Friday Flash 01.08.21

We Begin Anew

With the start of the New Year, the Coalition hopes members are returning to work refreshed and renewed from some well-deserved time off with their loved ones over the holidays.  For those here in Washington, returning to work comes with a sense of anticipation, as the community looks to a new Congress and a new Administration, and with them, a recognition that change is on the horizon.

As we learn more about the management priorities of the incoming Administration, the Coalition believes that the procurement system will play a vital role in meeting the challenges we face as a nation.   It is the public-private partnership executed through the procurement system that provides the tools to meet agency missions on behalf of the American people.  As we look forward to working with new leadership across government, the Coalition will focus on the following:    

  • Supporting “Common-sense” Acquisition Policies to promote improvement in the efficiency and effectiveness of the Federal acquisition system
  • Providing timely updates to members on the leadership and priorities of the new Administration and Congress
  • Educating members about GSA’s Services Marketplace Initiative and providing GSA with industry input on the acquisition strategy for GSA’s BIC MAC and the IT GWACs 
  • Promoting dialogue with GSA on price negotiation practices, systems, and pricing policies, including the implementation of “Unpriced” Services for GSA Schedules  
  • Supporting the enhancement of healthcare for veterans through improved partnership and shared services between the VA, DHA, DLA, and industry 
  • Supporting transparent VA transition to DLA’s DMLSS system in partnership with industry   
  • Informing members of the latest cyber and supply chain security requirements (e.g., Section 889 and Cybersecurity Maturity Model Certification) and sharing industry’s feedback with the Government 
  • Monitoring, informing, and engaging members and stakeholders on supply chain sourcing, including any changes to Buy American or domestic sourcing policies and requirements
  • Promoting the ongoing consolidation of GSA’s Schedules program 
  • Addressing implementation of Category Management government-wide and industry input into the identification of Best-in-Class contracts 

The foregoing list is not exhaustive, and it is likely that the changes in Washington will bring new matters for the procurement community to address.  Our team will remain vigilant so that, in this new environment, members and the procurement community can rest easy and rely on the Coalition, as they have for over 40 years, to bring them value-added analysis for their business operations, along with support for common sense in government procurement.  So too, the Coalition stands ready to assist all stakeholders in the new Administration and the new Congress in support of a procurement system that delivers best value for the American people.

 

Congress Overrides Presidential Veto of the NDAA 

For the first time since President Trump took office, Congress overrode a Presidential veto last week, that of the National Defense Authorization Act (NDAA). The $740 billion bill guides defense policy, new weapons systems and military readiness, personnel policy, national security priorities and other military goals. One of the major provisions in the NDAA allows the Cybersecurity and Infrastructure Security Agency (CISA) to request data from internet service providers and conduct threat hunting on federal networks. The Cybersecurity Maturity Model Certification (CMMC) provisions are included in the NDAA, as well. The Department of Defense (DoD) will be required to review the cybersecurity components against the CMMC requirements. In addition, Section 713 of the NDAA includes language requiring the DoD to report on drugs, biologics and medical supplies necessary for combat readiness in its National Security Strategy. The NDAA will also affect small businesses through an extension of the 8(a) program. Under the extension, any small business that was part of the 8(a) program as of September 9, 2020 will have the opportunity to extend its participation for a year. The Senate voted 81-13 and the House 322-87 to override the President’s veto.  

GSA Releases Polaris Draft RFP 

The General Services Administration (GSA) released a draft request for proposals (RFP) for the new Polaris small business government-wide acquisition contract (GWAC). The contract will have three pools: small businesses, HUBZone, and women-owned small businesses. The GWAC will have a focus on emerging technologies, and offerors are encouraged to propose solutions involving the following: 

  • Advanced and quantum computing 
  • Artificial intelligence 
  • Automation technology 
  • Distributed ledger technology 
  • Edge computing  
  • Immersive technology 

Additionally, Polaris utilizes the authority from Section 876 of the 2019 National Defense Authorization Act, which allows for unpriced services at the master contract level. Similar to other government-wide contracts, GSA plans to utilize a self-scoring evaluation method for Polaris. The self-scoring categories are included in the draft RFP, but the points associated with each category will be published in a future document. 

 

Federal Judge Blocks Part of Executive Order on Diversity and Inclusion Training 

According to Federal Computer Week, a federal judge in a California district court blocked parts of the September executive order Combatting Race and Gender Stereotyping that applies to federal contractors. In her decision, U.S. District Judge Beth Labson Freeman wrote that the government’s argument that the order was in the public interest was a “gross mischaracterization” of the diversity training plaintiffs offered. The lawsuit was filed by nonprofits and consultants in early November. Under the terms of the executive order, contractors face suspension and debarment if they fail to comply. The plaintiffs argued that the order violated their free speech rights and challenged the constitutionality of the order on the grounds of due process, arguing that the language is too vague to outline which speech is prohibited.  

