Friday Flash 07.23.21

From the President: Wishing the Best to a Procurement Innovator and a Dedicated Public Servant

I would like to wish a happy retirement to a recognized procurement leader with whom I have had the pleasure of working, Soraya Correa. As reported recently in the Flash, Soraya will be retiring from her position as the Department of Homeland Security’s (DHS) Chief Procurement Officer at the end of the month. Her retirement concludes a distinguished career of over 40 years of service in the Federal Government. She took on the role of DHS Chief Procurement Officer in 2015, where she provided leadership and oversight for the department’s contracting workforce and played a key role in managing major acquisition programs. Prior to her appointment as Chief Procurement Officer, Soraya held leadership positions at multiple Federal agencies, including U.S. Citizenship and Immigration Services (USCIS), the Naval Sea Systems Command, the General Services Administration (GSA), the National Aeronautics and Space Administration (NASA), the Immigration and Naturalization Service (INS), and DHS Headquarters. Soraya’s accomplished career of service in the Federal Government is well known to the procurement community, across both Government and industry.

I first met and had the opportunity to work with Soraya while at GSA, allowing me to experience firsthand Soraya’s professionalism and engaging approach to solving issues. She then went on to INS, taking on the role of Director for Financial Systems Management. Our next chance to join forces came at the Federal Executive Institute, where we were placed on the same executive team for a month. During this time, I was able to get reacquainted with her confident and creative approach to problem-solving. Over the course of the month, we engaged in several thoughtful conversations about leadership and change management. More recently, along with Coalition members, I have had the pleasure of engaging with her on DHS procurement matters.

Soraya is recognized for her focus on strategic sourcing and for bringing innovative approaches into Federal procurement. Soon after becoming DHS Chief Procurement Officer, she launched the Procurement Innovation Lab (PIL), which gives DHS a space to experiment with innovative acquisition techniques and share best practices. The PIL has worked on procurement projects with many DHS components, including the U.S. Coast Guard, Customs and Border Protection, the Office of Procurement Operations, and the Office of Selective Acquisitions. It has become a model for other agencies to follow in their efforts to bring innovative ideas to procurement. As a testament to Soraya’s leadership, the PIL earned her team Excellence in Partnership Awards in 2016 and 2018.

As a dedicated public servant, Soraya understood the importance of transparency with industry and across her agency. She introduced the idea of reverse industry days, in which contracting professionals can converse with DHS acquisition officers. She always welcomed collaboration and was willing to experiment with new ideas and solutions that could lead to positive outcomes for her agency and the procurement community. She knew that improvement sometimes involves risks, but for advancement, she was not afraid to confront such risks. In these endeavors, she maintained unwavering support for her people. She was the first to accept responsibility for any unplanned outcomes, and the first to recognize the hard work of others that led to success.

Certainly, Soraya’s transformational leadership and dedication to bringing common sense to Federal procurement will be missed, as will her kind, effervescent personality. I know I speak for Coalition members when I say that we look forward to honoring her legacy at DHS by advancing the mission of common sense acquisition. I congratulate Soraya on her invaluable career of public service, and I wish her all the best as she starts a new chapter in her life.


Blog II: New Administration, New GSA Administrator, and Acquisition Opportunities: Making Cost-Reimbursement Task Orders Part of the MAS Program

Recently, this blog focused on the benefits of adding cost reimbursement capability to the Multiple Award Schedule (MAS) program so that contractors with commercial item goods and services on Schedule also can offer cost-reimbursable labor.  It highlighted the many ways in which hybrid contracts that include both commercial and cost reimbursement capabilities would be a “win-win-win” for customer agencies, GSA, and industry.  This blog focuses on the practical steps that GSA can take to modify the existing MAS program to include cost reimbursement capabilities.

It is important to note that no additional legislative authorization is needed to add cost reimbursement capabilities to the MAS program.  GSA, as the administrator of the program, already possesses the authority to expand it.  The primary statutory authorities for the MAS program are 41 U.S.C. § 152(3) (Competitive Procedures) and 40 U.S.C. § 501 (Services for Agencies), and nothing in these statutes, or any other statute, prohibits GSA from adding cost-reimbursable capability to the MAS program.  Rather, the only relevant statutory requirements here are for GSA to continue to ensure that the MAS program is open to all “responsible sources” and that “orders and contracts under [the MAS program] result in the lowest overall cost alternative to meet the needs of the Federal Government.”  41 U.S.C. § 152(3).  So long as these requirements are satisfied, with respect to cost-reimbursement capability under the Schedules, GSA is well within its statutory authority to add that capability to the program.  GSA’s Alliant, OASIS, and OASIS SB programs, which already combine the use of commercial and cost reimbursement contracting, can serve as a roadmap.

GSA can add cost reimbursement capability to the MAS program by taking a few simple steps:

  1. GSA will need to revise the solicitation to include contract terms and conditions that apply to cost reimbursement contracts. Included in this revision would be the ordering provisions under the solicitation.
  2. GSA will need to identify those contract terms and conditions in the solicitation that only apply to orders for the acquisition of commercial items (FAR 2.101) and limit the application of those clauses to orders for commercial items. In order to ensure that all necessary clauses are included in any resulting task orders, GSA can include a provision, as it does in the OASIS solicitation, explaining that all applicable and required provisions/clauses set forth in FAR 52.301 will flow down automatically to all MAS task orders based on their specific contract type, statement of work, competition requirements, commercial or non-commercial nature, and dollar value as of the date the task order solicitation is issued.
  3. GSA will need to identify the offerings that are available for purchase on a cost reimbursement basis. The MAS solicitation is broken into 12 Large Categories of commercial items, with subcategories and Special Item Numbers (SINs) that have corresponding North American Industry Classification System (NAICS) codes.  The solicitation then can be amended to include a single SIN covering cost-reimbursable labor, with offerors able to propose direct labor categories that complement their commercial-item SINs to allow Schedule holders to offer complete solutions to customer agencies.
  4. GSA must decide the offer preparation instructions and evaluation criteria it wants to use for cost reimbursement contracts. Currently, the instructions and evaluation criteria are tailored to commercial contracting, but this section can be modified to include criteria specific to cost type task orders.  Again, OASIS provides a model for this, as it establishes straightforward criteria for GSA to assess the fairness and reasonableness of proposed direct labor costs and indirect rates.

Adding cost-reimbursement capability to the Schedules is not a heavy lift.  With a few changes to the Schedule Solicitation, GSA could open the possibility of cost-reimbursement task orders on Schedule contracts, without reinventing the wheel and adding to contract duplication. Leveraging the existing Schedules infrastructure will save customer agencies, GSA, and contractors tens of millions of dollars in contract administration costs as compared to creating a fundamentally duplicative, cost-intensive Services MAC that abandons the OASIS model and undercuts the Schedules program.  Just as importantly, the expanded scope of the Schedules program will enhance competition for customer agency solutions across government.  Again, it is a win-win-win for customer agencies, GSA, and industry.

Over the years, GSA, to its credit, has implemented significant changes to the Schedules program to deliver greater value to customer agencies.  Most recently, the Schedules consolidation initiative provides the framework for this change.  The Coalition stands ready to host a GSA-Industry roundtable to discuss this blog and share the roadmap.


Agencies Finalize Return to Workplace Plans

Government Executive reported this week that agencies’ final return to workplace plans were due to the Office of Management and Budget (OMB) on July 19. The plans were required to include phased reentry schedules and other safety measures outlined by guidance from the Centers for Disease Control and Prevention (CDC), the Safer Federal Workplace Task Force, and the Occupational Safety and Health Administration (OSHA). 

In accordance with guidance from OMB, the Office of Personnel Management (OPM), and the General Services Administration (GSA), agencies must complete several milestones before they can begin implementing their reentry plans. These milestones include ensuring that their plans reflect current CDC guidelines, satisfying applicable labor-relations obligations, and providing adequate notice to employees. According to the guidance, the draft and final plans are not intended for publication or release by agencies.  

In terms of when Federal employees will actually return to the physical workplace under these plans, FedWeek has reported that while agency plans are under review by OMB, agencies are not to start implementation until they have completed the necessary bargaining with unions. Not all Federal employees are covered by union bargaining units, but agencies may delay implementation across the board until bargaining is complete to avoid inconsistent policies within the same agency. After bargaining with the unions is complete, employees will typically receive 30 days advance notice of their new work arrangements.


Senate Hearing Addresses Tumultuous Implementation of EHR at VA

On July 14, the U.S. Senate held a hearing on the Department of Veterans Affairs’ (VA) effort to modernize its electronic health record (EHR) system, which is being implemented with Cerner. The $16 billion modernization program is meant to streamline and standardize record keeping within the VA, eventually connecting VA records with those of the Department of Defense’s (DoD) parallel program, MHS GENESIS. The hearing came in the wake of the first phase of a strategic review that began in March. The VA’s EHR program has received significant criticism: a Government Accountability Office (GAO) report found that costs were underreported by 32 percent, the Inspector General has raised training concerns, and there have been reports of workforce demoralization.

VA Secretary Denis McDonough testified before the Senate to begin the hearing. He announced a new unified enterprise-wide governance effort, led by the Deputy Secretary, which aims to bring the perspectives of different stakeholders together in an organized manner. He also announced that the VA plans to pivot to a readiness-based deployment approach, whereby the sites deemed most prepared for EHR implementation would be chosen for future deployments after the next two occur. A “fully simulated testing and training environment” is being developed to build EHR workforce and user readiness before real-world implementation. These changes, along with those made in accordance with GAO and other oversight recommendations, aim to refocus and revitalize the Electronic Health Record Modernization (EHRM) program.

McDonough was followed by a panel with David Case, Deputy Inspector General for the VA Office of Inspector General (VA OIG), and Marc Probst, an outside expert who served as the Chief Information Officer for Intermountain Healthcare for 17 years. They offered information and advice regarding the implementation of the VA’s EHR. An emphasis was put on properly managing expectations, including interim goal setting during the modernization process.


VA to Reform EHR Implementation

FedScoop reported that the VA is planning to restructure how it implements its EHR Modernization Program. The plan to restructure comes after a twelve-week strategic review of the EHR by the VA Secretary and numerous reports by the VA Inspector General and the GAO highlighting deficiencies with the rollout. Moving forward, there will be an introduction of new virtual testing environments, which will support the improvement of the underlying IT infrastructure at each VA facility before the system deployment. 

Initial testing and training issues led to delays in the rollout of the EHR in Spokane, Washington. Training, and each facility’s ability to make progress on deploying the system, will determine how the EHR rollout continues. Activity will increase in the coming weeks and months, focusing on veteran experience, patient safety, and employee engagement. New data teams will work to integrate the databases associated with the EHR. The integration will eventually connect the VA’s EHR with DoD’s MHS GENESIS program, so that the two systems can share information seamlessly and provide managed, trusted data.

The VA will not roll out the EHR to any additional sites in the next six months, Federal News Network reports. A new rollout timeline will likely be released by the end of the 2021 calendar year. The VA will review the state of physical and IT infrastructure, leadership, and staffing at each of its facilities; those with the highest readiness will be the next to deploy the new EHR. The VA is also starting over on its cost estimate for the EHR modernization.


Jen Easterly Sworn in as CISA Director

The Hill reported that Jen Easterly was sworn in as Director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) on July 13. Easterly takes over the role from Brandon Wales, who had been serving as Acting Director since November. During that time, CISA played a key role in responding to national cybersecurity incidents, including the SolarWinds compromise and a number of ransomware attacks. Easterly was nominated for the Director position by the President in April.

Previously, she served as the Deputy for Counterterrorism at the National Security Agency (NSA) under the Obama Administration. She will work closely with Chris Inglis, who was recently sworn in as the first White House National Cyber Director.


Deputy Federal CIO Provides Advice on Agency TMF Proposals

Federal Computer Week reported that on July 15, OMB delivered agencies key advice on its updated guidance for Technology Modernization Fund (TMF) proposals as board operations have scaled up due to an “increasing number of submissions following a $1 billion injection in funds and relaxed repayment requirements.” Earlier this year, the TMF Board announced repayment guidelines that allow partial repayment on “projects seeking to improve cybersecurity posture, modernize high-priority systems or address cross-government services and missions.” Maria Roat, the Deputy Federal CIO, said that she has been impressed with the number of proposals received and that those proposals cross four main priorities: modernizing high-priority systems, cybersecurity, public-facing digital services, and cross-government services.

For agencies hoping to secure TMF funding for a project addressing one of those critical areas, Roat said the goal is to “get the attention of the board” with a “thoughtfully-crafted business case.”

“The initial project proposals need to get to the point. Too often, people are going on about their agencies. We know who your agency is,” Roat said. “The board is looking for the mission alignment, that [a proposal] is mission-focused, the partnership with the CFO … It’s about solving a hard business problem.”

The TMF board reviewed a proposal within the last week that appeared to check off many of those boxes, Roat said: it was succinct in its packaging, with clear steps to address a critical issue that was both mission-focused and within the four buckets included in OMB’s latest guidance. The proposal also featured elements of agency support and alignment to show how the project can be carried out.

“Those are the proposals that we really need to see,” she said. “Really good business cases.”


DoD Seeking Input on Potential Sustainability Requirements for Contractors

On July 8, DoD’s Defense Acquisition Regulations System (DARS) released a request for information (RFI) for interested parties to submit feedback on sustainability initiatives including climate-related disclosures. DoD is seeking input specifically on: 

  • Disclosure of Greenhouse Gas (GHG) Emissions;
  • Environmental, Social, and Governance (ESG) – General; and
  • Supply Chain GHG Emissions and Risk Management.

Under each topic, DoD has listed in the notice specific questions for industry.

DoD is seeking comments on standard commercial practices as it works to implement recent sustainability initiatives such as Executive Order (EO) 14030, Climate-Related Financial Risk, dated May 20, 2021. EO 14030 directs the FAR Council to consider amending the Federal Acquisition Regulation to require major Federal suppliers to publicly disclose greenhouse gas emissions and climate-related financial risk and to set science-based reduction targets.

The deadline to submit comments is September 7, 2021. For more details, see the RFI notice.  The Coalition plans to submit comments through its Green Committee.  To submit your input and/or questions, please contact Aubrey Woolley at awoolley@thecgp.org.


Legal Corner: A Critical Step: NIST Defines “Critical Software” Subject to Biden’s Cybersecurity Order

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

Authored by Alex Sarria and Jason Workmaster; Miller & Chevalier

On June 25, 2021, the National Institute of Standards and Technology (NIST) published a definition of “critical software,” the first of several steps the Biden administration is taking to enhance the cybersecurity of America’s software supply chain under the recent Executive Order on Improving the Nation’s Cybersecurity (the Order or E.O.). In addition to providing this crucial definition, the NIST publication includes a preliminary list of “software and software products” that may qualify as “critical” under the Order and responses to a series of Frequently Asked Questions (FAQs).

The NIST publication is significant for federal contractors and other companies that offer and sell software for use by the U.S. government because under the Order, “critical software” will soon be subject to heightened development and transparency standards and eventually will be banned from use by federal agencies if the software does not meet those standards. Below we discuss the key elements of the NIST publication and what the software industry can expect next.

The Biden Cybersecurity Order

The Biden administration issued the Order on May 12, 2021, promising to make sweeping changes to the way the federal government approaches cybersecurity. The magnitude of those potential changes is perhaps most evident in Section 4, which aims to improve the “security and integrity of critical software — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources),” according to the Order. The president directed the Secretary of Commerce, acting through NIST, to develop and publish a definition of “critical software” based on input from government agencies, the private sector, academia, and other interested parties.

Defining critical software is a crucial first step to implementing Section 4 of the Order because it eventually will lead to the creation of uniform software development standards that will be enforced via the Federal Acquisition Regulation (FAR). Following the creation of these standards, the Department of Homeland Security (DHS) will recommend contract language to the FAR Council, which in turn will amend the FAR to codify the new software development standards and require federal agencies to:

  • Remove all “non-compliant software” from existing contracting vehicles, including Indefinite Delivery, Indefinite Quantity contracts, Federal Supply Schedules, Federal Government-wide Acquisition Contracts, Blanket Purchase Agreements, and Multiple Award Contracts.
  • Mandate providers of “legacy software” update their practices to meet the new development standards.

Once implemented, these new rules could produce seismic changes in the federal marketplace for commercial software. Contractors that can offer the government more secure software will gain an even greater competitive advantage, whereas companies that are slow to adapt their products may eventually find themselves on the outside looking in.

The NIST Publication: Critical Software

There are many existing definitions and uses of the term “critical,” according to the NIST publication. To implement the Order, NIST developed a tailored definition of critical software, termed “E.O.-critical software,” which focuses on the cybersecurity attributes and functions of a given piece of software. Specifically, E.O.-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access.

The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Key terms within the definition are explained in the FAQs, including “direct software dependencies” and “critical to trust.” See FAQ 2 (“For a given component or product, [by direct software dependencies], we mean other software components (e.g., libraries, packages, modules) that are directly integrated into, and necessary for operation of, the software instance in question. This is not a systems definition of dependencies and does not include the interfaces and services of what are otherwise independent products.”) and FAQ 3 (“‘Critical to trust’ covers categories of software used for security functions such as network control, endpoint security, and network protection.”). The practical consequence of FAQ 2 is that the dependency test reaches only one hop: a product is pulled in by a library it links directly, not by what that library in turn depends on.
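The following is an added self-assessment example, not tooling from NIST, CISA, or the authors. It encodes the five attributes of the E.O.-critical definition and the FAQ 2 reading of “direct software dependencies” over a small, constructed component inventory; the component names and attribute flags are hypothetical. It shows the one-hop rule in practice: a product that directly integrates a critical library is itself E.O.-critical, while a product whose only link to that library is transitive is not captured by the definition.

```python
"""Self-assessment against NIST's "E.O.-critical software" definition.

A component is E.O.-critical if it has, or has *direct* software
dependencies upon, one or more components with at least one of the five
attributes NIST lists. Per NIST FAQ 2, "direct" means libraries, packages
or modules integrated into and necessary for the software instance; it is
not a transitive, systems-level notion, so only one hop is followed.
This is an illustrative example with a constructed inventory, not an
official NIST or CISA tool.
"""
from dataclasses import dataclass

# The five attributes from the NIST definition, in the order NIST lists them.
ATTRIBUTES = (
    "elevated_privilege",          # designed to run with elevated privilege or manage privileges
    "privileged_resource_access",  # direct or privileged access to networking/computing resources
    "controls_data_or_ot_access",  # designed to control access to data or operational technology
    "critical_to_trust",           # performs a function critical to trust
    "outside_trust_boundary",      # operates outside normal trust boundaries with privileged access
)


@dataclass
class Component:
    name: str
    attributes: frozenset = frozenset()  # subset of ATTRIBUTES that applies to this component
    depends_on: tuple = ()               # names of *direct* software dependencies only

    def __post_init__(self):
        unknown = self.attributes - set(ATTRIBUTES)
        if unknown:
            raise ValueError(f"{self.name}: unknown attributes {sorted(unknown)}")


def assess(inventory):
    """Return {name: (is_eo_critical, reasons)} for every component.

    reasons lists each attribute of the component itself and of each
    direct dependency that triggered the match. Dependencies of
    dependencies are deliberately not examined (FAQ 2).
    """
    by_name = {c.name: c for c in inventory}
    result = {}
    for comp in inventory:
        reasons = [f"self: {a}" for a in sorted(comp.attributes)]
        for dep_name in comp.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                raise KeyError(f"{comp.name} depends on unknown component {dep_name!r}")
            reasons += [f"direct dependency {dep.name}: {a}" for a in sorted(dep.attributes)]
        result[comp.name] = (bool(reasons), reasons)
    return result


# Constructed sample inventory (hypothetical products, not from NIST's list).
SAMPLE_INVENTORY = [
    Component("openssl-lib", frozenset({"critical_to_trust"})),
    Component("tls-wrapper", depends_on=("openssl-lib",)),   # direct dependency -> E.O.-critical
    Component("report-gui", depends_on=("tls-wrapper",)),    # transitive only -> not in definition
    Component("endpoint-agent", frozenset({"elevated_privilege",
                                           "privileged_resource_access"})),
    Component("ticket-tracker"),                             # no attributes, no dependencies
]


def eo_critical_names(inventory=SAMPLE_INVENTORY):
    """Sorted names of the components the definition captures."""
    return sorted(n for n, (crit, _) in assess(inventory).items() if crit)


if __name__ == "__main__":
    for name, (crit, reasons) in assess(SAMPLE_INVENTORY).items():
        label = "E.O.-critical" if crit else "not in definition"
        print(f"{name:15} {label:18} {reasons}")
```

Note that “not in definition” is not the same as “out of scope”: as FAQ 15 (discussed below the table) makes clear, an agency may still ask the vendor of report-gui to attest to the Section 4(e) security measures if that product is critical to the agency.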

NIST recommends a phased implementation of Section 4 of the Order, focusing first on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases may address other software categories, such as:

  • Software that controls access to data
  • Cloud-based and hybrid software
  • Software development tools, such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software
  • Software components in boot-level firmware
  • Software components in operational technology (OT)

The publication includes a preliminary list of software categories considered by NIST to be E.O.-critical. This list is not authoritative. The final list of E.O.-critical software will be developed by the Cybersecurity & Infrastructure Security Agency (CISA) within 30 days of the NIST publication (i.e., on or before July 25, 2021). NIST’s unofficial list identifies the following software categories as E.O.-critical:

Each entry below gives the category of software, NIST’s description, product examples, and the rationale for inclusion.

Identity, credential, and access management (ICAM)
  Description: Software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices.
  Product examples:
    • Identity management systems
    • Identity provider and federation services
    • Certificate issuers
    • Access brokers
    • Privileged access management software
    • Public key infrastructure
  Rationale for inclusion: Foundational for ensuring that only authorized users, systems, and devices can obtain access to sensitive information and functions.

Operating systems, hypervisors, and container environments
  Description: Software that establishes or manages access and control of hardware resources (bare metal or virtualized/containerized) and provides common services such as access control, memory management, and runtime execution environments to software applications and/or interactive users.
  Product examples:
    • Operating systems for servers, desktops, and mobile devices
    • Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
  Rationale for inclusion: Highly privileged software with direct access to and control of underlying hardware resources, which provides the most basic and critical trust and security functions.

Web browsers
  Description: Software that processes content delivered by web servers over a network and is often used as the user interface to device and service configuration functions.
  Product examples:
    • Standalone and embedded browsers
  Rationale for inclusion:
    • Performs multiple access management functions
    • Supports browser plug-ins and extensions such as password managers for storing credentials for web server resources
    • Provides execution environments for code downloaded from remote sources
    • Provides access management for stored content, such as an access token which is provided to web servers upon request

Endpoint security
  Description: Software installed on an endpoint, usually with elevated privileges, which enables or contributes to the secure operation of the endpoint or enables the detailed collection of information about the endpoint.
  Product examples:
    • Full disk encryption
    • Password managers
    • Software that searches for, removes, or quarantines malicious software
    • Software that reports the security state of the endpoint (vulnerabilities and configurations)
    • Software that collects detailed information about the state of the firmware, operating system, applications, user and service accounts, and runtime environment
  Rationale for inclusion:
    • Has privileged access to data, security information, and services to enable deep inspection of both user and system data
    • Provides functions critical to trust

Network control
  Description: Software that implements protocols, algorithms, and functions to configure, control, monitor, and secure the flow of data across a network.
  Product examples:
    • Routing protocols
    • DNS resolvers and servers
    • Software-defined network control protocols
    • Virtual private network (VPN) software
    • Host configuration protocols
  Rationale for inclusion:
    • Privileged access to critical network control functions
    • Often subverted by malware as the first step in more sophisticated attacks to exfiltrate data

Network protection
  Description: Products that prevent malicious network traffic from entering or leaving a network segment or system boundary.
  Product examples:
    • Firewalls, intrusion detection/avoidance systems
    • Network-based policy enforcement points
    • Application firewalls and inspection systems
  Rationale for inclusion: Provides a function critical to trust, often with elevated privileges.

Network monitoring and configuration
  Description: Network-based monitoring and management software with the ability to change the state of, or with installed agents or special privileges on, a wide range of systems.
  Product examples:
    • Network management systems
    • Network configuration management tools
    • Network traffic monitoring systems
  Rationale for inclusion: Capable of monitoring and/or configuring enterprise IT systems using elevated privileges and/or remotely installed agents.

Operational monitoring and analysis
  Description: Software deployed to report operational status and security information about remote systems, and the software used to process, analyze, and respond to that information.
  Product examples:
    • Security information and event management (SIEM) systems
  Rationale for inclusion:
    • Software agents widely deployed with elevated privilege on remote systems
    • Analysis systems critical to incident detection and response and to forensic root cause analysis of security events
    • Often targeted by malware trying to deactivate or evade it

Remote scanning
  Description: Software that determines the state of endpoints on a network by performing network scanning of exposed services.
  Product examples:
    • Vulnerability detection and management software
  Rationale for inclusion: Typically has privileged access to network services and collects sensitive information about the vulnerabilities of other systems.

Remote access and configuration management
  Description: Software for remote system administration and configuration of endpoints or remote control of other systems.
  Product examples:
    • Policy management
    • Update/patch management
    • Application configuration management systems
    • Remote access/sharing software
    • Asset discovery and inventory systems
    • Mobile device management systems
  Rationale for inclusion: Operates with significant access and elevated privileges, usually with little visibility or control for the endpoint user.

Backup/recovery and remote storage
  Description: Software deployed to create copies of, and transfer, data stored on endpoints or other networked devices.
  Product examples:
    • Backup service systems
    • Recovery managers
    • Network-attached storage (NAS) and storage area network (SAN) software
  Rationale for inclusion:
    • Privileged access to user and system data
    • Essential for performing response and recovery functions after a cyber incident (e.g., ransomware)

Contractors and other entities that provide software for use by the federal government should carefully examine this preliminary list to determine whether their offerings may be covered. Though the list is unofficial, it seems likely that the final CISA list will closely track the NIST recommendations. Moreover, in NIST’s view, individual departments and agencies can ask software vendors to attest that their products meet the E.O.-critical security measures set forth in Section 4 of the Order, even if those software products are not included in CISA’s final list of E.O.-critical software. See FAQ 15 (“If I am using a software product that is not included in the E.O.-critical list, but it is critical for me, can I ask the vendor to provide attestation? Yes, departments and agencies can leverage the E.O.-critical security measures defined in Section 4(e) as part of a procurement.”). Therefore, all software providers should keep a close watch on developments in this area, regardless of whether their products are officially included in the initial implementation phase.

If you have questions about the administration’s cybersecurity executive order or its implementation, please contact us:

Alex L. Sarria, asarria@milchev.com, 202-626-5822

Jason N. Workmaster, jworkmaster@milchev.com, 202-626-5893


Legislative Spotlight: Update on China Legislation on the Hill

The Legislative Corner provides the community with an opportunity to share insights and comments on legislative issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement. 

Authored by: Moshe Schwartz, President of Etherton and Associates

On June 8, the Senate passed the bipartisan United States Innovation and Competition Act of 2021 (S. 1260), an amalgam of numerous China-related (and some not-so-China-related) bills, including the Endless Frontiers Act, Strategic Competition Act, NASA Authorization Act, and a variety of sections coming out of the Homeland Security committee. The sprawling nature of the bill can be seen in the seemingly different philosophies and approaches it includes.

The fate of the Innovation and Competition Act is an open question as the House has different priorities and policy preferences (see H.R. 2225, the National Science Foundation for the Future Act and H.R. 3593, the Department of Energy Science for the Future Act, both of which passed the House; H.R. 3524, the EAGLE Act, which passed the House Foreign Affairs Committee on a party-line vote). But the Senate bill and the amendments offered (only 8 of 500+ amendments were accepted) provide a glimpse into amendments we may see for the FY22 NDAA, some of which could have significant impacts for contractors. Highlights of the bill include the following:

Appropriations for the CHIPS Act would appropriate $50 billion for a CHIPS for America Fund (CHIPS: Creating Helpful Incentives to Produce Semiconductors for America), $2 billion for activities unique to DoD and the intelligence community, and $500 million for an international technology security innovation fund. Another $1.5 billion would be appropriated for the Public Wireless Supply Chain Innovation Fund.

Division B—Endless Frontiers Act focuses on basic and applied research. It would establish a Directorate for Technology and Innovation in the National Science Foundation (NSF) (sec. 2102) and authorize over 5 years $81B of appropriations for the NSF (sec. 2116) and $17B for the Department of Energy (sec. 2117).

Section 2005 identifies technology focus areas, including AI, high performance computing and semiconductors, robotics, advanced manufacturing, biotechnology, energy, and materials science.

Section 2505 would require the Commerce Department to map critical industry supply chains, identify gaps and vulnerabilities, and identify opportunities to diversify sources and build capacity in critical industries.

Section 2508 would establish a Chief Manufacturing Officer to advise the President on budgets and regulatory reforms related to manufacturing and industrial innovation, and require a national strategic plan for manufacturing and industrial innovation within one year of enactment. This would be another step in creating an active national industrial base policy that will likely have tremendous influence on industry.

Division C—Strategic Competition Act of 2021 states that the U.S. “must adopt a policy of strategic competition” with China and work with “allies and partners to advance shared values and interests.” Section 3225 would authorize foreign military financing of $655M over five years for the Indo-Pacific region, and section 3232 would require the State Department to report within 90 days on efforts to facilitate access among countries in the National Technology and Industrial Base for goods and services subject to the U.S. Munitions List.

Division D—Domestic Sourcing would require OMB to issue guidelines for increasing price preferences for domestic end products and construction materials, clarify exceptions to such laws, and detail how agencies should post waiver and exception information on their websites.

The Division would also establish a “Made in America Office” within OMB and require GSA to establish the BuyAmerican.gov website for agencies to post requests to waive domestic content laws for public comment prior to granting a request (to include detailed justifications and other information). These efforts put into legislation what the administration already required in Executive Order 14005. Such postings will likely have an extreme chilling effect on waiver requests. Which official will be willing to state publicly that a domestic good or service is inferior to what can be acquired overseas?

While section 4130 states that the domestic preference requirements would be applied “consistent with United States obligations under international agreements,” the bill would also require a public report assessing the impacts of all U.S. free trade agreements on the operation of Buy American laws.

Cybersecurity. Section 2233 would empower the Cybersecurity and Infrastructure Security Agency (CISA) to declare a significant cyber incident, defined as an incident that harms or is likely to harm “the national security interests, foreign relations, or economy” of the U.S. or “public confidence, civil liberties, or public health and safety of” the U.S. population (excluding incidents occurring on a national security system or DoD and Intelligence systems pursuant to 44 U.S.C. 3553). Section 2334 would establish the Cyber Response and Recovery Fund to respond to declared significant incidents.

Other provisions would reestablish DHS Other Transaction Authority through FY 2024, extend the Commercial Solutions Opening pilot program to 2027, and bar agencies from procuring unmanned aircraft systems manufactured or assembled in China, by entities under the influence of the Chinese government, or in countries identified as a security risk.

 

Moshe’s Musings:

China is driving much of the legislative agenda. So far this year, more than 100 introduced bills focus on China, although they take different approaches.

Some bills focus on investing in R&D and building the infrastructure necessary to wean the US off dependency on China. Such efforts are a step in the right direction but not the whole answer. According to a report by the Boston Consulting Group and Semiconductor Industry Association, a $50 billion investment would make the US an attractive location for semiconductor manufacturing but “complete manufacturing self-sufficiency… would require over $400 billion in government incentives and cost more than one trillion dollars over ten years.” The U.S. cannot, and should not, try to go it alone. This is why the administration and some in Congress are also seeking to invest in and strengthen ties with allies and partners. But even this is not enough. The United States should take a whole-of-government approach, including attracting and keeping highly skilled immigrants, using tax policy, and cutting regulations to promote competitiveness.

Some bills, such as the PCBETTER Act, do little to solve the problem—and sometimes undermine progress. This bill would require contractors to provide DoD a list of every printed circuit board (PCB) in an item with electronic components that transmits or stores information (including commercial and COTS items). It would also require an attestation of whether each PCB was at least partially manufactured and assembled in China, Russia, Iran, or North Korea; was fully manufactured and assembled in another country; or is of unknown provenance.

Such visibility into supply chains does not currently exist, and little would be gained by this bill. We know the US is over-reliant on China and Congress passed legislation last year to require a verification process for PCBs. A trusted verification process and existing legislation provide a robust framework for security. Given the existing framework, the PCBETTER Act does not make the system better or safer, particularly as it relates to COTS and commercial items. It does, however, impose significant costs and paperwork. This is not the way to attract commercial companies to want to work with DoD.

Before holding up contractors as villains for relying on other countries or for lacking visibility into the lowest levels of their supply chain, we need alternative sources of supply for technology and critical items. Until such alternatives exist, the time and money necessary to implement such policies could be better used to promote DARPA’s Electronics Resurgence Initiative, Trusted Microelectronics, or other worthwhile efforts.

 

GSA’s Zero Trust Architecture Resources

On July 15, Laura Stanton, Assistant Commissioner for GSA’s Office of Information Technology Category (OITC), published a blog on Zero Trust Architecture (ZTA) acquisition and adoption. Zero Trust is an approach to cybersecurity that assumes networks and the traffic on them are hostile, and that no user or device is trusted implicitly because of where it sits on the network. Under ZTA, every request for a resource is authenticated and authorized individually, using dynamic signals such as the user’s identity and the device’s security posture, and users are granted only the minimum access needed for their jobs. ZTA is especially important to agencies as attacks become more sophisticated and workplaces shift to remote/virtual work environments, where the traditional network perimeter no longer separates trusted from untrusted traffic. In 2020, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-207, Zero Trust Architecture, to provide agencies with guidance and recommendations for improving their security posture using ZTA. The EO, “Improving the Nation’s Cybersecurity,” requires Federal agencies to develop a plan to implement ZTA. 

GSA has released a Zero Trust Architecture Buyer’s Guide for acquisition and cybersecurity professionals who are seeking to implement ZTA. The guide serves as a roadmap to ZTA and provides best practices. GSA highlights eight pillars that agencies should consider when implementing ZTA: user, device, network, infrastructure, application, data, visibility & analytics, and orchestration & automation. 
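To make the per-request, deny-by-default evaluation concrete, here is an added example of a minimal zero-trust policy decision point. It is illustrative code written for this article, not GSA’s or NIST’s code; the role names, resource classifications, device posture fields and thresholds are all assumed. It shows the properties described above: the device’s network location is deliberately not a trust signal, every request is checked on its own against identity and device posture, access is scoped to the least privilege the role needs, and every decision is logged for the visibility & analytics pillar.

```python
"""Minimal zero-trust policy decision point (PDP) - added example, not agency code.

All roles, resources, posture attributes and thresholds below are assumptions
chosen to illustrate the checks; a real PDP would read them from identity,
device-management and data-classification systems.
"""
from dataclasses import dataclass, field

# Least-privilege role model (assumed values): each role may perform only the
# listed actions, and only on data up to a maximum classification level.
ROLE_PERMISSIONS = {
    "analyst": {"max_classification": 2, "actions": {"read"}},
    "admin": {"max_classification": 3, "actions": {"read", "write"}},
}

# Resource -> classification level (0 public .. 3 restricted). Assumed values.
RESOURCES = {
    "/reports/quarterly": 2,
    "/backups/snapshots": 3,
}

MAX_SESSION_AGE_S = 8 * 3600   # re-authenticate after 8 hours (assumed)
MAX_PATCH_AGE_DAYS = 30        # device must be patched within 30 days (assumed)

AUDIT_LOG: list[dict] = []     # every decision, allow or deny, is recorded here


@dataclass
class Subject:
    user: str
    role: str
    mfa: bool             # strong authentication completed for this session
    session_age_s: int    # seconds since the authentication event


@dataclass
class Device:
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    patch_age_days: int
    network: str          # "corp", "vpn" or "internet"; NOT used for trust


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(subject: Subject, device: Device, resource: str, action: str) -> Decision:
    """Evaluate a single request. Deny by default: every check must pass."""
    reasons: list[str] = []
    classification = RESOURCES.get(resource)
    perms = ROLE_PERMISSIONS.get(subject.role)
    if classification is None:
        reasons.append("unknown resource")
    if perms is None:
        reasons.append("unknown role")

    # User pillar: who is asking, and how strongly were they authenticated?
    if not subject.mfa:
        reasons.append("MFA not completed")
    if subject.session_age_s > MAX_SESSION_AGE_S:
        reasons.append("session too old; re-authenticate")

    # Device pillar: posture is checked on every request. Note that
    # device.network is never consulted - being on the corporate LAN or VPN
    # confers no implicit trust.
    if not device.managed:
        reasons.append("unmanaged device")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patches out of date")

    # Application and data pillars: least privilege by role and classification.
    if perms is not None and classification is not None:
        if action not in perms["actions"]:
            reasons.append(f"role '{subject.role}' may not '{action}'")
        if classification > perms["max_classification"]:
            reasons.append("resource classification exceeds role clearance")

    allow = not reasons
    # Visibility & analytics pillar: log the outcome and the reasons either way.
    AUDIT_LOG.append({
        "user": subject.user, "role": subject.role, "resource": resource,
        "action": action, "network": device.network, "allow": allow,
        "reasons": list(reasons),
    })
    return Decision(allow, reasons)


if __name__ == "__main__":
    # Constructed sample requests: the same user on an unmanaged laptop is
    # denied even from the corporate network.
    alice = Subject("alice", "analyst", mfa=True, session_age_s=600)
    print(evaluate(alice, Device(True, True, 5, "internet"), "/reports/quarterly", "read"))
    print(evaluate(alice, Device(False, True, 5, "corp"), "/reports/quarterly", "read"))
    print(evaluate(alice, Device(True, True, 5, "vpn"), "/backups/snapshots", "read"))
```

The point of the second sample request is the one that trips up perimeter-based designs: a compliant user on the corporate network is still denied because the device fails posture, and the reason is written to the audit log so the denial can be investigated rather than silently retried.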

GSA has other Zero Trust resources, including the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN), which provides access to vendors who passed an oral technical evaluation for cybersecurity services. This makes it easier for agencies to find qualified vendors. Additionally, GSA has the Continuous Diagnostics and Mitigation (CDM) Tools SIN, which provides access to cybersecurity products included on CISA’s Approved Products List. 

Human Capital Role Returns to OPM

Kiran Ahuja, the new head of the Office of Personnel Management (OPM), recently announced that OPM will be reassuming full control of the Chief Human Capital Officers (CHCO) Council, according to Federal News Network. The Council’s administrative functions had been assigned to GSA as part of the previous administration’s plan to merge OPM and GSA, which has now been scrapped. OPM plans to ramp up the staffing and resources allocated to the Council to reinvigorate its work advising and collaborating with OPM to improve human capital management. After pausing its meetings during the pandemic, the Council has resumed monthly meetings and has been holding other briefings for the broader community.

 

OMB to Oversee Diverse Cloud Hiring Initiative

FedScoop reported this week that OMB has reaffirmed the Biden Administration’s commitment to hiring cloud technology experts from a more diverse talent pipeline. The Administration aims to develop this pipeline through workforce exchange programs and partnerships with educational institutions. Last month, the President signed an executive order (EO) that requires agencies to take actions to increase diversity, equity, and inclusion. An OMB representative stated that IT workforce exchange programs between the private sector and the Federal Government would be key to developing a new talent pipeline. Under the EO, agencies must collect enhanced demographic data about their employees. Departments will be required to look at new channels for personnel recruitment, including partnerships with universities and colleges that have historically served minority communities. OMB and OPM are overseeing implementation of the EO.

Upcoming Joint General/Office Products and Small Business Committee Meeting 

On July 27 at 10:00 am EDT, all members are invited to attend a virtual meeting, hosted by the General/Office Products and Small Business Committees, with DoD’s Jim Mette, FedMall Program Manager.

Jim will be sharing DoD’s changes and updates to the FedMall platform, including single sign-on.

If you have any questions/concerns that you would like addressed during the meeting, please email Samantha Holt at sholt@thecgp.org.

To RSVP, email Michael Hanafin at mhanafin@thecgp.org.

 

Top FORE (!) Reasons to Register TODAY for the Joseph P Caggiano Memorial Golf Tournament

After a one-year hiatus due to the global pandemic, The Coalition for Government Procurement is thrilled to announce we are bringing back our Annual Joseph P. Caggiano Memorial Golf Tournament on August 18! Here are the top FORE (!) reasons you should register TODAY!

1: Honoring Joe’s legacy – Joe was not only a colleague and member of the Coalition Board of Directors, but a true friend to many of us and an overall wonderful person. His career in the government marketplace spanned 25 years, including serving seven years as COO of the Washington Management Group/FedSources. Joe also served eight years in the Navy and inspired the Coalition to support veteran non-profit organizations. The Caggiano family will once again be in attendance to honor his legacy and one of his close friends recently summed it up perfectly by saying, “I have not met anyone better than Joe, yet! I’m still looking…”

2: Supporting our veterans – Tournament proceeds will once again support the Coalition’s endowment for a qualified veteran concentrating their studies in the field of U.S. Government procurement and pursuing the JD/LLM degree or the interdisciplinary Masters degree at The George Washington University. We are excited to share that to date, four scholarships have been awarded to deserving veterans:

  • The first ever recipient in 2017 was Tom Roltsch, who served four deployments in Afghanistan and Iraq with the Army Reserve. Tom studied procurement policy in the Masters program at The George Washington University and currently works for ManTech International Corporation as Principal Reliability Engineer.
  • The 2018 recipient of the scholarship was Craig Barrett. Craig is currently a Senior Counsel in the Government Contracts Group at Crowell & Moring. Prior to joining Crowell & Moring, Craig spent nearly 18 years in government service both as an active-duty service member and as a civilian. Craig served as an active-duty Marine Judge Advocate immediately after the attacks on 9/11. His service with the military continued as a civilian executing the role of Acquisitions Operations Manager for the Marine Corps Systems Command, the acquisition arm of the Marine Corps.
  • The 2019 recipient of the scholarship was Jennifer Sandusky. Jennifer joined the United States Civilian Board of Contract Appeals as a full-time Attorney Adviser in February of 2020 and completed the LL.M. program in Government Procurement Law at The George Washington University Law School.
  • The 2020 recipient was Connor Smith. Connor is a third-year law student at The George Washington University completing his Government Procurement Concentration. In 2012, Connor graduated from Clark University before enlisting in the Army, where he served for five years. During his time with the Army, Connor served as a Cryptologic Linguist, responsible for identifying foreign communications.

3: A Beautiful Venue – Whiskey Creek Golf Club is an amazing golf course in Ijamsville, Maryland with outstanding views on every hole. As their website notes, the course is “bordered by a high ridge of hardwoods and a winding, free-flowing creek, the property contains many different environments and natural features including springs, streams, stone walls, wetlands, rock outcroppings, broad meadows, pine forests and dramatic views of the Catoctin Mountains. Architect J. Michael Poellot and design consultant Ernie Els, a 2-time United States Open Champion, have designed Whiskey Creek to take full advantage of its spectacular setting.”

4: Time to get out of your basement and enjoy some camaraderie and competition – Everyone has been cooped up for a long time, and what better way to get some fresh air and reconnect with colleagues than by hitting the greens!  We know you have a personal pandemic story to share, along with business challenges and successes. Take advantage of this opportunity to catch up with old friends (and make new ones!) during a friendly scramble style golf competition. There will be low scores and there will be (very) high scores – but everyone will be a winner as there will be prizes for both! Not a golfer? No problem! You can come participate in the Veranda Club where you can take in the scenic views from the large club house deck, play cornhole, or join us for the reception as golfers filter in from the course to enjoy an awards ceremony, BBQ, and burgers!

Lastly, I want to encourage you to consider one of our sponsorship opportunities as we are still seeking Title Sponsors, a Reception Sponsor, and many hole sponsors. Thank you to our Lunch Sponsor, The Gormley Group; our Beverage Cart Sponsors, CACI and ManTech; and all our hole sponsors! For sponsorship questions or commitments, please contact Matt Cahill at mcahill@thecgp.org or 202-315-1054.

Webinar: The New Hostage Crisis: How Federal Contractors Can Reduce Ransomware Risks, August 12 

The Coalition is pleased to have attorneys Alexander Major and Matthew Wright, both Partners at McCarter & English, along with Dennis Underwood, ransomware forensic IT professional from Cyber Crucible, join us to discuss this topic from multiple perspectives on August 12 from 12:00 – 1:30 pm EDT. They will be providing practical and actionable information, guidance and recommendations to address this evolving and growing menace.

We anticipate this webinar content will be relevant for nearly every member, but especially important to CIOs, in-house counsel, and IT security leads, amongst many others. They will be looking at this issue through the lens of legal/regulatory compliance, best practices, and risk mitigation with a dose of technical analysis and practical recommendations. We hope you can join us for this important webinar topic!

Click here to register.