Friday Flash 02/03/23

Strategic Asset Spotlight: GSA’s OASIS

About a decade ago, the General Services Administration (GSA) commenced with the implementation of the One Acquisition Solution for Integrated Services (OASIS) professional services contract vehicle. This program consists of Multiple Award Indefinite-Delivery, Indefinite-Quantity (MAIDIQ) vehicles for the acquisition of complex professional services divided between Unrestricted vehicles (OASIS U) and Small Business (OASIS SB) vehicles for the following services:

  • Program management
  • Management consulting
  • Logistics
  • Engineering
  • Scientific services
  • Financial services

Under the program, awardees are selected based on a technical evaluation of their capabilities, experience, and past performance, using a weighted point-scoring methodology. Cost/price is evaluated only for fairness and reasonableness. Task orders are competed in accordance with FAR 16.505 and can be performed on a cost, fixed price, time and material, or labor hour basis.

At the midpoint in the program, this blog provided a review of what, to that point, had been a highly successful, best value contract management program. We pointed out that, since its inception, with an estimated total value of almost $21 billion, growth in OASIS demonstrated that the market had embraced the program. We also highlighted the substantial obligations going to small businesses (48 percent or $4.7 billion) at the time. Five years later, we find that the program continues its great success.

As shown in the charts below, obligations under both OASIS channels have roughly doubled since the midpoint of the program. In fiscal year (FY) 2022, cumulative OASIS obligations exceeded $12 billion, which represents a 12 percent increase from FY 2021. OASIS SB accounted for 40 percent of the total obligations under the program. Specifically, OASIS obligations increased 8.9 percent from FY 2021 to FY 2022, and OASIS SB obligations increased 16.4 percent. Since FY 2015, the program has grown over 1900 percent.

More impressive than this raw data, however, is the story that lies underneath. For instance, regarding small businesses, there is healthy participation across the full socio-economic spectrum behind the explosion in small business obligations, from $394 million to $5.025 billion, over the life of the program. Virtually every segment of the socio-economic business space has participated significantly in OASIS―8(a), Service Disabled Veteran Owned Small Businesses, Woman Owned Small Businesses, Veteran Owned Small Businesses, and so on.

Equally important is the data surrounding the federal customer’s acceptance of OASIS. The breadth of the federal market space, civilian and defense customers, participates significantly in OASIS.  Indeed, the Department of Defense and its constituent agencies make up the single largest source of OASIS expenditures at $5,411,560,957.33. Additional evidence of the acceptance of OASIS in the federal market space is found in the comparison of OASIS obligations to other Professional Services Spending (PSS). In FY 2015, PSS spending was $10,838,703,981, and total OASIS obligations were $616,131,751.  By FY 2022, total OASIS’ obligations had grown to $12,614,029,207, and PSS spending was $8,936,898,697.

Overall, OASIS has been a good news story for the government and for GSA as the program’s managing agency. GSA should be complimented for its good work here, as it holds the promise of building on demonstrated success to create success in the future. Coalition members are encouraged to see again the identification of an opportunity channel for small business and the reference to OASIS in the planned follow-on program, OASIS+. Coalition members look forward to working with GSA and all stakeholders in ensuring the success of OASIS+.

Figures 1 through 5: OASIS obligation charts referenced above (images not reproduced here).

Increased DoD Contract Spending Provides Opportunities for Small Businesses

A new year brings continued growth and new opportunities for small businesses in defense contracting, reports Federal News Network. Following a $40 billion COVID-19 related dip in 2021, Department of Defense (DoD) contract spending rose by 6.7 percent to reach a total of $436 billion in 2022. One area of emphasis is research and development, with a push across DoD for advancement in cybersecurity, artificial intelligence, machine learning, quantum computing, and 5G communications. This emphasis particularly benefits small businesses. Of the businesses contracted by DoD for research and development in 2021, 77 percent were classified as small businesses.

