Friday Flash 10.15.21

Cybersecurity:  Not Letting Down Our Guard 

It is October, and for many of us, we started the month with a small sense of anticipation, if not excitement.  Perhaps it is residue from our childhood, knowing that, in several short weeks, it will be Halloween, the threshold into November and our national holiday season.  October, however, also is Cybersecurity Awareness Month, and, according to the Cybersecurity and Infrastructure Security Agency (CISA), 2021 represents the 18th year our nation has set aside this month to raise the national consciousness about cybersecurity, cyber resources, and safe cyber practices online. 

At this point, the need to raise the national consciousness about cybersecurity should not be questioned.  According to the Center for Strategic and International Studies (CSIS), so far this year, there have been over 100 significant cyber incidents across the public and private sectors internationally.  By way of example, among these incidents, CSIS includes the following:  

  • Breach of a State Department email server resulting in the theft of thousands of emails (hackers from Russia suspected). 
  • VPN service vulnerabilities exploited to target entities, particularly U.S. defense contractors, in the U.S. and Europe (state-backed hackers, including a group working on the Chinese Government’s behalf). 
  • Data theft from thousands of private and public entities around the globe resulting from the targeting of Microsoft enterprise email software (Chinese Government hackers). 
  • Attempted hacks into the systems of Pfizer to obtain COVID-19 vaccine information (hackers from North Korea). 
  • Attempt to attack the water supply of a Florida town by raising the supply’s levels of sodium hydroxide (lye) (unknown hackers). 
  • Social engineering (fake blogs, emails) against cyber researchers to lead them online to sites or emails that expose them to infected materials (North Korean Government hackers). 
  • Ransomware attack shutting down the largest fuel pipeline in the United States, for which a $5 million ransom was paid (attributed to a Russian-speaking hacking group). 
  • Hacking attempts to steal the credentials of geneticists, neurologists, and oncologists in Israel and the U.S. (suspected hackers from Iran). 

The foregoing sampling (the full list is quite sobering) of examples demonstrates that cyber-attacks come in different forms and from different sources.  Thus, combatting them requires not only vigilance, but also adaptability to a changing attack landscape.  To this end, the Administration has not been sitting on its hands.  In May, the President signed an Executive Order on “Improving the Nation’s Cybersecurity,” which takes important steps in leveraging federal requirements to assure that government systems “meet or exceed the standards and requirements for cybersecurity” that the order sets forth.  The Coalition discussed this order in a prior blog, pointing to, among other things, issues it addresses, including: 

  • The removal of contract barriers to facilitate threat, incident, and risk information sharing. 
  • Cyber incident reporting.  
  • The use of a Zero Trust Architecture and the acceleration of “movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).”  
  • Centralization and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. 
  • Prioritization of resources to adopt the use of cloud technology. 
  • For data in transit and at rest, the adoption of multi-factor authentication and encryption. 
  • The provision of a Software Bill of Materials containing, among other things, a record of the supply chain relationships associated with the construction of the software. 
  • The establishment of a Cyber Safety Review Board. 

In addition, NIST issued a bulletin on July 9 highlighting the three obligations under the order that it completed last month: defining critical software; publishing guidance outlining security measures for critical software; and issuing guidelines recommending minimum standards for vendors’ testing of their software source code.  Finally, CISA published resources on its website specifically directed to Cybersecurity Awareness Month, with topics scheduled for each week of the month.  In addition, it provides technical and nontechnical resources to help various stakeholders improve their cyber posture. 

The theme for Cybersecurity Awareness Month is: “Do Your Part. #BeCyberSmart.”  CISA pointed out, 

This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. 

We agree, and for its part, the Coalition is working to keep members informed on these issues.  Just this week, the focus of a joint meeting of the Business and Regulatory Issues Committee (BRIC) and the Cyber and Supply Chain Security Committee (CSCSC) was on telework in the post-COVID environment that included a discussion of cyber issues with Sheppard Mullin’s Townsend Bourne (co-chair of the CSCSC), Anne Perry, Jonathan Aronie, and Ryan Roberts. And, just last month, another co-chair of the Coalition’s CSCSC, Bob Metzger from Rogers Joseph O’Donnell, appeared on Federal News Network’s “Off the Shelf” radio show for a wide-ranging discussion of the current policy developments addressing cyber security and the supply chain. In a few weeks, the Coalition’s Fall Training Conference will include two panels relevant to these issues: the Cyber and Supply Chain Compliance Panel, and the DoD Cybersecurity Initiatives and CMMC Panel. 

There is one bottom line here: when it comes to cybersecurity, we cannot rest on assumptions. The dynamic nature of cyber threats requires all of us to maintain our situational awareness and to enhance our understanding of the existing and new threats on the horizon, our ability to respond to those threats, and our resiliency in the face of attack.  The Coalition will continue to do its part, bringing members timely and actionable information to promote business continuity in service to customer agencies and the citizens that rely on them. 

 

In Honor of Our Colleague and Dear Friend, Skip Derick 

The Coalition for Government Procurement mourns the passing of Charles “Skip” Derick, a longtime industry partner and dear friend to both Coalition staff and our members. Skip passed away peacefully in his home on October 4 surrounded by the comfort of his family.  

A long-time veteran of the IT industry, Skip served as Staff Vice President of GSA Services Schedules at General Dynamics Information Technology before retiring in 2012.  Outside of his decorated career as a well-respected acquisition professional, Skip enjoyed a number of activities, including fishing, walking, and traveling. 

