Friday Flash 05/19/23

FAR & Beyond: “Pathways” to the Federal Acquisition Service’s North Star Goals

In leading GSA’s Federal Acquisition Service (FAS), Commissioner Sonny Hashmi has established “North Star Goals” for the organization in its efforts to support customer agency missions on behalf of the American people. North Star Goals are generally long-term, stretch goals. They are aspirational, yet achievable, and comprise multiple projects. The following diagram, part of a recent FAS slide presentation, sets forth FAS’s North Star goals:

“Make it dead easy to do business with FAS” is at the center of this diagram, reflecting the central force driving FAS’s success in supporting customer agency missions on behalf of the American people. “Creating tremendous value for our customers” and “…a thriving, innovative, compliant[,] and equitable marketplace” are fundamentally dependent on making it “dead easy” to do business with FAS for both customer agencies and industry partners. As often has been observed, the GSA FAS, customer agencies, and industry are like a three-legged stool, each dependent on the other to support agency missions.

In this context, GSA FAS is the channel, or market maker, through which customer agencies and industry partners engage to support and deliver mission requirements. So, how do we work together to make it dead easy to do business with FAS and within the FAS marketplace? Here are several “pathways” to FAS’ North Star Goals:

  • Right off the launchpad, delete the “highly competitive” language from the MAS solicitation, as discussed in last week’s blog. This language is undefined and introduces confusion into the procurement process. As such, it represents a significant barrier to entry for commercial firms, especially new small businesses seeking to enter the federal market through the Multiple Award Schedule (MAS) program.
  • Allow for automatic price reductions when submitted by current MAS contractors. Doing so immediately delivers value to customer agencies.
  • Publicize all internal FAS policy guidance relied upon by contracting operations. Transparency is fundamental to understanding FAS procurement priorities and program considerations. The more information industry partners have regarding how FAS approaches the market, the better industry can meet FAS and customer needs, improving the efficiency of the procurement process. This information was once regularly published by FAS and the practice should be revived.
  • Incorporate associated material terms and conditions for pricing in the 4P tool. This pathway would ensure a rational, fair conversation/negotiation of price consistent with regulation and the market.
  • Lower the Maximum Order Threshold to $250,000 across the program to reduce burdensome record-keeping; bring MAS contract terms in line with FAR 8.4; and enhance the ability to provide solutions, rather than individual SINs, in response to agency requirements.
  • Expand the e-commerce program for customer agencies and industry partners, including small businesses.
  • Continue to modernize GSA’s e-systems including the transition to the FAS Catalog Platform for all MAS contractors.
  • Reform cloud pricing on MAS contracts to allow greater variability consistent with the commercial cloud marketplace. Recognizing the dynamic nature of the cloud marketplace, remove the Price Reduction Clause (PRC) for cloud services.
  • Remove the PRC for all services requiring a Statement of Work (SOW). The unique nature of each SOW completely undermines any underlying rationale for, and applicability of, the PRC.
  • Make the EPA clause changes permanent to improve the response to, and reflect, the commercial market.
  • Reverse the decision not to implement Section 876 for MAS service contracts.
  • Commit to, and execute on, holding an in-person FAST 2024 Training Conference, where customer agencies, FAS, and industry attend procurement training, program presentations and updates, and engage in cross-cutting market research.
  • Require that when a FAS contracting officer cites certain data as support for a negotiation position vis-a-vis an offeror or contractor, that data be made available to the offeror or contractor, in order to provide a fulsome, reasonable discussion of negotiation positions with the goal of obtaining a reasonable outcome for all stakeholders.

These pathways will help FAS reach its North Star Goal of making it “dead easy to do business with FAS.” In achieving this threshold goal, FAS will be able to deliver on “creating tremendous value for our customer agencies” and “creating a thriving, innovative, compliant[,] and equitable marketplace.”

We ask you: What are your ideas for making it dead easy to do business with FAS? The FAR and Beyond blog wants to hear from you. So, please submit your comments here.

And for FAS contractors, please do respond to FAS’s annual customer survey, which can be found here.


Contractors May Face “Black Swan” Moment as Debt Ceiling Looms

In the event of a United States default on its debt, Federal contractors should be prepared for a “black swan” economic event, reports Washington Technology. If the debt ceiling is not raised by June 1, Federal agencies will have to make decisions on what financial obligations to meet and which to postpone. This could lead to situations where agencies must make decisions for active contracts on whether to press on with regular business or pause operations until funding comes in. Additionally, it is expected that new solicitations, awards of contracts, and task orders will be affected.


