
Friday Flash 03/10/23

Announcing the Agenda for the 2023 Spring Training Conference!

As promised in last week’s FAR & Beyond blog, the Coalition is pleased to share the draft agenda for the 2023 Spring Training Conference – Procurement Watchwords for 2023! The two-day training conference will take place on May 2-3 in Falls Church, Virginia. This year’s Spring Conference focuses on four major procurement “watchword” themes that will serve as driving forces for the acquisition system and government operations over the course of the year: Market Continuity, Cybersecurity, Supply Chain Security, and Sustainability. Government and industry leaders will share how these watchwords play a major role in shaping procurement policies and programs. We have invited a wide range of agencies to participate in this year’s Spring Training Conference, including DoD, GSA, VA, OMB, CISA, EPA, NASA, FDA, DHA, and DLA. Keep reading to learn more about the lineup of sessions you can look forward to attending on both days!

To view the 2023 Spring Training Conference draft agendas, click here. To register for the conference, click here. Click here to reserve your discounted hotel room.

May 2 – Governmentwide Focus

Consistent with this year’s theme, we have compiled panels throughout the day focused on the four procurement watchwords. Some of the highlights on the governmentwide day include:

Market Continuity – We have invited leadership from GSA’s Federal Acquisition Service (FAS) to share priorities and initiatives from each of their offices. During the FAS Executive Panel, attendees will hear FAS Assistant Commissioners discuss GSA’s continued efforts regarding a number of different procurement programs and how they are moving forward.

Cybersecurity – The Cybersecurity Panel features invited government officials from multiple agencies, including DoD and GSA. These officials will address recent developments across several cybersecurity measures, such as the release of the Cybersecurity Maturity Model Certification (CMMC) DFARS rule and FedRAMP authorization.

Supply Chain Security – The third panel of the day focuses on Supply Chain Security, and we have invited both government and industry subject matter experts to address supply chain-focused policies, programs, and regulations that will impact the procurement system. Topics covered during the panel include the Cybersecurity Supply Chain Risk Management (C-SCRM) program, the 2023 National Defense Authorization Act (NDAA), the Defense Production Act, Made in America, and Buy American laws.

Sustainability – The first day’s general sessions will wrap up with a highly informative Sustainability Panel. We have invited government agencies, such as the EPA, to cover sustainability-related programs and policies, such as the FAR proposed rule regarding disclosure of greenhouse gas emissions and climate risk, the Environmentally Preferable Purchasing program, and federal high-performance green buildings.

Following the general sessions, you will not want to miss out on a vast selection of afternoon Market Continuity Panels that will offer a deep-dive into specific agency and governmentwide topics and initiatives, such as:

  • NASA SEWP VI
  • OASIS+
  • Alliant 3
  • Other Transaction Authorities
  • GSA Schedules
  • GSA’s Office of the Future
  • NITAAC Contracting
  • Assisted Acquisition Services
  • GSA General Supplies and Services
  • Congressional Updates

May 3 – Healthcare Focus

Once again, we have put together multiple sessions that highlight the four watchwords, specifically focused on healthcare procurement.

Market Continuity – In the morning, we have invited VA leadership to participate in back-to-back panels to discuss their ongoing efforts to provide support to veterans and VA healthcare facilities. The first panel invites leaders from the VA’s Office of Acquisition, Logistics, and Construction (OALC). Following this panel, we will hear from the Veterans Health Administration (VHA) on their organization’s initiatives.

Sustainability – During our lunch break, we look forward to hearing an update on how sustainability requirements, such as the greenhouse gas disclosures proposed rule, will specifically impact federal healthcare contractors in the present and future.

Cyber and Supply Chain Security – In the afternoon, government and industry experts from multiple agencies, including DLA, NIH, FDA, and the VA, have been invited to participate on the Cyber and Supply Chain Security Panel focused on healthcare technology systems and efforts to strengthen the medical supply chain.

