Friday Flash 02/10/23

Strategic Asset Spotlight: Alliant 2

Last week, the Coalition spotlighted the General Services Administration’s (GSA) efforts regarding the implementation and success of its One Acquisition Solution for Integrated Services (OASIS) professional services contract vehicle since its launch nearly a decade ago. In this week’s FAR & Beyond blog, we would like to shift the focus to another best-in-class vehicle, GSA’s premier Governmentwide Acquisition Contract (GWAC), Alliant 2. Alliant 2, the follow-on to Alliant Unrestricted, is a multiple-award, indefinite-delivery, indefinite-quantity GWAC that offers leading-edge IT solutions to federal agencies, including:

  • Artificial Intelligence;
  • Distributed Ledger Technology;
  • Robotic Process Automation; and
  • Other Emerging Technologies.

Alliant 2 is a ten-year contract: a five-year base period of performance running from July 1, 2018 to June 30, 2023, followed by a five-year option period. There are more than 40 companies on Alliant 2 that provide over 100 federal agencies with flexible IT solutions. Because of the vehicle’s success, GSA increased its ceiling by $25 billion, raising it from $50 to $75 billion. As Federal Acquisition Service (FAS) Commissioner Sonny Hashmi put it, “Alliant 2 has surpassed our expectations at every turn.” Since the contract’s inception in 2018, Alliant 2 obligations have reached over $15 billion across 530 total task orders, according to GSA’s FAS GWAC Sales Dashboard. In fiscal year 2022, obligations totaled over $6 billion, representing nearly 50 percent growth over the previous year. From 2018 to 2022, the program experienced steady, significant growth, as demonstrated by the figure below.

Again, over 100 federal agencies have participated in the Alliant 2 program, demonstrating the value that the vehicle brings in meeting agency customers’ IT mission needs. The Department of Defense (DoD) and its constituent agencies accounted for 49 percent of total Alliant 2 obligations in fiscal year 2022. Notably, DoD’s Alliant 2 obligations grew 47 percent from fiscal year 2021 to 2022, with the Air Force and Navy each experiencing an increase of over 50 percent. The Department of Homeland Security is also a very large Alliant 2 customer, with obligations exceeding $1 billion. Several other federal agencies also saw their Alliant 2 sales skyrocket over the past fiscal year, including the Departments of State, Health and Human Services, Justice, and Commerce, as well as GSA and the Environmental Protection Agency.

GSA remains dedicated to creating opportunities for qualified small businesses in federal procurement through the agency’s acquisition strategy and portfolio of contract vehicles. The Alliant 2 program continues this mission, with a goal that 50 percent of all subcontracted dollars over the life of the contract be performed by small businesses. According to Laura Stanton, GSA’s Assistant Commissioner for the Office of Information Technology Category, “small businesses have already won more than $1.3 billion on Alliant 2, substantially surpassing small business subcontracting dollars won on the original Alliant contract at the same point in the contract’s life.” Stanton noted that the Alliant 2 ceiling increase also benefits small business organizations through additional subcontracting opportunities.

The success of GSA’s Alliant program has been impressive, and the Coalition recognizes the agency’s efforts to continue to support the Federal Government’s IT mission needs through this best-in-class contract. We also acknowledge GSA’s significant efforts towards the Alliant 2 follow-on, Alliant 3. Like its predecessor, Alliant 3 will provide federal agencies with extensive IT solutions while offering significant opportunities for small businesses. In October 2022, GSA released the first Alliant 3 Draft Request for Proposals (RFP), to which Coalition members provided comprehensive feedback. The Coalition’s comments can be found here, along with a cover letter. As with OASIS+, the Coalition has formed an Alliant 3 Working Group that will continue to engage with GSA on the follow-on vehicle. Members interested in joining the group should email Michael Hanafin at mhanafin@thecgp.org. In the meantime, the Coalition looks forward to continuing the dialogue regarding the future of the Alliant program.

