Friday Flash 08/26/2022

Dog Day Diversions

In the final weeks of summer, and within weeks of the midterm elections, we might be tempted to write off procurement issues as “on the back-burner,” i.e., not at the top of the list of issues to address relative to matters of government funding and campaigning. That point may be so, but it does not diminish the importance of these issues or the need for their redress. What appears below is a list of important issues that, for stakeholders in the procurement community, remain on the front burner.

E-commerce Portals – In July, GSA released “Procurement Through Commercial E-Commerce Portals,” its testing and analysis of commercial online models. GSA concluded that there is little difference “between commercial online business models in their ability to meet core program capabilities,” as all three of the e-commerce models it identified “meets or exceeds the foundational capability needs of the program, with many offering sophisticated features that may or may not add value to the user experience.”

GSA’s “testing” of the models, however, to a great extent, involved surveys, begging the question, when is a test a survey, or when is a survey a test.  The point here is not levity; there is a question whether GSA has an over-arching strategy for the full utilization of these solutions beyond simple purchases.  Defining that strategy could have implications for procurement streamlining and efficiency, but that definition cannot be made without hard data.

Loopholes Facilitating Cyber Risk – Earlier this summer, this blog addressed the use of the small business set-aside “non-manufacturer” rule (NMR) as a risk channel through which products representing a cyber threat could enter the government’s supply chain and networks. When the SBA provides an NMR waiver for a set-aside procurement, a small business reseller/dealer is permitted to supply the product of any size business without regard to place of manufacture. Because, under the FAR, the Buy American Act applies to set-asides, under an NMR waiver, a small business reseller/dealer can provide a product from China that otherwise, under a “full and open” procurement, would be barred by operation of the Trade Agreements Act.

Over the last several years, the government, rightly so, has increased its efforts to limit attacks from adversaries via channels provided by their products.  It is a mystery, then, why this gaping loophole in the system is permitted to exist.  To safeguard government systems and data, the loophole needs to be eliminated.

The Multiple Award Schedules (MAS) and Transactional Data Reporting (TDR) – TDR will enhance the government’s ability to make smart purchasing decisions through the sharing of information. The program has naturally progressed, beginning with the Discount Schedule and Marketing Data (DSMD) requirements that existed in the 1980s, followed by the introduction of the Commercial Sales Practices (CSP) and Price Reduction Clause (PRC) in the 1990s, to TDR. TDR moves the MAS program away from outdated, burdensome, and anti-competitive pricing policies towards a more market-focused model.

As the TDR pilot evolved, the procurement community has come to understand that TDR is a best value management tool in the government’s procurement toolbox. TDR’s strength lies in its ability to track the market while reducing contract administration burdens for commercial firms, particularly small firms, as well as enhancing competitive opportunities for contractors. In contrast, the PRC requires costly administrative oversight, which significantly hinders MAS contractors’ ability to compete in the commercial marketplace. In September, look for a series of blogs focusing on TDR and its role in the Schedule program.

Customer Experiences and Equitable Price Adjustment – Administrator Carnahan has expressed her management focus on the customer experience, recognizing that, “[c]reating user-friendly and accessible government services is essential to building trust in government and delivering the resources and benefits the American people need, when they need them.”  Coalition members share this view, recognizing that, in their businesses, a positive customer experience is fundamental to their success in the commercial market.

As the largest commercial item contracting program in government, the Multiple Award Schedule (MAS) Program provides a marketplace where customer agencies and industry partners come together to meet mission requirements.  The health of the MAS program is reflected in customer experience, both for agencies and industry partners.  Based on the experience of Coalition members, that health is not good.  Specifically, they are encountering bottlenecks and delays (up to a year)  in contract administration functions across the program, including ongoing challenges regarding inflation and the processing of Economic Price Adjustments (EPAs), putting significant pressure on the industrial base, especially small businesses, resulting in thousands of unfilled orders and significant economic loss.  GSA needs to expedite redress of these bottlenecks and the processing of EPAs to maintain the stability and vitality of its industrial base. 