In her injunction, Judge Freeman said that the plaintiffs are likely to succeed in overturning the executive order on grounds of the First Amendment. Additionally, the preliminary injunction prohibited the Department of Labor Office of Federal Contract Compliance Programs (OFCCP) from implementing, enforcing, or effectuating Section 4 of Executive Order 13950 “in any manner against any recipient of federal funding by way of contract [or] subcontract….” This preliminary injunction took effect immediately on December 22, 2020.  The hotline that was created so that people can report training materials in violation of the EO to the OFCCP was also suspended. This hotline had been a concern because it did not distinguish between reports of violations from training participants and the actual training curriculum in question.  

 

DoD WOSB Program Eligibility 

The Department of Defense (DoD) released a memo on December 17 on the procedures for Women-Owned Small Business (WOSB) and Economically Disadvantaged Women-Owned Small Business (EDWOSB) set-aside or sole-source award eligibility under the WOSB program. Contract officers (COs) are instructed to follow Federal Acquisition Regulation (FAR) 19.1503(b) through (d) to verify WOSB or EDWOSB status in the Dynamic Small Business Search (DSBS). For set-asides only, COs will verify in DSBS whether the EDWOSB or WOSB has an application pending with the Small Business Administration (SBA) or any of the authorized third parties. If the business concern is awarded a contract while the application with SBA or the third party is still pending, the CO will notify SBA’s Director of Government Contracting to ensure priority review of the application. This class deviation is in alignment with SBA’s revision to its regulation at part 127 of title 13 of the Code of Federal Regulations (CFR). The changes will remain in effect until the FAR and SAM are changed to align with SBA’s revision or the deviation is otherwise rescinded. 

 

House Passes FedRAMP Authorization Bill 

Earlier this week, the House passed the FedRAMP Authorization Act, which would formally establish the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration (GSA). The bill would also authorize $20 million per year to support the program. FedRAMP, which provides a standardized approach to security assessments and authorizations for cloud products, was first established by a memorandum from the Office of Management and Budget in 2011.  

A similar provision was included in the National Defense Authorization Act (NDAA) that passed the House in the previous Congress, but according to Federal News Network, the provision was removed from the final NDAA at the request of the Senate. 

 

beta.SAM.gov Update Newsletter Now Available 

The General Services Administration (GSA) posted a notice on Interact that the December 2020 version of the beta.SAM.gov Update newsletter has been uploaded. The newsletter contains articles on the upcoming transition of SAM.gov to beta.SAM.gov, recent improvements and changes at the Federal Service Desk (FSD.gov), and Product Service Codes (PSC) updates and changes. To access the newsletter, click here. 

 

DoD’s Approach to IT Programs is Affecting Costs and Timeline  

The Government Accountability Office (GAO) released a report that reviewed fifteen of the Department of Defense’s (DoD) major IT programs. This included a review of each program’s cost and timeline changes since the program was initially released. Eleven of the fifteen programs saw a reduction in the cost of the programs. The cost reduction ranged from .03% to 33.8%. Some of the major reasons for the cost reductions are program management, contract cost revisions, and lower than expected costs. Four programs’ costs increased, which ranged from 1.5% to 150.6%.  Some of the major reasons for these increases were testing delays and development challenges.  

GAO also reported that ten of the fifteen programs experienced schedule delays. The delays ranged from one month to five years. Some of the reasons found for the major schedule delays, defined as a delay of a year or more, were cybersecurity and system performance issues and the maintenance and budget approval process.  

IT programs were also reviewed for performance testing and cybersecurity practices. Of the fifteen programs that GAO reviewed, ten of the programs started performance testing. Eight of the ten programs have met all performance targets. All the programs reported that they had developed cybersecurity strategies, but only eight reported conducting cybersecurity vulnerability assessments. All eight programs that conducted cybersecurity assessments have experienced smaller cost increases and fewer schedule delays than the programs that did not complete the assessments.  

GAO completed this report to see how DoD’s IT programs have changed in cost and timeline. GAO also wanted more information on the development and cybersecurity risks of selected DoD software and the impact this software has on the acquisition outcomes for DoD’s IT programs. 

