Friday Flash 08.19.22

Thank You for Supporting the Joseph P. Caggiano Memorial Golf Tournament!

The Coalition would like to thank everyone who attended the 9th Annual Joseph P. Caggiano Memorial Golf Tournament on Wednesday. It was a beautiful day at the Whiskey Creek Golf Course, with the weather providing the perfect conditions for an excellent round of golf and the opportunity to honor Joe Caggiano’s legacy. It was great to see so many friends and colleagues on the course and at the clubhouse during the reception.

Thanks to your generous contributions, we were able to raise $10,000 for the Coalition’s endowment for qualified veterans pursuing the JD/LLM/MSL degree at The George Washington University Law School. We were fortunate to have members of the Caggiano family and this year’s scholarship recipient, Maxie Lawton, a seven-year Army veteran and current GWU Law School student for the presentation of this year’s check to GWU. We appreciated the opportunity to honor Joe Caggiano’s legacy and celebrate Maxie’s achievements before kicking off the tournament.

We would like to highlight our many sponsors who allowed for this wonderful event to be possible. We sincerely appreciate your contributions to this very important cause. This year’s sponsors included Title Sponsor, The Gormley Group; Lunch Sponsor, The Center for Procurement Advocacy; Beverage Cart Sponsors, ManTech International Corporation and DocuSign; and Hole Sponsors, Allen Federal Business Partners, Amazon Business, Baker Tilly, Bosma Enterprises, CGI, Etherton and Associates, GDIT, the George Washington University Law School, the Gibbs Family, GraingerHarvey Ernest, Mayer Brown, Miller & Chevalier, Noblis, PenFed, the Rendely Family, RIVERGROUP, Raytheon, Sheppard Mullin, and the Sisti Family.

We also want to recognize some excellent performances on the golf course. This year’s competition came down to the wire. Congratulations to the tournament champions, Team Grainger! Team members included Mark Snead, Chad Urban, Ken Julian, and Jordan Pearts. The second-place finisher was Team Caggiano, consisting of Paul Caggiano, Michael Caggiano, Andy Eppright, and Bob Gibbs. Third place was the trio of Tim Cook, Leo Sisti, and Robert Spallone.

Thank you to all golfers for participating, and more importantly, taking the time to celebrate our friend Joe Caggiano. We look forward to seeing you again next summer!

 

GSA Raises Alliant 2 Ceiling to $75 Billion

On August 17, the General Services Administration (GSA) announced that they are raising the Alliant 2 contract ceiling by $25 billion, bringing it to $75 billion. Alliant 2 provides Federal agencies with “access to more than 40 companies offering integrated IT solutions for evolving needs worldwide.” The contract has been used by more than 100 agencies. Federal Acquisition Service Commissioner Sonny Hashmi said the following on the raise of the Alliant 2 contract ceiling:

“Alliant 2 has surpassed our expectations at every turn. With more than 465 task order awards exceeding $36 billion in estimated value already, it’s clear that this ceiling increase is critical to ensure consistent mission delivery for our customer agencies. The Alliant GWAC has again proven itself to be a go-to IT service contract to meet the complex IT modernization and mission needs of the government.”

Laura Stanton, Assistant Commissioner for the Office of Information Technology Category, added that the increase benefits small businesses by providing more subcontracting opportunities. According to Stanton, small businesses have won more than $1.2 billion on Alliant 2, which “substantially surpasses small business subcontracting dollars won on the original Alliant.”

GSA noted that Alliant 3 has been approved and market research is underway. GSA plans to release the draft Request for Proposals in quarter 1 of fiscal year 2023.

CISA Task Force Leader Sees Need for Global Cooperation to Manage Supply Chain Risks

FCW reports on a public-private task force, created by the Cybersecurity and Infrastructure Security Agency (CISA), that is working to develop international collaboration to address threats to the supply chain. The Information and Communications Technology Supply Chain Risk Management Task Force (ICT) is working to “create actionable tools that can help organizations address various aspects of the supply chain security challenge now, as opposed to just writing reports that collect dust.” In addition to creating a variety of publicly available tools and resources, the task force has published reports analyzing the COVID-19 pandemic and its impact on the logistical supply chain of ICT companies and templates to help companies implement risk management industry standards. The ICT will also be rolling out a series of webinars to spread awareness of its existing resources.

GAO Recommends that DHA Verify Provider Qualifications at their Medical Facilities”

The Government Accountability Office (GAO) released a report on the review of the Defense Health Agency’s (DHA) administration of Defense Department (DoD) medical facilities. For the report, GAO examined four medical facilities with a total of 100 individual care providers. They found that the medical facilities had not verified approximately one sixth of providers’ medical licenses, and that the facilities failed to obtain clinical references for nearly half of the reviewed providers. See the figure below for the adherence rate to DHA credentialing for the sampled providers.

