Government E-Commerce: In Search of a Direction from Government
Readers of this blog will recall that, recently, we addressed the mixed messages being sent by the government on e-commerce. We juxtaposed the concerns of Dr. Peter Navarro, Assistant to the President and Director of the Office of Trade and Manufacturing Policy, that, “e-commerce platforms[,] as a class[, play] by a different set of rules that simultaneously hammer brick-and-mortar retailers, defraud consumers, steal American jobs[,] and rip[-]off intellectual property rights holders,” against the reality of the General Services Administration (GSA) implementing a government-wide e-commerce program pursuant to Section 846 of the FY2018 NDAA that is rooted in non-compliance with the Trade Agreements Act (TAA), the Buy American Act (BAA), and various socio-economic laws. Significantly, GSA further amended its solicitation in January to limit platform provider accountability for product integrity and even reporting requirements for product country of origin.
Dr. Navarro made his comments on the release of Executive Order 13904, Ensuring Safe and Lawful E-Commerce for United States Consumers, Businesses, Government Supply Chains, and Intellectual Property Rights Holders. Given the recent publication of EO 13904, it is imperative that GSA review the e-commerce solicitation to ensure that it is consistent with the Administration’s current e-commerce policy.
Coalition members generally have been strong supporters of acquisition streamlining measures, like e-commerce. At the same time, we have commented repeatedly on the many unaddressed issues associated with the construct of GSA’s e-commerce effort, specifically, its impact on spending, security, foreign acquisition, and the overarching market. One issue, the program’s focus on purchases below the Micro Purchase Threshold (MPT), warrants some emphasis here.
The MPT is a process device with roots in the acquisition reforms of the 1990s. Facilitated by the government’s use of purchase cards, it streamlines certain small purchases by allowing them to be made outside of compliance with the TAA, BAA, and socio-economic laws. Again, it is a process, not a program, and that distinction is a key concern with GSA’s e-commerce effort.
Central to GSA’s implementation of Section 846 is its reliance on the MPT for its waiver of compliance with the law. This reliance, however, has elevated the MPT process tool to the status of a program, as is demonstrated by the fact that GSA is embedding a transactional industrial funding fee in the effort at the same rate applicable to the Multiple Award Schedules, notwithstanding the fact that, unlike the Schedules, platform management is outsourced. In addition, the sheer size and impact of GSA’s e-commerce effort demonstrate the MPT’s program status. GSA estimates that its e-commerce program will impact $6 billion in sales annually, but, in reality, the program’s non-compliant platforms have the potential to impact upwards of $60 billion in government commercial transactions annually, including transactions under the Schedules program.
Grounding a program that fails to support compliance with the law contradicts sound public policy. Simply put, the minimum needs of the government, presumably manifested in the law, cannot be met. Moreover, the economic impact of this noncompliance cannot be overstated. Recall that, under the Schedules program, GSA negotiates with industry partners to ensure that products meeting the requirements of the TAA, BAA, small business, AbilityOne, and other laws and regulations are available to agencies at competitive prices. To obtain a Schedules contract, almost 14,000 vendors undertake the expenditures of time, resources, and money to follow the law. With the implementation of GSA’s e-commerce effort, however, they will compete against platform vendors that, with the waiver of such compliance and associated costs, are placed at a significant profit advantage.
In the end, with GSA’s e-commerce solicitation at odds with the Administration’s overarching concerns about e-commerce articulated by Dr. Navarro, the government is at an inflection point. It needs to provide clarity in the form of a consistent e-commerce agenda to GSA and the industrial base that serves its agencies. To that end, the Coalition has sent a letter to Dr. Navarro seeking guidance on this matter. Given the legitimate need for compliance with the law to mitigate supply chain and other risks, a consistent policy on e-commerce is essential for stakeholders to orient their corporate activities and serve their customer agencies.
DoD Alerts Industry About Fake CMMC Certifiers
Stacy Bostjanick, the Director of the Cybersecurity Maturity Model Certification (CMMC) policy office in the Under Secretary of Defense for Acquisition and Sustainment, has warned that there are companies falsely claiming that they can get vendors certified under CMMC. The CMMC accreditation body is considering sending “cease and desist” letters to these companies.