 

Legal Corner: GAO Sounds the Alarm on “Urgent Need” to Improve Supply Chain Security: What this Means for Federal Contractors

On Dec. 15, 2020, the U.S. Government Accountability Office (GAO) issued a report casting a spotlight on the inadequate management over supply chain security at all 23 civilian federal agencies audited – just days after news of the disturbing SolarWinds supply chain infiltration into federal networks began to emerge. Shared directly with congressional committees in October 2020, the report (GAO-21-171) – revised for public consumption due to sensitivity concerns – represents a critical call to action at a time of uncertainty as agencies grapple with the fallout from SolarWinds. Baker Tilly has summarized key findings from the report and provided its perspective on important takeaways for the government contractor community.

Report at a glance

The federal government’s reliance on information and communications technology (ICT) has made the supply chain for these products and services a threat vector that poses a significant risk to national security. The GAO was tasked with examining the extent to which federal agencies have implemented seven foundational practices associated with an effective approach to organization-wide ICT supply chain risk management (SCRM). The foundational practices, which were identified by reviewing guidance from the National Institute of Standards and Technology (NIST),[1] include:

ICT SCRM foundational practices

Conducted from December 2018 through October 2020, the performance audit found significant deficiencies in properly managing supply chain security. As stated within the report:

“Few of the 23 civilian CFO Act agencies had implemented the seven selected foundational practices for managing ICT supply chain risks. Further, none of the agencies had fully implemented all of the selected practices for managing such risks and 14 of the 23 agencies had not implemented any of the practices. The practice with the highest rate of implementation was implemented by only six agencies. Conversely, none of the other practices were implemented by more than three agencies. Moreover, one practice had not been implemented by any of the agencies.”

This poor performance is depicted in the following summary table, which appears in the report as “Figure 2: Extent to which the 23 civilian Chief Financial Officers Act agencies implemented ICT SCRM practices”: 

GAO analysis of agency data

According to the report, several agencies commented that a major reason why one or more of these practices had not been implemented was because they were waiting for federal SCRM guidance – primarily from the Federal Acquisition Security Council (FASC). While a variety of efforts from the FASC are underway, the report also noted that agencies were required by the Office of Management and Budget (OMB) to address their ICT supply chain risks in 2016. This is in addition to a variety of publications from NIST that agencies should be accessing to help manage their ICT supply chains.

Several other agencies reported that they couldn’t implement the processes due to having federated organizational structures. One agency’s chief information officer (CIO) had made a decision to not formally create a SCRM program, as the agency did not have enough systems that required them. Another agency stated that the office of the CIO did not establish a SCRM program “due to the complex nature of these efforts.”

Regardless, all of the audited agencies exhibited gaps in their ICT SCRM practices, which leaves them at greater risk for intrusion and/or exploitation. As stated succinctly within the report:

“Until agencies implement all of the foundational ICT SCRM practices, they will be limited in their ability to address supply chain risks across their organizations effectively. As a result, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain. Securing the supply chain and the information it contains is essential to protecting key agency mission operations, including those related to energy, economic, transportation, communications, and financial services.”

Fortunately, since this report was issued, agencies have come forward to indicate that they are working diligently to enhance and/or implement these processes. For example, the Department of Education wrote a letter to the GAO stating it has been reviewing OMB guidance and is further developing its SCRM processes.

What this means for the government contract community

The GAO recommendations re-emphasize that as supply chain ecosystems become more sophisticated, the SCRM practices implemented by the federal government must evolve with them. Enhancements in each agency’s SCRM security posture have the potential to impact federal contractors – as they service these entities – in several important ways:

  • Increased scrutiny

In the face of rising uncertainty over surveillance by foreign adversaries, federal contractors will likely be subject to increasing scrutiny over their supply chains. If these organizations wish to continue servicing agency customers, they should develop proactive measures to ascertain their own level of SCRM maturity. The foundational practices identified by the GAO are a good place to start. Interestingly, one of the foundational practices calls for a “SCRM review of potential suppliers.” According to the report, this review would entail:

“… reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services. In addition, the process may incorporate reviews to ensure that primary suppliers have security safeguards in place, including a practice for vetting subordinate suppliers (e.g., second- and third-tier suppliers, and any subcontractors).”

Federal contractors should be assessing if they are ready for a SCRM review should an agency customer decide to conduct one.

  • Supporting efforts to define the supply chain

A foundational practice identified by the GAO is that agencies should take steps to map their supply chains to the furthest extent possible:

“Federal agencies should establish an approach to identify and describe or depict information about their ICT supply chains that includes, as relevant, suppliers, manufacturing facilities, logistics providers, distribution centers, distributors, wholesalers, and other organizations involved in the manufacturing, operation, management, processing, design and development, handling, and delivery of products and services.” 