Webinar: False Claims Act Enforcement in 2023: Key Developments and Risk Mitigation Strategies, February 16

The risks of exposure to damages and penalties under the civil False Claims Act (FCA) present recurring challenges for government contractors. For this presentation on False Claims Act Enforcement in 2023: Key Developments and Risk Mitigation Strategies, the Coalition is pleased to host Perkins Coie LLP Partners Alexander Canizares and Barak Cohen on February 16 from 12 – 1 pm EST. They will provide a practical overview of key considerations for government contractors related to the FCA, trends in FCA enforcement, and how to effectively manage risks related to whistleblower allegations and qui tam lawsuits.

Among other things, Alex and Barak will address:

  • The Department of Justice’s FCA enforcement priorities;
  • Key takeaways from DOJ’s FY 2022 statistics for FCA settlements and judgments;
  • FCA developments before the Supreme Court and their implications for contractors;
  • Emerging issues related to the FCA and cybersecurity;
  • FCA risks and private equity; and
  • Recent cases involving small business programs and Paycheck Protection Program loans.

To register for the webinar, click here.

Materials from This Week’s “2022 Small Business Year in Review”

The Coalition’s Small Business Committee held a members-only briefing, the Year in Review for Small Business Contractors, on February 1. Thank you to our excellent panelists: Ken Dodds, Government Contracting Industry Expert at Live Oak Bank; David Black, Partner at Holland & Knight; and Jon Williams, Partner at PilieroMazza.

The presentation focused on legislative and regulatory developments, notable bid protest decisions, and highlights from the Small Business Administration’s (SBA) Office of Hearing and Appeals. To access the slides from the presentation, click here. To access a recording of the presentation, click here.

SBA Releases New HUBZone Map

The SBA has released the official preview of the new Historically Underutilized Business Zone (HUBZone) map (see below). The new map will take effect on July 1, 2023 and will not change again until July 2028. Certified HUBZone firms in areas that lose eligibility due to the map change will be permitted to continue their participation in the program through their following annual recertification. Firms that have been awarded HUBZone contracts will generally be considered HUBZone firms through the life of their contract.

Briefing on GSA’s Verified Products Portal, February 21

The Coalition’s General/Office Products Committee will be hosting a briefing that is open to all members on the General Services Administration’s (GSA) Verified Products Portal (VPP) with Josh Royko, Branch Chief at the FAS Catalog Management Office. The purpose of the VPP is to identify prohibited products and standardize contractor catalogs, ensuring products are accurately represented in GSA e-commerce platforms such as GSA Advantage!.

The meeting will be held virtually on February 21 from 10:00 AM – 11:00 AM EST through Microsoft Teams. To register, click here. Registration is open to members only. If you have any questions, please reach out to Joseph Snyderwine at jsnyderwine@thecgp.org.

New Agency Advisors to Urge Federal Contractor Compliance with Labor Laws

GovExec reports that the Administration is requiring the largest 24 agencies to designate labor advisors to oversee Federal contractors’ compliance with Federal labor and employment laws. The advisors will work to “promote greater awareness of labor law requirements among their agencies’ acquisition workforce, develop training on labor law in conjunction with the Labor Department, and liaise between enforcement agencies.”

Office of Management and Budget (OMB) Director Shalanda Young issued a memo last week instructing these 24 agencies to designate an advisor by February 15 and encouraged other agencies to do the same. This requirement was recommended last year by the White House Task Force on Worker Organizing and Empowerment. The memo also states that OMB and the Department of Labor will provide training and assistance to newly designated labor advisors. In addition, the labor advisors will:

  • Help “to ensure the goals of labor laws and implementing regulations and policies are being met by their contractors,”
  • Communicate regularly “with the Wage and Hour Division (WHD) in the Department of Labor (DOL) over issues arising under the Davis Bacon Act (DBA), the Davis Bacon Related Acts (DBRA) and the SCA [Service Contract Act] and with the DOL’s Federal Contract Compliance Programs (OFCCP),”
  • “Work with the acquisition workforce and other agency personnel … to promote greater awareness and understanding of labor law requirements, including wages, benefits, recordkeeping, reporting and notice requirements,”
  • “Work … on the development of Federal workforce training, as needed, on labor law requirements, and tools and information that can be used by the acquisition workforce,”
  • “Collaborate with agency acquisition innovation advocates on business practices and technology applications that enable more efficient implementation of labor laws, regulations and policies applicable to acquisitions.”