The foregoing is but a sampling of important issues facing stakeholders in the procurement community.  As we watch children return to school and await the change of seasons, we would do well to reflect on these issues and develop constructive ways to address them quickly.         

Top U.S. Army Information Technology Officer Speaks about Accelerated Transition to Cloud Computing 

Lt. Gen. John Morrison, the Army’s Deputy Chief of Staff for Command, Control, Communications and Computers, has promised “much more rapid movement to the cloud” by the Army in the next fiscal year, report C4ISRNET and Breaking Defense. Speaking at the 2022 AFCEA TechNet Conference in Augusta, Georgia, Morrison explained that the “foundation has been set” for transitioning to cloud computing and that the Army is briefing its operating personnel on what applications must move and readying requisite capabilities. Data center audits coordinated with Chief Information Officer Raj Iyer (who previously called FY 2023 a “year of inflection” for digital modernization), the service’s top civilian IT official, will further accelerate the transition to the cloud by clarifying what is and is not cloud-ready. Morrison also stated that the Army’s progress on the cloud was well-aligned with Joint Warfighting Cloud Capability, the Department of Defense’s $9 billion cloud-computing initiative. According to its budget request, the Army itself plans to spend around $290 million on cloud investments in FY 2023.

Senators Urge More Suspensions and Debarments by the Justice Department

This week, Federal News Network reported on a recent letter to the Justice Department (DoJ) from the offices of Senator Warren (D-MA) and Senator Lujan (D-NM) requesting that DoJ exercise its suspension and debarment authority against corporate entities as a punitive action following misconduct. The letter has generated a large amount of feedback from the contracting community. Much of the response to the letter has focused on the purpose of debarment and suspension with industry experts urging DoJ to avoid using these enforcement mechanisms as a punitive measure. “They are asking that Justice adopt a role that it hasn’t historically done. DoJ has suspended and debarred contractors who deal with DoJ, but what this letter is asking them to do is adopt the role of super all-encompassing S&D authority for the government,” said John Chierichella, the CEO of Chierichella Procurement Strategies and a long-time federal procurement lawyer. “What that would do is put the authority into the hands of agency that may not be, and probably will not be, the agency that was the ‘victim’ of the underlying wrongdoing. DoJ is not the agency that will suffer the consequences of having a contractor excluded of providing goods and services to that agency.”

In their critique of the letter, many experts emphasized the Interagency Suspension and Debarment Committee’s documented guidance on the issue. As the document states:

          “Question: Can the suspension and debarment remedy be used for punishment or penalties, or as an enforcement tool?

          Answer: No. The suspension and debarment remedies are used prospectively to protect the government’s interests and assess business risk.”

Robert Burton, a partner with Crowell & Moring and a former deputy administrator in the Office of Federal Procurement Policy stated his support for the current use of the process and its role in protecting agencies and preventing future misconduct. “If a company has taken corrective action and maybe entering into a civil settlement, most agencies find it hard to punish them further because that has been done by criminal or civil authorities,” Burton said. “Since it’s not a punishment tool, does the government need to be protected from an entity after the company took corrective action and put in internal controls to prevent issues in the future?” Eric Crusius, a procurement attorney with Holland & Knight, stated that currently agencies already can terminate a contract or provide a negative past performance review which both achieve the goal of preventing future harm. “The agency that contracts with the contractor often has the best insight of the contractor’s conduct and present responsibility,” he said. “Further, the contracting agency best understands the practical implications of a debarment, like is the company vital to their supply chain?” Crusius also emphasized that DoJ would lack insight into the implications of debarment on agencies which could create undue burden on agencies.

Welcome Ian Bell to the Coalition

The Coalition for Government Procurement welcomes Ian Bell as the newest member of its team. Ian will be serving as the Program Assistant providing administrative and logistical support for Coalition members. He will also assist with the management of the Coalition’s customer relation systems and contribute to our weekly member publications, the Tuesday Tracker and Friday Flash. He has a strong interest in public policy and experience having worked overseas as a Consular Affairs intern in the US Consulate General in Almaty, Kazakhstan. Ian graduated from The Ohio State University with a BA in Philosophy in May 2022 and is fluent in Russian. Please join us in welcoming Ian Bell to the Coalition!

