
Friday Flash 04/19/2024

FAR & Beyond: Procurement Flow-downs Can’t be One-sided!

Flow-down requirements are a unique, yet ubiquitous, feature of the federal acquisition system. Flow-down requirements impact prime contractors, subcontractors, customer agencies, contracting activities, and contracting officers. 

The Federal Acquisition Regulation (FAR) includes a host of contract clauses that must be flowed down to subcontractors. Moreover, given the procurement system’s focus on regulatory and performance compliance, prime contractors are incentivized to flow down as many clauses as possible beyond those mandatory flow-downs. Some of these additional flow-downs can be central to contract performance, like the Trade Agreement Act (TAA). The government expects, in the normal course of business, that prime contractors and subcontractors effectively address flow-down requirements to ensure contract compliance. 

Similarly, procurement policies and procedures flow down to the acquisition workforce through the FAR, General Services Acquisition Regulation (GSAR), acquisition letters, and other management guidance. These regulations and associated guidance address a host of contracting officer responsibilities, including but not limited to, proposal evaluation, negotiations, price and/or cost analysis, data rights, and foreign acquisition (e.g., TAA). 

For this reason, procurement policy flow-downs cannot be one-sided. The government rightly expects compliance from its industry partners regarding contract clause flow-down requirements. Likewise, industry partners and the public have a right to expect sound, effective flow-down of acquisition policies to the federal acquisition workforce. Unfortunately, the record in this regard is mixed, at best, and the General Services Administration’s (GSA’s) Multiple Award Schedule (MAS) program serves as a case in point. 

MAS contractors continue to experience challenges regarding the negotiation and administration of MAS contracts. These challenges often reflect unsound, ineffective flow-down of key policy guidance to the workforce. Many MAS contract negotiations are premised on positions and analysis that are inconsistent with the GSAR and FAR. As a result, contractors and offerors are being asked to make untenable business decisions in order to receive a MAS contract or have an option exercised. This result is especially problematic for small business concerns and, ironically, occurs at a time when the Administration and Administrator Carnahan are focused on supporting small business concerns entering the federal market. 

Investments in training, in-person and virtual, can help address the gap in knowledge (contractors report that some contracting officers are unfamiliar with the MAS pricing policies). This training should include a focus on commercial business practices and incorporate reverse industry days. Additionally, sound procurement management, consistent with the Senior Procurement Executive’s memorandum on the appropriate role of management in the GSA acquisition process (see SPE Memo SPE-2022-03), is vital to consistent, balanced application of the rules. The memo should be included in any GSA-specific acquisition training. Finally, FAS Policy and Procedure Memorandum 2021-05 (the PAP) should be rescinded, so as to allow contracting officers to rely on the guidance contained in the GSAR and the FAR when conducting MAS contract negotiations.

The PAP and a new Request for Information 

The PAP includes guidance that is inconsistent with the underlying GSAR pricing policies and the FAR. Some of this inconsistent guidance is punitive in nature (e.g., “all commercial customers” as the Basis of Award (BOA) tracking customer), especially negatively impacting small businesses. It also imposes, for all intents and purposes, new data collection requirements on contractors and offerors that are not in the GSAR. The (hopefully) unintended consequence of the PAP is to establish a new and different negotiation regulatory framework for contracting officers and contractors without the benefit of public notice and the opportunity to comment.   

In September 2023, the Coalition provided comments on the PAP to the Federal Acquisition Service (FAS). Subsequently, the Coalition has had the opportunity to engage with FAS regarding the PAP. FAS’s willingness to discuss the PAP is greatly appreciated and consistent with the need for transparency in policy making. Unfortunately, little has changed over the last eight months to address the significant policy questions raised by the PAP. In this regard, just this week FAS released a Request for Information (RFI) seeking feedback on “GSA FAS – MAS Pricing Practices – Market Research.” 

While GSA’s industry partners appreciate the opportunity to provide feedback and GSA’s apparent willingness to consider such feedback, the RFI is disappointing. It asks for information from industry without the appropriate context, specifically reference to the PAP. Without the context of the PAP, the public will not be able to provide effective feedback and/or useful information to FAS. The PAP text should be included as part of the RFI with specific questions tailored to those parts of the PAP where FAS is seeking feedback/information. This step towards greater transparency is in the public interest.     

The RFI questions/data requests, in some cases, make troubling assumptions regarding the validity of certain “policy positions” taken in the PAP. One regards what seems to be a standard policy view that invoices and other documentation are required as part of an offer. The GSAR does not reflect this view. A second, significant view is the RFI’s endorsement of the use of “all commercial customers” as the BOA customer for contractors with limited commercial sales. This position is fundamentally inconsistent with the GSAR. In the RFI, FAS even goes so far as to say that use of “all commercial customers” as the BOA “provides the government with the best price protection.” It does not.

Competition at the task and delivery order level provides the best price protection for the government because it is the point at which requirements are definitized, and thus vendors are incentivized to offer their best solutions. Further, the use of “all commercial customers” is a profoundly anti-competitive measure, as it restricts the ability of contractors to compete in the commercial marketplace independently and effectively. This measure is especially punitive to small businesses seeking to grow their federal and commercial business. It is shocking that FAS continues to impose this anti-small business policy on firms, as it is fundamentally at odds with the Administration’s efforts to reduce barriers and increase opportunities for small businesses. 

Based on the foregoing, the RFI should be rescinded, revised, and republished with the PAP. Alternatively, if the PAP is itself rescinded, the RFI could reference the GSAR, as appropriate. These actions would provide the public with a fully transparent opportunity to provide useful feedback to FAS. To this end, the Coalition stands ready to work with all stakeholders on training for the acquisition workforce, including participation in reverse industry days.  


GSA Seeks Input on “Fair and Reasonable” Schedule Pricing 

The General Services Administration (GSA) Federal Acquisition Service (FAS) announced that it is reviewing existing agency practices related to conducting price analysis and determining “fair and reasonable” prices on Multiple Award Schedule (MAS) contracts.  

To support its review, GSA has issued a Request for Information (RFI) to all MAS contractors. The purpose of this RFI is to seek industry input on a select number of questions related to MAS pricing.  

Click on this link to access the Market Research As a Service (MRAS) RFI. To download a PDF of the RFI, click here. The RFI can also be accessed through the System for Award Management (SAM). Responses to the RFI are due on Wednesday, May 8, 2024.


Explore the Latest Agenda and Register for the Spring Training Conference! 

Excitement is mounting with only three weeks remaining until the Coalition’s 2024 Spring Training Conference – What is Fair and Reasonable, Part 2: Let’s Continue the Dialogue! This educational event promises opportunities to network with Federal acquisition leaders and member colleagues, and to gain valuable insights into the latest procurement policies, programs, and initiatives. Join us on May 8-9 at the Fairview Park Marriott in Falls Church, VA to continue the engaging discussion from last year on “What is Fair and Reasonable?” in the Federal marketplace. Check out the two-day agenda, which features a governmentwide day and a healthcare day, and register below! 

Click HERE to register today!   

Hotel Room Block 

Please note that the room block at the Fairview Park Marriott, the location of the conference, has sold out. However, the Coalition has secured an additional room block at the Residence Inn by Marriott Fairfax Merrifield, located 1.5 miles away from the Fairview Park Marriott. Transportation to the conference will be provided for guests staying at the Residence Inn Marriott via shuttle in the morning and evening on Wednesday and Thursday.  

Book your group rate for CGP Spring Training Conference at the Residence Inn Marriott by clicking here. The cutoff date for this room block is Friday, April 19.  
 
As a reminder, the Spring Training Conference will be at the Fairview Park Marriott in Falls Church, VA, located 1.5 miles away from the Residence Inn Marriott.  

Keep reading to learn more about the engaging two-day agenda that we have planned!     

Governmentwide Day, May 8    

Day one of the conference includes a diverse lineup of sessions that cover topics pertaining to GSA and other agencies. After welcome remarks by Coalition president Roger Waldron, the morning will officially kick off with our Keynote Address on The Government-wide Better Contracting Initiative, for which we have invited Christine Harada to address our members. Ms. Harada serves as the Senior Advisor, Office of Federal Procurement Policy, for the Office of Management and Budget. Following the Keynote Address, the general sessions will continue on:    

  • Generative AI in Federal Procurement    
  • Cybersecurity (CMMC, Cyber Threat Reporting, and More)    
  • The Federal Procurement State of Play; and    
  • FAS Executive Panels (IT, Professional Services, and Assisted Services Panel and Catalog, General Supplies and Services Panel)    

The first group of afternoon breakout sessions will cover:    

  • GSA IT Schedules and GWACs    
  • GSA E-Tools    
  • Assisted Acquisition Services   
  • Office Management Branch   
  • Furniture   

The second group will include:    

  • Small Business    
  • Professional Services Category    
  • Cloud and Software   
  • General Supplies and Services    

Another popular feature members look forward to is the ability to have one-on-one conversations with different Federal PMOs. We are pleased to announce that on day one, the following tables will be set up in the foyer:    

  • Ask the MAS PMO    
  • Ask the SAM.gov PMO    
  • GSA Pricing Tools    
  • VA Med/Surg Supply BPA Tables    

Please find the complete day one DRAFT agenda here.    

Healthcare Day, May 9    

Day two will feature speakers from the Department of Veterans Affairs (VA), Department of Health and Human Services (HHS), Defense Health Agency (DHA), and Defense Logistics Agency (DLA), starting with Keynote speaker, Al Montoya, Acting Assistant Under Secretary for Health for Support Services, VHA, who will discuss Optimizing Healthcare Delivery for Veterans. The general sessions following the Keynote speaker will include:    

  • VA Acquisition Leadership Panel    
  • Supporting Healthcare Agency Missions Panel 
  • Defense Health Agency Lunch Keynote with CIO Pat Flanders   
  • Medical Logistics and Supply Chain Panel    

The first group of afternoon breakout sessions will include:    

  • The Latest on DHA Pharmaceutical Contracts    
  • VA Prosthetics    

The second group will include:    

  • Medical/Surgical Supplies    
  • VA FSS Pharmaceutical 
  • ECAT    

The tables featuring government programs in the foyer on day two will be Ask the PMO – VA Federal Supply Schedule (FSS) and the Ask the PMO – SAM.gov Table. In addition, there is a new Ask the PMO – VA Prosthetics Table.    

Please find the complete day two DRAFT agenda here.    

Both days will conclude with a networking reception that encourages all conference participants to continue conversations from the day, collaborate with other procurement professionals, and build valuable connections. We look forward to seeing you at the Conference on May 8-9!    


Help Prepare our Conference Speakers by Submitting Your Questions by April 30 

The Coalition is looking forward to seeing you at the Spring Training Conference in a few weeks! We encourage you to check out the agendas and register for the conference here.

Submit Questions/Topics 
Our Government speakers are very interested in covering the topics and questions that are of most interest to our members. Please submit any questions/topics you have to Michael Hanafin at mhanafin@thecgp.org by Tuesday, April 30.  

May 8 

  • GSA IT Schedules and GWACs    
  • GSA E-Tools    
  • Assisted Acquisition Services   
  • Office Management Branch   
  • Furniture      
  • Small Business    
  • Professional Services Category    
  • Cloud and Software   
  • General Supplies and Services    

May 9 

  • The Latest on DHA Pharmaceutical Contracts    
  • VA Prosthetics     
  • Medical/Surgical Supplies    
  • VA FSS Pharmaceutical 
  • ECAT    

Thank You to Our 2024 Spring Training Conference Sponsors! 

The Coalition sincerely thanks our sponsors of the Spring Training Conference for their generous support! Because of your partnership, we can provide invaluable opportunities for learning, networking, and collaboration. Your contributions have not only made this conference possible but have also empowered us to continue our mission of promoting common sense in government procurement! 

If you are interested in securing a future sponsorship, please contact Heather Tarpley at htarpley@thecgp.org or 202-315-1055. To view the 2024 Sponsorship Prospectus, click here.


AvKARE – Platinum Sponsor of the Spring Training Conference

Control Cramps Today

Control is a revolutionary menstrual cramp relief cream that provides fast and effective pain relief, allowing women to conquer their day without discomfort. With its fast-acting soothing formula, Control helps women take charge of their menstrual cycle confidently and comfortably.


Coalition Submits Comments on FFATA

On Monday, the Coalition submitted comments on GSA’s information collection extension for Federal Funding Accountability and Transparency Act (FFATA) reporting.

In our comments, members expressed their concerns about the relevance of FFATA reporting and the burden it imposes on contractors. We then provided suggestions about how GSA can improve the user-friendliness of FFATA reporting. Under the FFATA, all Federal contractors must publicly report information about subcontract awards over $30,000, and some contractors must report their executive compensation.

To see the comments, click here. For any questions regarding these comments, please contact Ian Bell at ibell@thecgp.org. Thank you to all the members who contributed to their development.


GSA Publishes MAS Refresh 20 

GSA has now published the final text of Refresh 20 of the Multiple Award Schedule (MAS) solicitation. The refresh addresses procedures around non-compliance and cancellation in the instructions to all offerors, adds a note to the “Contract Price Lists” clause that states that all commercially available off-the-shelf (COTS) products should be posted for sale on GSA Advantage! and not be duplicated in GSA’s eLibrary, and makes some modifications to price proposal templates and letters of supply. The refresh also makes changes to specific SINs and subcategories in six large categories, including Facilities, Furniture & Furnishings, and Information Technology. GSA also published the questions and answers from a session on the update it held earlier this month. 


CISA Releases New AI Deployment Guidance 

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with other intelligence and security agencies in the “Five Eyes” cohort, released new guidance on how to deploy artificial intelligence (AI) systems securely, NextGov reports. The guidance is targeted at organizations that supply and operate externally developed AI systems and has three goals: 

  1. Improving the confidentiality, integrity, and availability of AI systems; 
  2. Ensuring there are appropriate mitigations for known vulnerabilities in AI systems; and 
  3. Providing methodologies and controls to protect, detect, and respond to malicious activity against AI systems and related data and services. 

Earlier guidance from this cohort, which includes the security agencies of the United States, United Kingdom, Australia, New Zealand, and Canada, addressed secure AI development and secure AI use.  

The new guidance applies familiar software and security best practices to the AI context, like hardening deployment environments and protecting networks. The authors note that “models” are “software, and like all other software may have vulnerabilities, other weaknesses, or malicious code or properties.” AI-specific suggestions include: 

  • Protecting model weights, which are the key determinants of model behavior; 
  • Actively monitoring model architecture and behavior; and  
  • Using cryptographic methods to confirm the integrity of artifacts and prevent unauthorized access.  
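The last two bullets, protecting model weights and cryptographically confirming artifact integrity, come down to one control at load time: refuse to load a model bundle whose files do not match an authenticated manifest. The following is an added example written for this page, not code from CISA or the guidance. It assumes a hypothetical bundle directory containing `weights.bin` and `config.json`, uses an HMAC-SHA256 under a shared key (`PUBLISH_KEY`, a constant here only so the example runs offline) as a stand-in for the digital signature a real publishing pipeline would apply, and constructs its own sample files and tampering cases.

```python
"""Added example: verify a model artifact bundle against an authenticated
manifest before loading it. Not code from CISA or the guidance; the key, file
names and scenarios below are constructed for illustration."""
import hashlib
import hmac
import json
import os
import tempfile

# Stand-in for a signing key. In production this lives in a KMS/HSM and the
# serving host holds only the verification side (e.g. a public key).
PUBLISH_KEY = b"example-key-not-for-production"


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256; weight files are too large to read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Canonical JSON so the same file set always produces the same bytes to MAC.
    return json.dumps({"files": files}, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifact_dir: str, key: bytes) -> dict:
    """Digest every artifact, then authenticate the digest list itself.
    Without the MAC, an attacker who can rewrite weights.bin can rewrite its
    expected digest too, and the check proves nothing."""
    files = {name: sha256_file(os.path.join(artifact_dir, name))
             for name in sorted(os.listdir(artifact_dir))}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_artifacts(artifact_dir: str, manifest: dict, key: bytes) -> tuple:
    """Return (ok, reason). Any deviation from the manifest is a refusal to load."""
    files = manifest.get("files", {})
    expected_tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    # Constant-time comparison: this MAC check is the only thing an attacker who
    # controls the manifest has to defeat.
    if not hmac.compare_digest(expected_tag, manifest.get("hmac", "")):
        return False, "manifest authentication failed"
    present = set(os.listdir(artifact_dir))
    missing = set(files) - present
    if missing:
        return False, f"missing artifact(s): {sorted(missing)}"
    extra = present - set(files)
    if extra:
        # An unlisted pickle or custom-op library next to the weights is exactly
        # the "malicious code or properties" the guidance warns models may carry.
        return False, f"unlisted artifact(s): {sorted(extra)}"
    for name, digest in files.items():
        actual = sha256_file(os.path.join(artifact_dir, name))
        if not hmac.compare_digest(actual, digest):
            return False, f"digest mismatch: {name}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a clean bundle, then three tampering cases."""
    results = {}
    weights = os.urandom(4096)  # stand-in for real model weights
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "weights.bin"), "wb") as f:
            f.write(weights)
        with open(os.path.join(d, "config.json"), "w") as f:
            json.dump({"arch": "transformer", "layers": 12}, f)
        manifest = build_manifest(d, PUBLISH_KEY)
        results["clean"] = verify_artifacts(d, manifest, PUBLISH_KEY)

        # 1. Weights swapped on the serving host; manifest untouched.
        with open(os.path.join(d, "weights.bin"), "r+b") as f:
            f.write(b"\xff")
        results["tampered_weights"] = verify_artifacts(d, manifest, PUBLISH_KEY)

        # 2. Attacker rewrites the manifest to match, but lacks the key.
        forged = build_manifest(d, b"wrong-key")
        results["forged_manifest"] = verify_artifacts(d, forged, PUBLISH_KEY)

        # 3. Weights restored, but an unlisted loader hook appears beside them.
        with open(os.path.join(d, "weights.bin"), "wb") as f:
            f.write(weights)
        with open(os.path.join(d, "custom_ops.py"), "w") as f:
            f.write("import os\n")
        results["extra_file"] = verify_artifacts(d, manifest, PUBLISH_KEY)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

The design point is that the manifest, not the individual digests, is the trust anchor: digests alone only detect corruption, while the authenticated manifest detects substitution, and the "no unlisted files" rule closes the common gap where a loader happily imports whatever sits next to the weights.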

In a press release, the National Security Agency, which also worked on the guidance, said that it planned to develop further guidance as AI continues to evolve, including on “data security, content authenticity, model security, identity management, model testing and red teaming, incident response, and recovery.” 


RFI on the Responsible Procurement of AI

On March 29, the Office of Management and Budget (OMB) issued a Request for Information (RFI) on the responsible procurement of artificial intelligence (AI) in the government. OMB is releasing the RFI in concurrence with its recent memo directing Federal agencies to manage the public’s rights and safety risks associated with the use of AI. An AI Executive Order required OMB to “develop initial means to ensure that agency contracts for acquiring AI systems and services align with the guidance provided in the memo” within 180 days of its release.  

OMB issued the RFI to assist with the development of an initial means for agencies to responsibly procure AI. The RFI contains a series of questions on two topic areas: Strengthening the AI Marketplace and Managing the Performance Risks of AI. In addition, responders may provide feedback on any topic they believe will have “implications for the procurement of AI by Federal agencies.” 

Thank you to all members who have submitted feedback on this RFI. The Coalition is drafting comments and will have a response available for member review next week. If you have any questions please contact Joseph Snyderwine at JSnyderwine@thecgp.org.


Covington – Platinum Sponsor of the Spring Training Conference

Today’s multidimensional issues demand a multidisciplinary approach

Covington brings rare insight and practical advice to avoid pitfalls, solve problems, and seize opportunities around the world

Watch the Full Video.


Login.gov Pilot to Enhance Identity Verification Technology 

Last week, GSA’s Technology Transformation Services (TTS) announced plans for a Login.gov pilot program to provide enhanced facial matching technology consistent with the National Institute of Standards and Technology’s Digital Identity Guidelines (SP 800-63-3) to achieve evidence-based remote identity verification at Identity Assurance Level 2 (IAL2). Login.gov is GSA’s single sign-on platform that currently provides over 49 million active users with secure access to online government benefits and services. The pilot will begin in May with selected agency partners and will allow users to match a live “selfie” with their self-supplied photo identification, such as a driver’s license.  

“We look forward to soon launching this new identity verification pathway for our agency customers that will protect user data, prevent fraud, and align with IAL2 guidelines – all while doubling down on our strong commitment to privacy, accessibility, and security,” said Ann Lewis, Director of TTS. “This will be a key step in helping federal and state agencies that require an IAL2-compliant solution to more easily deliver benefits to millions of Americans in a secure, seamless, and timely way.”  

GSA also plans to expand its “visible, upfront option” to verify identity in person through a partnership with over 18,000 U.S. Postal Service locations. Additionally, Login.gov plans to roll out a new pricing model for agencies on July 1, 2024. The model aims to provide access to the service for agencies of all sizes. According to GSA, “The pricing model is based on extensive forecasting that helps ground Login.gov’s future in a long-term, sustainable financial model.” 


Alliant 3 Presolicitation Notice  

GSA released an Interact notice stating that it intends to release the official Request for Proposal (RFP) for the Alliant 3 Governmentwide Acquisition Contract (GWAC) Unrestricted in the third quarter of fiscal year 2024. GSA recommends that all potential offerors ensure their legal entity is registered in SAM.gov with an up-to-date account containing a corresponding and validated Unique Entity Identifier (UEI). GSA intends to award Alliant 3 contracts to 76 offerors (plus ties). The presolicitation notice will be updated to include a link to Symphony, the proposal intake system, so that organizations can prepare for proposal submission and become familiar with the software. 

The following draft Alliant 3 GWAC sections and attachments have been released on SAM.gov early to support the proposal development and decision-making process of potential offerors.

Alliant 3 Draft Sections: 

  • L.5.1.1 Standard Form (SF) 33 and SF-30 for Amendments 
  • L.5.1.4 Existing Joint Venture, if applicable 
  • L.5.1.4.1 Claiming Relevant Experience from an Existing or Previous Joint Venture 
  • L.5.1.4-Alt Small Business Contractor Teaming Arrangements 
  • L.5.1.4.1-Alt. Small Joint Venture 
  • L.5.1.4.2-Alt. Small Business with Subcontractors 
  • L.5.1.4.3-Alt. Small Business Mentor-Protégé CTAs 
  • L.5.1.4.4-Alt. Claiming Small Business Prime Contractor Relevant Experience from an Existing or Previous Joint Venture 
  • L.5.1.5 Meaningful Relationship Commitment Letters 

Alliant 3 Attachments: 

GSA will allow the following versions of the listed attachments to be included in an Offeror’s proposal submission with the appropriate representative signature. 

  • J.P-1 A3 Contractor Teaming Arrangement Template 
  • J.P-2 A3 Primary NAICS Code Relevant Experience Project Template 
  • J.P-3 A3 Emerging Technology Relevant Experience Project Template 
  • J.P-4 A3 Subcontractor Experience Project Template 
  • J.P-5 A3 Small Business Engagement Template 
  • J.P-6 A3 Past Performance Rating Template 

Symphony Information: 

An online training event will be conducted for Symphony for all potential offerors. Please see the following instructional video on YouTube for more user information: https://www.youtube.com/watch?v=Caq0LZWiNyg 


VA Data for Healthcare Members

To increase the number of valuable tools available for members, the Coalition has compiled several data sets pertaining to VA Medical Centers’ procedures, diagnoses, and product spend. Below is a description of the different VA data reports that the Coalition can provide to healthcare members based on areas of interest to their business:   

  • Diagnosis data by each VA Medical Center: Members can request a report by providing the relevant International Classification of Diseases (ICD)-10 codes of interest to their business.  
  • Procedure data by each VA Medical Center: Members can request a report by providing the relevant Current Procedural Terminology (CPT) codes of interest to their business.  
  • Prosthetic (medical implants, DME) product spend by VA Medical Center: members can request a report by providing the relevant Healthcare Common Procedure Coding System (HCPCS) codes of interest to their business for items managed by VHA Prosthetics.  

For any data requests or related questions, please contact Michael Hanafin at mhanafin@thecgp.org.


The Legal Corner provides the procurement community with an opportunity to share insights and comments on relevant legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

Authored by Townsend Bourne, Sheppard Mullin

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released its new Proposed Rule pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which was published in the Federal Register on April 4, 2024 and is open for public comment through June 3, 2024. The Proposed Rule would be codified in Title 6 of the Code of Federal Regulations as a new Part 226, within the Department of Homeland Security’s regulations on Domestic Security.

We read the 400-plus page document so you don’t have to, and outline the “Who, What, When, Where, Why & How” of CISA reporting for critical infrastructure below.

Author’s Note

As a brief aside – while I was not initially pleased to learn the length of this proposed rule, which resulted in me spending a good chunk of two weekends diving into it, I found the discussion in CISA’s publication to be understandable, helpful, and (gasp!) overall quite reasonable.

CISA discusses its process for determining key definitions in the rule (including approaches it considered and ultimately discarded); provides an overview of current cyber incident reporting requirements in the U.S. (as part of a discussion regarding its harmonization efforts, for which a lot of us had high hopes that will not be realized); and gives us examples of what may and may not constitute a reportable incident under the rule (for example, short-term unavailability of a business system or temporary rerouting of network traffic, or even exploitation of a known vulnerability by a threat actor that is quickly detected and remediated, typically would not be considered reportable incidents).

Kudos also goes to CISA for putting in writing something all of us know and have been grappling with when considering the timeline for reporting: “CISA recognizes that covered entities may require some limited time to conduct preliminary analysis before establishing a reasonable belief that a covered cyber incident has occurred and thereby triggering the 72-hour timeframe for reporting.” While the threshold for reporting under CISA’s rule is higher than, for example, under the Department of Defense’s (“DoD’s”) cyber incident reporting rule (which requires reporting of incidents involving activities that “may have” occurred), this is a welcome acknowledgement of the practicalities of cyber incident detection and response.

Who is “Covered”?

CISA’s new Proposed Rule will require cyber incident reporting for covered entities in all 16 critical infrastructure sectors. Entities that meet certain threshold criteria – regardless of size – are covered by the rule. Businesses that are small per the Small Business Administration’s size standards, and not otherwise covered by the threshold criteria, are excluded from the definition of “covered entities.” Large entities in each of the critical infrastructure sectors are covered by the rule regardless of whether they meet the threshold criteria.

The Proposed Rule includes threshold criteria for entities in 13 of the 16 critical infrastructure sectors. These are listed below – threshold criteria for sectors of key interest to government contractors are set forth in more detail.

  1. Chemical Sector – any entity that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards
  2. Communications Sector – any entity that provides communications services by wire or radio communications to the public, business, or government
    • This will apply to telecommunications carriers, and wireless and internet service providers to the Federal government.
  3. Critical Manufacturing Sector – any entity that owns or has business operations that engage in one or more of four key manufacturing industries that make up this sector
  4. Defense Industrial Base Sector – any entity that is a contractor or subcontractor required to report cyber incidents to DoD per DFARS 252.204-7012
    • This pulls in any DoD contractor or subcontractor, regardless of size, that handles Controlled Unclassified Information (“CUI”).
  5. Emergency Services Sector – any entity that provides one or more of certain emergency services or functions to a population equal to or greater than 50,000 individuals
  6. Energy Sector – any entity that is required to report cybersecurity incidents under NERC’s CIP Reliability Standards or file an Electric Emergency Incident and Disturbance Report OE-417 form, or any successor form, to the Department of Energy
  7. Financial Services Sector – three categories of entities that have the potential to impact the economic security of the nation
  8. Government Facilities Sector – entities that meet one of three criteria relating to state, local, tribal, and territorial government; education; or election processes
  9. Healthcare and Public Health Sector – any entity that meets certain criteria relating to patient services, and certain drug and device manufacturers
  10. Information Technology Sector – any entity that meets one or more of four criteria, including any entity that (a) knowingly provides IT hardware, software, systems, or services to the Federal government; (b) has developed and continues to sell, license, or maintain any software that meets the definition of “critical software” as defined by NIST; (c) is an OEM, vendor, or integrator of OT hardware or software components; or (d) performs functions related to domain name operations.
    • This pulls in all government IT product and services providers as well as companies that develop or resell “critical software” as defined per Executive Order 14028.
  11. Nuclear Reactors, Materials, and Waste Sector – any entity that owns or operates a commercial nuclear power reactor or fuel cycle facility
  12. Transportation Systems Sector – certain entities that meet criteria relating to non-maritime transportation, or own or operate a vessel, facility, or outer continental shelf facility
  13. Water and Wastewater Systems Sector – certain owners and operators of a Community Water System or a Publicly Owned Treatment Works (“POTWs”)

For entities in the other three sectors, the Commercial Facilities Sector, Dams Sector, and Food and Agriculture Sector, CISA is not proposing sector-based threshold criteria, but large businesses in these sectors will be considered “covered entities.”

It is estimated the Proposed Rule will impact over 300,000 entities.

What needs to be reported?

The Proposed Rule will require covered entities to report “substantial cyber incidents” in addition to ransom payments, and to provide supplemental reports when new or material information is identified. The proposed definition for a “substantial cyber incident” focuses on outcomes rather than the cause of an incident, and is defined as an incident that leads to any of the following:

  1. A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
  2. A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  3. A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
  4. Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

Note items #1 and #2 above include a further qualifier of “substantial” or “serious” loss or impact, a somewhat subjective standard that companies will need to examine. For #3, while there is no additional express qualifier, CISA says it “believes it is appropriate to read into the prong some level of significance.” However, for #4, due to the “seriousness of unauthorized access through a third party,” such as a cloud service provider (“CSP”) or managed services provider (“MSP”), CISA takes a different view and does not further qualify the need to report. Where the cause is unknown, an entity should report if there is a “reasonable belief” that unauthorized access was caused by a third-party provider or supply chain compromise.

Unlike the current DoD cyber incident reporting provision and others currently in effect (which require reporting for “potential” effects), CISA will only require reports where the incident actually results in one or more of the above impacts.

The Proposed Rule contemplates certain exceptions to the reporting requirement, including when a covered entity reports “substantially similar information in a substantially similar timeframe” to another agency and CISA has a CIRCIA Agreement in place with that agency. We expect the DoD to be at the very top of this list where many DoD contractors already have an obligation to report cyber incidents within 72 hours.

Note the Proposed Rule explicitly allows a third party (such as an Incident Response (“IR”) company, insurance or other service provider, or law firm) to submit reports on behalf of a covered entity, a practice that already occurs in the cyber reporting world and is now explicitly acknowledged here by CISA. The third party will have to attest that it has consent to submit the report. Separately, CISA continues to encourage voluntary reporting for incidents that may not be covered under the new rules.

When does the reporting period begin?

Covered entities will be required to report covered cyber incidents within 72 hours after having a “reasonable belief” that a covered cyber incident has occurred and report ransom payments within 24 hours of the payment being made. As noted above, CISA seems to be trying to take a reasonable approach here, further stating that a reasonable belief “is subjective and will depend on the specific factual circumstances related to the particular incident” and it “does not expect a covered entity to have reached a ‘reasonable belief’ that a covered cyber incident occurred immediately upon occurrence of the incident…”

Supplemental reports are to be provided “promptly” where the covered entity obtains “substantial new or different information.” CISA says this means where additional information responsive to a data field in the CIRCIA Report is available or it becomes known that information included in a previously submitted report is materially incorrect or incomplete. This approach seems to be much more workable than that currently contemplated in the FAR Council’s proposed rule for Cyber Threat and Incident Reporting and Information Sharing, which would require covered contractors to provide updates every 72 hours regardless of whether new key or material information is available.

Where might I end up if I fail to follow the rule?

CISA discusses several enforcement mechanisms for covered entities that fail to report in accordance with the rule. These include (1) issuance of an RFI for more information; (2) issuance of a subpoena; (3) referral to the Attorney General for potential civil court action; and (4) initiation of suspension and debarment procedures. And, false or fraudulent statements in a CIRCIA Report or other response to CISA could result in penalties under 18 U.S.C. § 1001, a criminal statute.

The Proposed Rule also includes a data preservation component to require preservation of data relevant to a covered entity’s reporting (such as communications with the threat actor; indicators of compromise; log entries and forensic images; etc.) for two years from submission of the CIRCIA Report or supplemental report.

Why are we getting these new regulations?

The proposed regulations are being promulgated under CIRCIA, an act passed in 2022 to address cyber threats posed to U.S. critical infrastructure, which may impact national security, economic security, and public health and safety.

How do I submit comments?

Comments may be submitted until June 3, 2024 via the Federal eRulemaking Portal at http://www.regulations.gov (Docket No. CISA-2022-0010). CISA is interested in comments on all aspects of the Proposed Rule.


Healthcare Corner: March VA EHR Rollout Prompts Cautious Optimism 

NextGov reports that, in a Tuesday hearing, VA Secretary Denis McDonough said that the VA’s most recent rollout of its new Electronic Health Record (EHR) system “has been successful so far” and reiterated that the VA would restart deployments before the end of fiscal year (FY) 2025. Secretary McDonough testified before the House Appropriations Subcommittee on Military Construction and Veterans Affairs. In his testimony, McDonough said that feedback on the March rollout of the system at Lovell Federal Health Care Center in Chicago, a joint facility shared by the VA and DoD, has been “very positive.” He noted that the department would continue to monitor the situation, as in the past, issues have cropped up in the first several months after successful deployments.  

Addressing a question from Representative John Carter (R-TX), Secretary McDonough said that the VA planned to use prior appropriations for the rollouts because the Administration’s FY25 budget request does not include funding for additional deployments. McDonough communicated the same information last week before the full committee. 

The VA has not been transitioning facilities to the new EHR since last April, after invoking a “reset” to allow the department to address concerns related to the system’s usability and safety. The most recent VA Office of Inspector General (OIG) report on the software, issued in March, uncovered issues with sending information from new EHR sites to legacy EHR sites. The OIG found that inefficiencies from the EHR forced the VA Central Ohio Healthcare System in Columbus to increase pharmacist staffing by 62 percent. 


View from Main Street: NAICS Code Appeal; SAM Registration

Updates on Timely Topics Impacting the Government Contracting Industry from Vice President of Acquisition Policy, Ken Dodds

NAICS Code Appeal involving Class Waiver of the Nonmanufacturer Rule

The Department of Veterans Affairs (VA) issued a solicitation for medical emergency alert devices (MEADs) as a small business set-aside. The contracting officer (CO) assigned North American Industry Classification System (NAICS) code 334220, Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing, to the solicitation, with a 1,250-employee size standard. A prospective offeror filed a NAICS appeal, arguing that the correct NAICS code was 334510, Electromedical and Electrotherapeutic Apparatus Manufacturing. The NAICS code suggested by the appellant also had a 1,250-employee size standard. However, a class waiver of the nonmanufacturer rule (NMR) was in place for the NAICS code suggested by the appellant, which would allow the appellant to offer the product of a large business on a small business set-aside. A class waiver did not exist for the NAICS code selected by the CO, and the CO had not requested an individual waiver of the NMR for the solicitation, which meant an offeror would have to supply the product of a small business.

The appellant argued that MEADs are electromedical apparatus and diagnostic and patient monitoring devices covered by the class waiver. The VA argued that it was seeking to acquire telecommunication devices with Global Positioning System capability, and that the MEADs are more like wireless communication devices, not therapeutic or diagnostic equipment. The Small Business Administration’s Office of Hearings and Appeals (OHA) determined that although the two NAICS codes have the same size standard, the appellant had standing to challenge the CO’s NAICS code selection. The appellant was adversely affected by the CO’s selected NAICS code because it could not qualify as a small business under that NAICS code.[1] Nevertheless, OHA denied the appeal and found that the CO had selected the appropriate NAICS code for the solicitation of MEADs.[2]    

Expired SAM Registration

An offeror must be registered in the System for Award Management (SAM) at the time of offer. The Federal Acquisition Regulation (FAR) further provides that the offeror “shall continue to be registered until time of award” and throughout performance until contract closeout.[3] A firm’s SAM registration lasts for one year from the time the firm submits information or updates its information in SAM. The General Services Administration (GSA) manages SAM and sends out emails reminding firms to review their information in SAM and update or confirm their information prior to expiration of their SAM registration. When a firm updates or confirms its information in SAM, GSA contacts the Internal Revenue Service to verify the firm’s taxpayer identification number and then contacts the Defense Logistics Agency to verify the firm’s Commercial and Government Entity code. Once verified, GSA then updates the firm’s status to “Active” in SAM.    

In this bid protest, the protested concern submitted its offer on September 15, 2023. On December 8, 2023, the protested concern updated its information in SAM. On December 11, 2023, the protested concern’s SAM registration expired. On December 12, 2023, GSA designated the protested concern’s SAM registration as “Active.” The procuring agency awarded the contract to the protested concern on December 26, 2023. An unsuccessful offeror protested, and the Government Accountability Office sustained the protest.[4] The protested concern was ineligible for award because its SAM registration had briefly expired and therefore it was not “Active” through contract award as required by the FAR. Although the protested concern updated or confirmed its information in SAM prior to expiration, GSA notified the firm that its status in SAM would be designated as “Submitted” until GSA verified the information and changed the firm’s status to “Active.”      

[1] 13 CFR 134.302(b).

[2] NAICS Appeal of First Nation Group, LLC, SBA No. NAICS-6270 (2024).

[3] FAR 52.204-7(b)(1).

[4] TLS Joint Venture, LLC, B-422275, Apr. 01, 2024.


Off the Shelf: Healthcare and Its Impact on the VA’s Mission 

Anthony Principi, Principal of the Principi Group, and former Secretary of Veterans Affairs (VA), joined Off the Shelf for a discussion on the evolving healthcare environment and its implications for the VA’s mission. During the interview, Principi highlights the advances in medical technologies, treatments, and protocols that have reduced the need for hospital beds and resulted in a VA medical infrastructure that is a mismatch due to its surplus number of hospitals and facilities. He also talks about efforts over the last 20 years to address the VA’s healthcare infrastructure, taking into consideration the evolving healthcare environment. 

Principi outlines the critical role the VA healthcare system plays in our nation, including medical research, training, and serving as the national healthcare backstop in times of emergency. The conversation also includes Principi’s thoughts on leadership and management, often drawing on key experiences during his time in government. Finally, Principi highlights the noble mission of the VA in delivering critical healthcare to veterans. 

Listen to the full podcast here.  


Cyber Command Expands Use of Nontraditional Acquisition Strategies 

Federal News Network reports that the U.S. Cyber Command (CYBERCOM) is seeking to expand its acquisition team and use of flexible purchasing strategies as the agency’s role in cyber procurement increases within the Department of Defense (DoD). In FY16, CYBERCOM was granted limited acquisition authority by Congress, with 10 billets and $75 million in buying authority over five years. Congress has since removed these restrictions, and the command is looking to add 50 billets this year. In addition, CYBERCOM was designated as a Federal laboratory earlier this year, which allows the command more authorities to collaborate with industry and academia on technology research. The command was also given “enhanced budgetary control” on how DoD makes cyber investments.  

CYBERCOM is currently standing up a program management office for DoD’s Joint Cyber Warfighting Architecture, which is “a collective term for the cyber products and services used across the military services by the 133-team Cyber Mission Force.” While in the process of enhancing its acquisition program and buying new cyber capabilities, CYBERCOM is looking to use nontraditional methods and flexibilities. For example, the command collaborated with the Defense Innovation Unit (DIU) to procure cyber mission kits using DIU’s prototyping process that utilizes Other Transaction Authorities (OTAs). CYBERCOM is also leveraging DoD’s Adaptive Acquisition Framework to mold its procurement strategy, specifically the software acquisition and middle tier acquisition pathways that allow for agile development and quick prototyping. CYBERCOM will also focus on training its acquisition workforce through the Defense Acquisition University. 


RFI on FAR Part 40, Information and Supply Chain Security

On Wednesday, the Federal Acquisition Regulation (FAR) Council released a Request for Information (RFI) asking for feedback on the scope and organization of the new FAR Part 40, “Information and Supply Chain Security.” The Council created the new part, which is currently empty and was announced last week, to make it easier to find policies on information and supply chain security that are currently spread throughout the FAR. The RFI asks commenters to review a list of parts or subparts (click here to see the list) that might be located in or relocated to the new part. It also asks them to suggest what additional sections of the FAR could benefit from relocation and to offer “specific suggestions … for otherwise improving the proposed scope or subparts of FAR part 40.”

The Coalition is considering submitting feedback to the RFI. If you have feedback on the creation of FAR Part 40 and any potential parts or relocations, please contact Ian Bell at ibell@thecgp.org by May 10. Comments on the RFI are due June 10.


New Webinar: Joint Ventures on the GSA Schedule: Understanding Unique Challenges and Risks, April 24 

The Coalition is pleased to host a webinar on April 24 from 12:00 – 1:00 PM (ET) with guest presenters Jacelyn Ferriell, Senior Manager, Government Contracting, Aprio and David S. Black, Co-Chair, National Government Contracts Team, Holland & Knight LLP on Joint Ventures on the GSA Schedule: Understanding Unique Challenges and Risks

Joint ventures are a popular structure for seeking a GSA Schedule, but they are awkward and there is still a learning curve.  Because the two-year bidding period for small business JVs applies to contracts but not to task orders, many mentor-protégé (M-P) JVs and even all-small JVs are seeking GSA Schedule contracts, whose long ordering period is not subject to the two-year bidding limitation.  While this presents a great opportunity, there are several compliance risks for a JV that holds a GSA Schedule.  When not fully understood, these risks can potentially impact both the JV’s GSA Schedule and the GSA Schedules held by individual JV members. 

During the webinar, they will address key hurdles and risks when a joint venture seeks and then holds a GSA Schedule. Topics to be discussed include:  

  • GSA’s current policies and procedures addressing joint venture proposals for GSA MAS;  
  • Issues regarding proposal pricing and the Commercial Sales Practices disclosure for the joint venture;  
  • Product considerations;
  • Price Reductions Clause compliance and risk; and
  • Best practices for compliance. 

To register for the webinar, click here.  