Coalition President Roger Waldron shared the following thoughts and memories in his honor: 

“I am deeply saddened by the news of Skip’s passing. Skip was one of the kindest and most caring individuals that I have met. He had the ability to leave a positive impact on everyone that he encountered. I first got to know Skip during my time at GSA both as an industry partner and a friend.  Later, I had the distinct pleasure of working closely with Skip, as he was a great supporter of the Coalition. Even after retirement Skip stayed involved with the Coalition, serving as a judge for our Excellence in Partnership awards.  

In 2011, Skip received one of our highest honors, the Lifetime Excellence Award. This award not only demonstrated the excellent work he did for the acquisition community, but also the sincere character in which he carried himself. Skip will be dearly missed.”  

Skip Derick also served as a dedicated member of the Coalition’s IT/Services Committee and co-chair of the Green Committee. 

Skip is survived by his loving wife, daughter, and her husband.  

For details on the funeral service, as well as sending flowers or planting trees in memory of Skip Derick, please click here.  

 

GSA Virtual Meeting on COVID-19 Safety Protocols

On Wednesday, October 13, the General Services Administration (GSA) held an industry event on COVID-19 Safety Protocols for Contractors in which GSA’s acquisition leadership discussed the agency’s implementation of Executive Order 14042 on “Ensuring Adequate COVID-19 Safety Protocols for Federal Contractors,” as well as an associated FAR Council memorandum and GSA class deviation.  

The virtual meeting included information for contractors about the new FAR contract clause, covered contracts and contractor employees, procedures for contracts, and enforcement of the clause. GSA plans to implement the COVID-19 FAR clause in GSA contracts including GSA Schedules contracts, GWACs and MACs. GSA began sending mass modifications with the COVID-19 FAR clause to all its Schedule holders last Friday, October 8, and is sending them on a rolling basis at approximately 3,000 per day. Modifications for other GSA contracts, including 8(a) STARs, Alliant 2, OASIS, Enterprise Infrastructure Solutions (EIS), and Networks, will be sent to contractors beginning Friday, October 15.  

The FAR clause directs contractors to follow the Safer Federal Workforce Task Force Guidance for Contractors, including its FAQs, and directs contractors to flow the clause down to their covered subcontractors at all tiers, except subcontractors for products. According to GSA, prime contractors may assume that subcontractors are complying with the clause absent credible evidence otherwise.  

The slides from the virtual meeting are posted here. 

For additional COVID-19 resources for contractors, visit the Coalition’s website here: https://thecgp.org/coronavirus-resources-for-federal-contractors 

 

OSHA to Require COVID-19 Vaccinations and Testing Protocols for Businesses

The Safety and Health publication reported that the Occupational Safety and Health Administration (OSHA) is working “expeditiously” on an emergency temporary standard (ETS) on COVID-19 vaccination and testing. No time frame was provided for when the emergency temporary standard will be issued. However, OSHA provided the text of the COVID-19 vaccination and testing standard to the Office of Information and Regulatory Affairs (OIRA) this Tuesday, Oct. 12, for final review and approval.  The President requested that OIRA expedite its review. 

President Biden announced on Sept. 9 that OSHA is developing an ETS that will require employers with at least 100 workers to “ensure their workforces are fully vaccinated or show a negative test at least once a week.” According to the publication, Frederick acknowledged that the “expedited nature” of an ETS “unfortunately” doesn’t allow for public comment before its publication. However, he said the ETS essentially serves as a proposed rule and would allow for comments that could guide the drafting of a permanent standard if OSHA chooses to issue one. 

 

DOE and GSA Release “Green Proving Ground” RFI

On October 13, GSA, in collaboration with the Department of Energy (DOE), released an RFI for technology that will support the reduction of greenhouse gas emissions from commercial buildings. GSA is in search of technologies and solutions that have the potential to be adopted throughout the U.S. marketplace. The RFI centers on three categories of technologies and solutions that will support the transition to net-zero carbon emissions: 

  • High-Performance/Low-Carbon Building Technologies and Solutions. Technologies of interest include electrification of major loads; large-scale heat pump systems, including those that can operate in cold climates; retrofit heat recovery systems; and innovative building envelope retrofit solutions. 
  • Onsite Energy Generation and Storage Systems. Technologies of interest include high-efficiency photovoltaics (PV); building-integrated PV; solutions to better integrate PV and energy storage into building management systems; solar thermal and geothermal; on-site distributed wind; and hydrogen fuel cells. 
  • Greenhouse Gas or Carbon Reduction Technologies. Technologies of interest include on-site carbon capture for fuel-fired processes and technologies that use next-generation refrigerants with low or no global warming potential. 

GSA will evaluate responses for “inclusion in GSA’s Green Proving Ground (GPG) program or voluntary partnership programs facilitated by DOE.” Technologies and solutions that are not ready for evaluation in occupied, operational buildings will not be considered. Submissions are due by Tuesday, December 7. Responses may be submitted by a single vendor or by a team. Responses can be submitted here. 

GSA is hosting an information session on Wednesday, November 10 from 1 pm – 2 pm EDT. Registration is available here.   