Coalition has Submitted Comments on CMMC Draft Assessment Process

The CMMC Advisory Board (AB) has released a pre-decisional draft of the CMMC Assessment Process (CAP) for Level 2 for public comment. The CAP is designed to be used by CMMC Third Party Assessment Organizations (C3PAOs) and organizations seeking certification (OSCs). According to the CMMC AB, the CAP “establishes the various phases, procedures, and templates that are employed in the conduct of a CMMC assessment.” The Coalition has submitted comments on the draft CAP and you can access the letter here.

VA Experiences Nearly 500 Major Incidents Since EHR Rollout

FedScoop reports that the new Electronic Health Record (EHR) system at the Department of Veterans Affairs (VA) has had nearly 500 major incidents along with 45 days of downtime since its launch in the fall of 2020. A dataset acquired through a Freedom of Information Act request shows that the EHR system had 930 hours of “incomplete functionality” where the system lost partial functionality, over 103 hours of reduced performance and almost 40 hours of “outage,” which means that the system was completely unusable.

Of these incidents one third are attributed to the VA while two thirds are attributed to the system. In about half of the incidents the root cause is unidentifiable. In a statement to FedScoop, Secretary of Veterans Affairs Denis McDonough said, “The bottom line is that my confidence in the EHR is badly shaken. Regardless of whether an outage in the system lasts for one minute or one hour or one day, any outage or delay is unacceptable for the Veterans we serve and our VA health care providers who serve them.” Secretary McDonough also reiterated that further rollouts have been delayed until 2023.

NIST Releases Second Draft of Artificial Intelligence Risk Management Framework

The National Institute of Standards and Technology (NIST) released a second draft of its Artificial Intelligence Risk Management Framework (AI RMF) on August 18, continuing a consensus-driven development process that began last year. Designed for use by both technical and lay audiences who interact with AI, the RMF provides voluntary, non-regulatory guidance on how to manage potential AI risks and create trustworthy AI systems. At the center of the RMF are four core risk management functions—Map, Measure, Manage, and Govern—that give organizations a framework for setting outcomes and taking actions throughout an AI system’s lifecycle. The NIST has also released a partial draft of a companion Playbook which gives organizations more concrete suggestions for implementing core functions. The first complete version of the RMF and Playbook are set for publication in January of 2023. NIST will be accepting comments on the current draft until September 29, 2022 via email at AIframework@nist.gov or at its third AI RMF virtual workshop, October 18-19, 2022.

The creation of the RMF is one element of the development of the NIST Trustworthy and Responsible AI Resource Center, an online resource which will host third-party resources on RMF use and implementation. Among the resources that the NIST plans on hosting is information on “how the AI RMF can be used for procurement or acquisition activities.”

Take the GSA FedRAMP Annual Survey

GSA has released its FedRAMP Annual Survey for Fiscal Year (FY) 22. GSA asks for those who have interacted with FedRAMP at any point in the last year to fill out the 5-minute survey. The agency is looking for responses on what they are doing well and what areas need improvement. The results of the survey will help to identify potential FedRAMP program changes and enhancements that will better serve customers. The survey will remain open until September 9, 2022.

Off the Shelf: Maintaining Medical Supply Chain Resilience

This week on Off the Shelf, Deborah Haywood, Vice President of Government Solutions at McKesson Medical Surgical, discussed the imperative of medical supply chain resilience, the role of the national strategic stockpile, and the impact of COVID-19 on the supply chain.

Haywood shared her insights regarding best practices in managing strategic stockpiling, focusing on the importance of communication among all stakeholders, visibility, inventory control, and data management.

She outlined the critical importance of communication between government, industry, and treatment facilities in managing the stockpile supplies, while responding to the pandemic.

The discussion highlighted lessons learned and potentially enduring best practices that will help shape the future and continuing delivery of healthcare at all levels.

Listen to the podcast here.