Pentagon Announces New Cybersecurity Compliance Tools for Small Businesses

Farooq Mitha, Director of the Pentagon’s Office of Small Business Programs, announced on May 11 that his office will be releasing a series of software tools to support small business cybersecurity compliance, reports FCW. The tools are being created to help agencies comply with the forthcoming Cybersecurity Maturity Model Certification (CMMC) as well as the current National Institute of Standards and Technology 800-171 requirements. The Office of Small Business Programs is still working on a potential cost-sharing model with the industry to determine what features will be funded by the Federal government. Potential features include market intelligence and operation security. The new tools are expected to be released later this year.


General/Office Products Committee Meeting: FedMall Update, May 23

The General/Office Products Committee will be hosting a virtual meeting with James Mette, FedMall Program Director at the Defense Logistics Agency, to provide an update on FedMall, DLA’s eCommerce ordering system. The virtual meeting will be held on May 23rd at 10 AM EDT. To register click here. The Coalition is collecting member questions for the meeting. To submit your questions, please contact Joseph Snyderwine at jsnyderwine@thecgp.org.


Imaging Committee Meeting: DLA Document Services, June 8

The Coalition’s Imaging Committee will be hosting Terra Nguyen, Director of the Defense Logistics Agency Office of Document Services. The virtual meeting will be held June 8 at 10:00 AM ET and will provide an update on the office’s work as well as a discussion on industry challenges and strengths for 2023. To register click here.


GSA Launches First Grid-Interactive Efficient Buildings 


Caption: GSA Administrator Robin Carnahan cuts the ribbon, flanked by Oklahoma City Mayor David Holt on her left, and Keith Erickson, VP, Sales and Customer Operations, OG&E, Nicole Bulgarino, EVP, Ameresco, and Kevin Kampschroer, Chief Sustainability Officer, GSA on her left.

Last Thursday, GSA Administrator Robin Carnahan unveiled GSA’s first large-scale experiment with Grid-Interactive Efficient Buildings (GEBs) at the Oklahoma City Federal Building. “We are proud to deliver on GSA’s first project that demonstrates how we can transform federal buildings into high-tech clean energy hubs that dynamically interact with the grid, generate their own energy, and make the grid stronger and more resilient for the surrounding community,” said Carnahan.

The GEB model, created by the Department of Energy (DoE), is a framework that encourages creating energy-efficient buildings that connect with the power grid and use smart technology to optimize operations and reduce power consumption. In the $11 million Oklahoma City project, GSA used nine different conservation measures to lower consumption at the Federal building and four other sites, including solar panels, lighting controls, battery storage, and new heating and cooling controls. Under a newly negotiated utility contract with performance incentives, the technologies are expected to reduce energy use by 41% and save $400,000 annually. In a case study of the project, DoE noted, “similar strategies should be replicable in almost any GSA location or environment” and that Oklahoma has low utility rates, suggesting cost savings may be greater elsewhere.

GSA has been studying GEBs since 2019 and currently has four pilot projects in progress. Independent research found that a nationwide move to GEBs by GSA could save 50 million dollars annually and see costs recouped in four years. Additionally, many of the technologies involved, such as optimizing for occupancy and automatically controlled lighting, would come at low or no-cost—a significant boon as the Federal government aims to achieve net-zero emissions for its 300,000 building portfolio by 2045 under the Federal Sustainability Plan.


GSA Advantage to Increase Order Status, Cancellation and On-time Thresholds Beginning May 24

One of the most frequent customer questions received by GSA related to orders placed through GSA Advantage! is “Where’s my stuff?” Thanks to the efforts of contractors, the percentage of orders with delivery/shipped status has increased tremendously.

According to GSA’s notice on Interact, “Beginning with scores sent out on May 24, 2023, [GSA] will be raising the threshold for order status, on-time, and cancellation scores to further assist our customers.” Please note the following threshold updates posted in Interact to avoid potential suspension.

Order Status Score
All order lines should have a status of shipped, canceled, or back ordered by the due date. Contracts that have fewer than 80% of order lines with status will be subject to suspension from GSA Advantage!/eBuy. If a contract has fewer than 7 total lines or 2 or fewer lines with missing status, you will be exempted from suspension. 

Cancellation Score
If you have 100 or more order lines combined with a cancellation rate of 30% or higher, your contract may be subject to suspension from GSA Advantage!/eBuy.
Tip: If you have a significant cancellation rate, we have often found that it is because items that are unavailable are still listed on GSA Advantage!.

On-time Score
If you have 100 or more order lines combined with an on-time rate below 30%, your contract may be subject to suspension from GSA Advantage!/eBuy. 

If you have a poor on-time delivery score, please take action to deliver faster, delete items that can’t be delivered in a reasonable amount of time, or correct your delivery times to match actual performance. 