White House Expected to Release Digital Theft Executive Order

FedScoop reports that the Administration plans to issue an executive order (EO) on digital theft and improving protections for U.S. citizens’ data privacy following this Tuesday’s State of the Union address. The digital theft EO would introduce new measures to detect and prevent identity theft “involving public benefits.” Specific details regarding the EO are being developed and finalized.

Sources with knowledge of the EO state that it will include sections focused on the use of Login.gov, a secure sign-on service developed by the General Services Administration (GSA) for Federal agencies. The EO will direct agencies, when possible, to use Login.gov to allow for users to log in to public services securely. Agencies currently are required by Federal law to adopt a single sign-on authentication service developed by GSA. According to the article, however, the Office of Management and Budget (OMB) has not yet enforced this law. Agencies that currently use full or partial versions of Login.gov include the Small Business Administration, the Internal Revenue Service, the Office of Personnel Management, the Department of Labor, and the Department of Veterans Affairs.

President Announces New Buy America Preferences for Construction Materials

In the annual State of the Union address Tuesday evening, President Biden announced proposed guidance requiring “that construction materials used in Federal infrastructure projects be made in the United States,” Reuters reports.

On Wednesday, the OMB published the proposed rule in the Federal Register. It imposes more stringent domestic manufacturing standards for “plastic and polymer-based products, glass (including optic glass), lumber, and drywall” based on preliminary, non-binding OMB guidance issued last year. The regulation must be followed “on all awards that include infrastructure projects.” Congress required the current guidance in the Build America, Buy America Act (BABA), a part of the 2021 bipartisan infrastructure bill. BABA also requires iron and steel used in federally funded projects be domestically manufactured.

The proposed guidance is open for public comment through March 13. In addition to inviting comments on the standards proposed under the regulation, the notice asks for comments on “what, if any, additional construction materials should be included in the proposed guidance,” naming coatings, brick and engineered wood products as examples.

Register for February and March Coalition Committee Meetings

The Coalition currently has four member-only committee meetings scheduled for February and March. All times are Eastern:

  • February 21, 10:00 – 11:00 AM: General/Office Products Committee Meeting with Josh Royko, Branch Chief FAS Catalog Management (click here to register)
  • February 28, 10:00 – 11:00 AM: IT/Services Committee Meeting with Cheryl Cameron-Thornton, Executive Director of the Office of Acquisitions Operations (click here to register)
  • NEW: March 2, 2:00 – 3:00 PM: Furniture and Furnishings Committee Meeting with Integrated Workplace Acquisition Center (IWAC) Leadership Team (click here to register)
  • NEW: March 21, 12:00 – 1:00 PM: Pharmaceutical Subcommittee Meeting with Dr. Jennifer Martin, Defense Logistics Agency (click here to register)

Our February 21 General/Office Products Committee meeting will be a briefing open to all members with Josh Royko, Branch Chief at the FAS Catalog Management Office. The briefing will cover the General Services Administration’s (GSA) Verified Products Portal (VPP) and the Price Point Plus Portal tool (4P tool). Please send any questions you would like covered in the meeting to Joseph Snyderwine, JSnyderwine@thecgp.org. The meeting will be held virtually on February 21 from 10:00 AM to 11:00 AM EST through Microsoft Teams. To register, click here.

On February 28, the IT/Services Committee will be hosting Cheryl Cameron-Thornton, Executive Director at the Office of Acquisition Operations, to provide an update on price escalation adjustments. The event will be held on February 28 from 10:00 to 11:00 AM EST at the offices of Northrop Grumman, 7575 Colshire Drive, McLean, Virginia. Virtual attendance will also be supported through Microsoft Teams. To register, click here.