According to Federal News Network, Bostjanick said that CMMC training and examination requirements are not yet in place. She also added the first set of third-party assessment organizations will likely be available later in the summer. Training and assessment guides, which will provide vendors instructions on how to be certified at levels 1, 2, sand 3, will be finalized in March. Later in the Spring, between April and June, the accreditation body will develop training classes for third party assessors.
NIST Releases Revision 2 of SP 800-171
The National Institute of Standard and Technology (NIST) released revision 2 of SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organization. Defense contractors are subject to the security requirements in SP 800-171 under DFARS 252.204-7012. SP 800-171 provides organizations with security requirements to protect controlled unclassified information (CUI). Revision 2 of the standard provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three.
Join the Coalition at GSA’s FAST 2020
The FAST 2020 is right around the corner! The training conference will be held April 14 – 16 in Atlanta, Georgia. It will bring together thousands of government and industry acquisition professionals, senior executives, and program managers for three days packed with training, dialogue, and collaboration on key procurement policies, procedures, and programs. The conference agenda will include key/leading acquisition management programs, like Category Management and associated Best in Class contracts, acquisition innovation initiatives (think OTAs), and supply chain risk management and cyber security (think Section 889). Of course, the agenda will include training and government-industry exchanges on the Multiple Award Schedules (MAS), IT GWAC, OASIS, and much, much more.
The Coalition commends GSA for its commitment and hard work focused on creating a cost effective, government-wide training event that will enhance understanding and support the procurement system in delivering best value mission support for customer agencies and the American people. Already, over 500 firms have signed up as exhibitors, and space is filling up. Many of the exhibitors are Coalition members, and the Coalition will be at booth 515 throughout the conference. Additionally, the Coalition will be hosting a complimentary reception for members on the evening of April 14 at the Omni Hotel, right across the street from the Georgia World Congress Center. We will share more details as they become available. We hope to see you there.
Here is more information on the agenda, events, and registration for FAST 2020.
GSA Provides Update on OASIS On-Ramps
The General Services Administration (GSA) posted an update of the OASIS on-ramps on GSA Interact. The OASIS program is conducting a series of open season on-ramps to increase the industrial bases of the OASIS Small Business (SB) pool, and OASIS Unrestricted Pools 1, 3, and 4. 8(a) sub-pools under each OASIS SB Pool with task order history will also be established. The on-ramps are being completed in phases. A table has been posted with the remaining milestones.
So far, two bid protests have been filed with the Government Accountability Office (GAO) over the on-ramps. GAO has until June 4 to issue decisions in the protests.
| Milestones | OASIS SB
Pool 1 (Top 40) |
OASIS SB
Pool 1 (#41-190) |
OASIS SB
Pool 3, 4 |
8(a) SubPools | OASIS U
Pool 1, 3, 4 |
| Solicitation Issued | 04/29/19 |
04/29/19
|
04/29/19
|
04/29/19
|
07/11/19 |
| Proposals Due | 06/28/19 |
06/28/19
|
06/28/19
|
06/28/19
|
10/10/19 |
| Award Notifications | Phase 1 (40 contracts awarded 11/15/19) | Phase 2 ( 89 contracts awarded 2/13/20)
Phase 3 March 2020 Phase 4 April 2020 |
Q3 FY20 | Q3 FY20 | Q3 FY20 |
Protest on GSA’s e-Marketplace Solicitation Withdrawn
On February 24, FedScoop reported that Overstock.com withdrew its bid protest to GSA’s commercial e-marketplace solicitation. They filed the protest with the Government Accountability Office (GAO) on January 15, citing ambiguous terms that could restrict competition and insufficient time to respond. The withdrawal comes ten days after GSA responded with an agency report. GSA did not make any changes to the solicitation. In the absence of other protests, GSA can continue its process for awarding a contract for a commercial e-marketplace.