Be sure to check out the draft agenda to learn about the afternoon’s Market Continuity Panels, which will provide the latest in-depth information on agency programs, such as:

  • Medical/Surgical Prime Vendor (MSPV) Program
  • VA Pharmacy Benefit Management Services
  • Medical Device Cybersecurity
  • DHA and DLA Pharmaceutical Prime Vendors
  • DLA MSPV and ECAT Programs
  • VA Prosthetics

We hope that you are as excited as we are about two full days of networking with the acquisition community and learning from procurement leaders across the government and industry!

As always, we would like to thank our current sponsors for their continued support of the Coalition and the Spring Training Conference. Our sponsors include:

  • Platinum Sponsors: AvKARE and McKesson
  • Silver Sponsor: Sheppard Mullin
  • Coffee & Networking Sponsor: SAIC

“Developments in Cybersecurity Policy” Meeting, March 24

On March 24, 11:00 AM – 12:00 PM, the Business and Regulatory Issues and Cyber Supply Chain Security Committees (collectively, BRIC/Cyber) will jointly hold a members-only, virtual meeting focused on the theme, “Developments in Cybersecurity Policy: What Federal Contractors Need to Know” (click here for registration). We will hear from two cybersecurity and government contracting experts, Townsend Bourne, Partner, Sheppard Mullin and Bob Metzger, Shareholder, Rogers Joseph O’Donnell, who will cover the latest regulatory and policy trends in Federal cybersecurity, including: the White House’s new National Cybersecurity Strategy and what it means for Federal contractors, the current state of the Cybersecurity Maturity Model Certification (CMMC) program, and developments in the FedRAMP risk-based cloud authorization program. They will also provide an update on new regulations being promulgated for the FAR and DFARS regarding controlled unclassified information and supply chain security. To register, please click here.

If you encounter any difficulties registering or have further questions about this meeting, please contact Ian Bell at ibell@thecgp.org.

Coalition Events in March

The Coalition currently has six members-only committee meetings and events scheduled for March, listed for your convenience below. All times are in Eastern Time. For assistance with registration, please contact Ian Bell at ibell@thecgp.org.

  • March 15, 10:00 – 11:00 AM: All-Member Briefing on FY 2023 NDAA: Healthcare Focus with Moshe Schwartz, President, Etherton and Associates (click here to register)
  • March 21, 12:00 – 1:00 PM: Pharmaceutical Subcommittee Meeting with Dr. Jennifer Martin, VA PBM (click here to register)
  • March 22, 10:00 – 11:00 AM: Small Business Committee Meeting, OSDBU Panel (click here to register)
  • March 23, 1:30 – 3:00 PM: OASIS+ In-Person Working Group Meeting with Tiffany Hixson, GSA (click here to register)
  • March 24, 11:00 AM – 12:00 PM: BRIC/Cyber Meeting with Townsend Bourne and Bob Metzger (click here to register)
  • March 28, 10:00 – 11:00 AM: NASA SEWP Working Group Meeting with Joanne Woytek, NASA (click here to register)

GSA Extends EPA Flexibility Through End of FY 2023

On Monday, the General Services Administration (GSA) published an extension to an Acquisition Letter that allows contracting officers to approve Economic Price Adjustments (EPAs) to contracts without further consultation through September 30, 2023. The first version of the letter in March 2022 lowered the level of additional approval for EPAs needed from a contracting director to one level above the contracting officer, but a supplement published in September of last year eliminated the need for additional approval altogether. Intended to allow contractors to update prices when economic conditions change, EPAs have become an essential flexibility for Federal contractors as inflation hit a 40-year high of 9.1 percent in Summer 2022 and remains, at 6.4 percent in January, above historic averages.

GSA Announces Demand Data Initiative

GSA’s General Supplies and Services (GSS) Portfolio announced a new initiative this week focusing on Demand Data to improve Delivery and Price/Value initiatives. Demand data allows GSA to use transactional data to identify what items are purchased the most across business lines.