  

Security of Agency Telework during COVID-19

A recent Government Accountability Office (GAO) report looked into 12 agencies and the technology that supports remote access for telework. GAO found that “all had the technology to support remote access for telework. But not all agencies had fully addressed relevant guidance for securing their remote access systems.” All had elements of a telework security policy, but not all had “fully addressed other relevant federal guidance for securing their systems that support remote access for telework.” Specifically, two agencies had not fully documented relevant IT security controls to protect those systems. In addition, assessments for systems that five agencies relied upon for remote access did not address all relevant controls to ensure the controls were operating effectively. Further, four selected agencies had not fully documented remedial actions to mitigate weaknesses they had previously identified.  

GAO made nine recommendations that were based on these findings to “document and assess relevant controls, and to fully document remedial actions for systems supporting remote access.”  

 

Join the 2021 Fall Training Conference, Nov. 17-18

The 2021 Fall Training Conference’s theme will continue the Coalition’s focus on the Biden Administration’s priorities for the federal acquisition system and what it means for government and industry. We have invited a host of speakers from across the federal acquisition community for a dialogue on key policy, operational, and management initiatives shaping the business of government.  This two-day virtual conference, taking place November 17-18, will utilize the same technology as our previous two conferences. 

Day One: 

We have invited Robin Carnahan, GSA Administrator, to provide Keynote remarks at the beginning of day one.  Following on the agenda will be our critically acclaimed Legal Panel, where we’ve invited David Dowd (Mayer Brown), Lorraine Campos (Crowell & Moring), Jonathan Aronie (Sheppard Mullin), and Jason Workmaster (Miller & Chevalier) to provide commentary on a variety of legal topics and announce this year’s “The Rogers.”  

After a short break for lunch, the following topics will be on the agenda in parallel tracks:   

    • Cyber and Supply Chain Compliance: Townsend Bourne (Partner, Sheppard Mullin – confirmed); Leo Alvarez (Director, Baker Tilly – invited) 
    • VA Procurement and Contracting: Craig Robinson (Associate Executive Director, NAC – invited); Rick Lemmon (Executive Deputy Chief Procurement Officer, VHA – invited); Christopher Parker (Associate Executive Director, SAC – confirmed); Sharon Ridley (Executive Director, VA OSDBU – invited)
    • DoD Cybersecurity Initiatives and CMMC: Bob Metzger (Shareholder, Rogers Joseph O’Donnell – confirmed) 
    • Schedules Workshop: Steve Sizemore (Project Manager, MAS PMO, GSA – invited); Mark Lee (Assistant Commissioner, Office of Policy and Compliance, GSA – invited) 
    • View from the Hill: Matthew Cornelius (Professional Staff Member, Minority, Senate Committee on Homeland Security and Governmental Affairs – invited) 
    • GSA Interagency Contracting Portfolio Panel (GWACs, OASIS, and More): Erv Koehler (Assistant Commissioner, Customer Accounts and Stakeholder Engagement, GSA – invited as moderator); Laura Stanton (Assistant Commissioner, Information Technology Category, GSA – invited); Chris Bennethum (Deputy Assistant Commissioner for Assisted Acquisition Services, GSA – invited); Sheri Meadema (Director of Program Operations, Professional Services and Human Capital, GSA – invited)  

As always, both days will conclude with smaller breakout sessions where you will be able to choose your session based on your particular interest and ask questions directly of the speakers.  Day one breakouts will include:  

    1. GSA Systems: Judith Zawatsky (Assistant Commissioner, OSM, GSA – invited); Tim Dempsey (Lead Program Manager, Operations Division, OSM, GSA – invited) 
    2. Office Products: Maria Viscione (Supervisory Contract Specialist, GSA – invited) 
    3. Industrial Products/Update from the SSAC: Teresa McCarthy (Center Director, GSA – invited); Kim Kittrell (Branch Chief, GSA – invited); George Prochaska (FAS Regional Commissioner, GSA – invited); Susannah Elizondo (Contract Specialist, GSA – invited) 
    4. Services on GSA Schedules: Scott Eberle (Acquisition Program Manager, GSA – invited); Kristann Montague (Supervisory Contract Specialist, GSA – invited) 
    5. IT: Cheryl Thornton-Cameron (Acting Deputy Assistant Commissioner, Office of Acquisition, GSA – invited); Giovanni Onwuchekwa (Deputy Director ITC, GSA – invited) 
    6. VA Public Law Pricing Update: Joy Sturm (Partner, Hogan Lovells – confirmed); Jeff Blake (Managing Partner, Federal Compliance Solutions – invited) 
    7. DLA MSPV and ECAT: Steve Bollendorf (Chief, DLA Med/Surg Prime Vendor Program – confirmed); Yasmeen Turner (Senior Contracting Officer, DLA – confirmed) 
    8. Small Business Opportunities: David Black (Partner, Holland & Knight – confirmed as moderator); Ken Dodds (Government Contracting Industry Expert, Live Oak Bank – confirmed); Antoine Broughton (Direct Access Program & Strategic Outreach and Communications, VA OSDBU – invited); David Loines (Director, Office of Government Contracting, SBA – invited); Exodie Roe (Associate Administrator, GSA OSDBU – invited) 

Day Two: 

Day two will follow a similar format where we have invited Mike Parrish, Principal Executive Director and Chief Acquisition Officer, OALC, VA, to provide Keynote remarks in the morning.  Following the keynote, topics and speakers will include:  