For our March 2 Furniture and Furnishings meeting, we will hear from the IWAC Leadership Team, who will provide a general update on the work of IWAC as well as a more focused update on the Packaged Office Program. We will hear from IWAC Director Ryan Schrank; John Breen, Branch Chief, Projects; Shaun Kelly, Branch Chief, Multiple Award Schedules; Linda Valdes, Branch Chief, Contract Administration; and Kristine Stein, Business Development Director. To register, click here. On March 21, Dr. Jennifer Martin, Deputy Chief Consultant in the DLA Pharmacy Benefit Program, will speak with the Pharmaceutical Subcommittee regarding a potential Specialty Pharmacy program and the Pharmacy Benefit Program in 2023. To register, click here.

Please direct questions regarding the Office Products and IT/Services meetings to Joseph Snyderwine, jsnyderwine@thecgp.org and questions about the Furniture and Furnishings and Pharmaceuticals meetings to Ian Bell, ibell@thecgp.org.

Coalition Amicus Brief on “Interpretation of Standard Record Keeping System” in Commercial Item Termination-for-Convenience Clause

Miller & Chevalier Chartered recently filed an amicus brief on behalf of The Coalition for Government Procurement (CGP), addressing an important issue for contractors who sell commercial products and commercial services (collectively, commercial items) to the government. The brief urged the U.S. Court of Appeals for the Federal Circuit to reverse the November 2, 2022 decision of the U.S. Court of Federal Claims (COFC) in ACLR, LLC v. United States, 162 Fed. Cl. 610 (2022). In its decision, COFC barred the contractor from recovering its “reasonable charges” resulting from a termination-for-convenience, based solely on an interpretation of FAR 52.212-4(l) under which COFC assessed the qualitative adequacy of the contractor’s “standard record keeping system.” As explained in the Miller & Chevalier amicus brief, COFC’s interpretation is contrary to the plain language of FAR 52.212-4(l), as well as the regulatory scheme governing commercial item terminations-for-convenience implemented pursuant to the Federal Acquisition Streamlining Act (FASA).

The case is ACLR, LLC v. United States, No. 23-1190 (Fed. Cir.). The amicus brief was authored by Jason Workmaster, Alex Sarria, and Elizabeth Cappiello.

GSA Releases Memoranda on Transactional Data Reporting and Talent Development

Last week, GSA released a memo revising Transactional Data Reporting (TDR) requirements for contracts not on the Federal Supply Schedule. The memo clarifies language in solicitation provisions and contract clauses and adds twenty-two transactional data elements that contractors must report. The twenty-two elements cover information related to invoices, contract access fees, subcontracting, and services. Additionally, the memo added language requiring contractors participating in TDR to submit a confirmation for each month that no contract transactions occur.

Earlier, on January 26, GSA released a memorandum announcing the GS-1102 Modernization Project. The project provides flexibility in the recruitment, hiring and professional development of contracting and acquisition personnel. The memo simplifies acquisition education requirements and makes it easier for contracting officers to enter GSA from the commercial world as it anticipates “a mobile workforce that may change positions many times, both in and out of Government.” Specifically, the memorandum states that GSA will transition to a talent management framework consistent with the Department of Defense’s Back-to-Basics framework. GSA will no longer require candidates for Grades 13 and above to have 24 semester hours of business credits. For all grades, requirements involving the legacy FAC-C certification have been dropped as GSA transitions to the new FAC-C Professional Certification. For grades 5-12, GSA will no longer accept 24 semester hours of business-related college courses in lieu of a bachelor’s degree.

DoD Memo: Small Disadvantaged Business (SDB) Goals Supersede Best in Class

A recent memo from the Office of Small Business Programs at the Department of Defense (DoD) and Defense Pricing and Contracting at DoD highlighted the importance of category management practices to maximize small business participation. The memo stated that category management best practices and the application of the Tier 2 Spend Under Management (SUM) credit increase the participation of small businesses in defense contracting. The memo also stated that while it is ideal to achieve both Best in Class contract goals and Small Disadvantaged Business (SDB) participation goals, the need to accomplish SDB goals supersedes Best in Class goals. The memo states that strategic efforts should be taken “to the maximum extent practicable” to achieve SDB utilization goals through existing and open market contracts. Additionally, the memo highlights how DoD components can obtain an automatic Tier 2 SUM credit for category management goals using all awards made to certified and self-certified socioeconomic small businesses.