As part of the initiative, GSA is sharing the 25,000 top selling items within the GSS portfolio (to download the data in spreadsheet form, click here). GSS expects that the initiative will help contractors better tailor their price list to meet customer demand, reduce price lists to enable shorter turnaround on modifications, and showcase areas where product availability plays a key role in determining demand. Currently, the program focuses on office supplies, but planned updates will include data for additional product categories and will be made available through the Vendor Support Center.

Erv Koehler, FAS Assistant Commissioner for GSS, also presented the initiative to Coalition members at Wednesday’s members-only meeting (click here for slides) and encouraged contractors to provide feedback on the initiative by emailing DemandData@gsa.gov.

SAM.gov Experiences Issues

Nextgov reports that on Wednesday, the System for Award Management (SAM.gov), the Federal Government’s main portal for managing information about contractors and contract awards, experienced two separate issues that impacted users. First, at approximately 12 AM, Entity Administrators received an email from a do-not-reply address stating that their information had been updated, raising concerns that the system had been hacked. The website then went offline and did not return until approximately 11 AM Wednesday morning.

GSA stated in an email notice to SAM.gov users that the unexpected email was sent because of a system error, not by a third party or a hacker, and that users did not have to take any action in response. The agency, the notice continues, has “no evidence of any security breach and … believe[s] no data was exposed” and “is confident that the data is secure.” The email also said that GSA was aware of issues with the outage, which it stated may be ongoing for some users, but emphasized that it was “unrelated” to the email issue.


Defense Pricing and Contracting Releases 2022 Year in Review

The Department of Defense’s (DoD) Defense Pricing and Contracting (DPC) unit released its unclassified Year in Review last Wednesday touting the “resolve and adaptability” of the defense contracting workforce and providing a wide-ranging look at the office’s operational and policy endeavors over the past calendar year. The report begins by discussing the DPC’s response to “levels of inflation not experienced since the 1970’s.” The DPC issued two memoranda to the contracting workforce on employing economic price adjustments, contract modifications, and extraordinary contractual relief to combat the effects of inflation. It also led both government-specific and industry–government trainings on constructing EPA clauses, including advanced procedures such as using “trigger bands” for fine tuning.

The DPC also acted on current executive branch priorities, including category management, equity in procurement, small business goals, and AbilityOne program participation. To support Buy American preferences, DPC has “created a DoD Senior Accountable Official network” to support Made in America policymaking and refine the review process for Buy American waivers. DPC made internal improvements to several systems, including its Government Purchase Card program and existing Procurement Data Standards. It also released a draft Catalog Data Standard in November 2022 to simplify catalog upload and maintenance for contractors, and worked with SAM.gov to manage the transition from the legacy DUNS system for identifying contractors to the current Unique Entity Identifiers.

Policy developments included 31 FAR, DFARS and PGI revisions to implement executive and legislative developments. DPC also issued an update to DoD’s Source Selection Procedures, the basis for ensuring competitive procurements. Other subjects reviewed in the report include international contracting agreements, how DPC responded to the war in Ukraine, and streamlining the certification of contracting officers.

Looking forward to 2023, the report noted that DoD will be releasing the Defense Contract Finance Study, which evaluates “defense industry financial performance over a twenty-year timeframe” and is “the first comprehensive review of contract financing since 1985.” The report also identifies eight key policy initiatives for DPC in 2023, including “strengthening and empowering the DoD contracting workforce,” “cultivating improvements in DoD’s use of contract financing,” and “enhancing international procurement partnerships.”

GSA Releases Second OASIS+ Draft RFP

On Tuesday, GSA released the Second OASIS+ Draft Request for Proposals. Within the request, GSA released a cover letter outlining some of the changes made in the new version and an additional Q&A covering industry questions from the first RFP. A second Q&A answering more questions will be released by GSA shortly.

GSA is hosting a pre-solicitation virtual industry day for OASIS+ on March 15 at 1:00 PM ET. To register, click here.