Additionally, the White House announced that OMB’s Office of Federal Procurement Policy and the Department of Labor will be establishing a Contract Labor Advisory Group aimed at supporting efforts to manage Federal contractors’ compliance with employment law. This group will consist of agency labor advisors and acquisition employees.

GSA to Launch SIP Replacement Pilot in March

On February 2, GSA released a demo of its new FAS Catalog Platform (FCP), the successor of the current Common Catalog Platform (CCP) and a replacement for the Schedule Input Program (SIP). GSA will begin piloting FCP in March 2023, with a broader transition from the CCP/SIP to the FCP occurring in early 2024. GSA’s purpose for the FCP is to simplify the process of submitting, modifying, reviewing, and approving GSA Contract catalogs. The new platform will enable contractors to submit modifications on one platform as opposed to the current system where modifications are sent first to GSA, then to GSA Advantage! through the SIP or the Electronic Data Interchange. The demo can be viewed on GSA Interact.

Legal Corner:

VA Contractors Have Broad New Cybersecurity Obligations

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

By Eric S. Crusius, Holland & Knight

The U.S. Department of Veterans Affairs (VA) is overhauling and remaking its regulations aimed at contractor cybersecurity and privacy practices. Any companies in the VA supply chain should take note and ensure compliance with these regulations, which significantly increase obligations in certain circumstances – including immediate breach notification requirements and liquidated damages for breaches – and allow unscheduled on-site inspection of contractor information technology (IT) systems. The following is a summary of some of the significant policies and contract clauses impacting contractors.

Policies

Basic Safeguarding of Covered Contractor Information Systems: Initially, the VA creates a new Subpart (804.19) that sets out policies and procedures for the protection of certain VA information – namely, “VA information, information systems, and VA sensitive information.” This part covers the acquisition of commercial products and services, excluding commercial off-the-shelf items. While “VA information” is not defined, the definitions for “information system” and “VA sensitive information” indicate a broad and inclusive approach. For instance, “VA sensitive information” includes:

information where improper use or disclosure could adversely affect the ability of VA to accomplish its mission, proprietary information, records about individuals requiring protection under various confidentiality provisions such as the Privacy Act and the HIPAA Privacy Rule, and information that can be withheld under the Freedom of Information Act. Examples of VA sensitive information include the following: individually-identifiable medical, benefits, and personnel information; financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, investigatory, and law enforcement information; information that is confidential and privileged in litigation such as information protected by the deliberative process privilege, attorney work-product privilege, and the attorney-client privilege; and other information which, if released, could result in violation of law or harm or unfairness to any individual or group, or could adversely affect the national interest or the conduct of Federal programs.

While not identical to the definition of controlled unclassified information (CUI), it is likewise arguable that the definition of “VA-sensitive” information is so broad that it can include most information contractors create, store or transmit in the performance of a VA contract or subcontract.

Contractors who have a covered contract must, among other things: 1) comply with all VA information security and privacy policies; 2) complete VA security awareness training annually; and 3) disclose all security or privacy incidents within one hour of discovery to the contracting officer and contracting officer’s representative. This disclosure is even required if an incident is suspected.

Liquidated Damages: The VA adds a new Subpart (811.5) dedicated to liquidated damages in contracts that involve VA-sensitive personal information. This is narrower than the definition of VA-sensitive information noted above and essentially adds personally identifiable information as a limiting element. In the event of a data breach involving this type of information, the liquidated damages would be used to pay for credit monitoring services and other things detailed below. There is no indication that the contractor (or subcontractor) would have had to act contrary to VA cybersecurity requirements in order to be responsible for liquidated damages; it appears to be a strict liability standard.

Protection of Individual Privacy: New sections are added within Subpart 824.1, including ones to require the inclusion of new clauses ensuring privacy of individuals with protected health information, the requirement to flow down Business Associate Agreements and inclusion of the liquidated damages clause.

Acquisition of Information Technology: Previously reserved, the VA adds a new Part 839 specifically setting out policies for IT acquisitions. Under this Part, the VA would require contractors providing IT products and services to, among other things, comply with VA Directive 6500 and “use appropriate common security configurations available” from the National Institute of Standards and Technology (NIST). The exact NIST standards are not defined within the policy, except pointing to NIST’s checklists.

