning, directing and monitoring all [IG] operations,” the Immediate Office establishes investigative priorities for the Office, and identifies and promotes legislative initiatives to Congress.
The new year should bring a new IG to the VA. On November 6, 2013, George Opfer announced his retirement as IG after more than 44 years of government service. Mr. Opfer assumed responsibility as Inspector General on November 17, 2005, after being nominated by President George W. Bush. Although President Obama has not nominated a replacement, Mr. Opfer’s long-time Deputy, Richard Griffin, is currently serving as Acting Inspector General. Mr. Griffin has been a Deputy Inspector General since November 23, 2008, and previously served as Inspector General from November 1997 to June 2005.
A change in Inspector General can have a significant effect on the priorities, policies, and procedures of an office – as demonstrated by the GSA’s OIG under the direction of the current IG, Brian Miller. Given his status as Acting Inspector General and his long service under Mr. Opfer, it would be surprising if Mr. Griffin made dramatic changes to the VA OIG’s policies or procedures. Significant changes will likely come, if at all, under the next IG.
The Office of Counselor provides counsel to the OIG on False Claims Act cases affecting the VA and serves as liaison to the Department of Justice on False Claims Act cases. The Office of Counselor also manages the Office of Contract Review, which provides pre-award and post-award audits of contractors’ proposals and contracts under an agreement with VA’s Office of Acquisition, Logistics and Construction (OALC). The majority of pre-award audits are of proposals for contracts or modifications under the VA’s Federal Supply Schedule (FSS) program. The Office automatically reviews the pricing for all proposals when the estimated contract or modification exceeds $5,000,000 under Schedule 65IB, Drugs, Pharmaceuticals, and Hematology Related Products, and $3,000,000 for the other VA Schedules. The Office of Contract Review also reviews pharmaceutical manufacturers’ compliance with the pricing requirements of the Veterans Health Care Act. Thus, the Office of Contract Review reviews pricing for major VA contracts, ensures the pricing is compliant with contractual, regulatory, and statutory requirements, and provides a recommendation to the contracting officer on the prices the VA should pay for items on large FSS contracts.
So how did the pricing proposed by potential contractors fare with Office of Contract Review? During fiscal year 2013, the Office conducted 83 pre-award audits of proposals of all types, and identified $655,056,285 in cost savings, or an average of $7.9 million in cost savings per audit. It’s safe to say that the Office did not routinely accept pricing as proposed by the contractors.
How about proposals for FSS awards, renewals or modifications? Forty-six of the 83 pre-award audits were of proposals for awards, renewals or modifications under the FSS program – 32 for initial award, ten for renewals, and four for modifications to add products. The Office recommended a price reduction for 72% (23 of 32) of the audited proposals for initial award. The Office recommended a total of $470,428,110 in price reductions, with an average of $14.7 million per audit (including all 32 audits). Thus, offerors submitting proposals for an initial award of an FSS contract fared worse than the average contractor subject to pre-award audits.
With pricing established by the existing contracts, one would expect that the contractor would fare better in pre-award audits for contract renewals. Contractors did fare better but the Office frequently challenged the proposed pricing. The Office recommended a total of $18,577,827 in price reductions, with an average of $1,857,783 per audit. The OIG recommended a price reduction for 60% (six of ten) renewal proposals.
Contractors seeking product additions fared the best over the past year with the OIG recommending price reductions in only 25% (one of four) of its audits. The one price reduction was a significant one though — $8,615,256.
So, here are the lessons learned from the pre-award audits:
- Most obviously, the OIG takes a hard look at proposed pricing, in the past year rejecting 72% of pricing proposed for initial award, 60% for renewals, and 25% for modifications.
- A contractor needs to be prepared to support its pricing not only when it is seeking the initial FSS contract, but also at renewal and for each modification.
Now let’s look at post-award audits – audits conducted to determine whether a contractor is complying with its pricing obligations. The Office reported 33 post-award audits in fiscal year 2013, which resulted in the VA recovering contract overcharges totaling over $17.6 million. According to the OIG, approximately $11.7 million of that recovery resulted from compliance with Veterans Health Care Act pricing requirements, recalculation of Federal ceiling prices, and appropriate classification of pharmaceutical products.