OIG Recommends that CISA Strengthen Quality of Cyber Threat Information

On August 16, the Department of Homeland Security (DHS) Office of Inspector General (OIG) issued a report on the Cybersecurity and Infrastructure Security Agency’s (CISA) information sharing progress under the Cybersecurity Act of 2015. This act requires DHS to “establish a capability and process for Federal entities to receive cyber threat information from non-Federal entities.” The OIG found that CISA has addressed the basic information sharing requirements of the bill but has not made significant progress enhancing the quality of threat information. Throughout 2019 and 2020, CISA used its Automated Indicator Sharing (AIS) tool to share cyber threat information between the public and private sectors. During those years, CISA reported that the number of Federal AIS users increased by over 15 percent, and the number of non-Federal participants increased by 13 percent. The agency also reported that the number of cyber threat indicators that they shared and received increased by more than 162 percent. However, according to the OIG, the quality of the information that was shared with AIS users was not always “adequate to identify and mitigate cyber threats.” The OIG found that most cyber threat indicators did not contain sufficient contextual information to assist in decision making. The OIG attributed this to limited AIS functionality, limited staffing, and external factors. The OIG warned that insufficient quality of information may hinder the government’s ability to identify and reduce cyber threats.

The OIG gave four recommendations to CISA, including completing system upgrades, hiring additional staff, encouraging compliance with information sharing agreements, and developing a formal reporting process with quality controls. CISA agreed with all four of these recommendations.

GSA’s Presidential Innovation Fellows Program Celebrates 10-Year Anniversary

On August 23, GSA celebrated the 10-year anniversary of its Presidential Innovation Fellows (PIF) Program. The PIF Program, which is housed in GSA’s Technology Transformation Services (TTS), is made up of senior-level technologists from industry who serve as advisors to Federal agencies. Some participants remain in the government after their time in the program, such as the current Chief Technology Officer and the Deputy Chief Technology Officer at the Department of Veterans Affairs. For the past 10 years, over 200 participants have supported more than 50 agencies in areas like artificial intelligence, data strategy, software development, and digital strategy. GSA Administrator Robin Carnahan said the following about the program:

“The PIF Program is a smart way for Federal agencies to access new ideas and extraordinary tech talent and put both to work solving hard problems and delivering better government services to the American people. The program has been delivering outstanding results and saving money for taxpayers for the past 10 years and we look forward to supporting even more technologists interested in serving a tour of duty in government.”

Some of the PIF Program’s accomplishments over the past few years include:

  • Developing and launching the new Advanced Research Projects Agency for Health (ARPA-H).
  • Launching telehealth.hhs.gov, which served one million healthcare providers and millions of patients during the height of the COVID-19 pandemic in 2020.
  • Developing chatbots to serve patients within the VA. 

GAO Releases 2021 Snapshot of Government Wide Contracting Spending

The Government Accountability Office released its 2021 snapshot of Government Wide Contracting Spending. The defense agency responsible for the most contract dollars was the US Navy with $111.7 billion. Of the civilian agencies, the Department of Health and Human Services was responsible for the most contracting dollars with a total of $38.9 billion. For both military and civilian agencies, the top product category was drugs and biologicals. GAO also found that across the government 23 percent of contract dollars went through small businesses. It is also of note that 63 percent of all contract dollars faced competition on the bids. There was a large discrepancy between civilian agencies, which had competition on 80 percent of their contract dollars, and military agencies, which faced competition on 52 percent of their dollars. Lastly, we can see a decline in spending through other transaction agreements (OTA) of about $2 billion. This breaks continual growth in spending through these agreements, but we still see an increase in spending of $7 billion when comparing OTA spending from 2021 to 2019.

The Coalition Discusses the Alliant 2 Contract on the Daily Scoop Podcast

This week, the host of FedScoop’s The Daily Scoop Podcast, Francis Rose, sat down with Coalition President Roger Waldron to discuss the increased Alliant 2 contract ceiling from $50 billion to $75 billion. The discussion emphasized the need for continuity in the contract to support continued spending on critical IT matters such as the COVID-19 response. You can access the podcast here.