Interview with DHA Director Lt. Gen. Place
Health.mil sat down with the Director of the Defense Health Agency (DHA), Lt. Gen. Ronald Place, to discuss his vision for the future of DHA. The interview dives into his first few months as Director and his four priorities for DHA, which include Great Outcomes, a Ready Medical Force, Satisfied Patients, and a Fulfilled Staff. Other topics discussed include military treatment facilities’ transition to DHA, DHA’s patient-centered approach, the agency’s combat support function. The full interview can be found here.
Legal Corner: DoD Releases Cybersecurity Maturity Model Certification 1.0—Once It’s Effective, Thousands of DoD Contractors, Suppliers Must Be Certified as Prerequisite to Contracting
By Mayer Brown; Marcia Madsen, David Simon, and Roger Abbott
The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement.
On January 31, 2020, the US Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Cybersecurity Maturity Model Certification (CMMC) Version 1.0. DoD developed the CMMC to provide a unified cybersecurity standard for defense contractors and suppliers across all of the Defense Industrial Base (DIB), which, according to DoD, “consists of over 300,000 companies.”1 The development of the CMMC has been driven by concerns about the widespread exfiltration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the sprawling DIB, particularly at the lower and middle levels of the supply chain.2 CMMC primarily builds upon DFARS 252.204-7012, which generally requires contractors to maintain “adequate security” on all covered contractor information systems and to report any cybersecurity incidents to the DoD Cyber Crime Center (DC3) within 72 hours. It also incorporates a number of other standards, including FAR 52.204-21 (the basic standard for protecting FCI), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, NIST SP 800-171B,3 ST SP 800-53, ISO 27001, ISO 27032, AIA NAS 993, CIS Critical Security Controls 7.1, and CERT Resilience Management Model®.
As detailed in a Legal Update regarding CMMC Draft Version 0.6, CMMC establishes a scaled benchmark against which an organization’s level of cybersecurity preparedness can be assessed and certified across five levels of cybersecurity “maturity,” ranging from Level 1 (“Basic Cyber Hygiene” required to protect FCI) to Level 3 (the minimum level for companies that access or generate CUI) to Level 5 (“Advanced/Progressive”). The CMMC framework consists of practices and processes mapped across 17 capability domains and scaled across the five cybersecurity maturity levels. For instance, Level 1 encompasses only 17 practices (one for each of the 17 capability domains), whereas Level 5 encompasses all 171 practices. This progression is illustrated in the following visual released as part of DoD’s CMMC Version 1.0 public presentation:
DoD explained its view of CMMC Version 1.0 in a press conference featuring Ellen M. Lord, undersecretary of defense for acquisition and sustainment; Kevin Fahey, assistant secretary of defense for acquisition; and Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber and point person for CMMC.4 Throughout the press conference, Ms. Lord and Ms. Arrington stated that DoD is taking a “crawl, walk, run” approach to implementation and is mindful of the need to minimize the compliance burden for small and medium-sized businesses.
This press conference revealed the following information, which was not included in the documents released in conjunction with CMMC Version 1.0:
- The certification requirement will encompass both standard procurement contracts and Other Transaction Agreements (OTAs) and will apply to all levels of the DoD supply chain, including suppliers and small businesses. In fact, Ms. Lord noted that DoD is particularly concerned with the lower tier of the supply chain: “We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.”
- That said, Ms. Lord reiterated that DoD values the contributions of small businesses and is working hard to minimize the burden of compliance: “One of my biggest concerns is implementing CMMC for small and medium businesses. Because that’s where a large part of innovation comes from. We need small and medium businesses in our defense industrial base, and we need to retain them.”
- Certification will be for a three-year period, and the deadline for certification will be upon notice of contract award. Failure to obtain a timely certification will not result in a penalty but will bar a company from receiving the contract.
- The expectation is that prime contractors will help suppliers and lower-tier contracts comply, whether by facilitating certification or by providing a secure environment/network to for their work. The potential extra cost for additional facilities or networks to accommodate subcontractors or suppliers is not addressed.5
- Ms. Arrington noted that smaller companies down the supply chain will not be required to have the same level of certification as prime contractors. The level of certification required will depend on whether performance requires the contractor to use or generate sensitive information.