    • Procurement Executive Panel: Jeff Koses (Senior Procurement Executive, GSA – invited); John Tenaglia (Principal Director, DPC – invited); Paul Courtney (Chief Procurement Officer, DHS – invited); Dr. Angela Billups (Executive Director and Senior Procurement Executive, OAL, VA – invited) 
    • Future of VA Medical Logistics: Mike Parrish (Principal Executive Director and Chief Acquisition Officer, OALC, VA – invited); Deb Kramer (Acting Assistant Under Secretary for Health for Support, VHA – invited); Phil Christy (OALC Deputy Executive Director, VA – invited); Andrew Centineo (Executive Director, Procurement and Logistics, VHA – invited) 
    • Dialogue with Made in America Director Celeste Drake: Celeste Drake (Made in America Director, OMB – confirmed)
    • Medical Supply Chain: Dan Keefe (Director, Medical Supply Chain, DLA – invited); Luis Villarreal (DLA Industrial Capability & Warstopper Program Manager – invited); Makoto Braxton (Director, Contracts and Grants Division, HHS – invited) 
    • Observations from FAS Commissioners – Present and Past: Sonny Hashmi (FAS Commissioner, GSA – invited); Jim Williams (President, Jim Williams Consulting LLC – invited); Alan Thomas (Chief Operating Officer, IntelliBridge – confirmed) 
    • Priorities for IT Modernization Fund: Raylene Yung (TMF Executive Director – invited); Clare Martorana (Federal Chief Information Officer, OMB – invited); David A. Shive (Chief Information Officer, GSA – invited); Matthew Hartman (Deputy Executive Assistant Director of Cybersecurity, DHS CISA – invited) 
    • Buy American and Domestic Sourcing: Moshe Schwartz (President, Etherton and Associates – confirmed as moderator); Mathew Blum (Associate Administrator, OFPP – invited); Chris Toffales (President and Managing Director, CTC Aero – invited); Roxanne Banks (Deputy Director, Acquisition, DLA – invited) 

Day two breakouts will include the following options to choose from:  

    1. VA MSPV – Operational Update: Mark Probus (Director, VHA Medical Supply Program Office, VHA – confirmed); Katie Hulse (Director, Acquisition Services 3, Medical/Surgical Prime Vendor, VA SAC – invited); Craig Hilliard (Lead Contracting Officer, MSPV Supply BPAs, VHA – invited); Kim Hupp (Contracting Officer, MSPV DAPAs, VA – confirmed); Gina Napier (Contracting Officer, MSPV-NG Bridge, VA – confirmed) 
    2. E-Commerce – Update on Commercial Platforms Initiative: Keil Todd (Program Manager, Commercial Platforms Initiative, GSA – invited); Haven Wynne (Digital Products Marketplace Advisor, GSS, GSA – invited) 
    3. Cloud Marketplace: Skip Jentsch (Cloud Products Manager, GSA – invited); Matthew McFarland (Legislative and Regulatory Advisor, GSA – invited); Joel Lundy (Director, IT Software Subcategory, ITC, GSA – invited) 
    4. DHA Pharmaceuticals: Col. Markus Gmehlin (Chief, Pharmacy Operations Division, DHA – confirmed); Dr. Julia Trang (Strategic Sourcing Pharmacist, Industry Liaison, DHA, POD, FM – confirmed) 
    5. GWAC/MAC: Carlton Shufflebarger (Acting Executive Director of IT Services, OITC, GSA – invited); Joanne Woytek (SEWP Program Manager, NASA – confirmed); Ana Eckles (Director of Human Capital Solutions, GSA – invited); Brian Goodger (NITAAC Acting Director and Associate Director, Office of Logistics and Acquisition Operations, NIH – invited); Chelsey Hayes (OASIS Program Manager, GSA – invited) 
    6. Global Supply/4PL: Steve Smith (Director, GSS Central Office Acquisition Division, GSA – invited); Paul Mack (Director, Office of Retail Operations, GSA – invited) 
    7. Services MAC: Jill Akridge (Director of Customer Account Management, Professional Services and Human Capital Portfolio, GSA – invited); Adam Soderholm (Program Executive, Category Management PMO, GSA – invited); Lee Tittle (Project Manager, GSA – invited); Paul Szymanski (OASIS/BIC MAC ConOps Chief, GSA – invited) 
    8. Furniture: Ryan Schrank (Center Director, GSA – invited); Dena McLaughlin (FAS Regional Commissioner, GSA – invited); Shaun Kelly (Branch Chief, MAS Program, GSA – invited); Ivana Henry (Business Development Director, GSA – invited); John Breen (IWAC Projects Branch Chief, GSA – invited); Linda Valdes (IWAC Contracts Administration Branch Chief, GSA – invited) 

Roger Waldron, Coalition President, will close out the two-day virtual conference with final remarks.  We look forward to your participation at this important training conference!
 

Please click HERE to see the full DRAFT agenda. 

Please click HERE to register!   

Calling all SPONSORS! Please contact Matt Cahill at mcahill@thecgp.org or 202-315-1054 for sponsorship opportunities! 

 

OMB Releases New Cybersecurity Memo on “Endpoint Detection and Response”

Federal News Network reported that last week, the Office of Management and Budget (OMB) released an endpoint detection and response (EDR) memorandum to Federal agencies as part of its strategy to be more proactive rather than reactive. According to the memo, EDR will improve the Government’s ability to detect and respond to increasingly sophisticated threat activity on Federal networks. EDR can be described as “real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.” EDR provides a degree of visibility into advanced cybersecurity threats, and the ability to respond to them, that traditional security solutions do not. EDR is also an essential component of the transition to Zero Trust Architecture. The memo gives agencies 120 days to assess current EDR capabilities, identify gaps, and then work with CISA to improve their systems. CISA and the CIO Council have 90 days to develop an EDR technical reference model as well as recommendations to OMB to speed up the use of these tools throughout the Government. CISA and the Council also have 120 days to develop a strategy to implement these tools.