All contractors will be allowed to submit a corrective action plan to avoid suspension. 

GSA has also provided a Vendor Feedback Form for contractors to provide feedback to GSA on what may be causing cancellations and late orders. The form is posted here.


Upcoming Webinars on Domestic Sourcing and Software Supply Chain Security, May 25 and June 1

Domestic and Foreign Sourcing Requirements Webinar, May 25
The Coalition for Government Procurement is pleased to host a webinar, Domestic and Foreign Sourcing Requirements, on May 25 from 12:00 – 1:00 PM EST, featuring Covington attorneys Mike Wagner (Partner) and Jen Bentley (Associate). This webinar will provide an overview of key considerations for government contractors who need to comply with various domestic content regimes. To register, click here.

Software Supply Chain Security Requirements: Are You Ready? Webinar, June 1
On June 1 from 12:00 – 1:00 PM EST the Coalition will host a webinar on Software Supply Chain Security Requirements. This webinar will feature Crowell & Moring attorneys Michael Gruden, Alexander Urbelis, and Alexis Ward as they discuss the Office of Management and Budget’s forthcoming self-attestation requirements and deadlines approaching this summer. To register, click here.


NIST Releases Third Revision of Standard on Protecting CUI

On May 10, the National Institute of Standards and Technology (NIST) released a draft for public comment of the third revision of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In tandem with Federal regulations, 800-171 governs how contractors and the Federal Government handle controlled unclassified information (CUI) and makes up the core criteria in the forthcoming Cybersecurity Maturity Model Certification (CMMC) program requirements for defense contractors. CUI includes information, like health data and critical infrastructure information, that falls below the level of classified but is required to have safeguarding or disseminating controls.

The new draft version of the standard, based on more than a year of study, intends to improve its alignment with the technical tools provided by another NIST document, SP 800-53, to simplify implementation for users. Additionally, the draft updates tailoring criteria, introduces “organization-defined parameters” for some security requirements, increases the specificity of requirements, and provides a prototype CUI overlay. According to a press release, NIST will release another draft version of the third revision before publishing a final version in early 2024. The draft is open for comment until July 14, and comments may be submitted to 800-171comments@list.nist.gov. NIST is particularly interested in feedback on “Re-categorized controls (e.g., controls formerly categorized as NFO), Inclusion of organization-defined parameters (ODP), [and the] Prototype CUI overlay.”


Healthcare Corner: VA Seeking Cyber Services

The Department of Veterans Affairs (VA) posted a Sources Sought notice on May 11 seeking a range of Cyber services to support the VA Cybersecurity Operations Center (VA CSOC) ongoing mission. The VA CSOC aims to “provide world class information security for VA and Veteran information and information systems.” VA plans to fulfill this vision by focusing on 6 core missions:

  1. Cybersecurity Incident Response
  2. Cybersecurity Technical Services
  3. Cybersecurity Analysis
  4. Vulnerability Scanning Service
  5. Cybersecurity Execution Management Services
  6. Cyber Threat Intelligence

The VA is looking to the industry for database scanning support, vulnerability scanning support, cybersecurity execution management support, knowledge management, authority to operate support, and a host of other services and is accepting responses until June 2.


Off the Shelf: On The Road to Recovery

This week on Off the Shelf, Jonathan Aronie, partner at Sheppard Mullin, joined Coalition President Roger Waldron to share stories, thoughts, and appreciation regarding his six-month journey battling acute leukemia. Aronie also discussed his experiences, both emotional and physical, in dealing with his cancer, and talked about the amazing people at Johns Hopkins Cancer Center who delivered his care.

To listen to the full episode, click here, or search “Off the Shelf” on all major podcast platforms.


Off the Shelf: MAS Update with Robin Bourne of The Gormley Group

Robin Bourne, Subject Matter Expert in Federal Acquisition at the Gormley Group, joins Roger Waldron on the latest episode of Off the Shelf. Bourne addresses the status of GSA’s Multiple Award Schedule (MAS) program on topics such as Transactional Data Reporting, Economic Price Adjustments, and the role of management in procurement operations. Additionally, Robin highlighted the MAS program’s efforts to support small businesses at all levels of procurement.


Who Is Required to Complete Attestations?

The term “software producer” is not defined but, on its face, it encompasses all firms that produce or develop software. These attestations will be required for:

  1. software developed after September 14, 2022,
  2. software that undergoes a major version change (e.g., using a semantic versioning schema of Major.Minor.Patch or the software version number goes from 2.5 to 3.0) after September 14, 2022, and
  3. software where the producer delivers continuous changes to the software code (e.g., software-as-a-service products or other products using continuous delivery/continuous deployment).