The report indicated that only three agencies had fully implemented this practice (and 19 agencies had not). Interestingly, of the three agencies, one had adopted a supply chain illumination tool to assist it in meeting this foundational practice. The tool:

“… leveraged artificial intelligence and an underlying algorithm to analyze, among other things, publicly available information about suppliers (company and product), including company summaries … [and] also provided real-time alerts for specific suppliers within the agency’s environment.” 

As this finding demonstrates, technology can often be employed and serve as one component of many that will enable an organization to efficiently map its supply chain and identify changes and new risks as they arise. As agencies look to bolster their practices in this area, federal contractors may be called upon to support their customers in providing visibility into their ICT supply chains.  

  • Use of SCRM requirements

Notably, supply chain security has begun to manifest itself in key acquisitions throughout the procurement landscape. The GAO identified a foundational practice that looks to advance these requirements to provide assurance as part of contract execution. None of the 23 agencies had fully implemented this practice. As stated within the report:

“Without organizational ICT supply chain security requirements for inclusion in contracts, agencies lack an essential mechanism to ensure that suppliers (and their suppliers) are adequately addressing risks associated with ICT products and services.”

Again, as agencies strengthen their practices in this area, federal contractors should expect to see increased use of requirements to provide detailed plans of action to protect hardware, software and embedded components from compromise (otherwise known as a “SCRM Plan”). To avoid any unnecessary surprises within a targeted acquisition, federal contractors would be wise to consider how they might assess systems, policies and processes to better understand their supply chains and effectively mitigate and manage risks.   

 

Healthcare Spotlight: Medicare Links Part B Payment Rates to International Prices: Most Favored Nation Model

By Alice Valder Curran, Beth Halpern, Stuart Langbein, Beth Roberts, Christopher H. Schott, Kathleen A. Peterson, Samantha D. Marshall, James Huang, James M. Deal, and Boyd Jackson with Hogan Lovells, LLC.

The Healthcare Spotlight provides the healthcare community with an opportunity to share insights and comments on healthcare issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement. 

On November 20, 2020, the U.S. Centers for Medicare & Medicaid Services (CMS) issued an interim final rule (IFR) with comment period implementing a mandatory “Most Favored Nation” demonstration model (MFN Model) to test Medicare reimbursement based on international reference prices. Comments are due no later than January 26, 2021. Initially, the Model will focus on approximately 50 Medicare Part B drugs or biologicals (collectively, drugs) with the highest spending during the preceding year, with additional drugs potentially added in subsequent years without removing a commensurate number of drugs. Part B payment will be made for such drugs based on an “MFN Price” that reflects the lowest per capita Gross Domestic Product (GDP) adjusted price of any non-US member country of the Organisation for Economic Co-Operation and Development (OECD) with a GDP per capita of at least 60 percent of the United States. CMS estimates that the Model will reduce Medicare fee-for-service spending by approximately $85.5 billion over the demonstration period.

Click here to read the full article. 

Nominations for Department of Defense

Earlier this week, Federal News Network reported on President-elect Biden’s nominations for the Department of Defense. Kathleen Hicks will be nominated as the Deputy Secretary of Defense after serving as the Principal Deputy Under Secretary of Defense for Policy in the Obama Administration. Additionally, Colin Kahl will be nominated as the Under Secretary of Defense for Policy. Kahl had previously served as the National Security Advisor for then-Vice President Biden.  

 

GSA RFI: IT Support Services for Federal Regulations Management

This week on Interact, GSA published an announcement about an RFI and industry day focused on IT support for Federal regulations management.  The RFI for GSA’s Regulatory Management IT Support project is posted on beta.SAM.gov and is open to responses through Jan 29, 2021.  According to GSA, the purpose of the RFI is to obtain information to support the future technical direction of “GSA IT Regulations Management IT Support Services” and promote an acquisition environment that mitigates supply chain risks. To access the RFI, click here.

GSA is also hosting an industry day on this topic on January 14 from 1-3pm EST.  During the industry day, GSA will provide in-depth details and solicit questions from industry about the RFI.  To register, visit https://gsa.zoomgov.com/meeting/register/vJItcumorzooGHNU22LiYgRdNcZNvoRI9Hw.