Legal Corner:

VA Contractors Have Broad New Cybersecurity Obligations

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

By Eric S. Crusius, Holland & Knight

The U.S. Department of Veterans Affairs (VA) is overhauling and remaking its regulations aimed at contractor cybersecurity and privacy practices. Any companies in the VA supply chain should take note and ensure compliance with these regulations, which significantly increase obligations in certain circumstances – including immediate breach notification requirements and liquidated damages for breaches – and allow unscheduled on-site inspection of contractor information technology (IT) systems. The following is a summary of some of the significant policies and contract clauses impacting contractors.

Policies

Basic Safeguarding of Covered Contractor Information Systems: First, the VA creates a new Subpart (804.19) that sets out policies and procedures for the protection of certain VA information – namely, “VA information, information systems, and VA sensitive information.” This part covers the acquisition of commercial products and services, excluding commercial off-the-shelf items.

For instance, “VA sensitive information” includes:

information where improper use or disclosure could adversely affect the ability of VA to accomplish its mission, proprietary information, records about individuals requiring protection under various confidentiality provisions such as the Privacy Act and the HIPAA Privacy Rule, and information that can be withheld under the Freedom of Information Act. Examples of VA sensitive information include the following: individually-identifiable medical, benefits, and personnel information; financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, investigatory, and law enforcement information; information that is confidential and privileged in litigation such as information protected by the deliberative process privilege, attorney work-product privilege, and the attorney-client privilege; and other information which, if released, could result in violation of law or harm or unfairness to any individual or group, or could adversely affect the national interest or the conduct of Federal programs.

While not identical to the definition of controlled unclassified information (CUI), the definition of “VA sensitive information” is arguably so broad that it can include most information contractors create, store or transmit in the performance of a VA contract or subcontract.

Contractors who have a covered contract must, among other things: 1) comply with all VA information security and privacy policies; 2) complete VA security awareness training annually; and 3) disclose all security or privacy incidents within one hour of discovery to the contracting officer and contracting officer’s representative. This disclosure is required even for suspected incidents, so the one-hour clock starts at detection, not at confirmation.

Liquidated Damages: The VA adds a new Subpart (811.5) dedicated to liquidated damages in contracts that involve VA sensitive personal information. This is narrower than the definition of VA sensitive information noted above and essentially adds personally identifiable information as a limiting element. In the event of a data breach involving this type of information, the liquidated damages would be used to pay for credit monitoring services and the other items detailed below. There is no indication that the contractor (or subcontractor) would have had to act contrary to VA cybersecurity requirements in order to be responsible for liquidated damages; it appears to be a strict liability standard.

Protection of Individual Privacy: New sections are added within Subpart 824.1, including ones to require the inclusion of new clauses ensuring privacy of individuals with protected health information, the requirement to flow down Business Associate Agreements and inclusion of the liquidated damages clause.

Acquisition of Information Technology: Previously reserved, Part 839 is added by the VA specifically to set out policies for IT acquisitions. Under this Part, the VA would require contractors providing IT products and services to, among other things, comply with VA Directive 6500 and “use appropriate common security configurations available” from the National Institute of Standards and Technology (NIST). The policy does not identify the exact NIST standards beyond pointing to NIST’s checklists.

Solicitation Clauses

The above policies are implemented through the following clauses that the VA inserts into relevant contracts.

Information and Information Systems Security: This clause is required to be inserted whenever FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, is required, and it covers a broad base of contractors, including those with access to “VA information, information systems, or information technology (IT) or providing and accessing IT-related goods and services.” At its center, it requires that covered VA contractors adhere to VA Directive 6500. VA Directive 6500 is comprehensive and contains more than 150 separate controls, including the requirement for an incident response plan. Besides VA Directive 6500, contractors are also expected to comply with VA Handbooks and other listed requirements.