The Coalition will be compiling member feedback to send comprehensive comments on the new draft RFP. Please submit your feedback to JSnyderwine@thecgp.org by COB, March 22, 2023.

For any additional questions, please reach out to JSnyderwine@thecgp.org.

OASIS+ Working Group Meeting with GSA’s Tiffany Hixson

In tandem with the release of the next draft of the OASIS+ solicitation, the Coalition will host a meeting with GSA Regional Commissioner and Assistant Commissioner for the Office of Professional Services and Human Capital Tiffany Hixson on March 23, 1:30 – 3:00 PM ET. The meeting will be held in a hybrid format, with in-person attendance at the offices of Northrop Grumman in McLean, Virginia as well as an opportunity for virtual participation. To register, click here. Please note that this meeting is for Coalition members only.

For further questions or assistance with registration, please contact Joseph Snyderwine at jsnyderwine@thecgp.org.

OMB Launches New “Life Experience” Projects

Last Friday, the Office of Management and Budget (OMB) announced nine “Life Experience projects” that will see the Federal Government redesign how it delivers critical services to Americans, MeriTalk reports. Last year, the President’s Management Council identified five life experiences that require Americans to interact with multiple Federal agencies and levels of government:

  • Recovering from a disaster,
  • Facing a financial shock,
  • Approaching retirement,
  • Having a child and early childhood for low-income families, and
  • Navigating transition to civilian life.

Now, OMB has reached the next step in the project and created nine projects, each of which falls under one life experience, to help alleviate “pain points” Americans having one of these experiences encounter when trying to access Federal support or resources.

Under the “approaching retirement” experience, for instance, OMB will work with the Social Security Administration, the Department of Health and Human Services, and the Consumer Financial Protection Bureau to increase seniors’ access to information they need to make retirement and healthcare decisions. OMB decided to prioritize access to information after conducting listening sessions with 42 retirees and speaking to 40 Medicare and Social Security experts. Projects from other life experiences include “building a trauma-informed care approach” to help those recovering from disaster, piloting a new “benefits bundle” approach to help low-income families having a child receive the support they are eligible for, and “prototyping integrated transition planning” to help veterans entering civilian life.

The new “life experience framework” that underpins the current crop of projects comes as a result of a 2021 executive order focused on customer experience, “Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government,” and is a key point in the current President’s Management Agenda that agencies use to set priorities. According to the project announcement, other major efforts to improve the quality of Federal services taken since the order include the launch of “a VA Health and Benefits App,” a new version of the Social Security Administration’s website, and new self-service options for taxpayers.

Legal Corner:

White House Releases National Cybersecurity Strategy

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

By Rajesh De, Stephen Lilley, Veronica R. Glick, Dominique Shelton Leipzig, David A. Simon, Marcus A. Christian, Marcia G. Madsen, Howard W. Waltzman, Sasha Keck, and Lauren N. Williams, Mayer Brown

The Biden administration released its National Cybersecurity Strategy (“Strategy”) on March 2, 2023. The Strategy builds on previous policy actions by the Biden administration that sought to strengthen cybersecurity in critical infrastructure and protect personal data, including through regulatory action, government procurement requirements, and an emphasis on software security.

The Strategy calls for (1) a “[r]ebalanc[ing of] the responsibility to defend cyberspace,” under which the “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” with the Strategy notably highlighting the role of cloud services and software providers and (2) a “realign[ment of] incentives to favor long-term investments,” in part to “ensure that market forces and public programs alike reward security and resilience.” While still emphasizing public-private sector collaboration, the Strategy reflects an increased focus on regulatory action and private sector liability. Although many of the Strategy’s proposed changes will hinge on congressional action, if implemented by Congress and the administration, the Strategy would have significant consequences for certain businesses, including owners and operators of critical infrastructure, software developers, cloud providers, government contractors, and businesses that handle personal information. Understanding the Strategy and its potential implications accordingly will be important for companies across sectors.