This requirement applies to third-party software used on an “agency’s information systems or otherwise affecting the agency’s information.” Software broadly encompasses: “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” Note that software developed by Federal agencies is exempt.

It’s unclear how this will apply to resellers of software. Presumably though, to provide software to an agency, the contractor selling it must ensure its developer completed the attestation. Similar to other areas of government contracts, it may be possible that Federal contractors who resell software to the government can rely, in good faith, on the representations and certifications made in the Form from the software producers. While we need to wait until the Form is finalized, agencies can require contractors to provide these attestations as “go/no-go” requirements or as part of responsibility determinations in solicitations.

Examples of Some Attestations and Related SSDF Practices

If you are a producer familiar with the NIST SSDF, the following references and examples of some secure software practices will be familiar. If you are new to the world of SSDF, these attestations and references to the SSDF may seem daunting at first. Below are some of the attestations in the draft form, as well as some (non-exhaustive) examples of practices that meet the SSDF requirements.

  1. The Form requires the environment the software was developed and built in be secured by regularly logging, monitoring, and auditing trust relationships used for authorization and access to any software development and build environments and among components within each environment. Examples of practices that meet this requirement include: (i) using multi-factor authentication and conditional access for each environment, (ii) using network segmentation to separate environments from each other, and (iii) enforcing authentication and restricting connections entering and exiting each software development environment.
  2. Another attestation from the Form requires the software producer to maintain provenance data for internal and third-party code incorporated into the software. Examples of practices consistent with this statement include: (i) making the provenance data available to the organization’s operations and response teams to aid them in mitigating software vulnerabilities, (ii) protecting the integrity of provenance data and providing a way for recipients to verify provenance data integrity, and (iii) updating the provenance data every time any of the software’s components are updated.
  3. The Form also requires producers to attest they employed automated tools or comparable processes that check for security vulnerabilities. Examples of such tools and/or processes include: (i) using up-to-date versions of compiler, interpreter, and build tools, (ii) following change management processes when deploying or updating compiler, interpreter, and build tools and auditing all unexpected changes to tools, and (iii) having a qualified person who was not involved with the design and/or automated processes within the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

Penalties for Willfully Disclosing Misleading or False Information

The disclosure statement refers to 18 U.S.C. § 1001 as a potential penalty in the event attesters willfully provide false or misleading information. 18 U.S.C. § 1001 makes it a federal crime to, among other things, “knowingly and willfully” falsify a material fact or make a fraudulent statement or representation. While the False Claims Act is not specifically referenced, the U.S. Department of Justice could also prosecute software producers who make false statements or representations in the Form.

Relatedly, the estimated reporting burden to complete the Form is 3 hours and 20 minutes. While some companies well-versed in these practices may be able to attest to the Form’s statements in that time, some commenters made it clear that having a Chief Executive Officer (CEO)—as required by the Form—sign off on the attestation will require a detailed, point-by-point review and analysis of the company’s current policies and practices. The SSDF and related NIST documents are detailed, comprehensive sets of policies, practices, and cross-references, requiring a great deal of time, resources, and energy to go through; it will likely entail consulting legal counsel. The estimated reporting burden therefore may not be accurate. Although the Form is not particularly long, to ensure contractors are not misrepresenting their secure software development practices, they should expect completing the Form will take much longer than a few hours, especially considering the potential penalties that might result.

CISA is collecting public comments regarding the Form here until June 26, 2023. If you have questions about the attestations and how to prepare for compliance with them, or any other secure software developments, please contact Cy Alba and Daniel Figuenick, the authors of this blog, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.


A View From Main Street

By Ken Dodds, Live Oak Bank

The following blog does not necessarily represent the views of The Coalition for Government Procurement. 

New SBA Rule Highlights

8(a) Mergers and Acquisitions
The Small Business Act provides that an 8(a) contract must be terminated for the convenience of the government if there is an acquisition of an entity or assets involving 8(a) contracts unless the SBA Administrator issues a waiver.[2] In a major positive development for 8(a) concerns and disadvantaged individuals, SBA is streamlining the waiver request process by having such requests submitted directly to the head of the 8(a) program instead of the District Office and imposing a time limit of 90 days to review the waiver request. SBA is also deleting the requirement that the acquiring concern have experience performing the type of work performed by the acquired concern.