- An Accreditation Body (AB)—an independent, non-profit, industry-funded board composed of 13 (currently undisclosed) members of the DIB and cybersecurity community—apparently was created in mid-January 2020, and will be responsible for training and certifying candidate third-party assessment organizations (C3PAOs).6 A detailed Memorandum of Understanding (MOU) between DoD and the AB is under development. A point of emphasis in the MOU will be to prevent conflicts of interest, e.g., to ensure that an assessment organization or auditor cannot review an affiliate or competitor.
- By “late spring/early summer” 2020, DoD will complete the formal rulemaking process and release a new Defense Federal Acquisition Regulation (DFAR) regarding the operation of CMMC.
- CMMC will not apply retroactively but will only apply to new contracts and will be phased in over the next five years. The expectation is that by FY 2026, all new DoD contracts will contain Go/No Go CMMC requirements.7
- Initially, CMMC requirements will be limited to roughly 10 “pathfinder” programs, which are each expected to affect roughly 150 contractors and subcontractors and will include a mix of contracts and subcontracts at all five CMMC Levels. DoD is still in the process of identifying these pathfinders. RFIs for these procurements are scheduled to be issued in June 2020, and corresponding RFPs issued in September 2020. DoD will monitor the success of the pathfinder procurements and make adjustments to the CMMC process (as needed) before issuing additional RFPs that incorporate CMMC.
Issues and Concerns for Contractors:
Although CMMC Version 1.0 and the corresponding DoD presentation shed some additional light on the CMMC implementation, a number of questions remain.
- Supply Chain Management: It remains unclear how the certification requirements will flow down to lower tier suppliers, subcontractors, and advisors. For example, how will suppliers of commercial technology, products, and services (sold in the open market) be addressed? Will suppliers of commercially available off-the-shelf products and services be treated as part of the DIB? Will acquisitions of technology and services under the micro-purchase threshold or pursuant to an e-marketplace be covered? Will providers of professional services that are not part of the DIB (e.g., accountants, consultants, law firms) but that regularly work with defense contractors be covered by the certification requirements?
- Can the CMMC Level Determination Be Disputed? It is unclear how DoD or contracting officers will determine which level of CMMC certification will be required for a particular procurement. Where a requirement is unreasonable, overly broad, and restricts competition, challenges are reasonably foreseeable.
- Operation of the Accreditation Body: The MOU for the AB is still being developed. It is still unclear how the accreditation process will work and what the cost of accreditation will be at each CMMC level.
- Accreditation Process Unclear: No details have been revealed about which companies will perform the accreditation, what the certification process will look like, how long it will take and at what cost, and whether contractors will be able to appeal in the event of a failed audit. For instance, will a contractor that fails the auditing process have the option to seek certification from a different auditor? How will DoD ensure that the certification process is applied consistently by all the C3PAOs?
- Potential Accreditation Backlog: As a practical matter, once DoD advances past the “crawl” stage, will it be possible to accredit 300,000 companies—including an estimated 12,000–16,000 companies that handle CUI—in less than five years? Will deviations or extensions be available if an accreditation backlog makes it impossible for companies to be certified on time?
- Concern exists within the industry that there will be an inadequate number of C3PAOs to certify companies efficiently. Many companies are reluctant to enter the accreditation market because C3PAOs will be barred from competing in many procurements due to conflicts of interest.
- One concern is that if a certification backlog emerges, companies that are involved in the early “pathfinder” procurements and succeed in becoming certified will have a competitive advantage compared to companies that are unable to certify due to the backlog and accordingly are unable to compete for contracts. For instance, when the Office of Management and Budget (OMB) established the Federal Risk and Authorization Program (FedRAMP)—purportedly “to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies”— it initially took companies months or even years to certify. In 2016, it took companies as long as two years to obtain a FedRAMP Authority to Operate, at a cost of as much as $4 million to $5 million—up from nine months and a cost of $250,000 in 2014.
- Impact on DoD’s Access to Technology: Will companies that do not participate in the government market find the CMMC requirements, coupled with other regulatory burdens, audits, and litigation risk, a further barrier to doing business with DoD?