GSA Publishes GSAR ANPR on Reducing Single-Use Plastics and Packaging 

On July 7, GSA issued an advance notice of proposed rulemaking (ANPR) seeking public feedback on the agency’s use of single-use plastics, including those used in packaging and shipping of products under GSA contracts as well as items included on the contracts. GSA will use the feedback to establish requirements and reporting mechanisms that will reduce the use of unnecessary single-use plastics. Single-use plastics are defined as plastic materials that are used and immediately disposed of once the product is delivered. The ANPR includes a total of 15 questions in which the agency is seeking feedback, with six related to the economic impact of single-use plastics. Executive Order 14057, Catalyzing Clean Energy Industries and Jobs Through Federal Sustainability, which was issued in December, instructed each agency to “reduce waste to include supporting a recycled content market and circular economy approaches.” In addition to the Federal Supply Schedule, GSA is looking to address single-use plastics in its construction, concession, and facility maintenance contracts. According to the notice, GSA “looks for the most advantageous solutions, remaining ahead of problems before they culminate, and making the best decisions on behalf of the American taxpayer.” The agency is looking to address sustainability in contracts in order to achieve this. For more information on the ANPR you can access GSA’s slides from the Coalition’s Green Committee meeting on the topic here.

The Coalition is considering submitting comments in response to the ANPR, which are due to GSA on September 6, 2022. We are interested in hearing members’ input on single-use plastics and packaging in products offered under the Schedules and other GSA contracts. Please contact Aubrey Woolley at awoolley@thecgp.org with any feedback or questions that you may have on this topic. 

Legal Corner: Recent DoD Memorandum and DoJ Report Highlight Enforcement Mechanisms Available to the Federal Government for Noncompliance with Cybersecurity Requirements

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day.  The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

While industry awaits substantive developments on the Cybersecurity Maturity Model Certification (CMMC) 2.0, a recent Department of Defense (DoD) memorandum and the Department of Justice (DoJ) Comprehensive Cyber Review serve as timely reminders of the importance of complying with existing cybersecurity requirements as well as the various mechanisms available to the federal government to enforce compliance.

The principal cybersecurity requirement in the DoD context, and the focus of the DoD memorandum, is Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Among other things, that clause directs DoD contractors that own or operate an unclassified information system that “processes, stores, or transmits” controlled unclassified information to implement the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 requires a covered contractor to develop a system security plan (SSP) that describes the information system and explains how the contractor has implemented NIST SP 800-171’s security controls. The contractor must also create a plan of action (POA) identifying any unsatisfied requirements, explaining how it will meet those requirements, and describing how it will mitigate any security vulnerabilities in the meantime. SSPs and POAs are often not formal contract deliverables, but contractors must provide them to the government upon request. In addition, contractors must monitor and timely report cyber incidents. Contracting officers have tools to assess compliance, including requiring assessments in accordance with DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

The recent DoD memorandum specifies the above requirements and underscores for contracting officers—and, in turn, industry—the various enforcement mechanisms that the government can utilize to address noncompliance. Specifically, the memorandum notes that a contractor’s “[f]ailure to have or to make progress on a plan to implement NIST SP 800-171 may be considered a material breach of contract requirements” and enumerates available remedies for a breach, including withholding progress payments, declining to exercise contract options, and terminating contracts in whole or in part.

Of course, this is not an exhaustive list of the consequences a contractor may face for noncompliance with cybersecurity requirements. Separate and apart from contract-based remedies, contractors may also face liability under the False Claims Act (FCA). As many will recall, just last year, the DoJ announced a Civil Cyber-Fraud Initiative (CCFI) to utilize the FCA to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” DoJ did not mince words, stating that the CCFI “will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients” and thereby affirming that companies in the federal marketplace are the central focus of this initiative. We have been tracking such cases as they progress through federal courts even before the formal announcement of the CCFI, with settlements now being announced by DoJ.

Earlier this month, DoJ issued a Comprehensive Cyber Review report, which discusses the CCFI, as well as a review that DoJ conducted following the December 2020 breach of its Microsoft Office 365 email environment, which it ultimately traced back to the compromise of SolarWinds’s Orion software. In the report, DoJ affirmed its plans to “lead the effort to enforce cybersecurity requirements on federal contractors and grantees” and further announced its desire to participate in actually developing those requirements. Having found the existing requirements to be “insufficiently rigorous,” DoJ has offered to leverage its enforcement experience to assist the Federal Acquisition Regulation (FAR) Council in developing cybersecurity provisions and standards that are, to DoJ’s judgment, readily enforceable.