In addition to the examination of provider certification, the GAO also examined performance evaluations of providers and patient safety events. The four facilities also conducted 20 evaluations “to address clinical performance concerns raised about individual providers.” GAO found that in almost half of these evaluations, facilities did not document the performance metrics used to track whether the situation was properly resolved. GAO found that the lack of documentation stemmed from inconsistent terminology and unclear procedures. In addition to these issues, GAO examined a dozen patient safety events that resulted in compensation for the patient or their family. In nine out of twelve cases, DHA exceeded the required time limit to review the event and failed to report providers to the national database as mandated. In addition to these findings, GAO also found that DHA has not yet implemented its plans to monitor patient safety events and to ensure that focused evaluations are conducted properly.

The GAO issued two recommendations to DHA based on the findings in their report. The first recommendation was that the Director of the Defense Health Agency should revise the procedures manual for clinical quality management to ensure that requirements are clear and specific. Revisions should:

  • clarify whether clinical references are required for providers whose privileges are being renewed.
  • specify how far in advance of privileging a MTF is allowed to verify licenses and query the NPDB and List of Excluded Individuals and Entities.
  • specify that MTF staff must document their consideration of information that raises concerns during the credentialing and privileging process.
  • clarify requirements for FPPEs for cause, including clear distinctions between requirements that apply to initial FPPEs and those that apply to FPPEs for cause.
  • specify how DHA defines commencing and completing a PCE review and how MTFs should document these milestones in DOD’s centralized healthcare risk management database.

In addition to this recommendation, the GAO also recommended that the DHA Director monitor its clinical quality management procedures at MTFs and ensure that the monitoring approach includes:

  • an assessment of MTF adherence to credentialing and privileging, FPPE for cause, and PCE review procedures.
  • a process for obtaining and evaluating information about all patient safety events that resulted in compensation and require DHA review.

DoD concurred with both recommendations. The full report can be found here.

Survey Shows Uptick in Agency Zero Trust Initiatives

Fedscoop reported that 72 percent of Federal agencies have begun work on at least one Zero Trust security initiative. Additionally, a survey conducted by Pulse Q&A found that over the past year, 86 percent of agencies have increased their budgets for Zero Trust programs. These budget increases come after the release of the Administration’s Federal Zero Trust Strategy which requires agencies to submit their Zero Trust implementation plans each year. Some agencies have also applied for funding under the Technology Modernization Fund to use for Zero Trust projects. Most agencies’ implementation efforts are focused on the five pillars of Zero Trust, which include identity, devices, networks, applications and workloads, and data. Of the agencies surveyed, Pulse Q&A found that 66 percent had already implemented multi-factor authentication (MFA) for employees. Many agencies are exploring identity-as-a-service which would allow for agencies to “manage identities, onboard and offboard users, apply MFA, and secure single sign-on.”

Take the GSA FedRAMP Annual Survey

GSA has released its FedRAMP Annual Survey for Fiscal Year (FY) 22. GSA asks for those who have interacted with FedRAMP at any point in the last year to fill out the 5-minute survey. The agency is looking for responses on what they are doing well and what areas need improvement. The results of the survey will help to identify potential FedRAMP program changes and enhancements that will better serve customers. The survey will remain open until September 9, 2022.

Infrastructure Projects Slowed by Federal Staffing Shortages

According to FCW, watchdogs have warned the Administration of agency staffing shortages that could impact the successful implementation of the Infrastructure Investment and Jobs Act (IIJA). GSA, which was tasked with constructing and modernizing 26 land ports around U.S. borders, is among the agencies that are facing staffing challenges. GSA’s Inspector General (IG) stated in a report that the agency is facing severe staffing shortages for project managers and contracting officers that are key for the project’s implementation. Since September 2021, almost 13 percent of project managers have left GSA’s Public Building Service. Additionally, the IG found that contracting officers have shown a lack of understanding in awarding and managing contracts. The report cited failures to comply with competition and pricing requirements on projects exceeding $100 million during the implementation of the American Recovery and Reinvestment Act. The IG noted that supply chain disruptions and inflation will also be challenges as GSA begins the project.

The Administration instructed agencies to prepare for “significant hiring efforts to meet the requirements of the infrastructure law.” In a memo, Office of Management and Budget (OMB) Director Shalanda Young stated that “to achieve IIJA’s goals, and to mitigate risk, agencies will need to engage in substantial efforts to hire qualified program staff and professionals to carry out the work at headquarters and field offices, as well as mission-support staff including human resources, contracting officers, grants managers, and data scientists.” Federal agencies are planning to hire 8,000 employees for projects related to the IIJA. GSA said that they are taking steps to focus on hiring, training, and retaining staff. The Department of Energy plans to onboard 1,000 new staff members to work on its Clean Energy Corps.