GAO Reports Reduction in Bid Protests in FY2020

On December 23, 2020, the Government Accountability Office (GAO) released its Bid Protest Annual Report to Congress. According to the GAO, the number of cases filed decreased 2% from 2,198 in FY2019 to 2,149 in FY2020.  Of the 2,149 cases filed, 2,052 were protests, 56 cost claims, and 41 requests for reconsideration.  The GAO closed 2,137 cases during the fiscal year: 2,024 protests, 66 cost claims, and 47 requests for reconsideration.  Of the 2,137 cases closed, 417 were attributable to GAO’s bid protest jurisdiction over task orders. 

The GAO sustained 15% of the protests resolved on the merits during fiscal year 2020.  The most prevalent reasons for sustaining protests during the 2020 fiscal year were: 

  1. Unreasonable technical evaluation
  2. Flawed solicitation
  3. Unreasonable cost or price evaluation
  4. Unreasonable past performance evaluation

GAO notes that a significant number of protests filed do not reach a decision on the merits because agencies voluntarily take corrective action in response to the protest rather than defend the protest on the merits.  To access the full report, visit www.gao.gov/products/GAO-21-281SP#mt=e-report.

 

Latest FITARA Scorecards Released 

According to Federal Computer Week, the House Oversight Committee’s Subcommittee on Government Operations released the latest Federal Information Technology Acquisition Reform Act (FITARA) scorecard on December 22. The scorecard assessed 24 federal agencies on their IT management over the last several months. Overall, 16 out of 24 agencies kept the same scores, most of which were B’s and C’s. Categories that many agencies struggled with were Agency CIO enhancements, which measures how agencies use IT investments to deliver functional services, and transition from Networx, which is GSA’s former telecommunications contract. This category was added to the scorecard last summer due to agencies lagging in transitioning to GSA’s new telecommunications contract. Five agencies failed this category. Five agencies also scored an F in the CIO Authorities category. For the first time, all 24 agencies earned A’s in the software licensing category. Additionally, almost all agencies received A’s in the Data Center Optimization category. 

 

Off the Shelf: Compliance Requirements that are Shaping Federal Procurement 

This week on Off the Shelf,  Baker Tilly’s Jeff Clayton and Leo Alvarez share their insights and analysis on key policy and compliance requirements shaping federal procurement. 

Clayton and Alvarez highlight the current regulatory push addressing supply chain risk management and what it means for federal contractors. They also tackle the medical supply chain and the implications of the growing government contract focus on reshoring manufacturing. 

Clayton and Alvarez provide their insights on the current state of play surrounding Section 876, increasing competition at the task order level, and GSA’s outreach to industry. The discussion turns to the upcoming CIO-SP4 procurement and the use of scorecard proposals. 

Finally, Clayton and Alvarez provide an update on what is happening to commercial services on the schedules program. 

Click here to listen to the show. 

 

Webinar: SBA’s Final Rule on Mentor-Protégé Programs, January 14 

The Coalition is pleased to host Peter Ford, Partner at PilieroMazza, for a webinar on January 14th regarding SBA’s Final Rule on Mentor-Protégé Programs: Key Changes for Government Contractors. 

SBA’s final rule will largely simplify procedures for small businesses pursuing government procurement opportunities, particularly 8(a) program participants. Understanding the new rule is essential to leveraging it for your business. Peter will cover key changes for government contractors, including changes for: 

  • Mentor-Protégé Program Limitations and Requirements 
  • Secondary NAICS Codes 
  • Joint Ventures 
  • Multiple-Award Contracts (MACs) 
  • Self-Certification and Recertification 
  • The 8(a) Program 
  • Tribally-Owned Applicants and Participants 
  • Small Business Rules Generally 

Click here to register. 

 

Webinar: A Call to Action – Additional DFARS Cybersecurity Requirements, January 21 

The Coalition is pleased to host Mike Tomaselli of Chess Consulting LLC for a webinar on January 21st regarding A Call to Action – Additional DFARS Cybersecurity Requirements. 

On December 1st, the Department of Defense continued its journey to protect controlled unclassified information on contractor networks with the implementation of three more DFARS requirements: 252.204-7019, 7020 and 7021. During this webinar, Mike will walk through the requirements of the clauses, which include the submission of a NIST assessment score and the formal introduction of the Cybersecurity Maturity Model Certification (CMMC), as well as strategies for ongoing compliance and a Q&A session. 

Webinar topics will include: 

  • Brief history of DoD cyber requirements 
  • CUI, CDI and FCI 
  • Overview of 252.204-7019, 7020 and 7021 
  • DoD Scoring methodology 
  • Assessment considerations and resources 
  • Mechanics of the SPRS submission 
  • Common contractor challenges 
  • Attendee questions 

Click here to register.