Depending on the type of information involved, the prime contractor and subcontractors may be required to enter into Business Associate Agreements. Further, contractors are required to develop software and perform services within the U.S. “to the maximum extent practicable.” Any services proposed to be performed outside the U.S. that are not prohibited by law from being performed there must be disclosed in the proposal, together with a detailed Information Technology Security Plan. Other notable requirements include:

  • a four-hour notification requirement if employees with access to VA information (including by virtue of working on a VA information system) leave or are reassigned
  • using data only from the VA or developed by the contractor under the contract for the purposes outlined in the contract
  • separation of VA information from other information the contractor possesses
  • sanitization of data in accordance with VA Directive 6500
  • provision of “all necessary access” to VA and U.S. Government Accountability Office staff for scheduled and unscheduled on-site inspections by the VA of contractor information system assets
  • destruction of data in accordance with VA policies, including VA Directive 6371, within 30 days after the termination of the contract, and compliance with other policies concerning copying, retaining, using, returning and destroying relevant information
  • encryption of data consistent with Federal Information Processing Standard (FIPS) 140-3, the standard for validated cryptographic modules, which in practice means using validated modules rather than merely approved algorithms
  • meeting the VA’s guidelines for firewalls and web services security controls
  • compliance with relevant privacy laws
  • reporting cybersecurity incidents or imminent cybersecurity incidents in writing to the contracting officer and contracting officer representative within one hour of discovery
  • providing training to certain employees who have access to VA information or VA information systems
  • flowing down this clause to subcontractors covered by the above requirements

Liquidated Damages: Contractors with access to sensitive personal information must provide liquidated damages in the event of a breach that results in spillage of that information. The contractor may instead provide actual damages if they can be proven. Either way, the damage calculations should take into account costs for notifications, credit monitoring, data breach analysis and impact assessment, fraud alerts, and identity theft insurance. Further, under alternate contract language, the VA may obtain damages for the repurchase of goods and services.

Gray Market and Counterfeit Items: The VA proposes significantly updating an existing clause (852.212-71) that previously concerned only gray market goods. The new clause also prohibits the sale of counterfeit goods to the VA. While this may seem obvious, the definition of “counterfeit” is broad and includes substitutions, which are defined to include “used items represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.” There is also a new clause (852.212-72) that would specifically allow “used, refurbished, or remanufactured parts” under certain circumstances. Gray market and counterfeit items would still be prohibited.

Other Clauses of Interest: In addition to the above, the following is a selection of clauses that the VA is proposing to revise or add:

  • Security Requirements for Information Technology Resources (852.239-70): Contractors with access to VA information are responsible for the security of that information, must submit an Information System Security Plan within 90 days of contract award, must have their system security accredited, must give access to the federal government when requested (including to subcontractor systems), and must flow these requirements down the supply chain when applicable.
  • Security Controls Compliance Testing (852.239-74): This allows the VA, including the VA Inspector General (with 10 working days’ notice), access to each location where VA information is “processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA …” The VA may also conduct assessments without notice.

Conclusion

Taken together, contractors that do business with the VA will face significant new cybersecurity and privacy responsibilities. These responsibilities do not apply only to contractors that handle personally identifiable information; they reach the information that contractors will come across or create on most contracts for IT products and services. Contractors covered by these regulations should review them and ensure compliance, or risk adverse consequences from the VA.

Healthcare Corner:

HHS Creates Tool to Facilitate Medical Supply Chain Collaboration

Government Executive reports that the Department of Health and Human Services (HHS) has created a new online tool, Industrial Base Expansion (IBx) Connect, to facilitate collaboration between government and industry on matters related to medical supply chain vulnerabilities that were amplified by the COVID-19 pandemic. In a blog post, Joe Hamel, Acting Deputy Director of HHS’ Administration for Strategic Preparedness and Response (ASPR) Industrial Base and Supply Chain Office, stated that the tool builds on previous HHS efforts to address medical supply chain issues. He added that, “the pandemic showed the need for critical public health industrial investments at a scale never seen before in the United States.”