GSA Seeking new TTS Leadership

According to Federal News Network, Dave Zvenyach, deputy commissioner of the Federal Acquisition Service and director of the Technology Transformation Service (TTS) at GSA, is finishing his second tour at the agency on Sept. 9. Sonny Hashmi, GSA’s FAS Commissioner, said to staff “Since rejoining GSA in January 2021, Dave Z has worked as a visionary and champion of building sustainable and equitable civic tech partnerships, scaling governmentwide shared services, and to improve the way the American public engages with government,” Zvenyach spearheaded efforts to provide digital service where he provided leadership in the redesign of USA.gov and the expansion of the Login.gov service. Lauren Bracey Scheidt will serve as acting director of TTS while GSA searches for a permanent replacement.

Congratulations to Michael Hanafin

The Coalition for Government Procurement would like to congratulate Michael Hanafin on his promotion to Marketing & PR Strategist. In his new role, Michael will work to increase the value of Coalition member resources, increase membership engagement and participation, and increase awareness of the Coalition’s brand and thought leadership. Michael has also served as a Policy Analyst working with the GWAC/MAC, IT/Services and Furniture Committees.  He holds a Bachelor of Arts degree from the College of William and Mary.  

Legal Corner: Recent DoD Memorandum and DoJ Report Highlight Enforcement Mechanisms Available to the Federal Government for Noncompliance with Cybersecurity Requirements

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day.  The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

While industry awaits substantive developments on the Cybersecurity Maturity Model Certification (CMMC) 2.0, a recent Department of Defense (DoD) memorandum and the Department of Justice (DoJ) Comprehensive Cyber Review serve as timely reminders of the importance of complying with existing cybersecurity requirements as well as the various mechanisms available to the federal government to enforce compliance.

The principal cybersecurity requirement in the DoD context, and the focus of the DoD memorandum, is Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Among other things, that clause directs DoD contractors that own or operate an unclassified information system that “processes, stores, or transmits” controlled unclassified information to implement the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 requires a covered contractor to develop a system security plan (SSP) that describes the information system and explains how the contractor has implemented NIST SP 800-171’s security controls. The contractor must also create a plan of action (POA) identifying any unsatisfied requirements, explaining how it will meet those requirements, and describing how it will mitigate any security vulnerabilities in the meantime. SSPs and POAs are often not formal contract deliverables, but contractors must provide them to the government upon request. In addition, contractors must monitor and timely report cyber incidents. Contracting officers have tools to assess compliance, including requiring assessments in accordance with DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

The recent DoD memorandum specifies the above requirements and underscores for contracting officers—and, in turn, industry—the various enforcement mechanisms that the government can utilize to address noncompliance. Specifically, the memorandum notes that a contractor’s “[f]ailure to have or to make progress on a plan to implement NIST SP 800-171 may be considered a material breach of contract requirements” and enumerates available remedies for a breach, including withholding progress payments, declining to exercise contract options, and terminating contracts in whole or in part.

Of course, this is not an exhaustive list of the consequences a contractor may face for noncompliance with cybersecurity requirements. Separate and apart from contract-based remedies, contractors may also face liability under the False Claims Act (FCA). As many will recall, just last year, the DoJ announced a Civil Cyber-Fraud Initiative (CCFI) to utilize the FCA to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” DoJ did not mince words, stating that the CCFI “will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients” and thereby affirming that companies in the federal marketplace are the central focus of this initiative. We have been tracking such cases as they progress through federal courts even before the formal announcement of the CCFI, with settlements now being announced by DoJ.

Earlier this month, DoJ issued a Comprehensive Cyber Review report, which discusses the CCFI, as well as a review that DoJ conducted following the December 2020 breach of its Microsoft Office 365 email environment, which it ultimately traced back to the compromise of SolarWinds’s Orion software. In the report, DoJ affirmed its plans to “lead the effort to enforce cybersecurity requirements on federal contractors and grantees” and further announced its desire to participate in actually developing those requirements. Having found the existing requirements to be “insufficiently rigorous,” DoJ has offered to leverage its enforcement experience to assist the Federal Acquisition Regulation (FAR) Council in developing cybersecurity provisions and standards that are, to DoJ’s judgment, readily enforceable.

DoJ also noted its plan to further integrate “privacy and security terms and conditions” into its own procurement documents, templates, and contracts and, once such provisions are “clear and effective,” to “integrate and deploy a significant number of tools at its discretion to ensure contractual cybersecurity standards are followed.” As with the DoD memorandum, DoJ highlighted contract termination among these tools, but also highlighted its authority to pursue civil enforcement actions (and corresponding monetary penalties) in cases of “reckless or intentional failure to maintain cybersecurity standards.”