Solicitation Clauses

The above policies are implemented through the following clauses that the VA inserts into relevant contracts.

Information and Information Systems Security: This clause is required to be inserted whenever FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, is required and covers a broad base of contractors, including those with access to “VA information, information systems, or information technology (IT) or providing and accessing IT-related goods and services.” At its center, it requires that covered VA contractors adhere to VA Directive 6500. VA Directive 6500 is comprehensive and contains more than 150 separate controls, including the necessity of an incident response plan. Besides VA Directive 6500, contractors are also expected to comply with VA Handbooks, and other listed requirements.

Depending on the type of information involved, the prime contractor and subcontractors may be required to enter into Business Associate Agreements. Further, contractors are required to develop software and perform services within the U.S. “to the maximum extent practicable.” Where services proposed under the contract would be performed outside the U.S. and the law does not prohibit this, the proposal must disclose that fact and include a detailed Information Technology Security Plan. Other notable requirements include:

  • a four-hour notification requirement if employees with access to VA information (including by virtue of working on a VA information system) leave or are reassigned
  • using data only from the VA or developed by the contractor under the contract for the purposes outlined in the contract
  • separation of VA information from other information the contractor possesses
  • sanitation of data in accordance with VA Directive 6500
  • provision of “all necessary access” to VA and U.S. Government Accountability Office staff for scheduled and unscheduled on-site inspections of contractor information systems assets by the VA
  • destruction of data in accordance with VA policies, including VA Directive 6371, within 30 days after the termination of the contract and compliance with other policies concerning copying, retaining, using, returning and destroying relevant information
  • encryption of data consistent with Federal Information Processing Standard 140-3
  • meeting the VA’s guidelines for firewalls and web services security controls
  • compliance with relevant privacy laws
  • reporting cybersecurity incidents or imminent cybersecurity incidents in writing to the contracting officer and contracting officer representative within one hour of discovery
  • providing training to certain employees who have access to VA information or VA information systems
  • flowing down this clause to subcontractors covered by the above requirements

Liquidated Damages: Contractors with access to sensitive personal information must provide liquidated damages in the event of a breach that results in spillage of that information. The contractor may instead provide actual damages if they can be proven. Either way, the damage calculations should take into account costs for notifications, credit monitoring, data breach analysis and impact assessment, fraud alerts, and identity theft insurance. Further, under alternate contract language, the VA may obtain damages for the repurchase of goods and services.

Gray Market and Counterfeit Items: The VA proposes significantly updating an existing clause (852.212-71) that previously concerned only gray market goods. The new clause also prohibits the sale of counterfeit goods to the VA. While this may seem obvious, the definition of “counterfeit” is broad and includes substitutions defined as including “used items represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.” There is also a new clause (852.212-72) that would specifically allow “used, refurbished, or remanufactured parts” under certain circumstances. Gray market and counterfeit items would still be prohibited.

Other Clauses of Interest: In addition to the above, the following is a selection of clauses that the VA is proposing to revise or add:

  • Security Requirements for Information Technology Resources (852.239-70): Contractors with access to VA information are responsible for the security of that information, have an Information System Security Plan submitted within 90 days of contract award, have their system security accredited, give access to the federal government when requested (including subcontractor systems) and flow these requirements down the supply chain when applicable.
  • Security Controls Compliance Testing (852.239-74): This allows the VA, including the VA Inspector General (with 10 working days’ notice), access to each location where VA information is “processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA …” The VA may also conduct assessments without notice.

Conclusion

Taken together, contractors that do business with the VA will face significant new cybersecurity and privacy responsibilities. These responsibilities do not apply just to contractors with personally identifiable information, but information that contractors will come across or create on most contracts for IT products and services. Contractors covered by this should review these regulations and ensure compliance or risk adverse consequences from the VA.