The Strategy replaces the 2018 National Cyber Strategy and largely builds on the path charted by the 2021 Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” and on the National Security Memorandum “Improving Cybersecurity for Critical Infrastructure Control Systems.” It sets out its priorities within five pillars: (1) defend critical infrastructure, (2) disrupt and dismantle threat actors, (3) shape market forces to drive security and resilience, (4) invest in a resilient future, and (5) forge international partnerships to pursue shared goals. Below we highlight key elements of these pillars that could have important implications for businesses, including:

  • Expanded regulation of critical sectors’ cybersecurity practices, including technology and cloud services
  • Potential legislative debates over liability frameworks for software security
  • Initiatives to increase the speed and scale of collaboration with the private sector to disrupt threat actor groups
  • Efforts to harmonize cybersecurity regulations that apply to businesses

Pillar One: Defend Critical Infrastructure

Pillar One aims to set out a regime for “collaborative defense that equitably distributes risk and responsibility, and delivers a foundational level of security and resilience for our digital ecosystem.” It identifies five strategic objectives: (1) establish cybersecurity requirements to support national security and public safety, (2) scale public-private collaboration, (3) integrate federal cybersecurity centers, (4) update federal incident response plans and processes, and (5) modernize federal defenses.

New and expanded regulation is central to this pillar of the Strategy. The Strategy states that “[w]hile voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” To address this, the Strategy tasks federal agencies with using existing authorities to set minimum cybersecurity requirements for critical sectors. The administration states its intent to work with Congress to pursue legislation to cover areas where gaps in authority are present. The Strategy also notes that the administration “encourage[s]” states and independent regulators to use their authorities to set cybersecurity requirements in a “deliberate and coordinated manner.”

The Strategy identifies cloud-based services as a focus, given many sectors’ reliance on cloud infrastructure. The Strategy states that the administration plans to work with industry, Congress, and regulators to close any “gaps in authorities to drive better cybersecurity practices in the cloud computing industry.” To that end, during a rollout discussion of the Strategy at the Center for Strategic and International Studies (“CSIS”), Acting National Cyber Director Kemba Walden remarked that, since cloud services are a “baseline service across critical infrastructure sectors. . . [,] there needs to be some baseline minimum requirements that are common across all their customer sets.”

The Strategy does not provide specifics on these intended regulations. Rather, it emphasizes “performance-based” requirements that “leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance” including the Cybersecurity and Infrastructure Security Agency’s (“CISA”) Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The Strategy also describes an effort to be led by the Office of the National Cyber Director (“ONCD”), in coordination with the Office of Management and Budget (“OMB”), to harmonize federal cybersecurity regulations, which may be beneficial to cross-sector businesses facing conflicting and duplicative requirements. For example, the Strategy notes that the Cyber Incident Reporting Council will coordinate and deconflict federal incident reporting requirements.

Pillar One also lays out plans to enhance public-private information sharing and access to support from federal agencies during cyber incidents. For example, the Strategy states that the federal government will partner with the private sector to explore enhanced machine-to-machine data sharing that will enable “real-time, actionable and multi-directional” information sharing. This Pillar also describes a plan to increase inter-agency collaboration and integration to improve the private sector’s ability to reach and receive support from the appropriate federal agencies.

Pillar Two: Disrupt and Dismantle Threat Actors

Pillar Two targets “more sustained and effective disruption of adversaries” in pursuit of “mak[ing] malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.” It states five strategic objectives: (1) integrate federal disruption activities, (2) enhance public-private operational collaboration to disrupt adversaries, (3) increase the speed and scale of intelligence sharing and victim notification, (4) prevent abuse of US-based infrastructure, and (5) counter cybercrime and defeat ransomware.

Pillar Two emphasizes offensive efforts to thwart threat actors and cause sustained disruption to malicious cyber activities. It outlines campaigns spearheaded by the Department of Justice and Department of Defense, noting the important role of the private sector in disruption efforts, including its visibility into adversary activity. To facilitate public-private collaboration in this area, the Strategy declares that the federal government will “increase the speed and scale of cyber threat intelligence sharing to proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.”