One of the primary reasons to acquire another concern is to gain experience and past performance in a new industry by utilizing the management and technical expertise of the acquired concern’s personnel.[3] There is also a change of ownership process where a disadvantaged owner is substituted for another disadvantaged owner. A change of ownership decision is made by the head of the 8(a) program, not the SBA Administrator, and SBA should issue a change of ownership decision within 60 days.[4] The change of ownership concept applies when an entity such as an ANC/Tribe/NHO acquires an 8(a) graduate with 8(a) contracts.[5]

Joint Ventures
Orders are not contracts for purposes of SBA’s joint venture rule which provides that a joint venture can receive an unlimited number of contract awards within a two-year period after the first contract award.[6] Joint ventures can be populated with employees where the parties to the joint venture are similarly situated with respect to the type of set-aside contract, but the firm’s employees/revenues in the aggregate must meet the relevant size standard (in contrast with unpopulated joint ventures where each member of the joint venture must individually meet the size standard).[7] Members of unpopulated joint ventures must include in their own size calculation the receipts or employees of the joint venture based on work share. Members of populated joint ventures must include in their own size calculation the receipts or employees of the joint venture based on the ownership percentage of the joint venture.[8] A joint venture minority member’s consent can be required to initiate litigation or pursue contract opportunities on behalf of the joint venture.[9] A firm cannot be a member of more than one joint venture pursuing a specific 8(a)/HUBZone/SDVO/WOSB/EDWOSB set-aside contract.[10]

Ostensible Subcontractor Rule
If a firm and its similarly situated subcontractors are meeting the limitations on subcontracting, a firm cannot be found to be affiliated with a large business subcontractor under the ostensible subcontractor rule.[11] SBA declined to include hiring a large number of the incumbent’s personnel as a factor under the ostensible subcontractor rule, since that is often the government’s desire and sometimes legally required.[12] As part of a status protest SBA will review whether a HUBZone or WOSB/EDWOSB is unduly reliant on a non-eligible subcontractor to perform the primary and vital parts of a HUBZone or WOSB/EDWOSB contract.[13] This change has already been implemented for the SDVO program.[14]

8(a) Business Development Program

A firm must be small and in the 8(a) program at the time of award of an 8(a) sole source order.[15]

SBIR
Where an SBIR awardee is affiliated with a subcontractor under the ostensible subcontractor rule the parties will be treated as a joint venture and therefore must comply with the SBIR rules applicable to joint ventures.[16] The exemption from affiliation applicable to Small Business Investment Companies applies to SBIR/STTR as well.[17]

Non-Manufacturer Rule
Where SBA has granted a waiver of the non-manufacturer rule for a contract with a duration of greater than five years, the contracting officer must request a new waiver after five years.[18] A contract must be awarded within one year of the date of SBA’s waiver of the non-manufacturer rule.[19]

Combined Set-Asides
SBA is codifying its long-time policy that agencies cannot issue solicitations that limit competition to multiple socio-economic categories or give evaluation credit for additional socio-economic categories beyond the designated set-aside.[20]

Limitations on Subcontracting
For multi-agency contracts, the limitations on subcontracting will apply to each order.[21]

Mentor Protégé
A protégé can use its second opportunity to have a mentor by extending its time with its first mentor for an additional six years.[22]

Recertification
Recertification is not required where an acquisition does not result in a change of control or negative control.[23]

Do you have a topic you wish to have covered or a question on how Live Oak Bank can support your business? Email me at ken.dodds@liveoak.bank

[1] 88 FR 26164.

[2] 15 USC 637(a)(21).

[3] 13 CFR 124.515.

[4] 13 CFR 124.105(i).

[5] 13 CFR 124.105(i)(1).

[6] 13 CFR 121.103(h).

[7] 13 CFR 121.103(h)(1).

[8] 13 CFR 121.103(h)(4).

[9] 13 CFR 125.8(b)(2)(ii)(A).

[10] 13 CFR 124.513(a), 126.616(a)(2), 127.506(a)(3), and 128.402(a)(3).

[11] 13 CFR 121.103(h)(3)(iii).

[12] 88 FR 26164, 26166.

[13] 13 CFR 126.801(e)(2) and 127.603(d)(2).

[14] 13 CFR 134.1003(c).

[15] 13 CFR 121.404(a)(1)(i)(B), 121.404(a)(1)(ii)(B), 124.501(h), and 124.502(a), 124.503(i)(1)(iv).

[16] 13 CFR 121.702(c)(7).

[17] 13 CFR 121.702(c)(11).

[18] 13 CFR 121.1203(e).

[19] 13 CFR 121.1204(b)(5).

[20] 13 CFR 124.501, 126.609, 127.503(e), and 128.404(d).

[21] 13 CFR 125.6(d).

[22] 13 CFR 125.9(e)(6)(iv).

[23] 13 CFR 121.404(g)(2)(i).