- Industrial Policy: Is this an industrial policy issue that goes beyond the procurement regulatory process?
Healthcare Spotlight: Meeting with GAO on VA FSS Reform, March 12
Coalition members are invited to a meeting on March 12th with the Government Accountability Office (GAO) about their recent report on the VA FSS program and their recommendations for reform. The GAO report is titled, Steps Needed to Ensure Healthcare Federal Supply Schedules Remain Useful, and was published Feb 6, 2020. 
The meeting will be with Shelby Oakley, a Director in the GAO’s Contracting and National Security Acquisitions team who is responsible for oversight of contracting activities of the Veterans Affairs Department.
Healthcare Committee Meeting
Thurs., March 12 at 10am
Washington, DC
Downtown Location TBD
RSVPs are required to attend. Please RSVP to Michael Hanafin at mhanafin@thecgp.org and he will send the location once it has been confirmed, or the dial-in number upon request.
CRS Releases Legal Analysis of JEDI Protest
On February 19, the Congressional Research Service (CRS) published a legal analysis of Amazon’s protest of the Defense Department’s JEDI contract. The analysis provides an overview of the JEDI procurement process and discusses allegations from the ongoing lawsuit. Click here to read the full report.
TTS Plans to Automate FedRAMP
FedScoop reported that Anil Cheriyan, Director of Technology Transformation Services (TTS), seeks to automate the Federal Risk and Authorization Management Program (FedRAMP) by the end of fiscal year 2020. FedRAMP’s Program Management Office (PMO) is working with the National Institute of Standards and Technology (NIST) to develop the Open Security Controls Assessment Language (OSCAL), which would serve as a tool to automate components of the authorization process. OSCAL would allow agencies to expedite reviews of security authorization packages. The PMO is planning to drastically increase the number of training sessions for agencies on how to reuse authorities to operate (ATOs), which is faster than waiting for an offering to gain FedRAMP authorization.
Slides from Joint BRIC/Cyber and Supply Chain Committees Meeting
The Coalition’s Business and Regulatory Issues Committee (BRIC) and Cyber and Supply Chain Committee held a joint meeting this week. First, Marcia Madsen and David Simon from Mayer Brown briefed the committee on the legal and regulatory impact of the Cybersecurity Maturity Model Certification (CMMC). Next, Jon Etherton and Moshe Schwartz from Etherton and Associates provided an update on the budget and appropriations process for this year and discussed recent acquisition reforms from the NDAA. The slides from Mayer Brown can be accessed here. The slides from Etherton and Associates can be accessed here. These slides have been provided to Coalition member companies, please do not share them with outside sources.
Off the Shelf with Alan Thomas: An Expert’s Take on the Federal Market
Alan Thomas, executive vice president for Special Projects at Trowbridge and former commissioner of the General Services Administration’s Federal Acquisition Service, joined Off the Shelf for a wide-ranging discussion of the federal market and government-wide contracting. 
Thomas provided his insights on his time at FAS, in particular, sharing the strategic vision and goals driving GSA’s Federal Market Place Strategy. He also shared his thoughts on the key market dynamics, including supply chain and cyber concerns — i.e. Section 889 — that are now reshaping requirements across government.
Finally, Thomas provided an update on multiple award schedule consolidation and e-commerce — think Section 846 — outlined his new role at Trowbridge, and shared lessons learned and management experiences from his cross-cutting career both in government and industry. To listen to the podcast, click here.
Update on 2021 Appropriations
Roll Call reported that the House Appropriations subcommittees will begin their markup for the 2021 spending bills on April 21. The first full Committee markup will be on April 28. The Committee plans to complete the markup process by May 19 and get the vote of the full House before July. The Senate plans to complete their markups before the August recess.
Webinar – Prepare for ASTRO Launch: Draft RFP Insight, March 4
GSA FEDSIM has been commissioned by DoD to establish a multiple award IDIQ contract program dedicated to unmanned, manned, and optionally manned systems, robotics, and platforms. Code-named ASTRO, the program is expected to be a unique DoD focused contract vehicle that will capture a lot of attention this year as a critical federal acquisition. Similar to OASIS, ASTRO will utilize a self-scoring system to evaluate a contractor’s status as a best-in-class solution provider. On February 5th, GSA FEDSIM issued a draft RFP and is slated to hold one-on-one due diligence sessions with interested vendors on February 18th through the 20th. Prospective contractors would be wise to consider the latest news as GSA moves forward.