The Strategy describes a plan to engage with cloud and internet infrastructure providers to share information on malicious uses of their services and support victims who report abuses of these services. The Strategy further notes the need for providers to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”

The role of financial institutions is highlighted as part of efforts to combat ransomware. The Strategy emphasizes continuing and expanding implementation of Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) controls to combat the use of cryptocurrency to launder ransom payments. More broadly, the Strategy emphasizes that “the Administration strongly discourages the payment of ransoms” because the “most effective way to undermine the motivation of these criminal groups is to reduce the potential for profit.”

Pillar Three: Shape Market Forces to Drive Security and Resilience

Pillar Three reflects a judgment that “market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.” In the administration’s view, “[i]n too many cases, organizations that choose not to invest in cybersecurity negatively and unfairly impact those that do, often disproportionately impacting small businesses and our most vulnerable communities.” In light of this perspective, Pillar Three seeks to “shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” In doing so, Pillar Three states that the administration “will not replace or diminish the role of the market, but channel market forces productively toward keeping our country resilient and secure.” Pillar Three identifies six strategic objectives to that end: (1) hold the stewards of our data accountable, (2) drive the development of secure Internet of Things (“IoT”) devices, (3) shift liability for insecure software products and services, (4) use federal grants and other incentives to build in security, (5) leverage federal procurement to improve accountability, and (6) explore a federal cyber insurance backstop.

Pillar Three reiterates the administration’s support of legislation regarding the handling of personal data. The Strategy states that the administration “supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.” In addition, the Strategy states that this legislation should include national standards for securing personal data that align with NIST standards and guidelines.

The Strategy also highlights a new priority to “shift liability onto those entities that fail to take reasonable precautions to secure their software,” albeit while also acknowledging that “even the most advanced software security programs cannot prevent all vulnerabilities.” The Strategy criticizes vendors that “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance” as well as those who “leverage their market position to fully disclaim liability by contract.” It describes the desired legislation as limiting the ability of providers to fully disclaim liability by contract and establishing a “higher standard of care for software in specific high-risk scenarios.” The Strategy states that the administration will drive the “development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” which will draw from best practices such as the NIST Secure Software Development Framework. (During the CSIS launch event, Deputy National Security Advisor Anne Neuberger said that the administration would learn from existing liability regimes for products, such as vehicle safety standards, as it assesses how to incentivize development of secure software.) Pillar Three also identifies four other steps the administration intends to pursue to enhance software security: (1) encouraging coordinated vulnerability disclosure, (2) promoting the further development of Software Bills of Materials (“SBOMs”), (3) developing a process for mitigating risk from unsupported software, and (4) partnering with the private sector and the open-source software community to invest in the development of secure software. (We discuss similar software security-focused questions in a webinar.)

Pillar Three also highlights existing initiatives on IoT cybersecurity as well as federal procurement requirements under EO 14028. Pillar Three highlights the administration’s work on IoT device labeling, for example, and asserts that “[c]ontracting requirements for vendors that sell to the Federal Government have been an effective tool for improving cybersecurity.” On the latter point, Pillar Three notes that “[c]ontinuing to pilot new concepts for setting, enforcing, and testing cybersecurity requirements through procurement can lead to novel and scalable approaches.” This Pillar also explains that the government will hold companies that fail to meet contractual commitments regarding cybersecurity practices accountable under existing laws such as the False Claims Act.

In addition, Pillar Three addresses cyber incident insurance. The Strategy observes that the existing cyber insurance market might be insufficient in the event of a catastrophic cyber incident. Accordingly, the administration intends to explore “the need for and possible structures of a Federal insurance response to catastrophic cyber events.”