Healthcare Corner:

New Chair of House VA Tech Subcommittee Introduces Bill to End EHRM Program

The new Chairman of the House Veterans’ Affairs Subcommittee on Technology Modernization, Rep. Matt Rosendale (R-MT), introduced a bill last Friday that would end the Department of Veterans Affairs (VA) Electronic Health Record Modernization (EHRM) Program. Text for the bill is not yet available, but it is reported that the bill would abolish the EHRM office within 180 days of passage and roll back all VA medical centers to the prior platform. The co-sponsor of the bill, Rep. Mike Bost (R-IL), has previously called the program a “bad investment.”

Following several major delays, the VA made the decision in October 2022 to postpone further deployment of the system until June 2023 to address concerns and ensure improved performance moving forward. Bost has also introduced a second bill that would prohibit further rollout of the program until certification of system improvements and facility readiness has been verified.

For the latest on the status of the EHRM, see the Coalition’s briefing on the VA’s EHRM here. This slide deck is also posted in the Member Portal under the Medical/Surgical Subcommittee and Pharmaceutical Subcommittee pages. Please contact Ian Bell at ibell@thecgp.org for questions about how to access it.

A View From Main Street

By Ken Dodds, Live Oak Bank

The following blog does not necessarily represent the views of the Coalition for Government Procurement.

Size Recertification Revelations

The Army’s RS3 contract is a multiple award IDIQ contract with large and small business contractors, which allows the agency to set aside orders for small business. There has been a great deal of litigation concerning whether a firm must be small at the time of offer for a set-aside order under the RS3 contract, or whether size for a set-aside order should be determined based on the firm’s size for the underlying contract. In a recent size appeal decision, we learned two things. First, according to OHA the RS3 contract requires firms to be small at the time of offer for the set-aside order. It does not matter if the solicitation for the order explicitly requested size representations or certifications at the time of offer for the order. Second, SBA’s 2020 rule change which provides that firms must recertify their size in connection with orders set aside for small business under full and open contracts (like RS3), applies to solicitations for orders issued after the effective date of the rule (November 16, 2020). Language in the preamble stating that the rule did not have “retroactive effect” for purposes of compliance with Executive Order 12988 did not directly address whether the rule should apply to solicitations for contracts issued after the effective date, or should apply to solicitations for orders issued after the effective date under contracts awarded prior to the effective date.[1] Other language in the rule indicated that SBA intended to address the issue prior to expiration of all existing full and open contracts.[2]

In a Federal Circuit case involving RS3, 22nd Century was a small business when it submitted an offer for the contract on May 9, 2015. The Army awarded 22nd Century a contract on March 1, 2019. On December 29, 2020, the Army issued a solicitation for an order that was set aside for small business. The solicitation for the order required firms to certify that they were small at the time of offer for the order. 22nd Century submitted an offer for the order and represented that it was small at the time of its offer for the RS3 contract. The Army awarded the order to 22nd Century, and two unsuccessful offerors protested. On June 4, 2021, the Area Office issued two size determinations finding 22nd Century other than small and ineligible for the order. 22nd Century appealed to OHA and OHA denied the appeal on September 21, 2021. The Army terminated the award to 22nd Century.

On September 28, 2021, 22nd Century filed a bid protest at the Court of Federal Claims (COFC) seeking to overturn the OHA decision and enjoin the Army from terminating the award of the order. The Federal Acquisition Streamlining Act (FASA) bars bid protests in connection with orders unless the order increases the scope, period or maximum value of the contract or the value of the order exceeds $25 million.[3] 22nd Century did not allege that either exception applied and COFC dismissed the protest.

22nd Century appealed to the Federal Circuit. While COFC can consider a size protest in connection with a bid protest over which it has jurisdiction, it does not have jurisdiction to independently review a size protest. The Federal Circuit found that the value of the order did not exceed $25 million, and thus the protest was barred by FASA. Further, the Federal Circuit rejected 22nd Century’s argument that even though it was not alleged in the complaint, its challenge was instead a claim under the Contract Disputes Act (CDA). 22nd Century did not allege that it had filed a claim with the contracting officer and had received a final decision. Further, there is no precedent for an injunction of a contract termination under the CDA. Thus, the Federal Circuit affirmed COFC’s dismissal for lack of jurisdiction.[4]

Do you have a topic you wish to be covered or a question on how Live Oak Bank can support your business? Email me at ken.dodds@liveoak.bank.
[1] 85 FR 66146, 66176.