Fourteen of the post-award audits were of voluntary disclosures. The Office claimed more than offered by the contractor in nine of 14 voluntary disclosures. The average recovery to the VA from voluntary disclosures was $1,157,117.
The VA recovered 100 percent of recommended recoveries for post-award audits.
Lessons learned from post-award audits:
- Pay close attention to your Veterans Health Care Act pricing – it is a major compliance area for the OIG, comprising the largest recovery area.
- Be prepared to support your accounting and rationale for any voluntary disclosures. The disclosure is likely to be audited and the proposed repayment amount is likely to be challenged.
- Your opportunity to affect the government’s view of your liability is through negotiations with the OIG. The Office has an excellent record – 100% of the time – of recovering what it determines the VA is due.
Now, a look at the focus of the Office of Investigations over the past fiscal year. The Office of Investigations (OI) investigates crimes committed against programs and operations of the VA. Within the OI, the Criminal Investigations division investigates all types of crimes (including criminal fraud as well as rape and murder) and civil fraud. For fiscal year 2013, the OI reported opening 45 cases, making 11 arrests, and obtaining more than $564.1 million in fines, restitution, penalties, and civil judgments “in the area of procurement practices.”
The OI specifically identified twelve criminal cases involving procurement violations by contractors – all twelve involved service-disabled, veteran-owned small business fraud. In those cases, the SDVOSB business either misrepresented the eligibility of its owner, or the true ownership of the business.
Lessons learned from the OI:
- Exposure under the False Claims Act for VA contracts can be very significant – reaching over $500 million in 2013.
- People get arrested and go to jail for defrauding the VA.
- If you tell the VA that you are a service-disabled veteran and own and operate a SDVOSB, you had better be a service-disabled veteran and own and operate the SDVOSB.
Finally, one other lesson learned – this one from the structure of the VA OIG. Contact by the Office of Contract Review and the Office of Investigations can both lead to civil or even criminal liability, but there is a significant difference. If the contact comes from the Office of Investigations, the issue has already likely been determined to be a potential civil fraud or criminal violation. There is no doubt that it is time to call your lawyer.
 See Semiannual Report to Congress, Issue 69, (October 1, 2012 – March 31, 2013),VA OIG; Semiannual Report to Congress, Issue 70 (April 1 – September 30, 2013), VA OIG.
 The three other component offices are the following: (1) the Office of Audits and Evaluations, which audits and evaluates the effectiveness of the Veterans Health Administration programs and Veterans Benefits Administration programs; (2) the Office of Healthcare Inspections, which monitors the healthcare provided to the veterans; and (3) the Office of Management and Administration, which provides comprehensive support services to the VA OIG, and administers the VA OIG Hotline.
 The Office of Counselor also supervises the Release of Information Office, which primarily processes Freedom of Information Act and Privacy Act requests for OIG records, as well as other requests for information.
 The reports describe the pre-award audits results as “potential cost savings” and “savings and cost avoidance” so it is not clear whether these amounts include audit recommendations ultimately rejected by the contractors.
 To provide some perspective, the VA estimates that there are currently 1900 contract holders under its FSS program.
 The categorization of the pre-award and post-award audits in this article are based on the description of the audits in Appendix A of the reports.
 The OIG’s reports labeled eleven post-award reviews as involving voluntary disclosures with a total recovery to the VA of $12,728,288.
 This amount includes a $500 million fine resulting from a False Claims Act case against a large pharmaceutical company.
Cybersecurity Takes The Pole Position in 2014 In Federal Acquisitions
By: Tom Barletta, Partner, Steptoe & Johnson LLP; Andy Irwin, Partner, Steptoe & Johnson LLP; & George Leris, Associate, Steptoe & Johnson LLP
The Obama Administration has been placing greater emphasis on cybersecurity, including enhancing cybersecurity in the acquisition process. Three of the Administration’s more recent acquisition-related cybersecurity initiatives are discussed below.