With cybersecurity top of mind across the federal government, it remains critical that contractors comply with existing requirements and remain prepared for the forthcoming CMMC 2.0 development. This diligence will come in handy in the event of a contract dispute, investigation or any other enforcement action premised upon allegations of noncompliance.

Healthcare Corner – CRS Report on the Advanced Research Projects Agency for Health (ARPA-H) – The “DARPA” of Health

This week, the Congressional Research Service (CRS) released a report on the establishment of a new Federal health innovation agency—the Advanced Research Projects Agency for Health (ARPA-H). Congress established the agency in the Consolidated Appropriations Act for FY22 signed into law on March 15, 2022. The FY22 appropriations provided $1 billion to the Department of Health and Human Services (HHS) to launch the new agency. HHS has since announced that ARPA-H will reside within the National Institutes of Health (NIH). ARPA-H is intended to develop new innovations, similar to other “ARPAS” like the Defense Advanced Research Projects Agency (DARPA) and “ARPA-E” which focuses on energy.

The specific “goals, structure, placement, activities, and authorities” of the ARPA-H are yet to be defined by Congress. However, there are currently two legislative proposals under consideration—the PREVENT Pandemics Act (S. 3799), which includes the ARPH-A Act (S. 3819) as an amendment, and H.R. 5585 which passed the House on June 22, 2022.

According to the CRS, there are multiple policy questions about the ARPA-H that are still open for debate:

  • where to place ARPA-H within the federal government and how to facilitate its independence and autonomy,
  • what the appropriate goals are for ARPA-H and how to prevent its activities and programs from duplicating the efforts of other federal agencies and the private sector, and
  • what the appropriate current and future appropriations levels are for ARPA-H

For more on these policy questions and a side-by-side of the two legislative proposals on the Hill, view the report here.

A View From Main Street: Multiple Item Procurements and the Nonmanufacturer Rule

Updates and Opinions on Timely Topics Impacting the Government Contracting Industry from GovCon Expert Ken Dodds

SBA’s waiver of the nonmanufacturer rule allows small businesses to supply the products of large businesses on supply contracts set aside for small business. Prior to June 30, 2016, SBA’s rules did not specifically address waivers in the context of multiple item procurements. Under SBA’s rules at the time a contracting officer had to provide SBA with a statement of the item to be waived and a determination by the contracting officer that there were no known small business manufacturers for the requested item, and SBA would review the contracting officer’s determination that no small business manufacturer could reasonably be expected to offer a product meeting the specifications (including period for performance) required by the solicitation. If an agency determined that 50 percent or more of the cost of manufacturing the items would be performed by small businesses, then it had to set the solicitation aside for small business in accordance with the rule of two. On the other hand, if the agency could establish that products manufactured by large businesses would account for greater than 50 percent of the value of the contract, then the agency could issue the solicitation full and open or it could request a waiver of the nonmanufacturer rule from SBA in order set the acquisition aside. If SBA granted the waiver, one reasonable interpretation was that there were no further limitations or requirements applicable to the size status of manufacturers of the items. The agency had demonstrated that the rule of two was not met and SBA waived any requirement to supply any products manufactured by small business concerns. The small business nonmanufacturer could supply the products of large businesses or small businesses in its discretion. This interpretation made it easier for agencies to set acquisitions aside for small nonmanufacturers in lieu of conducting full and open competitions.

In a final rule effective June 30, 2016, SBA addressed how it would process requests for waivers of the nonmanufacturer rule for multiple item procurements. The rule confirmed that if at least 50 percent of the contract value was comprised of items manufactured by small business concerns, then a waiver of the nonmanufacturer rule was not required in order to set the procurement aside. If more than 50 percent of the contract value was composed of items manufactured by large businesses, the agency was again faced with a decision on whether to issue the solicitation full and open or request a waiver of the nonmanufacturer rule. SBA clarified that for multiple item procurements it would grant a waiver for enough items in order to ensure that at least 50 percent of the value of the products to be supplied by the contractor would come from domestic small business manufacturers or were items that had been waived. Thus, in addition to demonstrating that 50 percent or more of the value of items will come from large businesses for purposes of the rule of two, the agency has to also determine the value of the items made by small business concerns and request a waiver for the value of large business items to equal or exceed 50 percent of the value of the contract when combined with the small business items. The clarification was intended to protect small manufacturers. However, if an agency determines that receiving small business credit towards its prime contract goals does not justify the burden of itemizing the value of items manufactured by small businesses, it can issue the solicitation full and open. In full and open competition, a large business contractor will have a small business subcontracting plan, but there is no guarantee that small business subcontractors will supply items manufactured by small business concerns because the limitations on subcontracting and nonmanufacturer rule do not apply to subcontracts.

Have a topic you wish to be covered or a question on how Live Oak Bank could support your business? Email me at ken.dodds@liveoak.bank.