 

VA Seeking Cost Estimate for EHR Modernization Program 

Fedscoop reported that after failing to present Congress with a full picture of the costs associated with its Electronic Health Record (EHR) Modernization Program, the Department of Veterans Affairs (VA) is bringing in an independent body to review the program and provide a full cost estimate. According to Fedscoop, Deputy CIO “Paul Brubaker told lawmakers on the House Veterans’ Affairs Committee during a legislative hearing Thursday that the VA has contracted the Institute for Defense Analysis (IDA) to analyze and provide a total lifecycle cost of the EHR Modernization Program — which was first pitched as a $10 billion project tag before ballooning to $16 billion, and likely more. IDA will kick off its work later this month, and VA estimates it will be 12 months before it gets a full estimate, Brubaker said.” 

The VA hopes this will “make sure that for once and for all, we actually capture all of these end-to-end costs” associated with the development and deployment of the program, now three years into its rollout. The program is designed to be a complete overhaul of the VA’s health IT system, with a new cloud-based system from Cerner that should one day be interoperable with the Department of Defense’s own EHR. 

 

Justice Department to Pursue “Cyber Fraud” by Government Contractors 

Fedscoop reported on a new program that holds contractors accountable for providing deficient cyber technologies to Federal agencies, misrepresenting their cybersecurity practices and protocols, and concealing cyber breaches. Punishment for not reporting cyber breaches to the Government can equal three times the amount their failure would cost the Government. This comes in the wake of a new Cyber-Civil Fraud Initiative announced by the Department of Justice (DOJ), under which it will use the False Claims Act to pursue these contractors that work with Federal Government agencies. According to a press release from the Justice Department, “the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” 

“The Cyber-Civil Fraud Initiative is being led by the Civil Division’s Commercial Litigation Branch, Fraud Section, at the DOJ. It is a direct result of the department’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Lisa Monaco in May.” 

 

DoD Focuses on JWCC in Aftermath of JEDI Cloud Contract

Federal News Network reported on the legal dispute over the Pentagon’s JEDI Cloud contract and its demise this week following the Supreme Court’s decision not to hear Oracle’s challenge to the way in which the contract was structured. The Pentagon just finished its market research for the upcoming Joint Warfighter Cloud Capability (JWCC) program, which is expected to be awarded to multiple vendors. The Pentagon is planning to issue direct solicitations to Microsoft and Amazon.  

Once the solicitations have been issued, DoD will begin making the contract awards to the cloud providers mentioned. Once the contracts have been awarded, DoD plans to make JWCC unclassified-level cloud services available to DoD components 30 days after award. 

 

DoD Clearance Holders will be Under “Continuous Vetting”

There are roughly 3.6 million DoD clearance holders in the initial version of continuous vetting, according to Federal News Network. This is a milestone in the “Trusted Workforce 2.0” model. The model reforms the current personnel vetting process and creates one system that can be used governmentwide and allows reciprocity across agencies. Currently the vetting system has a “risk-managed approach with select automated record checks,” but under the new model there are continuous record checks. Continuous vetting allows the Defense Counterintelligence and Security Agency (DCSA) to find issues in real time that would previously have taken years to find, says DCSA Director Bill Lietzau. 

At a minimum, there are 30 non-DoD agencies that are either signed up to or actively enrolling their cleared staff in the new system. GSA, HHS and VA are among the 30 agencies. DCSA is working to have more agencies enrolled in continuous vetting. The next milestone in the model is expanding continuous vetting to the following new categories: 

  • Terrorism 
  • Foreign Travel 
  • Financial Activity 
  • Criminal Activity 
  • Credit Reports 
  • Public Records 
  • Agency-Specific Eligibility Criteria 

Outside of those categories, Lietzau wants to expand social media checks. DCSA currently has pilot programs to test the effectiveness of monitoring the content. The legacy OPM database is still being managed by DCSA. DCSA is working on a replacement for the legacy database, which is called the National Background Investigation Services (NBIS). There have been adjustments to the NBIS development schedule, but the new system should be available next summer. DCSA will continue to manage the legacy system until 2023. With the new system, there will be an increase in data, so DCSA will have to create IT systems and processes for all the new data.  

 

VPP Data Coming to GSA Advantage!

GSA has announced that on October 15, Verified Products Portal (VPP) data will be displayed on GSA Advantage! The VPP data displayed will include product descriptions, images, and PDF attachments, which will supplement catalogs already on GSA Advantage! This update will help make Commercial Off the Shelf (COTS) products more accessible to customers. In the future, GSA wants to make VPP data available to contractors who populate their catalogs in the Common Catalog Platform (CCP). See the VPP and Advantage connection Q&A here. If you have any questions, email catalogmanagement@gsa.gov. 

 

DoD’s IT and Cyber Budgets Expected to Continue Steady Growth

Federal Computer Week reported that as the DoD implements Zero Trust Architecture and increases its use of AI, IT and cyber budgets may increase. Acting DoD CIO Kelly Fletcher said that the budget growth in these areas does not reflect inefficiencies, but “the nature of the next fight.” Fletcher said that resilient networks that can handle AI capabilities will be a key focus of the increased investments. In recent years, DoD’s IT spend has risen steadily, with roughly a 16 percent increase from under $31 billion in 2016 to almost $36 billion in 2021. Cyber spending also experienced similar growth over the same time period. The IT investment budget for fiscal year 2022 is estimated to be $38.6 billion. DoD is planning to stand up a Zero Trust Program Office that will work with industry partners to establish best practices and look for new ways to innovate cyber defense. 