IBx Connect serves as ASPR’s “single point of entry” for the submission of market research, and allows for companies to request meetings with ASPR officials and other government personnel to discuss products and technologies they are developing that could improve the medical supply chain and public health. Specifically, HHS is looking for “solutions related to the manufacturing of personal protective equipment, optimization of the supply chain, and testing and diagnostic devices.”

A View From Main Street

By Ken Dodds, Live Oak Bank

The following blog does not necessarily represent the views of the Coalition for Government Procurement.

Experience and Past Performance

Mentor Protégé Joint Venture

Procuring agencies use both experience and past performance evaluation factors in federal procurement.[1] Experience is the degree to which the offeror has performed similar work, and past performance is the quality of the work performed.[2] SBA’s rules provide, “a procuring activity must consider work done and qualifications held individually by each partner to the joint venture as well as any work done by the joint venture itself previously. A procuring activity may not require the protégé firm to individually meet the same evaluation or responsibility criteria as that required of other offerors generally. The partners to the joint venture in the aggregate must demonstrate the past performance, experience, business systems and certifications necessary to perform the contract.”[3] In 2019, GAO denied a protest challenging a solicitation which required a protégé to submit at least one example of experience in each category of required experience. GAO found that this did not violate SBA’s regulations and that the agency had a reasonable basis for the limitation on mentor experience and requirement for protégé experience.[4] In 2021, GAO sustained a protest where the solicitation limited the experience that a mentor could provide but did not require the protégé to submit any experience. GAO found that the limitation did not violate SBA’s regulations but was unduly restrictive of competition.[5]

In a recent decision, an unsuccessful offeror challenged the agency’s past performance evaluation of a mentor protégé joint venture, where all 10 examples of past performance were from the mentor as the prime contractor, with the protégé as a subcontractor. The agency attributed all 10 examples of past performance to the joint venture and supplemented the record with a statement from the contracting officer’s representative for each of the 10 projects. Although the agency failed to consider the percentage of work to be performed by each party to the joint venture as part of the past performance evaluation, as required by the solicitation, the protester was not competitively prejudiced. The protester had not shown that the agency would have changed its past performance rating of the joint venture even if the agency had attributed the past performance to the mentor alone, especially in light of SBA’s rules requiring accommodation for protégés lacking past performance. Further, even if the agency had given the awardee a lower past performance rating, the protester did not have a substantial chance of award considering the protester’s lower rating under the management capability factor and higher price.[6]

Affiliate Past Performance

An agency may consider the past performance or experience of an affiliate where the proposal demonstrates that the resources of the affiliate will impact contract performance. However, an agency is not required to do so. Here, the solicitation required three past performance examples, and only one could be from a major subcontractor or team member. An Alaska Native Corporation (ANC) subsidiary submitted two past performance examples from affiliated companies. The agency disregarded those past performance examples and gave the protester a low confidence rating. GAO denied the protest, finding that the agency acted reasonably under the terms of the solicitation.[7]

Do you have a topic you wish to be covered or a question on how Live Oak Bank can support your business? Email me at ken.dodds@liveoak.bank.

[1] FAR 15.304(c)(2).

[2] AnderCorp, LLC, B-419984, Oct. 14, 2021, 2021 CPD 343.

[3] 13 CFR 125.8(e).

[4] Ekagra Partners, LLC, B-408685.18, Feb. 15, 2019, 2019 CPD 83.

[5] Computer World Services Corporation; CWS FMTI JV LLC, B-419956.18, B-419956.19, B-419956.24, Nov. 23, 2021, 2021 CPD 368.