DoJ also noted its plan to further integrate “privacy and security terms and conditions” into its own procurement documents, templates, and contracts and, once such provisions are “clear and effective,” to “integrate and deploy a significant number of tools at its discretion to ensure contractual cybersecurity standards are followed.” As with the DoD memorandum, DoJ highlighted contract termination among these tools, but also highlighted its authority to pursue civil enforcement actions (and corresponding monetary penalties) in cases of “reckless or intentional failure to maintain cybersecurity standards.”

With cybersecurity top of mind across the federal government, it remains critical that contractors comply with existing requirements and remain prepared for the forthcoming CMMC 2.0 development. This diligence will come in handy in the event of a contract dispute, investigation or any other enforcement action premised upon allegations of noncompliance.

A View From Main Street: Multiple Item Procurements and the Nonmanufacturer Rule

Updates and Opinions on Timely Topics Impacting the Government Contracting Industry from GovCon Expert Ken Dodds

SBA’s waiver of the nonmanufacturer rule allows small businesses to supply the products of large businesses on supply contracts set aside for small business. Prior to June 30, 2016, SBA’s rules did not specifically address waivers in the context of multiple item procurements. Under SBA’s rules at the time, a contracting officer had to provide SBA with a statement of the item to be waived and a determination by the contracting officer that there were no known small business manufacturers for the requested item, and SBA would review the contracting officer’s determination that no small business manufacturer could reasonably be expected to offer a product meeting the specifications (including period for performance) required by the solicitation. If an agency determined that 50 percent or more of the cost of manufacturing the items would be performed by small businesses, then it had to set the solicitation aside for small business in accordance with the rule of two. On the other hand, if the agency could establish that products manufactured by large businesses would account for greater than 50 percent of the value of the contract, then the agency could issue the solicitation full and open or it could request a waiver of the nonmanufacturer rule from SBA in order to set the acquisition aside. If SBA granted the waiver, one reasonable interpretation was that there were no further limitations or requirements applicable to the size status of manufacturers of the items. The agency had demonstrated that the rule of two was not met and SBA waived any requirement to supply any products manufactured by small business concerns. The small business nonmanufacturer could supply the products of large businesses or small businesses in its discretion. This interpretation made it easier for agencies to set acquisitions aside for small nonmanufacturers in lieu of conducting full and open competitions.

In a final rule effective June 30, 2016, SBA addressed how it would process requests for waivers of the nonmanufacturer rule for multiple item procurements. The rule confirmed that if at least 50 percent of the contract value was comprised of items manufactured by small business concerns, then a waiver of the nonmanufacturer rule was not required in order to set the procurement aside. If more than 50 percent of the contract value was composed of items manufactured by large businesses, the agency was again faced with a decision on whether to issue the solicitation full and open or request a waiver of the nonmanufacturer rule. SBA clarified that for multiple item procurements it would grant a waiver for enough items in order to ensure that at least 50 percent of the value of the products to be supplied by the contractor would come from domestic small business manufacturers or were items that had been waived. Thus, in addition to demonstrating that 50 percent or more of the value of items will come from large businesses for purposes of the rule of two, the agency has to also determine the value of the items made by small business concerns and request a waiver for the value of large business items to equal or exceed 50 percent of the value of the contract when combined with the small business items. The clarification was intended to protect small manufacturers. However, if an agency determines that receiving small business credit towards its prime contract goals does not justify the burden of itemizing the value of items manufactured by small businesses, it can issue the solicitation full and open. In full and open competition, a large business contractor will have a small business subcontracting plan, but there is no guarantee that small business subcontractors will supply items manufactured by small business concerns because the limitations on subcontracting and nonmanufacturer rule do not apply to subcontracts.

Have a topic you wish to be covered or a question on how Live Oak Bank could support your business? Email me at ken.dodds@liveoak.bank.