 

GSA Seeking Volunteers to Test UEI in SAM.gov

On October 6, GSA announced that it is looking for volunteers to try the new Unique Entity ID (UEI). Volunteers will receive scripts that walk through the UEI functions, such as requesting and receiving a UEI or handling error scenarios. Each script will take 20 minutes or less. Volunteers can test at their own pace and will send GSA their feedback. GSA will then use the feedback to help improve the system. 

In April 2022, the Federal Government will switch from the DUNS number to the UEI. All entities doing business with the Federal Government will receive a UEI through SAM.gov. You can register to be a volunteer tester here.   

 

Air Force Acquisition Nominee Highlights Importance of Software Acquisition

Federal Computer Week reported on the top priorities of the White House’s nominee for the position of Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics, Andrew Hunter. Hunter’s top initiatives include improving how the Air Force acquires software and IT systems. During testimony in a confirmation hearing before the Senate Armed Services Committee, Hunter said that the Air Force needs to “approach the acquisition of software and software intensive systems, which are providing many of the cutting-edge new capabilities for our military, from a different vantage point with alternative approaches and alternative tools.” If confirmed, Hunter plans to focus on identifying which acquisition pilots and authorities work. He also aims to educate the workforce on tools like other transaction authorities. Additionally, Hunter highlighted the importance of developing IT business systems for the services and sharing lessons learned. To access Mr. Hunter’s statement from the confirmation hearing, click here. 

 

Legal Corner: Heightened Cyber False Claims Risk: New DOJ Approach to US Government Contractor and Federal Grantee Cybersecurity Enforcement 

On October 6, 2021, the US Department of Justice (DOJ) announced a new initiative to address cyber-fraud that focuses on government contractors. Specifically, DOJ has launched a “Civil Cyber-Fraud Initiative” (Initiative), which will combine DOJ’s “expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.” The Initiative will impact US government contractors and participants in similar agreements, e.g., Other Transactions, as well as grant recipients across the country.

What Happened and Why

DOJ formed the Civil Cyber-Fraud Initiative to address a concern that contractors may be failing to give required notice of cyber breaches. Based on its press release announcing the Initiative, DOJ appears to be of the view that some companies are electing to remain silent regarding known breaches even though the incidents should be reported according to the contract terms.

The Civil Cyber-Fraud Initiative will utilize the civil False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The FCA permits the government to obtain treble damages and penalties for “knowingly” submitting false claims for payment. The statutory definition of “knowingly” includes deliberate ignorance and reckless disregard. The FCA also includes a whistleblower provision that allows private parties (known as “relators”) to pursue fraudulent conduct and to share in any recovery.

DOJ stated that the Initiative “will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

What to Expect

Many government contracts include clauses that require contractors to provide prompt notice of any cybersecurity breach. For example, DoD contracts that require contractors or subcontractors to safeguard covered defense information contain DFARS 252.204-7012. That clause requires a contractor (or subcontractor) to report a cyber incident within 72 hours of discovery. This timing may require the company to report an incident before the full extent of the breach has been determined.

DOJ emphasized that it expects the Initiative to, among other things, “hold[] contractors and grantees to their commitments to protect government information and infrastructure”; “ensure[] that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage”; and “support[] government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.” The heightened scrutiny of US government contractor cybersecurity indicates that DOJ will allocate greater resources to identifying and pursuing FCA actions with regard to cybersecurity products and practices. The increased attention also may draw additional interest from the counsel who represent relators.

For additional information or to discuss what the Initiative means for you, please contact Marcia G. Madsen, David F. Dowd, or David A. Simon.

Executive Order 14042 Survival Guide

Authored by Jonathan Aronie, Anne Perry, Nikole Snyder, Denise Giraudo, and Ryan Roberts

Sheppard Mullin

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.

On September 9, 2021, President Biden signed an Executive Order (EO) to implement COVID safety protocols for Federal service contractors and subcontractors. While the EO did not outline specific rules, it did direct a Federal task force (the “Safer Federal Workforce Task Force,” created by Executive Order in January 2021) to issue COVID-19-related workplace safety guidance for prime contractors and subcontractors. On September 24, 2021, the Task Force issued that Guidance, setting out specific workplace safety protocols and providing a few Questions and Answers to aid in interpretation of those protocols. Most notably, the Guidance mandates that a wide swath of the federal contracting and subcontracting communities receive COVID vaccinations. The EO and Guidance are broadly worded; and, while they do NOT apply to all contractors, they will impose new compliance obligations upon many, including:

  • Businesses that sell to the Government,
  • Businesses that sell to businesses that sell to the Government,
  • Colleges and universities,
  • Hospitals and healthcare facilities,
  • Hotels,
  • Financial institutions, including participants in GSA’s SmartPay program,
  • Concessionaires, and
  • Almost any other entity that receives Federal, non-grant dollars.

At the same time President Biden announced the EO, he also announced that the Occupational Safety and Health Administration (OSHA) will be developing an emergency standard that will require employers with more than 100 employees to mandate that employees be vaccinated or submit to weekly testing. While much remains unknown about the OSHA rule, we do know it does not preempt the EO.