On November 18, 2013, the DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements on contractors for safeguarding unclassified controlled technical information and reporting cyber incidents. On the same day, the DoD also issued an interim rule amending the DFARS to address supply chain security in defense contracts.
More recently, DoD and GSA issued a DoD/GSA Final Report on Improving Cybersecurity through Acquisition (“Final Report”) on January 23, 2014, containing recommendations for incorporating cybersecurity standards into the acquisition planning and contract administration process. Those recommendations include instituting baseline cybersecurity requirements; improving cybersecurity training; developing common cybersecurity definitions; instituting a federal cyber risk management strategy; purchasing from trusted sources; and increasing government accountability for cyber risk management.
Safeguarding Unclassified Controlled Technical Information and Cyber-Reporting
The DoD final rule and implementing contract clause require a contractor who has access to or stores specific types of unclassified “controlled technical information” (UCTI) to implement certain security standards on its computer network and to report certain “cyber incidents” to DoD. See DFARS 304.734 & 252.204-7012; see also DFARS 204.703 & 212.301 (regarding solicitations and contracts for commercial items).
The final rule focuses on “controlled technical information” — technical data or computer software, as defined in DFARS 252.227-7013, with a “military or space application” that is subject to restrictions on access, release, and disclosure. In that regard, the final rule references DoD Directive 5230.24, Distribution Statements on Technical Documents, and (in the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. Those Directives generally deal with sensitive but unclassified information that is subject to marking or release restrictions under U.S. government programs. Much of this information is likely to be subject to US export control laws and regulations, such as the International Traffic in Arms Regulations (ITAR).
The final rule imposes three requirements on covered contractors. First, the contractor must implement certain National Institute of Standards and Technology (NIST) information systems security procedures in its project, enterprise, or company-wide unclassified information technology (IT) systems to safeguard any UCTI transiting through or residing in its systems. These procedures, drawn from NIST Special Publication 800-53, Revision 4, cover fourteen areas of information security: access control; awareness and training; accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity. Alternate methods of protection may be proposed to the contracting officer, and additional security measures beyond the NIST procedures may be required if warranted by risk/vulnerability assessments. (In assessing the security of their information systems, contractors may also want to consult NIST’s more recent, February 12, 2014 Framework for Improving Infrastructure Cybersecurity, which sets out guidelines and processes for cybersecurity activities.)
Second, the final rule requires a contractor to report to DoD any cyber incident affecting UCTI within 72 hours of the incident. The definition of “cyber incident” in the final rule suggests that the term refers to a deliberate use of a computer network (e.g., “hacking”) that has an adverse effect on a contractor’s IT system or the controlled information residing therein. However, the final rule may have a broader reach, as a “cyber incident” potentially includes “an adverse release” of controlled information (as set forth in DFARS 252.204-7012(d)(1)(xi)), or “any other activities … that allow unauthorized access to the Contractor’s unclassified information system” (as set forth in DFARS 252.204-7012(d)(2)(ii)). The final rule also requires contractors to further investigate any cyber incidents after making the initial report and to cooperate in any DoD damage assessment activities, including responding to requests for information. The reporting requirement also presents difficult parallel export control considerations for contractors, as they may need to consider whether they should file parallel self-disclosures with the export control regulatory agencies.
Third, the final rule’s implementing contract clause contains a mandatory flow-down to all tiers of subcontractors, including to subcontracts for commercial items. The final rule does not have a separate definition of “subcontractor,” and vendors that may not consider themselves subcontractors may therefore be subject to the new rule. For example, the preamble to the final rule states that the requirements can apply to Internet service providers (ISPs) and cloud computing vendors. Furthermore, if a subcontractor experiences a cyber incident, the final rule requires reporting to the Government through the prime contractor.
Interim Rule on Supply Chain Security
This interim DFARS rule grants “pilot” authority to the DoD (to expire on September 30, 2018) to place certain restrictions on IT supply chains in procurements related to “national security systems” (NSS) (as defined in 44 U.S.C. § 3542(b) and including contractor NSS) in order to address supply chain risks. Specifically, the interim rule authorizes certain DoD officials to exclude a source for IT, whether acquired as a service or a supply, based on certain qualification standards and evaluation procedures. It also authorizes them to withhold consent to a subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.