Pillar Four: Invest in A Resilient Future

Pillar Four seeks to help “build a more secure, resilient, privacy-preserving, and equitable digital ecosystem through strategic investments and coordinated, collaborative action.” It states six strategic objectives: (1) secure the technical foundation of the internet; (2) reinvigorate federal research and development for cybersecurity; (3) prepare for our post-quantum future; (4) secure our clean energy future; (5) support development of a digital identity ecosystem; and (6) develop a national strategy to strengthen our cyber workforce.

The Strategy notes the need to develop and implement solutions to secure the technical foundations of the internet, many of which the administration views as “inherently vulnerable.” The Strategy calls for renewed federal investment in research and development in technologies such as quantum-resistant cryptography and enhanced digital identity solutions. This pillar also states that ONCD will lead the implementation of the strategy for an expanded cyber workforce.

Pillar Five: Forge International Partnerships to Pursue Shared Goals

Pillar Five reflects the goal of “a world where responsible state behavior in cyberspace is expected and rewarded and where irresponsible behavior is isolating and costly.” Reflecting the intent to build “a broad coalition of nations working to maintain an open, free, global, interoperable, reliable, and secure Internet,” this pillar identifies five strategic objectives: (1) build coalitions to counter threats to our digital ecosystem; (2) strengthen international partner capacity; (3) expand US ability to assist allies and partners; (4) build coalitions to reinforce global norms of responsible state behavior; and (5) secure global supply chains for information, communications, and operational technology products and services.

This pillar highlights the administration’s commitment to strengthening collaboration with partners to combat threat actors based in foreign countries, establishing policies for providing cyber support to allies, and holding states accountable for violating international law in cyberspace. It also advocates for examining the dependency on foreign products and services that pose a risk to the United States’ digital ecosystem. The Strategy states that “[c]ritical inputs, components, and systems must increasingly be developed at home or in close coordination with allies and partners.” This aligns with existing federal government efforts to secure supply chains, such as the International Technology Security and Innovation Fund established by the CHIPS and Science Act of 2022 to support secure semiconductor and telecommunications supply chains.

Implementation

The Strategy directs ONCD to coordinate implementation of the Strategy under the oversight of National Security Council staff and in coordination with OMB. The precise pace and course of these implementation efforts remain to be seen. Given the limited detail available on the potentially significant requirements described in the Strategy, companies should continue to monitor legal and regulatory developments and watch for opportunities to provide private sector input in legislative and administrative processes.

1 National Cybersecurity Strategy, National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov).

2 CSIS, The Biden-Harris Administration’s National Cybersecurity Strategy.

3 CISA, Cross-Sector Cybersecurity Performance Goals.

4 NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.

Healthcare Corner

Deputy VA Secretary Leading EHR Modernization Announces Departure

The Department of Veterans Affairs (VA) announced that Deputy Secretary Donald Remy will step down on April 1. Remy was sworn in on July 19, 2021 and oversaw the rollout of the VA’s Electronic Health Record modernization program. Guy Kiyokawa, VA’s Assistant Secretary for Enterprise Integration, will be stepping into the role of acting deputy secretary. Kiyokawa currently advises the VA on strategic planning, performance, and risk management; policy and analysis; data analytics, statistics, and governance; and interagency coordination and collaboration. Before serving at the VA, he was a Medical Service Corps Officer in the United States Army.

A View From Main Street

By Ken Dodds, Live Oak Bank

The following blog does not necessarily represent the views of the Coalition for Government Procurement.

Subk, Size Standard and FAR Updates

Accelerated Payment

Effective March 16, 2023, the FAR will be amended to provide for a goal of payment to small business prime contractors within 15 days of receipt of a proper invoice. In addition, the goal will be to pay prime contractors that subcontract with small business concerns within 15 days of receipt of an invoice if they agree to make payment to small business subcontractors within 15 days of receipt of the accelerated payment, assuming the small business subcontractor has submitted a proper invoice.[1]

NIST Launches New Cybersecurity Community of Interest for Small Businesses

FedScoop reports that the National Institute of Standards and Technology (NIST) launched a new cybersecurity community of interest for U.S. small businesses this week. The launch comes after President Biden released the National Cybersecurity Strategy last week, which focuses on “fundamentally reimagining America’s cyber social contract.” The community of interest will promote closer collaboration between NIST and small businesses that provide and use cybersecurity services, and aims to improve two-way sharing of information and cyber best practices.