[2] Avenge, Incorporated, SBA No. SIZ-6178 (November 15, 2022).

[3] 10 USC 3406(f).

[4] 22nd Century Techs. Inc. v. United States, Fed. Cir., No. 2022-1275, (Fed. Cir. 2023) 2023 WL 139156.

GAO Issues Report on Securing Federal Information Systems

On January 31, the Government Accountability Office (GAO) published its second in a series of four reports on significant risks to cybersecurity that the Federal Government should urgently address. This report focuses on securing Federal systems and information. Since 2010, GAO has made over 700 recommendations to agencies related to this area. As of December 2022, 150 of these recommendations have not been implemented. In the report, GAO outlines three actions related to securing Federal systems and information that the government should undertake:

1. Improving implementation of government-wide cybersecurity initiatives

The Cybersecurity and Infrastructure Security Agency (CISA) was assigned five major cybersecurity responsibilities aimed at securing information and systems as well as coordinating Federal efforts to protect critical infrastructure. To address these responsibilities, CISA began an organizational transformation initiative to help unify the agency and improve both mission effectiveness and the workplace experience. In March 2021, GAO reported that CISA had completed 37 out of 94 implementation tasks. GAO recommends that CISA establish deadlines for completing the implementation tasks and transformation initiative, develop performance measures, and create a strategy for comprehensive workforce planning.

2. Addressing weaknesses in Federal agency information security programs

The Federal Information Security Modernization Act (FISMA) requires GAO to report on agencies’ information security programs. In March 2022, GAO issued a report on the systems of 23 agencies, including annual program reviews by agency Inspectors General (IGs). IGs determined that 16 of these agencies had ineffective programs for fiscal year 2020. GAO found that OMB guidance to agency IGs on conducting evaluations of information security programs was not always clear, which led to inconsistent reporting. GAO recommends that OMB clarify its guidance and establish an enhanced overall rating scale.

3. Enhancing the Federal response to cyber incidents to better protect Federal systems and information

Since 2015, DoD has experienced several cyberattacks targeting information systems, with over 12,000 cyber incidents in total. A November 2022 GAO report found that DoD has taken steps to combat cyberattacks, leading to a decline in the number of incidents. However, GAO found that DoD had not fully implemented its processes for managing cyber incidents, lacked complete data on staff-reported cyber incidents, and did not document whether individuals whose data was compromised in an incident were notified. Additionally, DoD has not decided whether cyber incidents impacting the defense industrial base (DIB) which are detected by cybersecurity service providers should be reported to all relevant stakeholders. This could lead to the department missing opportunities to identify threats to information systems and improve system weaknesses. GAO recommends that DoD improve the sharing of DIB cyber incident information, as well as document when impacted individuals are notified of a potential breach of their personal data.

GSA Officials Discuss Goals for Workplace Innovation Lab

During last Wednesday’s launch of GSA’s Workplace Innovation Lab, Federal News Network heard from several Federal officials on their key goals for the new space. Located at GSA headquarters, the 25,000 square foot lab contains six distinct suites with novel furniture and technology products intended to enhance the hybrid work experience, like collaborative seating nooks and state-of-the-art climate control technology. Federal workers may reserve space within the Lab at no cost to their agencies through 2023, and more than 200 have already visited.

Speaking with FNN, Public Building Service Commissioner Nina Albert said that the Lab, part of GSA’s broader Workplace 2030 initiative, departs from past attempts by GSA to redefine Federal office space by focusing on users’ needs and “providing employees with a lot of different choices.” The space has multiple work environments available for employees, from soundproof nooks intended to promote focus to more open-concept areas for collaboration. It also takes advantage of technological innovations such as noise-canceling technology in conference rooms.

Chuck Hardy, GSA’s Chief Architect, also emphasized that the space would evolve over its year-long pilot run based on user feedback. “Over the year, we’re right now in discussions about having roundtables of people that use it to say let’s bring some people in and have a conversation about how it worked or not. So we can elicit some in person feedback,” he told FNN, adding that the five vendors involved in the project will have the opportunity to make changes to the space.