The interim rule includes a new solicitation provision and a new contract clause to be included in all solicitations and contracts for the development or delivery of information technology that are subject to the DFARS (i.e., not just contracts for NSS). Those provisions give notice that DoD may use its exclusionary authority to manage supply chain risk. Contractors are required to flow the clause down to “all subcontracts involving the development or delivery of any information technology, whether acquired as a service or supply.” (Emphasis supplied).
The interim rule includes required procedures for taking exclusion actions and indicates that those actions should only be taken where there is a significant supply chain risk to a particular NSS. However, the interim rule does not define what qualification standards or evaluation factors DoD officials will use in considering supply chain risks and excluding supply sources. Furthermore, the interim rule gives DoD authority to limit disclosure of information relating to exclusion decisions and provides that exclusion actions are not reviewable in a bid protest.
DoD/GSA Final Report on Improving Cybersecurity through Acquisition
The Final Report aims to establish a unified framework to address federal cyber risk management and acquisition processes, and, in particular, cyber risk in the acquisition of commercial information and communications technology. (The report essentially indicates that it does not apply to acquisition practices applicable to NSS.)
The Final Report identifies several important cyber risk related issues affecting federal acquisitions, and provides joint DoD/GSA recommendations on mitigating them at the federal level. At the top of the list are intentional or unintentional vulnerabilities that may come from inside or outside the supply chain, but which increase acquisition risk. The risk of counterfeit, “grey market,” or other nonconforming information and communications technology (ICT) components entering the supply chain also adds to the risk in supply chain management. Finally, the operations, maintenance, and disposal stages of ICT present significant risks when supervised and/or implemented improperly. The Final Report indicates that a well-functioning and unified federal acquisition approach to such issues is likely to reduce cybersecurity threats to the supply chain.
To that end, the Final Report lays out six recommendations which aim to reduce exposure to cyber risks in commercial ICT federal acquisition. First, it recommends establishing “baseline cybersecurity requirements” as a condition of contract award. These requirements encompass basic protections (e.g., up-to-date virus protection and software patches; multiple-factor logical access; and methods ensuring data confidentiality). These elements should be expressed as technical requirements, should include performance measures, and should be clearly described in the relevant contract language. Importantly, the Final Report recommends that these requirements be harmonized with other FAR/DFARS rulemaking actions, including the final rule discussed above on safeguarding UCTI in contractor IT systems.
Second, the Final Report recommends increasing the cybersecurity awareness of employees and entities working in federal acquisitions. It suggests that additional education and training opportunities for employees involved with procurements will lead to improved cyber risk management, including avoiding over-specifying and under-specifying cybersecurity requirements. It also proposes a government-sponsored cybersecurity outreach campaign targeting stakeholders to familiarize them with the government’s changing approach to cybersecurity.
Third, the Final Report recommends adopting common cybersecurity definitions for federal acquisitions. It acknowledges that use of unclear and inconsistently defined terms in the acquisition process (e.g., “cyber incident”) can lead to “suboptimal outcomes for both cybersecurity and efficiency” (e.g., changes, terminations, and disputes). The Final Report suggests that having common definitions will reduce problems with, inter alia, cost estimates, solicitations, and the award and performance of contracts.
Fourth, the Final Report recommends the creation of an interagency “federal acquisition cyber risk management strategy,” which would identify a unified hierarchy of cyber risks. It would also develop “overlays” (sets of flexible, risk-based security requirements and supplemental guidance) that an agency would tailor to its specific needs for specific products. These overlays would, for example, identify different security controls depending on the type of acquisition. As the Final Report highlights, different acquisitions present different risks and warrant different cybersecurity responses. Applying standardized but flexible overlays across market segments and similar types of procurement will, according to the report, reduce the cost and duration of an acquisition.