During an event at the Department of Commerce’s National Cybersecurity Center of Excellence (NCCoE), Deputy Secretary of Commerce Don Graves said that the community of interest will help to better reflect the needs of smaller companies in NIST’s cybersecurity activities. He added that “smaller businesses that participate in this effort will inform NIST’s decisions about its broad portfolio of cybersecurity activities to ensure that they are as relevant and effective as ever.” NCCoE Deputy Director Natalia Martin urged small businesses to use the program to work with the NCCoE, and stated that they are receptive to feedback on what issues NIST should address through its portfolio.

Cyber Workforce Strategy to Address Deficit of More Than 700,000 Cyber Workers

Following the release of the National Cybersecurity Strategy, Kemba Walden, Acting National Cyber Director, spoke at the 2023 State of the Net Conference about an upcoming cyber workforce strategy, FCW reports. The Workforce Strategy will address a range of issues, including the lack of incoming talent as well as the training and development of current Federal employees. Walden questioned the need for “expensive certifications” for the Federal workforce and raised the possibility that agencies could adopt new approaches that would eliminate these requirements for most federal cybersecurity positions. A Request for Information issued last year by the Office of the National Cyber Director cited a shortfall of more than 700,000 cyber workers that the workforce strategy will need to address.

OIG Releases Report on GSA’s Login.gov Compliance with Digital Identity Standards

The GSA Office of Inspector General (OIG) released a report on GSA’s Login.gov service finding that it failed to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines. Login.gov, a component of GSA’s Technology Transformation Services (TTS), is GSA’s shared authentication and identity verification platform, built around multi-factor authentication, for customer agencies.

The evaluation found that, although GSA claimed Login.gov met the SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements, Login.gov has never performed the physical or biometric comparison that IAL2 requires. Under SP 800-63A, proofing at IAL2 must compare the applicant to the strongest piece of identity evidence presented, either physically (in person or over a supervised remote session) or biometrically (for example, matching a live photo of the applicant to the photo on the identity document); identity proofing that skips this step does not reach IAL2, whatever the service is labeled. According to the OIG, after suspending its efforts to meet the IAL2 requirements, GSA continued to mislead customer agencies and knowingly billed IAL2 customer agencies more than $10 million for services, including purported IAL2 services, that did not meet IAL2 standards. The report also asserts that GSA used misleading language to secure $187 million from the Technology Modernization Fund (TMF) for Login.gov, despite not complying with the IAL2 standards the agency had claimed to TMF it met. Finally, the OIG found that GSA lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture, and that, because it failed to exercise management oversight and internal controls over Login.gov, the Federal Acquisition Service (FAS) shares responsibility for the misrepresentations to GSA’s customers.

The report recommended that the FAS Commissioner take the following actions:

  • Establish adequate management controls over TTS.
  • Ensure adequate documentation of policies, decisions, procedures, and essential transactions involving TTS programs, including Login.gov, and records management in accordance with GSA standards.
  • Implement a comprehensive review of Login.gov billings for IAL2 services.
  • Establish a system for internal reviews of TTS programs to ensure that they comply with relevant standards.
  • Adopt a policy to clearly notify each customer agency seeking identity and authorization assurance services whether Login.gov meets all applicable NIST published standards and the services specified in the interagency agreements.

In his response to the report, FAS Commissioner Sonny Hashmi stated that GSA fully concurs with the OIG recommendations and will submit a corrective action plan in response. He also noted that a new Director of Login.gov was hired in February 2022 to oversee the program. To provide oversight and transparency, GSA has initiated a review of TTS financial operations, created a Technology Law Division to advise on technology-related standards, and created an executive steering committee for Login.gov.