Does The EO And Guidance Apply To Me?

It’s likely. As discussed in more detail below, the new rules apply very broadly. If you sell a service to the U.S. Government or to a business that sells to the U.S. Government, you likely will be impacted by the rule in some way. Additionally, because the rule “urges” federal contracting officers to incorporate the new clause in contracts that go beyond the express scope of the rule, even product manufacturers are likely to be impacted in some way.

What Does The Rule Require?

Broadly speaking, the Task Force Guidance requires vaccinations (with certain limited exceptions), proper masking, and physical distancing. The specifics are spelled out in the Task Force Guidance and will not be repeated here. One point is worth emphasizing, though – all Covered Contractor Employees must be fully vaccinated by December 8, 2021 (unless entitled to a legal accommodation), including covered contractor employees working from home. If you do the math, this means contractors that will be covered by the rule better get started NOW, because employees are only considered “fully vaccinated” once they are two weeks past the second dose of a two-shot vaccine, or two weeks after receiving a one-shot vaccine. What this means is that October 27, 2021 is the last day a Covered Contractor Employee can receive the first shot of a Moderna two-shot vaccine in order to be in compliance with the new rules, considering the four-week waiting period between shots; November 3, 2021 is the last day to receive the first shot of a Pfizer-BioNTech two-shot vaccine, considering the three-week waiting period between shots; and November 17, 2021 is the last day to receive the Johnson & Johnson single-shot vaccine. After December 8, all Covered Contractor Employees must be fully vaccinated by the first day the clause is incorporated into your contract(s) (e.g., the period of performance for a new contract, the first day of the period of performance on an exercised option or extended/renewed contract when the clause has been incorporated into the covered contract, or the first day the Government issues a modification to your contract incorporating the clause). The Guidance also requires Covered Contractors to follow the CDC’s guidelines for masking and physical distancing at a Covered Contractor Workplace (including indoor and outdoor facilities), which applies to employees and visitors. The applicable guidelines depend on whether the Covered Contractor Workplace is located in an area of high or substantial community transmission. These guidelines also vary (i.e., are less stringent) depending on whether an individual is fully vaccinated.

Are There Exceptions To The Vaccination Requirement?

There are two types of exceptions to the vaccination requirement — employees who need to be accommodated due to their sincerely held religious belief and/or a disability/medical condition. The Guidance also includes an exception for an urgent or mission-critical need for a Covered Contractor to have Covered Contractor Employees begin work on a Covered Contract or in a Covered Workplace prior to being fully vaccinated (but such employees must get fully vaccinated within 60 days thereafter). Keep in mind, these exceptions are different from “opting out.” The Guidance does NOT permit individuals to opt out of the vaccination requirements by subjecting themselves to regular testing (as will be permitted under the OSHA regulation). Further, the Guidance does not allow employees to demonstrate natural immunity via proof of prior COVID infection or positive results from an antibody test. The only actual exceptions are religious and medical exceptions. Frustratingly, the Guidance fails to provide the necessary details in two key areas. First, the Guidance does not provide any direction to Covered Contractors to assist with the evaluation of religious/medical exception requests, although Title VII and the Americans with Disabilities Act have guidance as to what can be considered by an employer. Covered Contractors will be required to evaluate these requests pursuant to the existing rules. This reality increases the likelihood of lawsuits against contractors: reject a request and risk being sued by the employee; grant a request and risk being sued by all other employees who work near the exempted individual. We have urged GSA to work toward providing at least some limited immunity to companies that make a good faith exemption decision, in the way the Government provides limited immunity under the Defense Production Act, the PREP Act, and the SAFETY Act, but we are not optimistic our advice will be adopted any time soon. Second, the Guidance fails to provide the parameters to assist Covered Contractors in understanding what types of accommodations can be made available to employees granted an accommodation due to a sincerely held religious belief and/or a disability/medical condition. For example, will the EO allow an employee that meets the criteria for a religious accommodation to be in the workplace if they are masked at all times while distancing from others? Or, will the EO require that employee to work remotely? What if the position cannot be remote? These questions remain unanswered, and we have urged GSA to provide guidance.

To view the entirety of the Executive Order 14042 Survival Guide, please click here.

Assisted Acquisition Services Forum: Delivering Best Value Mission IT and Professional Services Support to Customer Agencies

 On October 27, the Coalition will be hosting senior leaders from the Federal Acquisition Service’s Office of Assisted Acquisition Services (AAS) for a forum focusing on the AAS mission and the outlook for Fiscal Year 2022. The forum will provide an opportunity for AAS leadership to share updates on vehicle utilization strategies and current customer mission support opportunities and will include an update on ASTRO. AAS uses the IT GWACs, OASIS and the FSS to support customer agency needs. ASTRO joins this pool of contract vehicles.   

The forum will also address procurement and management best practices and priorities from the regional offices and FEDSIM. AAS has seen unprecedented growth in its portfolio of customer agency support projects and will share insights on where things are headed over the next year from a business and organizational perspective. The forum will feature the two following panel discussions:    

 9:00 am to 10:00am EDT – Vehicle Utilization and Customer Mission Support—the picture for AAS   

Chris Bennethum, Assistant Commissioner, AAS                  

Chris Hamm, Director, FEDSIM                                                                                

10:00am to 11:00am EDT – Best Practices and Priorities   

Erin Quick, Acquisition Quality Director, FEDSIM  

Kari Santora, AAS Director, Region 3 (Mid-Atlantic)  

Jack Wise, Director, Acquisition Operations, Region 3 (Mid-Atlantic)  

Garett Nelson, Branch Manager, Region 4 (Southeast Sunbelt)  

Joel Fada, AAS Director, Region 9 (Pacific Rim)  

This event will be complimentary for all Coalition Members, but registration is required. Please CLICK HERE to register.   