[6] Meltech Corporation, Inc., B-421064, B-421064.2, Dec. 22, 2022, 2022 WL 18401677.

[7] Arcticom, LLC, B-421256, B-421256.2, Dec. 28, 2022, 2022 WL 18387634.

Webinar: False Claims Act Enforcement in 2023: Key Developments and Risk Mitigation Strategies, February 16

The risks of exposure to damages and penalties under the civil False Claims Act (FCA) present recurring challenges for government contractors. For this presentation on False Claims Act Enforcement in 2023: Key Developments and Risk Mitigation Strategies, the Coalition is pleased to host Perkins Coie LLP Partners Alexander Canizares and Barak Cohen on February 16 from 12 – 1 pm EST. They will provide a practical overview of key considerations for government contractors related to the FCA, trends in FCA enforcement, and how to effectively manage risks related to whistleblower allegations and qui tam lawsuits.

Among other things, Alex and Barak will address:

  • The Department of Justice’s FCA enforcement priorities;
  • Key takeaways from DOJ’s FY 2022 statistics for FCA settlements and judgments;
  • FCA developments before the Supreme Court and their implications for contractors;
  • Emerging issues related to the FCA and cybersecurity;
  • FCA risks and private equity; and
  • Recent cases involving small business programs and Paycheck Protection Program loans.

To register for the webinar, click here.

GAO Urges Agencies to Address Critical Infrastructure Vulnerabilities

On February 7, the Government Accountability Office (GAO) issued its third in a series of four reports on significant risks to cybersecurity that the Federal Government should address urgently. The third report focuses on the need to protect critical cyber infrastructure. Since 2010, GAO has made approximately 106 recommendations to agencies related to this area. GAO found that, as of December 2022, about 60 of these recommendations had not yet been addressed or implemented. The report emphasizes that the Government should strengthen its role in protecting the cybersecurity of critical infrastructure, such as electricity grids and telecommunications networks.

Electricity Grids

GAO noted that U.S. grid distribution systems are growing more vulnerable to multiple techniques of cyberattack, partly because of the increasing connectivity of industrial control systems. In a March 2021 report, GAO reported that the Department of Energy (DOE), the lead agency of the energy sector, had developed plans to combat these threats and implement the national cybersecurity strategy for the grid. GAO found, however, that DOE’s plans did not address the grid distribution systems’ vulnerabilities related to supply chains, limiting their use in “prioritizing Federal support to states and industry.” In its current report, GAO recommends that DOE coordinate with the Department of Homeland Security, states, and industry to address fully the risks that cyberattacks pose to grid distribution systems.

Communications Sector

According to the Cybersecurity and Infrastructure Security Agency (CISA), the communications sector faces serious cyberthreats that could affect local, regional, and national networks. CISA is responsible for managing Federal coordination during incidents affecting the communications sector, as well as for sharing information with stakeholders to improve their cybersecurity awareness and incident response. In a November 2021 report, GAO stated that CISA had not assessed the effectiveness of its services and programs that support the resiliency and security of the communications sector. Additionally, GAO found that CISA had not yet updated its 2015 Communications Sector-Specific Plan, which could help address emerging threats. GAO now recommends that CISA assess the effectiveness of its programs and services that support the communications sector and update the Communications Sector-Specific Plan.

Ransomware Attacks

In a September 2022 report, GAO noted that CISA, the FBI, and the Secret Service assist in preventing and responding to ransomware attacks on tribal, state, local, and territorial governments. GAO found that these agencies could improve their efforts by fully addressing key practices for interagency collaboration in the assistance they provide to these governments. For example, GAO found that interagency collaboration was informal and lacked detailed procedures. In its current report, GAO recommends that these agencies incorporate key collaboration practices.