Fifth, the Final Report emphasizes that federal agencies must ensure that the goods they acquire are authentic, as sub-par goods drastically increase cyber risks (e.g., they may arrive with outdated security updates, or be built to different specifications). Accordingly, it recommends identifying “trusted sources” (manufacturers, suppliers, or resellers) and taking other steps, appropriate to the particular acquisition, to qualify vendors as a means of reducing cyber risk. Further, the Final Report indicates that in cases involving the greatest risk, it may be appropriate for government personnel to determine whether a vendor is a “trusted source,” while in less risky cases, attestation of company conformance to external standards may be sufficient.
Finally, the Final Report recommends increasing government accountability for cyber risk management. It details a four-step process for holding key personnel accountable for upholding cyber standards. Specifically, such personnel should: 1) address cyber risks when a requirement is being defined and a solution is being analyzed; 2) certify that the solicitation includes the appropriate cybersecurity requirements; 3) participate in the proposal evaluation process and provide for consideration of cybersecurity in best value decisions; and 4) continue to monitor post-award performance to the extent relevant to cybersecurity.
The three actions discussed above reflect the increased emphasis on cybersecurity in the acquisition process and indicate that cybersecurity will be an important issue for the acquisition community going forward.
Tom Barletta is a partner in the Washington D.C. office of Steptoe & Johnson LLP and head of the Government Contracts group. Andy Irwin is a partner in its International Regulation & Compliance and Government Contracts group. George Leris is an attorney in Steptoe’s Privacy and Cybersecurity practice.
DoD Announces Procurement for Health Records System
According to NextGov, the Department of Defense (DoD) will be releasing its $11 billion Healthcare Management Systems Modernization procurement in the coming months. The department expects to award a single contractor, tasked with delivering and supporting an electronic health record system covering some 10 million beneficiaries and numerous health-care facilities worldwide. The award is anticipated by the close of 2014, with initial system rollout in 2017 and full operation by 2023.
President to Sign DATA Act
This week the House passed the Digital Accountability and Transparency (DATA) Act (S. 994). Approved earlier in April by the Senate, the bill now heads to President Obama for his signature. The bill requires the Treasury Department and the Office of Management and Budget (OMB) to establish government-wide standards for financial data. This information will be published publicly at USASpending.gov. Reported financial data will include Federal agency expenditures on contracts, loans, and grants. Agency inspectors general are to report on the quality and completeness of the spending data submitted by their respective agencies every two years.
The DATA Act also establishes a two-year pilot program covering Federal contracts, grants, and subawards valued at over $1 billion. The objectives of the pilot include eliminating unnecessary duplication in financial reporting and a reduction in compliance costs for recipients of Federal awards. Following the pilot, OMB will review the data and report on the usefulness of the information collected and the associated costs. To review the full DATA Act, visit http://beta.congress.gov/bill/113th-congress/senate-bill/994.
DHS Secretary Announces Acquisition Oversight Review
As part of DHS Secretary Jeh Johnson’s plans to strengthen the Department of Homeland Security’s (DHS’s) structures and capability, DHS will review its acquisition oversight framework. The oversight review was announced in Secretary Johnson’s April 22 memorandum on Strengthening Departmental Unity Efforts. The review will focus on updating the processes in DHS Acquisition Management Directive 102-01 which describes the agency’s Acquisition Life Cycle Framework, Acquisition Review Process, and the role of the Acquisition Review Board. It also covers additional acquisition management procedures and responsibilities unique to DHS. Secretary Johnson has said that the result of the oversight review “must be a transparent, coherent continuum of activities that link and integrate Department strategy and planning, development of joint requirements, programming and budgeting decisions, capital investment planning, and the effective and efficient execution of major acquisitions.”
Join PBS Industry Relations on Interact
Public Buildings Service (PBS) Industry Relations Division has launched a new community on GSA Interact. Through the PBS Industry Relations Community, Industry Relations will provide pertinent information and updates to help vendors work with GSA, as well as collaborate, share ideas and get feedback on how to improve and be more efficient. The information shared through the community will be used to help shape PBS strategies and inform decision-making. The inaugural post is written by PBS Deputy Assistant Commissioner for Acquisition, Andrew Blumenfeld, and proposes “Reducing Proposal Costs by Requiring Oral Presentations Instead of Written Proposals.” To join the community and provide feedback on this topic, visit https://interact.gsa.gov/group/pbs-industry-relations.