 

Requesting Member Feedback on Polaris Draft RFP

GSA released an updated Polaris draft solicitation on September 24. Some of the changes included: 

  • Inclusion of a service-disabled, veteran-owned small business (SDVOSB) pool; 
  • Reduction of the minimum dollar thresholds for relevant experience; 
  • Reduction to the number of potential relevant experience project submissions; and 
  • Revisions to clarify proposal requirements. 

GSA is accepting comments and questions on Polaris at polaris@gsa.gov. If you have any Polaris feedback you would like to share with the Coalition, please submit it to Samantha Holt at Sholt@thecgp.org. GSA is hosting a Polaris Industry Forum on October 20. 

GSA Polaris Industry Forum, Oct. 20 

On Wednesday, October 20 at 1 pm EDT, GSA will be hosting a Polaris Industry Forum for small businesses and those interested in helping Federal agencies with IT services solutions. In this session, GSA will discuss the path forward for their new, innovative, and exciting small business Governmentwide Acquisition Contract, or GWAC, and what it could mean for your business. To register, click here. 

 

Buy American Act NPRM Deadline for Comments Extended to Oct. 28

The FAR Council has extended the comment period on the amendments to the Buy American Act from September 28, 2021 to October 28, 2021 to give additional time for interested parties to develop comments on the proposed rule and provide feedback on the questions posed in the preamble. On July 28, the FAR Council published a Notice of Proposed Rulemaking that would make changes to the implementation of the Buy American Act. 

The proposed rule addresses section eight of Executive Order (EO) 140005, Ensuring the Future is Made in All of America by All of America’s Workers, signed by President Biden in January 2021. Specifically, the proposed rule calls for an increase to the domestic content threshold, a framework for application of an enhanced price preference for a domestic product that is considered a critical product or made up of critical components, and a post-award domestic content reporting requirement for contractors.

The Coalition is submitting comments in response to the Notice of Proposed Rulemaking by October 28. The Coalition’s draft comments can be read here. Please submit any feedback on the draft comments to Tsisti@thecgp.org by COB Wed., October 20.    

 

DoD Proposed Rule: Updating Required Data for Other than Certified Cost or Pricing Data

On August 30, DoD released a proposed rule to amend the DFARS to implement Section 803 of the National Defense Authorization Act (NDAA) for FY20. Section 803 prohibits Contracting Officers (COs) from determining that the price of a contract or subcontract is fair and reasonable if the determination is based only on historical prices paid by the Federal Government. Under Section 803, offerors are required to make a good faith effort to submit data if a CO makes a reasonable request for data needed to determine whether the prices are reasonable, unless the head of the contracting activity determines that it is in the best interest of the Federal Government to make the award to that offeror.

The proposed rule will amend DFARS 215.403-3(a) to prohibit COs from determining fair and reasonable prices based solely on historical prices paid by the Federal Government. Another proposed change is amending DFARS 215.403-3(a)(4), which states that COs must verify that analysis was performed to determine that prior prices paid by the Federal Government were fair and reasonable before relying on prior prices paid. DoD is proposing that DFARS 215.403-3(a)(4) be replaced with 10 U.S.C. 2306a(d)(2), which states that an offeror must submit cost or pricing data and certify that the data submitted is accurate, complete, and current. A final proposed change is that COs will need to note in the Contractor Performance Assessment Reporting System, regardless of award status, if the offeror has denied multiple requests to submit data other than certified cost or pricing data over the prior three years. Comments are due on October 29 and should be submitted here. The Coalition is considering submitting comments; if you would like the Coalition to respond to the proposed rule, please notify Aubrey Woolley at awoolley@thecgp.org.

 

FAR Proposed Rule to Update WOSB Certification Requirements

On October 7, the FAR Council released a proposed rule that will amend the FAR to implement an SBA-published final rule, which requires Women-Owned Small Business Concerns (WOSBs) and Economically Disadvantaged Women-Owned Small Business Concerns (EDWOSBs) to be certified in order to participate in the WOSB Procurement Program, such as WOSB set-asides or sole-source contracts. The SBA rule implements Section 825 of the National Defense Authorization Act for FY15. Section 825 amends the Small Business Act to mandate that a business be certified as a WOSB or an EDWOSB by SBA, a certifying entity approved by SBA, or a Federal or State government.

The proposed rule would amend the FAR to include the certification requirement for WOSBs and EDWOSBs to be eligible to participate in WOSB set-aside or sole-source awards. One of the proposed changes is that COs will be required to verify that the business is a certified WOSB or EDWOSB in the Dynamic Small Business Search. Another proposed change is that businesses can submit an offer on a set-aside while awaiting certification. If the offer is accepted, then the CO must notify the SBA of the pending certification, and the SBA will make a certification determination within 15 days of the notification. If the CO does not receive notification from the SBA within 15 days, the CO may give the SBA more time or move on to the next highest offeror. The proposed rule does not allow businesses awaiting certification to win sole-source awards. Comments are due on December 6 and can be submitted here.