Finally, GSA Administrator Robin Carnahan noted that while the overarching goal of all GSA building management is to empower teams, office space is “going to look different for each agency.” “The platforms, that the technology, that the setups all are going to matter, that we’re going to have to be intentional about making sure that we have spaces that create meaningful interactions for people to come in to offices,” she added.

NITAAC Names Permanent Director

Fedscoop reports that Brian Goodger has been appointed as the Director of the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC), where he has been acting director since 2021. Previously, Goodger held appointments as the Associate Director for the Office of Logistics and Acquisitions Operations (OLAO) in the National Institutes of Health and the Deputy Director for the Office of Acquisitions Management, Contracts & Grants (AMCG) in the Department of Health and Human Services. NITAAC manages several best-in-class information technology contracts, including the CIO-SP3 contract for IT services and solutions, which NITAAC is currently working to replace with a successor contract, CIO-SP4. It also provides assisted acquisitions services, helps Federal agencies acquire computer hardware, and performs technical assessments on solicitations.

NIST Releases and Seeks Feedback on Potential Cybersecurity Framework Revisions

Nextgov reports that the National Institute of Standards and Technology (NIST) released a “concept paper” with potential revisions to its Cybersecurity Framework (CSF) on January 19 as part of the development process for a new version of the framework, CSF 2.0. The CSF, currently in Version 1.1, is meant to help organizations use existing standards and guidelines to manage and reduce cybersecurity risks.

The paper groups the prospective revisions into six major categories:

  • Explicitly recognizing the broad use of the CSF and reflecting the broad CSF community in the framework,
  • Maintaining CSF 2.0’s status as a framework,
  • Updating implementation guidance,
  • Emphasizing the importance of cybersecurity governance,
  • Emphasizing the importance of cybersecurity supply chain risk management, and
  • Using the framework to advance the measurement and assessment of cybersecurity.

The paper notes that these revisions, which it describes as “more substantial” than the last update, are not the only ones that NIST may make to the framework. In addition, NIST welcomes feedback on the entire CSF and its associated resources. Comments on the concept paper are due by March 3, 2023 at cyberframework@nist.gov. There will also be opportunities for industry and the public to provide feedback at the February 15 CSF 2.0 Virtual Workshop and the CSF 2.0 In-Person Working Sessions on February 22 and 23.

NIST developed the proposed revisions from responses to a February 2022 request for information and from an August 2022 workshop on CSF 2.0, which drew nearly 4,000 participants worldwide. NIST first published the CSF in 2014 specifically for organizations that operate critical infrastructure, but it has since seen wider adoption throughout the private sector and in municipal and state government. Federal agencies have been required by executive order to use the framework since 2017.

Off the Shelf: 2022 Procurement Year in Review

Last week, Jason Miller, Executive Editor of Federal News Network, joined Coalition President Roger Waldron on Off the Shelf to discuss the year that was–and the year that will be–in Federal procurement. Miller and Waldron discussed the continued lack of an Office of Federal Procurement Policy administrator and its effect on government and industry. They also dove into upcoming recompetes in 2023, the CMMC rollout, source selection, cybersecurity, and small business.

To listen to this episode of Off the Shelf, click here, or search “Off the Shelf” on all major podcasting platforms.

AFCEA Bethesda’s Engage & Connect Webinar Series

The Coalition is proud to sponsor AFCEA Bethesda’s Engage & Connect webinar series – The New IT Frontier: Defeating Threats to the Nation’s Cybersecurity! On Thursday, February 16 at 8:00 AM EST, speakers Benjamin Koshy from the Indian Health Service, Shane Barney from U.S. Citizenship & Immigration Services, and Amy Hamilton, Ph.D. from the Department of Energy/the Department of Defense will serve as the panel, moderated by Jill Aitoro of CyberRisk Alliance. They will discuss agencies’ plans for implementing the new cybersecurity executive orders, including the use of software bills of materials (SBOMs) to mitigate cyber risk, thwart cyber incidents, and defend against supply chain attacks.

Register today and be sure to stick around for the virtual networking breakout rooms after the panel to connect with other attendees, share personal insights, and discuss lessons learned. Coalition members can register here.