Proposed Rule on Personal Conflicts of Interest
A proposed rule was published on April 2 to amend the Federal Acquisition Regulation (FAR) to extend the limitations on contractor employee personal conflicts of interest to the performance of all functions that are closely associated with inherently governmental functions and to contracts for personal services. Responses are due June 2, 2014. The Coalition will follow up with members to see if you would like us to submit comments.
Former Congressman Tom Davis on Off the Shelf
The former Congressman from Virginia’s 11th district makes a compelling case that the current budget challenges demand a move to a smart lean government model. Smart lean government increases efficiency and effectiveness by reducing duplicative operations, breaking down silos across the federal enterprise, and leveraging shared services such as cloud computing. To listen to the program, visit www.federalnewsradio.com/80/3610407/Building-a-smart-lean-government.
Invitation to IAE Industry Day, May 13
GSA has reached out to the Coalition to invite members to a virtual meeting on the Integrated Award Environment (IAE) on May 13. The following is GSA’s invitation to industry:
You are invited to participate in GSA’s next Integrated Award Environment’s industry outreach event on May 13, 2014 from 1:30 p.m. to 3:00 p.m. EST. Focused on Transparency in the Integrated Award Environment (IAE), this virtual meeting is intended for technical audiences considering possible implementations that may meet GSA’s future needs.
Please register online for this informative and interactive event.
The upcoming event builds on a series of outreach events that includes a webcast that occurred in April and an Industry Day that happened in December. The April 7 webcast focused on the target technical architecture and the establishment of a Common Services platform to include everything from identity and access management, hosting and APIs as well as data stores and search. We spoke to the concept of “containerization” and how we will use Agile development and continuous integration to allow for rapid, controlled development. The December 2013 Industry Day centered on IAE’s overall high-level architecture and its architectural principles. In both presentations (available in the IAE Industry Community on Interact), we emphasized a core principle of IAE’s architecture is that it is open.
The May 13 event will explore what we mean by ‘open’ and expand on how this applies to the future IAE environment. We will discuss five transparencies in the context of product, data, service, operations, and processes. We also will discuss the implications that openness has on continuous integration, the code repository, and what our business processes will need to look like in order to achieve this key architectural principle. This will lead us to some key questions about the capabilities we are acquiring within the IAE Common Services, IAE Technical Governance and IAE DevOps/IV&V contracts, so we hope you will take part in the discussion.
A recording of the full event, all handouts, and other materials will be posted online in the Interact IAE Industry Community following the event. Please send any questions regarding the webcast to IAEoutreach@gsa.gov.
We look forward to your participation, feedback, and input!
Director, GSA IT Integrated Award Environment Division
IAE Director of Outreach & Stakeholder Management
Online Chat with Energy Department CIO, May 13
Join Bob Brese, chief information officer at the Energy Department, and Federal News Radio Executive Editor Jason Miller for a live online chat, Tues. May 13, 2014, from 1-1:30 p.m.
The free chat will take place immediately after Brese’s appearance on Federal News Radio’s Ask the CIO radio program at 12:30 p.m., heard on 1500AM (in the Washington D.C. metro area) and streamed online.
During the Ask the CIO radio show and online chat, Brese will discuss his plans to update Energy’s infrastructure, including the OneNNSA construct; progress the Joint Cybersecurity Coordination Center is making in sharing threats and mitigation across the department; and a host of other technology programs that are changing the way Energy meets its mission.
Those participating in the online chat will be able to ask Brese their own questions in real-time. Questions for the online chat can also be emailed in advance to Executive Editor Jason Miller, who will moderate the discussion.
Brese has been CIO at the Energy Department for almost two years. He manages the agency’s technology policy, governance and oversight of more than $1.5 billion in annual investments, as well as DOE initiatives around open data, cloud computing and energy efficient IT strategies. Brese is also DOE’s senior agency official for privacy, and for information sharing and safeguarding.
This online chat is underwritten by IBM.
Registration is required to attend this free online chat. Pre-registration is now open and will continue through Monday, May 12, at 4 p.m. To register, click here.