CISA Stands Up Cyber Supply Chain Risk Management Office

Federal News Network reports that CISA has created a new project management office for cybersecurity supply chain risk management (C-SCRM). The office, headed by former GSA Senior Advisor for Cybersecurity Shon Lyublanovits, will develop new training courses for the Federal government, state and local governments, and industry, and will lead “a series of roundtables focused on ‘operationalizing C-SCRM.’” As required by the 2018 SECURE Act, the Federal Acquisition Security Council will continue to set governmentwide policy on C-SCRM, while the Act charges CISA with socializing and coordinating C-SCRM throughout the Federal government. Currently, the council is developing a new C-SCRM scorecard to help agencies manage supply chain risk, an area in which GAO identified problems in a 2020 report.

Prior to creating the office, CISA had addressed C-SCRM through its ongoing information and communications technology (ICT) supply chain risk management task force. Consisting of private organizations, industry associations, and federal agencies, the task force publishes guidance on communicating and addressing supply chain risks connected to information technology. Its most recent publication was Securing Small and Medium-Sized Business Supply Chains, a voluntary handbook that identifies the six highest-risk ICT categories for small IT businesses and provides real-world scenarios to illustrate how companies can address them.

MAS PMO to Assist with SAM.gov Entity Validation Issues

Last Friday, GSA provided additional guidance on its Interact blog to Multiple Award Schedule (MAS) contractors facing entity registration problems in the System for Award Management (SAM). If registration issues are “time or mission sensitive,” contractors with an active MAS award may ask the MAS Program Management Office to escalate their ticket by emailing MASPMO@gsa.gov with the ticket, the entity’s legal name, its Unique Entity Identifier (UEI) if available, the reason the request is urgent, and a brief description of the issue.

A Federal Service Desk blog post updated February 7 states that the average time needed for a manual review of a registration issue is four business days, although the post noted that complex cases may take longer to resolve. Federal contractors must be registered in SAM to receive awards and be paid.

GSA has experienced problems with entity registration and validation since April 2022, when it transitioned from the commercial DUNS numbers used to identify Federal contractors for over 40 years to the government-exclusive Unique Entity Identifier (UEI). The transition required all contractors to update their SAM registrations and undergo entity validation, in which the information contractors provide to SAM is checked against existing records such as state-level corporate registrations. In November 2022, GSA stated that 80 percent of entities that had renewed their registrations had passed through the automated SAM validation system without issue. Some entities, however, have failed validation due to minor issues, such as a stray character in a business record, and require manual review.

RFI Released for 2023 Federal Cybersecurity Research and Development Strategic Plan

The National Science Foundation and the Networking and Information Technology Research and Development program’s National Coordination Office released an RFI for the 2023 update of the Federal Cybersecurity R&D Strategic Plan. The updated plan will guide federally funded research in cybersecurity, including cybersecurity education and workforce development, along with the development of consensus-based standards and best practices in cybersecurity. The plan was created under the Cybersecurity Enhancement Act of 2014 and must be updated every four years. Responses are sought on which innovations, solutions, research areas, and objectives should be prioritized. Additionally, responses are sought on which strategies, developments, or advancements should be considered in preparing the plan. Responses are due on March 3.

AFCEA Bethesda’s Engage & Connect Webinar Series

The Coalition is proud to sponsor AFCEA Bethesda’s Engage & Connect webinar series – The New IT Frontier: Defeating Threats to the Nation’s Cybersecurity! On Thursday, February 16 at 8:00 AM EST, Benjamin Koshy from the Indian Health Service, Shane Barney from U.S. Citizenship & Immigration Services, and Amy Hamilton, Ph.D. from the Department of Energy/the Department of Defense will make up the panel, moderated by Jill Aitoro of CyberRisk Alliance. They will discuss agencies’ plans for implementing the new cybersecurity executive orders, including the use of software bills of materials (SBOMs) to mitigate cyber risk, thwart cyber incidents, and defend against supply chain attacks.

Register today and be sure to stick around for the virtual networking breakout rooms after the panel to connect with other attendees, share personal insights, and discuss lessons learned. Coalition members can register here.