Please join the Coalition on March 4 at 12 pm ET as we host Baker Tilly to provide an overview of the ASTRO contract, expected contract requirements, and what contractors should consider as they make bidding decisions, including:
– Program Drivers
– ASTRO Background
– Anticipated FEDSIM Proposal Evaluation Criteria
– Vendor Self-Scoring
– Impact of “Bootstrapping” on Small and Mid-Tier Businesses
– Proposal Preparation Lessons Learned From OASIS
– Bid / No-Bid Factors
Click here to register for the webinar.
Join the Dialogue on GSA’s e-Tools and the MAS Consolidation, March 10
All members are welcome to join a dialogue with Judith Zawatsky, Deputy Assistant Commissioner for the Office of Systems Management at GSA, on March 10th at 10am in Tysons Corner. The meeting will be hosted by the IT/Services Committee. Judith and her team will address e-Tools in the context of the Schedules Consolidation, for example e-Buy (how is GSA preparing and what outreach is being conducted with agencies), e-Offer, and e-Mod.
If you have any questions about GSA’s e-Tools that you would like GSA to address during the meeting, please send them to Aubrey at awoolley@thecgp.org.
RSVPs are required to attend. Please email Michael Hanafin at mhanafin@thecgp.org to RSVP and receive the meeting location or the dial-in number.
Small Business Committee Meeting, March 16
Please join the Small Business Committee of the Coalition for Government Procurement, on March 16 at 10 am ET, as they welcome Maggie Moore, Professional Staff Member, and Therese Meers, Counsel, of the Senate Small Business Committee.
Moore and Meers will discuss important issues impacting small business government contractors including, barriers to entry, CMMC certification, the impact of the Runway Extension Act, proposed sole source increases, and proposed changes to the calculation of size for employee-based size standards.
RSVPs are required to attend this meeting. There will also be a dial-in option. To RSVP to receive the meeting location or the dial-in information, please email Michael Hanafin at MHanafin@thecgp.org
Webinar – Bid Protest Update for Commercial Contractors, March 25
Please join the Coalition for a 1-hour webinar on March 25, 2020 at 12 pm ET focusing on recent bid protest decisions relevant to commercial contractors. This webinar will feature Perkins Coie’s Seth Locke and Alexander Canizares and will provide an overview of several recent bid protest decisions by the Government Accountability Office and the U.S. Court of Federal Claims as well as offer practical considerations for commercial contractors when bidding on contracts and evaluating the likelihood and viability of a potential bid protest. Among the topics that will be discussed are recent cases involving (1) the scope of the government’s obligation to consider commercially available solutions; (2) challenges related to Other Transaction (OT) agreements; (3) the government’s justification for issuing a sole-source award based on an “urgent and compelling need,” and (4) the extent to which a contract modification may be set aside as anti-competitive and unlawful.
Click here to register.
Trade Agreement Act Update Webinar: Acetris Health, LLC. v United States Now Available
On Wednesday, February 26, Stephen Ruscus and Donna Lee Yesner of Morgan, Lewis and Bockius discussed the decision and implications of the Acetris Health, LLC v. United States case in an hour-long webinar. Ruscus and Yesner successfully protested the VA’s decision to exclude the company’s products in the Court of Federal Claims, defended the decision on appeal and have 11 current cases before the Court of International Trade challenging CBP’s country of origin determinations on behalf of Acetris. The webinar explored the implications for finished drug products that are not manufactured in the U.S. and for non-drug products manufactured in the U.S. More broadly, the decision is important for bid protests challenging agency interpretations of statutes and regulations, because, like mootness, it expands the concept of interested party beyond the particular solicitation or contract award when the government’s interpretation will persist and the plaintiff is likely to bid in the future and be affected by the interpretation.
The webinar recording is available here.
